subversion-users mailing list archives

From Scott Frankel <fran...@circlesfx.com>
Subject Re: server config
Date Fri, 23 Aug 2013 04:33:07 GMT

Hi all,

I appreciate all the tips and info I've received from my server config questions.  It looks like I need to do much more to secure my server before tackling the SVN portion.  I'm going to take a step back and do that first.  If necessary I'll (re)post once that's complete.

Thanks!
Scott



On Aug 19, 2013, at 12:13 PM, Scott Frankel wrote:

> 
> Hi all,
> 
> Thanks for the replies!  Please see below for additional comments.
> 
> 
> On Aug 19, 2013, at 9:42 AM, David Chapman wrote:
> 
>> On 8/19/2013 9:07 AM, Scott Frankel wrote:
>>> Hi all,
>>> 
>>> I'm new to SVN server configuration and find myself setting up a CentOS 6.4 server with svn version 1.6.1, following the red-bean book.
>>> 
>>> I'm having difficulty with authorization &/or authentication:  my repo appears to be accessible by anyone in spite of requiring "valid-user" and specifying digest authentication.  I believe this because 1) I can download a full working copy of the repo to a 3rd-party logged into a foreign computer, and 2) I have dozens of entries in apache's logfiles, like these from this morning, *prior* to any known/legitimate access to my repos today:
>> 
>> Step 1:  Take the real repo offline until you get the security problems resolved.  Every IP address on the Internet is scanned every single day, and your repo is vulnerable right now.
>> Step 2:  Run experiments with a dummy repo to resolve the security problems.
>> 
>> Don't ever run security experiments with production data.  Put production data online only after you know that all security problems have been resolved.
> 
> Good points!  My repo currently being downloaded by whomever is a testProj with absolutely nothing of value in it.
> 
> 
>>> svn_logfile:
>>> [19/Aug/2013:00:46:32 +0000] - checkout-or-export / r1 depth=infinity
>> 
>> This does not look good at all.  It's quite possible that someone else has downloaded your repository.  The access_log file may tell you the IP address from which the request was made; with luck it's the one you were experimenting with and the time stamp matches your access.
>> 
>>> access_log
>>> 93.174.93.213 - - [19/Aug/2013:07:23:50 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 319 "-" "ZmEu"
>> 
>> If you watch access_log over time, as I do, you will see these sorts of probes constantly.  Too many to list, they are meant to check for known vulnerabilities in older versions of Apache or tools installed (SQL administration, PHP administration, etc.).  These will never go away.  Get used to them.  They should all fail; if not then you have other security problems to fix.
> 
> OK.  Getting used to common log entries is important.
> 
> 
>>> error_log
>>> [Mon Aug 19 07:23:51 2013] [error] [client 93.174.93.213] File does not exist: /var/www/html/MyAdmin
>>> 
>>> 
>>> This doesn't look good at all.  My Location directive follows below.  The /etc/svn-auth.htdigest exists and appears to be valid.  My goal is to set up the repo, serve it via Apache, provide access to only a small number of people that I approve, use cmd-line svn and do so securely.
>> 
>> These are standard goals.
> 
> Good.  I mention them in hopes it whittles down in advance any suggestions you might have.  e.g.: the red-bean book has quite a lot to say about tunneling svnserve, which is not germane to my setup.
> 
> 
>>> This is my first brush with Apache, OpenSSL, and general server config.  Thanks in advance for your suggestions!  BTW, I'm not subscribed and would appreciate being cc'd on any replies.
>>> Scott
>>> 
>>> 
>>> 
>>> <Location /svn>
>>> DAV svn
>>> SVNParentPath /var/svn
>>> 
>>> # Authentication: Digest
>>> AuthName "Subversion repository"
>>> AuthType Digest
>>> AuthUserFile /etc/svn-auth.htdigest
>>> 
>>> # Authorization: Authenticated users only
>>> Require valid-user
>>> </Location>
>>> 
>>> 
>> 
>> How many repositories do you have?  You shouldn't use SVNParentPath if you have only one repository; use SVNPath.  I don't know if that is the direct cause of your problem, but you should fix it.
> 
> I chose to use SVNParentPath on purpose.  As soon as I have a secure, working server config, I'll be hosting multiple repos.  Daniel and Thomas, thanks for your suggestions.
> 
> 
>> You can also try working with AuthType Basic, creating passwords with /usr/sbin/htpasswd, until you figure things out.  I have more experience with that than AuthType Digest, so I can't help you there.
> 
> I'll try that to see what I discover; but ultimately my research so far points to Digest mode being more secure.
> 
> Thanks for the suggestions!
> Scott
> 
> 
> 
> 
>> 
>> -- 
>>  David Chapman      dcchapman@acm.org
>>  Chapman Consulting -- San Jose, CA
>>  Software Development Done Right.
>>  www.chapman-consulting-sj.com
>> 
> 
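The checks David suggests in the thread (is the svn operational log showing actions with no authenticated user, which access_log client made the request at that timestamp, and are the scanner probes all failing with 404) as an added Python example, not code from the original thread. It assumes the svn_logfile format from the red-bean book (`%t %u %{SVN-ACTION}e`, where `%u` is `-` for an unauthenticated client) and Apache's combined access_log format; the log lines are constructed samples modelled on the ones quoted above.

```python
import re
from collections import Counter

# Constructed sample lines in the two formats quoted in the thread:
# mod_dav_svn operational log ("%t %u %{SVN-ACTION}e") and Apache combined access_log.
SVN_LOG = """\
[19/Aug/2013:00:46:32 +0000] - checkout-or-export / r1 depth=infinity
[19/Aug/2013:09:15:02 +0000] scott update / r3 depth=infinity
[19/Aug/2013:11:20:40 +0000] - checkout-or-export /testProj r1 depth=infinity
"""

ACCESS_LOG = """\
93.174.93.213 - - [19/Aug/2013:07:23:50 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 319 "-" "ZmEu"
93.174.93.213 - - [19/Aug/2013:07:23:51 +0000] "GET /MyAdmin/ HTTP/1.1" 404 300 "-" "ZmEu"
203.0.113.7 - - [19/Aug/2013:00:46:32 +0000] "OPTIONS /svn/testProj HTTP/1.1" 200 190 "-" "SVN/1.6.1"
203.0.113.7 - scott [19/Aug/2013:09:15:02 +0000] "OPTIONS /svn/testProj HTTP/1.1" 200 190 "-" "SVN/1.6.1"
"""

SVN_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<user>\S+) (?P<action>.*)$')
ACCESS_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')

def anonymous_svn_actions(svn_log):
    """Return (timestamp, action) for svn operational-log entries with no authenticated user.
    mod_dav_svn logs %u as '-' when Apache did not authenticate the client, so a
    checkout-or-export with user '-' means the repository was served anonymously."""
    hits = []
    for line in svn_log.splitlines():
        m = SVN_RE.match(line)
        if m and m.group('user') == '-':
            hits.append((m.group('ts'), m.group('action')))
    return hits

def correlate_ips(access_log, timestamp):
    """Client IPs in access_log whose request carries the given timestamp, to tie an
    anonymous svn action back to a source address (is it the machine you tested from?)."""
    matches = (ACCESS_RE.match(line) for line in access_log.splitlines())
    return sorted({m.group('ip') for m in matches if m and m.group('ts') == timestamp})

def probe_counts(access_log):
    """Count 404 responses per client IP: the background scanner noise ('ZmEu' etc.)
    that should all fail. A 200 on one of those probe paths is what would need chasing."""
    counts = Counter()
    for line in access_log.splitlines():
        m = ACCESS_RE.match(line)
        if m and m.group('status') == '404':
            counts[m.group('ip')] += 1
    return dict(counts)
```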

