Modified "CGI in general" and moved it so it's available earlier than the other
CGI security tips.
Added info to "Watching Your Logs".
Added "Using Passphrases instead of Passwords" which is about choosing better
passwords when using client authentication.
No wordwrap and diff -u, this patch better work. :)
Index: ./httpd-docs-2.0/manual/misc/security_tips.html
===================================================================
RCS file: /home/cvspublic/httpd-2.0/docs/manual/misc/security_tips.html,v
retrieving revision 1.28
diff -u -r1.28 security_tips.html
--- ./httpd-docs-2.0/manual/misc/security_tips.html 19 Jan 2002 17:44:08
-0000 1.28
+++ ./httpd-docs-2.0/manual/misc/security_tips.html 12 Jul 2002 01:10:39
-0000
@@ -20,17 +20,21 @@
<li><a href="#ssi">Server Side Includes</a></li>
+ <li><a href="#cgi">CGI in General</a></li>
+
<li><a href="#nsaliasedcgi">Non Script Aliased CGI</a></li>
<li><a href="#saliasedcgi">Script Aliased CGI</a></li>
- <li><a href="#cgi">CGI in General</a></li>
-
- <li><a href="#systemsettings">Protecting System
+ <li><a href="#systemsettings">Protecting System
Settings</a></li>
<li><a href="#protectserverfiles">Protect Server Files by
Default</a></li>
+
+ <li><a href="#watchyourlogs">Watching Your Logs</a></li>
+
+ <li><a href="#usingpassphrases">Using Passphrases instead of
Passwords</a></li>
</ul>
<hr />
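Review bot: the `-`/`+` pair for the `#systemsettings` list item (the two lines just before `Settings</a></li>`) is a whitespace-only change that adds noise to the diff; keep the original line so this hunk shows only the moved "CGI in General" entry and the two new entries. The three new/moved entries do match the `id` anchors introduced later in the patch (`cgi`, `watchyourlogs`, `usingpassphrases`), so the index will resolve.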
@@ -140,6 +144,25 @@
<hr />
+ <h2><a id="cgi" name="cgi">CGI in General</a></h2>
+
+ <p>First of all: you always have to remember that you must trust the
writers of
+ the CGI script/programs or your ability to spot potential security
+ holes in CGI, whether they were deliberate or accidental.</p>
+
+ <p>All the CGI scripts will run as the same user, so they have
+ potential to conflict (accidentally or deliberately) with other
+ scripts <em>e.g.</em> User A hates User B, so he writes a
+ script to trash User B's CGI database. One program which can be
+ used to allow scripts to run as different users is <a
+ href="../suexec.html">suEXEC</a> which is included with Apache
+ as of 1.2 and is called from special hooks in the Apache server
+ code. Another popular way of doing this is with <a
+ href="http://wwwcgi.umr.edu/~cgiwrap/">CGIWrap</a>.</p>
+
+ <p></p>
+ <hr />
+
<h2><a id="nsaliasedcgi" name="nsaliasedcgi">Non Script Aliased
CGI</a></h2>
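Review bot: the opening sentence has been reworded from "Always remember that you must trust ..." (the version deleted in the next hunk) to "First of all: you always have to remember that you must trust ...", which is wordier without adding meaning; keeping the paragraph text identical would make this a pure move and much easier to review. The empty `<p></p>` before the `<hr />` is a layout spacer rather than content, although the existing sections in this file use the same pattern, so consistency with the file may be the deciding factor.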
@@ -176,25 +199,6 @@
<p></p>
<hr />
- <h2><a id="cgi" name="cgi">CGI in General</a></h2>
-
- <p>Always remember that you must trust the writers of the CGI
- script/programs or your ability to spot potential security
- holes in CGI, whether they were deliberate or accidental.</p>
-
- <p>All the CGI scripts will run as the same user, so they have
- potential to conflict (accidentally or deliberately) with other
- scripts <em>e.g.</em> User A hates User B, so he writes a
- script to trash User B's CGI database. One program which can be
- used to allow scripts to run as different users is <a
- href="../suexec.html">suEXEC</a> which is included with Apache
- as of 1.2 and is called from special hooks in the Apache server
- code. Another popular way of doing this is with <a
- href="http://wwwcgi.umr.edu/~cgiwrap/">CGIWrap</a>.</p>
-
- <p></p>
- <hr />
-
<h2><a id="systemsettings" name="systemsettings">Protecting
System Settings</a></h2>
@@ -276,8 +280,80 @@
<dl>
<dd><samp>UserDir disabled root</samp></dd>
</dl>
+
+ <p></p>
<hr />
+ <h2><a id="watchyourlogs" name="watchyourlogs">
+ Watching Your Logs</a></h2>
+
+ <p>To keep up-to-date with what is actually going on against your server
+ you have to check the <a href="../logs.html">Log Files</a>.
+ Even though the log files only reports what has already happend, they will
give
+ you some understanding of what attacks is thrown against the server
+ and allows you to check if the necessary level of security is present.</p>
+
+ <p>A couple of examples:</p>
+ <ol>
+ <li><samp>grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??"
access_log</samp></li>
+ <li><samp>grep "client denied" error_log | tail -n 10 </samp></li>
+ </ol>
+
+ <p>The first example will list the number of attacks trying to exploit the
+ <a href="http://online.securityfocus.com/bid/4876/info/">Apache Tomcat
Source.JSP
+ Malformed Request Information Disclosure Vulnerability</a>, the second
example will
+ list the ten last denied clients, for example:</p>
+
+ <dl>
+ <dd><samp>[Thu Jul 11 17:18:39 2002] [error] [client foo.bar.com] client
denied by
+ server configuration: /usr/local/apache/htdocs/.htpasswd</samp></dd>
+ </dl>
+
+ <p>As you can see, the log files only report what already has happend, so
if the client
+ had been able to access the <samp>.htpasswd</samp> file you would have seen
something
+ similar to <samp>foo.bar.com - - [12/Jul/2002:01:59:13 +0200] "GET
/.htpasswd HTTP/1.1"</samp>
+ in your <a href="../logs.html#accesslog">Access Log</a>. This means you
probably commented out
+ the following in your server configuration file:</p>
+
+ <pre>
+ <Files ~ "^\.ht">
+ Order allow,deny
+ Deny from all
+ </Files>
+ </pre>
+
+ <hr />
+
+ <h2><a id="usingpassphrases" name="usingpassphrases">
+ Using Passphrases instead of Passwords</a></h2>
+
+ <p>If you are using any form of <a
href="../howto/auth.html.en">Authentication</a>
+ the biggest problem besides a faulty configuration is the usage of bad
passwords.
+ Since Apache lets you choose a password without checking it's strength it
allows
+ you to set password <samp>joed</samp> for user <samp>joed</samp>, which
+ means that any visitor could guess the password in a very small amount of
time
+ if the user name was known to him or her.</p>
+
+ <p>Since passwords tend to be modifications of known words like
<samp>us3r</samp>
+ it is better to use so called passphrases. Passphrases are basically
passwords that
+ is built around a phrase instead of a word.</p>
+
+ <p>A Step-by-step guide to creating a passphrase:</p>
+
+ <ol>
+ <li>Choose a phrase that is pretty easy to remember. The phrase "The
number one
+ HTTP server on the Internet" will be used in this example.</li>
+ <li>Take the first letter of each word and merge them into one. The above
phrase
+ would result in the <samp>TnoHsotI</samp> passphrase.</li>
+ <li>Since <samp>TnoHsotI</samp> only contains upper and lower case
letters we need
+ to modify it a bit more. With a little bit of imagination the upper case
version of the letter
+ <samp>t</samp> looks like a 7 and <samp>o</samp> looks like a 0.
+ The finished passphrase is therefor <samp>7n0Hs0tI</samp>.</li>
+ </ol>
+
+ <p></p>
+ <hr />
+
<p>Please send any other useful security tips to The Apache
Group by filling out a <a href="http://bugs.apache.org/">
problem report</a>. If you are confident you have found a
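Review bot: the `<Files ~ "^\.ht">` and `</Files>` lines inside the `<pre>` block are not HTML-escaped, so a browser will treat them as unknown tags and render only the `Order allow,deny` / `Deny from all` lines; write them as `&lt;Files ~ "^\.ht"&gt;` and `&lt;/Files&gt;`. The first grep example is also unlikely to match anything: the quoted pattern contains a literal space between `/jsp/source.jsp?/jsp/` and `/jsp/source.jsp??`, so it only matches a log line that contains both fragments in that order; use two patterns, e.g. `grep -c -e "/jsp/source.jsp?/jsp/" -e "/jsp/source.jsp??" access_log`. The sample access-log line stops after `HTTP/1.1"` with no status or size fields, so either complete it or mark it as abbreviated so readers do not take it for the full format. The passphrase walk-through ends with an eight-character result, no longer than a typical word-based password; suggest the guide also recommend choosing a longer phrase so the derived passphrase gains length as well as character variety. Finally, typos in the new prose: "happend" (twice) -> "happened", "only reports" -> "only report", "what attacks is thrown" -> "what attacks are thrown", "it's strength" -> "its strength", "passwords that is built" -> "passwords that are built", and "therefor" -> "therefore".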
@@ -288,4 +364,6 @@
<p><!--#include virtual="footer.html" --></p>
</body>
</html>
+
+
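Review bot: the two blank lines added after `</html>` are trailing whitespace with no effect on the rendered page; drop them so the hunk and the end of the file stay clean.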