Subject: Re: AW: [suse-security] Web server security holes ?
From: John Ritchie (ritchiej snakepit.ritchie.peak.org)
Date: Wed Apr 05 2000 - 07:16:53 CDT
- Next message: Wood, Alan: "RE: [suse-security] Cracking passwd file on suse systems"
- Previous message: Carsten Schmitz: "Re: [suse-security] Cracking passwd file on suse systems"
- In reply to: Stefan Becker: "AW: [suse-security] Web server security holes ?"
- Next in thread: Oliver Grube: "RE: [suse-security] Web server security holes ?"
- Reply: John Ritchie: "Re: AW: [suse-security] Web server security holes ?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Wed, 5 Apr 2000, Stefan Becker wrote:
> Hi,
> If your Webserver is practically open to the public
> (like Apache running on the ISDN Router) and
> you need to deny access to that interface but
> still want your internal users to see the
> webserver - you can consider the following:
>
> put this in the httpd.conf
> #
> # Listen: Allows you to bind Apache to specific IP addresses and/or
> # ports, in addition to the default. See also the <VirtualHost>
> # directive.
> #
> #Listen 3000
> Listen 192.168.80.99:80
>
> This will handle requests directed at the www-server's interface
> (for example using apache as a proxy server) - but will
> be totally deaf to the rest of the world!
>
> This should do fine!
>
No, this is actually not right. The Listen directive only specifies which
interface/port Apache listens on if a server has multiple IP interfaces or
listens on multiple or non-standard ports. It will accept an HTTP request
to that interface from anywhere. The correct way to limit where Apache
will accept requests from is to use the Allow and Deny directives within a
Directory container. For example:
To limit Apache to only respond to requests from itself (i.e. help docs on
a standalone machine, not served to anyone else) put the following within
the default directory container:
<Directory />
[yada yada - other default directives]
Order deny,allow
Deny from all
Allow from localhost
</Directory>
This is the first thing I do with Apache when I install it on a
workstation so that people can't try all the exploits against me that the
previous poster noted. :)
You can also specify IP address subnets, individual IP addresses,
hostnames or network names, or use userid/passwords with the Allow
command. Take a look at
http://www.apache.org/docs-1.2/mod/mod_access.html#allow
for help (this is 1.2 docs, so it's outdated), or look at the apache docs
that get installed by default (SuSE 6.3 anyway).
Hope this helps,
John Ritchie
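To make the Order/Deny/Allow logic in the reply above concrete, here is an added Python sketch (it is not from the post and not Apache's own code) that evaluates mod_access-style rules for a client address. It assumes that "localhost" means the IPv4 loopback network and handles only IP-based Allow/Deny arguments (all, partial dotted addresses, CIDR), not hostnames.

```python
"""Evaluate Apache 1.x mod_access style Order/Deny/Allow rules for one client IP."""
import ipaddress


def _matches(client, spec):
    """True if the client address matches one Allow/Deny argument."""
    if spec == "all":
        return True
    if spec == "localhost":
        # Assumption: treat 'localhost' as the IPv4 loopback network.
        # Real mod_access compares it as a hostname via reverse DNS.
        return client in ipaddress.ip_network("127.0.0.0/8")
    if "/" in spec:
        # CIDR form, e.g. 192.168.80.0/24
        return client in ipaddress.ip_network(spec, strict=False)
    # Partial dotted address, e.g. "192.168.80" matches 192.168.80.x;
    # a full address must match exactly.
    text = str(client)
    return text == spec or text.startswith(spec.rstrip(".") + ".")


def evaluate(order, allow, deny, client_ip):
    """Return 'allowed' or 'denied' for client_ip.

    order is 'deny,allow' or 'allow,deny', mirroring the Order directive:
      deny,allow  -> Deny rules first, an Allow match overrides; default allow
      allow,deny  -> an Allow match is required, any Deny match rejects; default deny
    allow/deny are lists of 'Allow from' / 'Deny from' arguments.
    """
    client = ipaddress.ip_address(client_ip)
    allowed = any(_matches(client, s) for s in allow)
    denied = any(_matches(client, s) for s in deny)
    if order == "deny,allow":
        # Rejected only when a Deny matched and no Allow rescued it.
        return "denied" if denied and not allowed else "allowed"
    if order == "allow,deny":
        # Must match an Allow and must not match any Deny.
        return "allowed" if allowed and not denied else "denied"
    raise ValueError("unknown Order: %r" % order)


if __name__ == "__main__":
    # Constructed sample: the container from the reply, then a LAN-only variant.
    for ip in ("127.0.0.1", "203.0.113.9"):
        print(ip, evaluate("deny,allow", ["localhost"], ["all"], ip))
    print("192.168.80.5", evaluate("deny,allow", ["192.168.80"], ["all"], "192.168.80.5"))
```

Note that with "deny,allow" and no rules at all every request is allowed, while "allow,deny" with no rules denies everything; forgetting the Order line changes the outcome even when the Allow/Deny lines look right.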