httpd-users mailing list archives

From "R'twick Niceorgaw" <pub...@utkalika.net>
Subject Re: [users@httpd] how to block hackers ?
Date Tue, 21 Jan 2003 17:46:02 GMT

----- Original Message -----
From: "Jeremy Tinley" <jtinley@unirez.com>
To: <users@httpd.apache.org>
Sent: Tuesday, January 21, 2003 11:37 AM
Subject: RE: [users@httpd] how to block hackers ?


DocumentRoot is chroot environment, meaning someone can't access
http://yourserver/../../etc/passwd, however, if they have access to the
filesystem, this is still an option.

To be honest, if you're not using shadows in place of the passwd file, you're
asking for trouble to begin with.

The workarounds really depend upon what kind of environment you have setup.
If there will be trusted vs. untrusted users accessing your machine, what type
of content you are serving, etc.  If you feel comfortable, provide some detail
as to what this server will be doing so that others can make more meaningful
suggestions about your environment:

Who has access to change the content?
Are you going to be allowing FTP access or will the modifications come
directly on the server?
If so, are these users trusted users, employees, or customers?

As for your other question, there is a directive for the httpd.conf file (that
usually comes turned on by default) that disallows viewing of the .htaccess
files, so yes, you can restrict certain IPs (either blocked, or allowed) to
certain actions.

-J

I do use shadow password files.

I have a Red Hat 7.3 Linux box with Apache, PHP 4.3 and mod_perl.
It's hosting 4 websites with name-based hosting. They are mostly dynamic
content pulled from databases or from a Stratus machine via sockets.
There are two more trusted users who have SSH access to it, and a few more can
use FTP. These FTP users are not that much trusted; though they work for us,
they are supposed to be non-Linux users and so are restricted to uploading to
one directory outside the web directories. Only three users who have shell
access can put something in the doc roots after reviewing what others have
uploaded. .htaccess and anything outside the webroot are denied by Apache.
Also, open_basedir for PHP is set properly for each web site. But my company
is a bit paranoid, as there may be some leak somewhere which can compromise the
server, as someone can get into the Stratus boxes through it (which contain
highly sensitive data). So, I'm just trying to make sure no one gets access
to the server.

Regards
-R'twick
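The controls both posters describe (nothing served from outside the DocumentRoots, .ht* files never served, per-site open_basedir, and allow/deny by client IP) written out as an httpd.conf fragment for the Apache 1.3/2.0 era in question. This is an added illustration, not configuration from either poster; the hostname, paths and the 192.0.2.0/24 office range are placeholders.

```apache
# Default-deny the whole filesystem; each site re-opens only its own tree.
<Directory />
    Options None
    AllowOverride None
    Order deny,allow
    Deny from all
</Directory>

# Never serve .htaccess / .htpasswd (the stock httpd.conf ships this block).
<Files ~ "^\.ht">
    Order allow,deny
    Deny from all
</Files>

NameVirtualHost *:80

<VirtualHost *:80>
    ServerName   www.example.com           # placeholder hostname
    DocumentRoot /var/www/example/html     # placeholder path

    <Directory /var/www/example/html>
        Options -Indexes -Includes -ExecCGI
        AllowOverride None                 # .htaccess ignored even if uploaded
        Order allow,deny
        Allow from all
    </Directory>

    # Confine this site's PHP scripts to their own tree plus a scratch dir;
    # php_admin_value cannot be overridden from scripts or .htaccess.
    php_admin_value open_basedir /var/www/example/html:/tmp

    # Admin area reachable only from the office network (placeholder range).
    <Location /admin>
        Order deny,allow
        Deny from all
        Allow from 192.0.2.0/24
    </Location>
</VirtualHost>
```

Check the result with `apachectl configtest` and then request `/.htaccess`, `/../etc/passwd` and `/admin` from an outside address; all three should be refused.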



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org