Hi,

I could configure Apache for testing my website offline, but is not
clear to me how to secure the folders before I connect the site to the
www.

In particular, I do not have the necessary knowledge to answer the
questions pasted below. (My Apache runs on Windows XP.)

It would also be very kind if some experienced Apache user could have
a look at the config file at the bottom of this post and points which
security lacks does he see.

Many thanks in advance.

-----------------------

1) Do I have to secure the folders that are not public documents
using the operating system, giving them owner and password, or are
Apache directives sufficient?

2) Can a hacker access the folders that are out of the main server
root (C:\Apache2)?
For instance, can he access a folder like "C:\thisIsNotPublic\" ?

3) Should I apply a 'Deny from all' to the logs folder?

4) Is there a risk that a user can write or delete files in the www
(i.e. htdocs), in the cgi-bin or the logs folder ?
If yes, how to prevent this to happen?

5) Should I put the cgi-bin folder totally out of the Apache root (C:
\Apache2\) and the same for the logs folder ?

6) Should I give the cgi-bin folder a sophisticated name so that one
cannot discover it easily ?
(I use the ScriptAlias directive.)

7) The Apache docs security tips tell:
<<
# cd /; ln -s / public_html
Accessing http://localhost/~root/
This would allow clients to walk through the entire filesystem.
>>
I tested http://localhost/~root/ on my PC but this did not let me
walk through the filesystem; a "document not found" error displayed.

Is it really necessary to add the following block as told in the
docs ?
<Directory />
Order Deny,Allow
Deny from all
</Directory>

8) Currently, I want only MSIE 6 to be able to run the website and a
redirection for other browsers.
Is the BrowserMatch directive sufficiently reliable to test this?
I doubt.
If yes, how to configure BrowserMatch? If no, how to test the
client broswer reliably?

9) Is there a way to limit the number of requests that come from a
IP address in a given amount of time?
(Avoiding automated password cracking, server overloading,
a.s.o.)

10) For secured folders, should I set 'AllowOverride none' to avoid
that an allowed user adds his own .htfiles
in subfolders in an attempt get additional rights ?

11) Is there a way to make that the cgi-bin applications (which
are .exe in my case)
can be called from forms in the public documents but not another
way?
(I don't think so, but wonder however.)

--------------------------------------
ServerRoot "C:/Apache2"

Listen 80

### Loading modules ###
# (...)

#ServerAdmin srvAdmin@mywebsite.com

#ErrorLog logs/error.log

#LogLevel warn

# The following line telling about the main server is necessary, but I
ignore why.
ServerName localhost
DocumentRoot "C:/Apache2"

<Directory "C:/Apache2/manual">
#Options MultiViews
</Directory>

# With *, it will work also if IP address is given dynamically.
NameVirtualHost *:80

# This virtual site has the Apache docs. It will be removed from the
conf file.
<VirtualHost *:80>
ServerName apachedoc
DocumentRoot "C:/Apache2/manual"
AddLanguage en .en
AddLanguage fr .fr
AddLanguage de .de
LanguagePriority fr en de
Options +MultiViews
</VirtualHost>

# This virtual site is my website.
<VirtualHost *:80>
ServerName www.mywebsite.com
DocumentRoot "C:/Apache2/mywebsite/www"
ErrorLog "mywebsite/logs/log.txt"
AddLanguage en .en
AddLanguage fr .fr
AddLanguage de .de
LanguagePriority en fr de
DirectoryIndex index
Options +MultiViews
IndexIgnore *
Alias /archive C:/Apache2/mywebsite/archive
ScriptAlias /cgi-bin C:/Apache2/mywebsite/cgi-bin

<Directory C:/Apache2/mywebsite/cgi-bin>
allow from all
Options +ExecCGI
</Directory>

<Directory C:/Apache2/mywebsite/www>
allow from all
</Directory>

</VirtualHost>

# Another web site
<VirtualHost *:80>
ServerName www.anothersite.net
(...)
</VirtualHost>

On May 7, 4:03 pm, geomet...@fastmail.fm wrote:
> Hi,
>
> I could configure Apache for testing my website offline, but is not
> clear to me how to secure the folders before I connect the site to the
> www.
>
> In particular, I do not have the necessary knowledge to answer the
> questions pasted below. (My Apache runs on Windows XP.)

XP Home or PRO?


