Patrick Donker wrote:
Well, what you're asking essentially amounts to "how do I secure my server", which is a really involved question. Some simply guidelines, however, are the following (and I hope others will elaborate, as I'm not a security expert):Abu Hurayrah wrote:Patrick Donker wrote:What exactly do you mean by hosting your scripts? Are you referring to where to put them on your server, physically, in relation to your DOCUMENT_ROOT?Guys,What is the best way, security wise, to host cgi, perl or php scripts? Should I start using a jail or are there other ways to keep my server from being a worm or spam platform. Links to howtos or other threads are most welcomed.Thanks -PatrickAlso, if the script is going to be useful, it's going to be accessible from the web, so it doesn't really matter where you host them on your server, as they'll all be equally visible in order to be executable.Lastly, some of these scripting engines, such as PHP, have a "safe mode" feature that helps to prevent common exploits, but that is only effective if you are running an unsafe setup in the first place, and moreover, is oftentimes very restrictive to most scripts.Let us know some of these details, and maybe we can help out some more.Right, ok, maybe I should've given more info.Well then, it mostly concerns mailto forms accessable from the web or other feedback scripts. Maybe lookup or dataentry scripts into a mysql database. Clearly there shouldnt be very much of a problem running scripts that are called from html pages, as in dynamic contents. What you could think of is clients making an online calculation and submitting this through email as an order. Sounds like a shopping cart kinda script, but such a broad application isnt needed. What I would like to know is what the best approach is to secure a server to avoid it becoming a launch platform for all sorts of nasty things. Lastly I'd like to know how to avoid people peeking into data of other vhosts that might be running on the same server. I'm not very keen on running different instances; I'd like to keep things as simple as possible. I'm not a big time isp or something, I just host some small websites for small companies, but now they have asked me if it possible to make their sites somewhat interactive. I hope that it is more clearly now what I mean. If not, please say so and I'll try to elaborate moreThanks Patrick ---------------------------------------------------------------------The official User-To-User support forum of the Apache HTTP Server Project.See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
1) Check ALL data types - do not assume anything submitted to your script is already well-formed. Check for both value and type, if necessary. 2) Fail safe - that is, if your script should fail, let it fail in a non-catastrophic way. To do this, you should only execute AFTER confirming that a value is what it should be. Also, let your default case be one of safety, and not one of trusting input data. If you pass filenames as a URL parameter (not very smart in the first place), then ensure that the filename belongs to a list of acceptable names first, and then continue processing. For example, "if not in ( array( 'index.php', 'home.php', 'contact.php' ) ) exit(); else continue" - I hope my pseudocode was understandable. 3) Be careful of resource usage - this is one way a malicious attacker can wreak havoc acting "normal" - be mindful of how much processing time a script takes, any database connections that need to be made, how much memory is consumed, etc. 4) Read up on Apache's security information: http://httpd.apache.org/docs-2.0/misc/security_tips.html (this if for 2.0, read the documentation for your appropriate version first).
The issues your brought seem unlikely unless your script explicitly allows them - for example, your concern of a "people peeking into data of other vhosts" etc...how would that happen exactly?
--------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|