[olug] Was Apache/SSI help now Apache Security

Brian Weber brian at cbiowa.com
Fri May 10 05:53:02 UTC 2002


	From the two days of research on the topic, there are very few
things you have to do to set it up.  This is one of those tasks where
setting it up is so easy that there is no way to know how to fix it when
it breaks, because you didn't do anything to set it up in the first
place.
	Now I don't have a lot of security experience beyond doing what
sounds like a good practice from somebody else's experience.  In my
research I made the decision to change the way I maintain security for
my website.  For anybody who has the time (the email is kind of long)
and curiosity (possibly on the simple/boring side), I would appreciate
other opinions on the following setup.  See if I left any open holes.

Allow SSI within the Apache configuration and maintain security and
functionality.
	What are the choices:
    A) Uncomment the 'AddType text/html .shtml' and 'AddHandler
server-parsed .shtml' lines, which will only allow .shtml files to be
executed.
	Benefits: - Secure setup
	Concerns: - Some search engines will not index dynamic pages.
    B) Add 'XBitHack On' to either your site or your per-directory
settings.  This will allow any file with the exec bit set to run.
	Benefits: - You are not bound by a naming convention.  Search
engines only see the ".html" and the static content, no matter how
dynamic.
	Concerns: - Creates a possible hole in the security policy.
    C) Add the following options in .htaccess file(s) and change the
Apache conf file to take all privileges away from everybody.
	Benefits: Extremely tight security.  More difficult for security
holes to sneak in.
	Concerns: Extra work while maintaining website(s)

    My Choice: C
       httpd.conf changes
	1) Change every "Options" directive in httpd.conf to "None".
		Exception) Left user home directories and the icon directory
unchanged in the conf file.
	2) Change every "AllowOverride" directive to "All" or list out
the allowed choices.
	3) Change every "Order" directive to say "Order Allow,Deny"
(forces denied access as the default).
	4) Change every "Allow" directive to "Allow from All".
	5) Put in the required Deny directives as needed for your site.

	 .htaccess changes
	1) In your website root directory create .htaccess with read for
everybody and write for root only.
	2) Add an "Options" directive with the following options [+All
-SymLinksIfOwnerMatch -ExecCGI -Includes -Indexes ].  Adding the
"+/-" in front of the options makes them recursive through subdirectories.
Without the "+/-" you are only setting the current directory.  These
options give all permissions except "no CGI execution", "no server-side
include", "no access to directories without a default index page",
"disallowing a link owned by 'nobody' to execute a root script".
	3) Add a .htaccess file to your cgi-bin directory and add the
"Options" directive with the following options [ +ExecCGI +Includes ].
Since we used "+/-" in the root directory we inherit parent permissions
and denial status.  Keep allowed execution in a single directory so you
have an easy way of grepping your logs for unauthorized execution.
	4) Add an "XBitHack Full" directive to your root .htaccess file.
The "Full" option will allow search engines and proxies to cache your
documents.  Change from Full to On if your site doesn't change that much
and you want search engines and proxies to possibly cache your output.
You will lose the last modified date.
	5) Go through your site directory structure and add the .htaccess
files according to your security policy.

Online reference: http://httpd.apache.org/docs/mod/mod_include.html for
SSI in Apache.
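The option C setup above, written out as Apache configuration. This is an added example, not configuration from the message or from the Apache project; the DocumentRoot path /var/www/html is assumed, and the Deny entry is a constructed placeholder.

```apache
# httpd.conf: every "Options" set to None, overrides allowed so that
# per-directory .htaccess files re-enable only what each tree needs.
<Directory />
    Options None
    AllowOverride All
    Order Allow,Deny
    Allow from All
</Directory>

# Assumed DocumentRoot; substitute your own.
<Directory "/var/www/html">
    Options None
    AllowOverride All
    # Order Allow,Deny: anything not matched by an Allow is denied,
    # and a later Deny overrides the Allow.
    Order Allow,Deny
    Allow from All
    # Site-specific denials go here (constructed example, commented out):
    # Deny from 192.0.2.0/24
</Directory>

# User home directories and the icons directory are left as shipped.

# /var/www/html/.htaccess  (mode 644, owned by root)
# A "+" or "-" prefix merges each option with the parent directory's
# set instead of replacing it, so subdirectories inherit this baseline.
Options +All -SymLinksIfOwnerMatch -ExecCGI -Includes -Indexes
# "Full" also checks the group-execute bit and, when set, sends the
# file's mtime as Last-Modified so caches and search engines can store
# the parsed output.
XBitHack Full

# /var/www/html/cgi-bin/.htaccess
# The only tree where CGI execution and SSI parsing are switched on;
# everything else is inherited from the root .htaccess above.
Options +ExecCGI +Includes
```

Apache only parses SSI where the Includes option is in effect, so with the root .htaccess disabling it the XBitHack directive takes effect only under cgi-bin, which is what keeps execution confined to one directory for log review.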
-----Original Message-----
From: Brian Wiese [mailto:bwiese at cotse.com] 
Sent: Thursday, May 09, 2002 7:05 PM
To: olug at olug.org
Subject: Re: [olug] RE: Apache/SSI help


On Thu, 9 May 2002 17:00:55 -0700
"Brian Weber" <brian at cbiowa.com> wrote:

|	It never occurred to me that I couldn't have "THE WHOLE WEBSITE 
|DIRECTORY" on a different partition and just create a link to that 
|directory on a different partition.  Just don't tell anybody you seen 
|my head hitting the wall multiple times.

I wasn't aware of this either. Wow. Thanks for the info. =)
I'm looking to get SSI set up here soon; I was just about to fwd your
post to a friend who hacked up my own site to use SSI, so when I get a
chance here I'm gonna see what he did. Glad you got it fixed! I know
what that 'pounding head into keyboard' feeling is like.

"Fall down 7 times, stand up 8." - Japanese proverb
(hopefully though, you can find your way to stand up!)

peace

  Brian Wiese | bwiese at cotse.com | aim: unolinuxguru
------------------------------------------------------
  GnuPG/PGP key 0x1E820A73 | "FREEDOM!" - Braveheart 

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_

For help contact olug-help at olug.org - run by ezmlm
to unsubscribe, send mail to olug-unsubscribe at olug.org
or `mail olug-unsubscribe at olug.org < /dev/null`
(c)1998-2002 OLUG http://www.olug.org

-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-_