>
> It would also be very kind if some experienced Apache user could have
> a look at the config file at the bottom of this post and points which
> security lacks does he see.
>
> Many thanks in advance.
>
> -----------------------
>
> 1) Do I have to secure the folders that are not public documents
> using the operating system, giving them owner and password, or are
> Apache directives sufficient?

depends what you mean, I think the answer is no.
however you should run apache as a service, and create a user for it.
then you should set the user to only have access to the files it
needs, php and apache and the doc root.
If you have XP Pro you can do this easily

>
> 2) Can a hacker access the folders that are out of the main server
> root (C:\Apache2)?
> For instance, can he access a folder like "C:\thisIsNotPublic\" ?
>
Not if the apache service has no access. However if you cannot secure
apache in this way, then yes a hacker can potentially gain access if
your code is bad, and leaves holes for him/her to do so.


> 3) Should I apply a 'Deny from all' to the logs folder?

No it wont protect them. /logs is used by apache, and is outside the
document root. The way a hacker would get to the logs folder would be
through a hole in your script, if they already had the file system
access then its game over no matter what apache thinks.

>
> 4) Is there a risk that a user can write or delete files in the www
> (i.e. htdocs), in the cgi-bin or the logs folder ?
> If yes, how to prevent this to happen?
>
yes, if your code is bad.
patch apache/php to the latest version
write good php code.
dont allow user upload of files which can then be viewed through their
browser.

> 5) Should I put the cgi-bin folder totally out of the Apache root (C:
> \Apache2\) and the same for the logs folder ?

cgi-bin has to be in doc root or else cgis cannot be executed, (a
ScriptAlias is the same as having it in the doc root after all)
logs folder is already outside htdocs.

>
> 6) Should I give the cgi-bin folder a sophisticated name so that one
> cannot discover it easily ?
> (I use the ScriptAlias directive.)
>
no, it wont protect, as you NEED to be click on links to execute the
cgi.
method="post" action="wibblestiltskin-crazy-name/script.cgi" is still
a name which can be found and typed
If you dont use CGI turn off ExecCGI for all directories and dont
worry about it anymore!!

> 7) The Apache docs security tips tell:
> <<
> # cd /; ln -s / public_html
> Accessinghttp://localhost/~root/
> This would allow clients to walk through the entire filesystem.
> >>
> I testedhttp://localhost/~root/on my PC but this did not let me
> walk through the filesystem; a "document not found" error displayed.
>
thats cos its not a windows XP vulneraility - there are many others.
Run mod security and look at the cool rules project if you are
prepared to learn about possible threats and how to stop them at the
door

> Is it really necessary to add the following block as told in the
> docs ?
> <Directory />
> Order Deny,Allow
> Deny from all
> </Directory>

yes, it starts from the position of absolutely NO rights, standard
practise in the *nix world, whereas Windows XP starts from the
position of "Administrator" so its all downhill from there!!!

>
> 8) Currently, I want only MSIE 6 to be able to run the website and a
> redirection for other browsers.
> Is the BrowserMatch directive sufficiently reliable to test this?
> I doubt.

No, I can spoof the MSIE UserAgent with 2clicks in firefox, however it
will stop non UA aware "users"

> If yes, how to configure BrowserMatch? If no, how to test the
> client broswer reliably?

You cannot, you just cannot. Simple as that. Even if you match the
MSIE string, then use javascript to feature detect for MSIE, you will
still NOT prevent Firefox from coming along and viewing your website.

>
> 9) Is there a way to limit the number of requests that come from a
> IP address in a given amount of time?
> (Avoiding automated password cracking, server overloading,
> a.s.o.)

yes, a decent firewall. Apache is not the place to be doing this,
after all if apache can see the requests and connection attempts then
it can see them, DOS will still occur. However there are modules which
do this. mod_bw limited bandwidth, etc....

>
> 10) For secured folders, should I set 'AllowOverride none' to avoid
> that an allowed user adds his own .htfiles
> in subfolders in an attempt get additional rights ?
>

yes, if you have httpd.conf access use it. do not use .htaccess files,
they slow down the server slightly, they could reveal info if
downloaded by accident after a server misconfiguration.

> 11) Is there a way to make that the cgi-bin applications (which
> are .exe in my case)
> can be called from forms in the public documents but not another
> way?
> (I don't think so, but wonder however.)
>
If your cgi scripts can be called in a browser they can be set off
from anywhere, using the referer is not valid as browsers dont have to
send them, and some privacy applications remove them.

Done forget to remove the /manual as recommended in the apache docs.

