-
Nov 5th, 2003, 02:37 PM
#1
Thread Starter
Lively Member
Anyone know a good site for ....
Hi everybody,
does anyone know a good site containing powerful information about site security, especially Linux security?
Because I have a problem on my new server:
I don't know how to secure it from CGI scripts like cgitelnet, for example.
Thanks
-
Nov 5th, 2003, 03:51 PM
#2
What do you mean by "secure it from"?
All the buzzt
 CornedBee
"Writing specifications is like writing a novel. Writing code is like writing poetry."
- Anonymous, published by Raymond Chen
Don't PM me with your problems, I scan most of the forums daily. If you do PM me, I will not answer your question.
-
Nov 5th, 2003, 08:55 PM
#3
Thread Starter
Lively Member
(("secure it from" means)) make it highly secure. I don't want bad CGI scripts to run on my server because it's so dangerous..
So how do I deny them from working?
-
Nov 6th, 2003, 02:57 AM
#4
With Apache:
First, remove or comment out every ScriptAlias entry in the httpd.conf.
Second, remove or comment out every AddHandler cgi-script entry in the httpd.conf.
Third, make sure that Override None is in effect everywhere; this prevents people from adding CGI execution via .htaccess files.
This should completely prevent CGI scripts from being executed. There is no option to sort bad CGI scripts from good ones, of course.
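The three steps in post #4 can be checked mechanically. The Python audit below is an added example, not part of any post in this thread: the sample httpd.conf is constructed, the override setting is checked through Apache's `AllowOverride` directive, and the checks for `SetHandler`, `ScriptAliasMatch` and `Options ExecCGI`/`All` go beyond what the post lists.

```python
# Added example: audit an Apache config for directives that can enable CGI.
# SAMPLE_CONF is constructed for illustration; it is not a config from the thread.
SAMPLE_CONF = """\
ServerRoot "/usr/local/apache"
# ScriptAlias /old-cgi/ /var/www/old-cgi/
ScriptAlias /cgi-bin/ /home/XXXXXX/public_html/cgi-bin/
AddHandler cgi-script .cgi .pl
<Directory />
    Options FollowSymLinks
    AllowOverride None
</Directory>
<Directory /home/*/public_html>
    Options Indexes ExecCGI
    AllowOverride Options FileInfo
</Directory>
"""

def audit_cgi(conf_text):
    """Return (line_no, directive_line, reason) for each active line that can enable CGI."""
    findings = []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: already inactive
        parts = line.split()
        # Apache directive names and these keywords are case-insensitive.
        name, args = parts[0].lower(), [a.lower() for a in parts[1:]]
        reason = None
        if name in ("scriptalias", "scriptaliasmatch"):
            reason = "maps a URL prefix to a directory whose files run as CGI"
        elif name in ("addhandler", "sethandler") and args[:1] == ["cgi-script"]:
            reason = "assigns the cgi-script handler"
        elif name == "options" and any(a.lstrip("+") in ("execcgi", "all") for a in args):
            reason = "turns on ExecCGI for this scope"
        elif name == "allowoverride" and args != ["none"]:
            reason = "lets .htaccess files change settings in this scope"
        if reason:
            findings.append((no, line, reason))
    return findings

if __name__ == "__main__":
    for no, line, reason in audit_cgi(SAMPLE_CONF):
        print(f"line {no}: {line}  <- {reason}")
```

The audit reads a single file as text; it does not follow `Include` directives or backslash line continuations, so run it over every included file as well.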
-
Nov 9th, 2003, 11:58 AM
#5
Thread Starter
Lively Member
Thanks CornedBee
This should completely prevent CGI scripts from being executed. There is no option to sort bad CGI scripts from good ones, of course.
We can disable any nobody script (( enable SuExec ))
We could give the commands' dir chmod 744
Add more security against Perl
chmod 744 /usr/lib/perl5/5.8.0/i386-linux-thread-multi/CORE
Something like that.
You think that stopping CGI completely is the only way
usr/local/apache/conf/
ScriptAlias /cgi-bin/ /home/XXXXXX/public_html/cgi-bin/
But isn't there any other way??
I want to start a hosting company.
No one will take space from me if he knows that CGI and Perl are disabled.
I'm new in this field i
-
Nov 10th, 2003, 05:54 AM
#6
The thing is, CGI is not only PERL, CGI is everything executable.
This can mean shell scripts, awk scripts, perl scripts, tcl scripts. Those are all more or less harmless.
But it can also mean C programs. Those are dangerous.
Ok, according to your plans, you want to prevent the user from uploading a script that does something to the server. This can be next to any language. You can control this at the server configuration and OS level. You need to add a new user to the computer with VERY limited rights. Access only to a few selected directories, no system resources at all, no process spawning etc. Then you configure Apache to use this user to execute CGI scripts (don't know how, but it is possible).
This will prevent people from intentionally uploading evil CGI scripts.
There is the other danger. Even normal CGI scripts can be bad if they are poorly written. This applies most of all to those written in C, as those are often subject to buffer overflows. This means that a cracker can send malformed data and at least crash the CGI script, at worst do some really evil things. The limited user rights should prevent these, though. But nobody likes DoS attacks, even if they have only a faint chance of succeeding.
I know of no way to allow only execution of non-compiled CGI scripts.
What you CAN do is use alternatives to CGI: mod_php (PHP), mod_perl (embedded PERL), or mod_jk/mod_jk2/mod_webapp (connect to a standalone Apache Tomcat server for JSP).
All three languages (PHP, Perl and Java) are not easily subject to any dangerous flaws, and the security settings of JSP can easily be configured in great detail (thanks to the Java security model).
mod_php and mod_perl are very easy to install too, often being already set up and configured in common distributions. PHP is very common, PERL in mod_perl less so. JSP is mostly used for really large projects, which I find unjustified, but well...