Hi Melanie,

> My current site is constructed as
> 
> root
> root/connections
> root/books
> 
> I would like to prevent the connections directory 
> from being downloaded/accessed for obvious reasons.

There are two good ways to handle this - either will do, but I'd use both if
you can (belt and braces):

1. Make sure all your scripts that contain connection settings and whatnot
end in .php, so they get processed instead of output - this way, even if
someone calls the script directly, all that happens is they get a blank
page. 

2. Reconstruct your site a bit. It should look something like this:

/
  /cgi-bin
  /logs
  /public_html
    /public_html/connections
    /public_html/books

If you move the connections folder outside the public tree, then no-one can
request your connection stuff via HTTP (but you can still include it).

/
  /cgi-bin
  /includes
    /includes/connections
    /includes/any-other-sensitive-stuff
  /logs
  /public_html
    /public_html/books

> It seems I can prevent access by http:// via my hosting service 
> passwording the directory but this doesn't seem to protect against 
> website nabber programs such as black widow and the rest (or does 
> it?). 

It should do, unless they have the password for the directory. Even then,
they'll only see the output of the parsed script, not the script itself. To
get the actual script, you have to have access to the filesystem on the
server, either via FTP/SSH/telnet/whatever or by physically walking up to it
:-)

This is the best reason to have *strong* FTP/SSH/telnet/whatever passwords
(min. 12 characters, random letters/numbers/symbols, mixed case).

> (growing more paranoid the more I get into this web 
> site security issue)

That's a good sign. Paranoia should be the *default* frame of mind for any
halfway-competent sysadmin. 

Cheers
Jon
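
An added example, not part of the original message: a small Python audit that walks the public tree and lists files which hold connection settings but do not end in .php, so the server would send them out as plain text instead of parsing them (points 1 and 2 above). The extension list, the regex markers, the function names and the sample tree are all assumptions made for this illustration.

```python
import os
import re
import tempfile

# Assumption: only these extensions are run through PHP on this host.
PARSED_EXTENSIONS = {".php"}
# Assumption: rough markers of connection settings; tune for your own code.
SECRET_PATTERN = re.compile(
    r"mysql_connect|password\s*=|\$db_?(pass|user|host)", re.I)

def find_exposed(public_root):
    """Return sorted paths (relative to public_root) of files that contain
    connection settings but would not be parsed by PHP."""
    exposed = []
    for dirpath, _dirs, files in os.walk(public_root):
        for name in files:
            # splitext looks at the last suffix only, so db.php.bak is ".bak"
            if os.path.splitext(name)[1].lower() in PARSED_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="ignore") as fh:
                    text = fh.read(65536)  # the first 64 KB is enough here
            except OSError:
                continue  # unreadable file: skip it rather than abort
            if SECRET_PATTERN.search(text):
                exposed.append(os.path.relpath(path, public_root))
    return sorted(exposed)

def build_sample_tree(base):
    """Create a constructed sample layout like the one in the message and
    return the path of its public_html directory."""
    secret = "<?php $db_pass = 'example-only'; ?>"
    files = {
        "public_html/connections/db.inc": secret,      # served as text
        "public_html/connections/db.php": secret,      # parsed, blank page
        "public_html/connections/db.php.bak": secret,  # editor backup
        "public_html/books/index.php": "<?php echo 'books'; ?>",
        "includes/connections/db.inc": secret,         # outside public tree
    }
    for rel, body in files.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return os.path.join(base, "public_html")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel in find_exposed(build_sample_tree(tmp)):
            print("would be served as plain text:", rel)
```

Anything it reports should either be renamed to end in .php or moved under /includes, outside public_html.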