My advice is that if you are concerned about security, don't be so
quick to run exe's, until you have looked into their weaknesses. And
in particular you say your server is to test "offline" but you appear
to be letting the public see things. My advice, limit by IP who can
see your server. IE. only you at work, and while youre on yuor loacl
network. Until you have fully appreciated the risks you are exposed
to.

Also turn off all unneeded services on your computer, from UPnP, SNMP,
netbios, etc.. etc.. or else your machine might be broadcasting info
to the machines that come visiting.

Ensure you are running a decent hardware firewall between the server
and internet, and then grab yourself a few scanner and have fun
testing your server like it will be probed by others.

If you write any php, make sure you know what you are doing. This is
the easiest way to open up your machine to attack. If you have XP
Home, then make sure you take regular backups onto a new disk, because
you cant lock your machine down.

> --------------------------------------
> ServerRoot "C:/Apache2"
>
> Listen 80
>
> ### Loading modules ###
> # (...)
>
> #ServerAdmin srvAd...@mywebsite.com
>
> #ErrorLog logs/error.log
>
> #LogLevel warn
>
> # The following line telling about the main server is necessary, but I
> ignore why.
> ServerName localhost
> DocumentRoot "C:/Apache2"
>
> <Directory "C:/Apache2/manual">
> #Options MultiViews
> </Directory>
>
> # With *, it will work also if IP address is given dynamically.
> NameVirtualHost *:80
>
> # This virtual site has the Apache docs. It will be removed from the
> conf file.
> <VirtualHost *:80>
> ServerName apachedoc
> DocumentRoot "C:/Apache2/manual"
> AddLanguage en .en
> AddLanguage fr .fr
> AddLanguage de .de
> LanguagePriority fr en de
> Options +MultiViews
> </VirtualHost>
>
> # This virtual site is my website.
> <VirtualHost *:80>
> ServerNamewww.mywebsite.com
> DocumentRoot "C:/Apache2/mywebsite/www"
> ErrorLog "mywebsite/logs/log.txt"
> AddLanguage en .en
> AddLanguage fr .fr
> AddLanguage de .de
> LanguagePriority en fr de
> DirectoryIndex index
> Options +MultiViews
> IndexIgnore *
> Alias /archive C:/Apache2/mywebsite/archive
> ScriptAlias /cgi-bin C:/Apache2/mywebsite/cgi-bin
>
> <Directory C:/Apache2/mywebsite/cgi-bin>
> allow from all
> Options +ExecCGI
> </Directory>
>
> <Directory C:/Apache2/mywebsite/www>
> allow from all
> </Directory>
>
> </VirtualHost>
>
> # Another web site
> <VirtualHost *:80>
> ServerNamewww.anothersite.net
> (...)
> </VirtualHost>

On 7 mai, 22:08, shimmyshack <matt.fa...@gmail.com> wrote:
> On May 7, 4:03 pm, geomet...@fastmail.fm wrote:
>

Thank you Shimmy. I commented your answer.

> > Hi,
>
> > I could configure Apache for testing my website offline, but is not
> > clear to me how to secure the folders before I connect the site to the
> > www.
>
> > In particular, I do not have the necessary knowledge to answer the
> > questions pasted below. (My Apache runs on Windows XP.)
>
> XP Home or PRO?

XP home for my offline tests. Should I absolutely consider XP Pro to
host the final site?
(I know that Unix-like OS would be better but decided to keep with
Windows for a while.)

>
> > It would also be very kind if some experienced Apache user could have
> > a look at the config file at the bottom of this post and points which
> > security lacks does he see.
>
> > Many thanks in advance.
>
> > -----------------------
>
> > 1) Do I have to secure the folders that are not public documents
> > using the operating system, giving them owner and password, or are
> > Apache directives sufficient?
>
> depends what you mean, I think the answer is no.
I also think so, but would rather be sure.

> however you should run apache as a service, and create a user for it.
> then you should set the user to only have access to the files it
> needs, php and apache and the doc root.
> If you have XP Pro you can do this easily

I did not installed Apache as a service as the installation program
proposed me to install the server for all computer users and I did not
want it. I just lauch it from the command line and with XP Home. Why
is this a problem?
>
>
> > 2) Can a hacker access the folders that are out of the main server
> > root (C:\Apache2)?
> > For instance, can he access a folder like "C:\thisIsNotPublic\" ?
>
> Not if the apache service has no access. However if you cannot secure
> apache in this way, then yes a hacker can potentially gain access if
> your code is bad, and leaves holes for him/her to do so.

