[Fwd: Re: [SLE] Running a webserver from a home machine...how?]...a response
Boy did you guys open up on me! Ouch! I guess I should have expected it. It was late when I wrote it and I wanted to go to bed, so let me revise my statement a bit. My comment "I hate reading manuals" means I'm the type of guy that sets up first and whatever I "need to know", or if something doesn't work, I read about it afterwards. If I become really interested in something...then I'll read up on it.

Basically, you all can't tell me that you can't recommend certain "critical" areas that I should examine first and that the only way to get set up is by reading the whole manual. ???? I don't need to know about load balancing or other things that a "home user" would care to know about to get up and running. I just want to be up and running and get some "advice" about critical areas of security. I received some helpful advice from other folks so I'm sure it's out there. If at a later time I decide to become more advanced, then I'm sure I'll have to read up on it.

As an example, I just want to publish pictures of my carpet. (It's really nice carpet). I can do it now, but how can I keep folks out of my other directories? I've seen you all answer these types of questions before. I really do appreciate the input I've received and will receive...including the RTFM parts.

Here's one for example....having to always change, add or modify pages or images as root is rather a pain. I understand why I need to, but it's still a pain. If I were to change the path from /srv/www to /home/tom/public_html would this cause any security issues?

Again, I know in order for me to get all the information anyone would ever want to know about Apache, I should read the manual....but I just want to test and slowly increase my knowledge. I just want to play around right now and I'm sure there are simple tips that can be given to an Apache newbie. (I think).

Thanks to all again!

Tom

-----Forwarded Message-----
From: Tom Nielsen
To: SuSE English
Subject: Re: [SLE] Running a webserver from a home machine...how?
Date: 07 Jun 2003 23:15:44 -0700
On Sat, 2003-06-07 at 22:29, Derek Fountain wrote:
> The downside is security. Once you have an entry point into your box from the outside world, especially with a static IP address, you need to understand exactly what that entry point allows and what abuse it might get put to. In other words, you need to read up on Apache and ensure the config is set as you need it. Don't just assume SuSE have set up a secure config which meets your needs.
>
> If you just want to serve static pages and photos, make sure you don't allow PHP, mod_perl or any other of the other abusable things to be accessed from the outside world.
I really, really, really hate reading manuals!! I could stress that more, but I don't have enough time. Most have too much information that would apply on an enterprise level rather than a home user/newbie. Is there a "crib notes" version that I can look at somewhere? I've always had a static IP, but no reason for anyone to look at it. Thanks for the info!

Tom
- - - - - - - - - - - - - - - - - -
Tom Nielsen
Neuro Logic Systems, Inc.
805.389.5435 x18
www.neuro-logic.com
- - - - - - - - - - - - - - - - - -
> type of guy that sets up first and whatever I "need to know", or if something doesn't work, I read about it afterwards. If I become really interested in something...then I'll read up on it.
That approach doesn't work for security issues on your live server. I've no doubt you'll be interested - nay, *fascinated*! - when someone cracks your system and wipes all your disks. But by then it's too late to start reading up.
> Basically, you all can't tell me that you can't recommend certain "critical" areas that I should examine first and that the only way to get set up is by reading the whole manual. ???? I don't need to know about load balancing or other things that a "home user" would care to know about to get up and running.
The word everyone screamed at you was "security". You don't need to read the whole manual, you need to read up on the security issues. Your approach to learning as you go will work fine for getting the thing running efficiently, but not for security. You *have* to read that manual!
> I just want to be up and running and get some "advice" about critical areas of security.
All areas of security are critical. The most important bit is the bit you ignore or don't understand.
> As an example, I just want to publish pictures of my carpet. (It's really nice carpet). I can do it now, but how can I keep folks out of my other directories?
Other way round - you should be asking how you close off your other directories, and only open the one(s) you want. See, you don't yet know what questions to ask, so how can you ever be sure you've asked all the right ones until you have the background? And the background comes from TFM.
> still a pain. If I were to change the path from /srv/www to /home/tom/public_html would this cause any security issues?
Yes.
> Again, I know in order for me to get all the information anyone would ever want to know about Apache, I should read the manual....but I just want to test and slowly increase my knowledge. I just want to play around right now and I'm sure there are simple tips that can be given to an Apache newbie. (I think).
If you want to test and play, install apache on one of your internal machines, away from untrusted users. That's simple - it'll work out of the box. You should have it running inside 5 minutes. Increase your knowledge from there by all means. Just don't open the thing to the outside until you have read up on the security implications, and you've understood how they apply to you. Not anyone else, or an example server, *you*!

--
"...our desktop is falling behind stability-wise and feature-wise to KDE ...when I went to Mexico in December to the facility where we launched gnome, they had all switched to KDE3." - Miguel de Icaza, March 2003
On Monday June 09 2003 12:09 am, Derek Fountain wrote:
[snip]
> If you want to test and play, install apache on one of your internal machines, away from untrusted users. That's simple - it'll work out of the box. You should have it running inside 5 minutes. Increase your knowledge from there by all means. Just don't open the thing to the outside until you have read up on the security implications, and you've understood how they apply to you. Not anyone else, or an example server, *you*!
Maybe I can put this into a perspective that he'll understand better. I assume he's in the USA. FACT.....NO exaggeration!! If your 'puter is cracked and it's used by foreign nationals, (like Chinese since that's common), to attack any Gov't server(s) or banks, etc., the FBI WILL be at your door. You WILL lose your 'puter, and IF you get it back, it WON'T be in the condition it left.....PERIOD!! So go ahead and not listen to the advice you've been given here.

Fred
--
Powered by SuSE Linux 8.2 Pro & KMail 1.5.1
Never forget: At Microsoft, the engineering department are the Ferengi... The marketing and legal departments are the Borg!
On 08 Jun 2003 20:40:14 -0700 Tom Nielsen wrote:
> Boy did you guys open up on me! Ouch! I guess I should have expected it.
>
> As an example, I just want to publish pictures of my carpet. (It's really nice carpet). I can do it now, but how can I keep folks out of my other directories?
Apache's built-in security takes care of most of that for you. If the directory isn't listed in httpd.conf, and you don't have a flawed version of apache, it won't allow visitors out of the web directories. Your best option is to make a separate user just for displaying your web photos. That way, if they do get out of the public_html, it's just a dummy user's home directory.
> I've seen you all answer these types of questions before. I really do appreciate the input I've received and will receive...including the RTFM parts.
The only tricky thing with apache and homedirs is "suexec", which applies to the cgi-bin. suexec is enabled by default; to disable it, you need to remove the suexec binary from the system (or rename it). suexec will not allow any cgi to run unless it is owned by the owner of the homedir. It has its own log too, with the other http logs. If you don't use any cgi scripts, and just serve web pages, your security risk is pretty low.

--
use Perl; #powerful programmable prestidigitation
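The following httpd.conf fragment is an added example, not a config from this thread or from SuSE; it puts Derek's "close off everything, then open only the directory you want" and zentara's "dedicated user for the photos" advice into one configuration. It uses current Apache 2.4 access-control syntax (the Apache shipped with SuSE 8.2 in 2003 used the older Order/Allow/Deny directives). The paths, the "webphotos" account, the port and the ServerName are assumptions.

```apache
# Added example (not from the thread): Apache 2.4 httpd.conf fragment that
# serves one static photo directory and nothing else. Paths, the dedicated
# "webphotos" account, the port and the ServerName are assumptions.

ServerName www.example.com
ServerTokens Prod

# While testing on an internal machine, listen on loopback only; point this at
# the external address only after the whole config has been reviewed.
Listen 127.0.0.1:8080

# Start from "everything closed": no access, no options and no .htaccess
# overrides anywhere in the filesystem. Whatever is not opened below stays shut.
<Directory "/">
    AllowOverride None
    Options None
    Require all denied
</Directory>

# The only directory opened. It is owned by a dedicated account, so pages are
# edited as "webphotos" rather than as root, and a directory-traversal bug
# would land in an otherwise empty home directory rather than in /home/tom.
# httpd (user wwwrun on SuSE) needs read+execute on each path component:
#   chmod 755 /home/webphotos /home/webphotos/public_html
DocumentRoot "/home/webphotos/public_html"
<Directory "/home/webphotos/public_html">
    Options -Indexes -ExecCGI -Includes -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Static files only: no ScriptAlias, and mod_cgi, mod_php and mod_perl are not
# loaded, so nothing on the server executes and suexec is never invoked.
# If mod_userdir happens to be loaded, keep /~user URLs for every other
# account on the box closed.
<IfModule userdir_module>
    UserDir disabled
</IfModule>
```

Check the result with `apachectl -t` before starting the server, then request a path outside the photo directory (for example `/etc/passwd` or `/~tom/`) and confirm that the server answers 403 or 404 and that the access log shows the refusal.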
On Mon, 2003-06-09 at 03:02, zentara wrote:
> On 08 Jun 2003 20:40:14 -0700 Tom Nielsen wrote:
> > Boy did you guys open up on me! Ouch! I guess I should have expected it.
> >
> > As an example, I just want to publish pictures of my carpet. (It's really nice carpet). I can do it now, but how can I keep folks out of my other directories?
>
> Apache's built-in security takes care of most of that for you. If the directory isn't listed in httpd.conf, and you don't have a flawed version of apache, it won't allow visitors out of the web directories. Your best option is to make a separate user just for displaying your web photos. That way, if they do get out of the public_html, it's just a dummy user's home directory.
>
> > I've seen you all answer these types of questions before. I really do appreciate the input I've received and will receive...including the RTFM parts.
>
> The only tricky thing with apache and homedirs is "suexec", which applies to the cgi-bin. suexec is enabled by default; to disable it, you need to remove the suexec binary from the system (or rename it). suexec will not allow any cgi to run unless it is owned by the owner of the homedir. It has its own log too, with the other http logs.
>
> If you don't use any cgi scripts, and just serve web pages, your security risk is pretty low.
Thanks for the tip. This is the type of "simple tips" I was talking about.

Tom
- - - - - - - - - - - - - - - - - -
Tom Nielsen
Neuro Logic Systems, Inc.
805.389.5435 x18
www.neuro-logic.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi

On Monday 09 June 2003 05:40, Tom Nielsen wrote:
> Boy did you guys open up on me! Ouch! I guess I should have expected it.
<snip>

You should have expected it; you put it as if you did not want to look at the manuals and that we all should do your work. Take a look at this link for setting up Installation of a Secure Webserver:
http://www.suse.de/en/private/support/howto/secure_webserv/index.html

Ian
- --
A child of five would understand this. Send someone to fetch a child of five.
Groucho Marx
- ----------------------------------------------------
PGP ID: 589F8449
Fingerprint: EB1C FACF 6BEB 540E 8AC0 F04E 2A25 A2F1 589F 8449
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE+5F+QKiWi8VifhEkRAjpxAJ9LFwKXtiU727NTyw8oe3VavXkbBwCcDftc
3BdDK8gnFGtceAL9xObTgLk=
=vA8V
-----END PGP SIGNATURE-----
On Mon, 2003-06-09 at 03:20, Ian David Laws wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Hi
>
> On Monday 09 June 2003 05:40, Tom Nielsen wrote:
> > Boy did you guys open up on me! Ouch! I guess I should have expected it.
> <snip>
>
> You should have expected it; you put it as if you did not want to look at the manuals and that we all should do your work. Take a look at this link for setting up Installation of a Secure Webserver:
> http://www.suse.de/en/private/support/howto/secure_webserv/index.html
>
> Ian
The only thing is that I don't want you all to do all the work....otherwise I would have invited some of you over to setup Apache and give you beer and chips while you configure it. :-) Just simple tips which I'm sure are out there....matter of fact, I got one a couple messages before this.

BTW - I like your Groucho quote...

Tom
-------
You've got the brain of a 5-year old, and I bet he was glad to get rid of it.
Groucho Marx.
participants (5)
- Derek Fountain
- Fred A. Miller
- Ian David Laws
- Tom Nielsen
- zentara