I think my code well written (with many checks inside). My cgi-bin
folder has small compiled programs (.exe) that call a library. The
request on the library is different depending on the exe that calls
it. The library is out of the Apache root. I thought that if
unfortunately a hacker access the cgi-bin file and can get the
executables, he does not have the core of the program, that is the
dll. All runs fine on my PC. Is this good idea?

> > 3) Should I apply a 'Deny from all' to the logs folder?
>
> No it wont protect them. /logs is used by apache, and is outside the
> document root. The way a hacker would get to the logs folder would be
> through a hole in your script, if they already had the file system
> access then its game over no matter what apache thinks.
Good remark.
>
> > 4) Is there a risk that a user can write or delete files in the www
> > (i.e. htdocs), in the cgi-bin or the logs folder ?
> > If yes, how to prevent this to happen?
>
> yes, if your code is bad.
> patch apache/php to the latest version
> write good php code.
There is not any PHP on my whole site. I did not installed PHP, only
Apache.
I thought that the less components are to configure, the less the risk
of security holes is.

> dont allow user upload of files which can then be viewed through their
> browser.
You mean the files that are not in htdocs, I assume.
Compiling the HTML and JavaScripts could make harder to discover the
name of the called executables but will have no effect against a
motivated malevolent person. Is this however recommended to avoid
automatic calls of the executables?

> > 5) Should I put the cgi-bin folder totally out of the Apache root (C:
> > \Apache2\) and the same for the logs folder ?
>
> cgi-bin has to be in doc root or else cgis cannot be executed,

I hope you speak from the server root, not the root where documents
are!

> (a ScriptAlias is the same as having it in the doc root after all)
> logs folder is already outside htdocs.

Excepted that ScriptAlias avoid the user to see the name of the folder
where the executables are stored. I think that this kind of discretion
is not neglegible. Moreover a path like C:\Program Files\Apache2\cgi-
bin is a good choice for a hacker. A path like C:\randomstring1\cgi-
bin is less.

> > 6) Should I give the cgi-bin folder a sophisticated name so that one
> > cannot discover it easily ?
> > (I use the ScriptAlias directive.)
>
> no, it wont protect, as you NEED to be click on links to execute the
> cgi.

I meant for motivated hackers wanting to find where the cgi-bin folder
is.
The link shows only the ScriptAlias. But that's true that if a hacker
enters the system, he can read the httpd.conf file and see where are
the executables located.

> method="post" action="wibblestiltskin-crazy-name/script.cgi" is still
> a name which can be found and typed
> If you dont use CGI turn off ExecCGI for all directories and dont
> worry about it anymore!!
>
> > 7) The Apache docs security tips tell:
> > <<
> > # cd /; ln -s / public_html
> > Accessinghttp://localhost/~root/
> > This would allow clients to walk through the entire filesystem.
>
> > I testedhttp://localhost/~root/onmy PC but this did not let me
> > walk through the filesystem; a "document not found" error displayed.
>
> thats cos its not a windows XP vulneraility - there are many others.

Thanks for this info. One less think I have to worry about.

> Run mod security
What's this?

> and look at the cool rules project
What's this? I'll type in Google to see.

> if you are
> prepared to learn about possible threats and how to stop them at the
> door
>
> > Is it really necessary to add the following block as told in the
> > docs ?
> > <Directory />
> > Order Deny,Allow
> > Deny from all
> > </Directory>
>
> yes, it starts from the position of absolutely NO rights, standard
> practise in the *nix world, whereas Windows XP starts from the
> position of "Administrator" so its all downhill from there!!!

So, if I understand, a very good password is necessary for the
Administrator account on Windows XP.
>
>
> > 8) Currently, I want only MSIE 6 to be able to run the website and a
> > redirection for other browsers.
> > Is the BrowserMatch directive sufficiently reliable to test this?
> > I doubt.
>
> No, I can spoof the MSIE UserAgent with 2clicks in firefox, however it
> will stop non UA aware "users"
>
> > If yes, how to configure BrowserMatch? If no, how to test the
> > client broswer reliably?
>
> You cannot, you just cannot. Simple as that. Even if you match the
> MSIE string, then use javascript to feature detect for MSIE, you will
> still NOT prevent Firefox from coming along and viewing your website.
>
That's a problem. I made a sophisticated user-agent test from within
my library. But the problem is that most browsers do not understand
when I return them an error message telling that the program is not
available to them. So they block. Should I set a timeout in each link
calling a program and serversides exit the program as soon as an
incompatible browser is detected? I many times heard that JavaScript
detection is insufficient and serversides detection is really
recommended.
>
> > 9) Is there a way to limit the number of requests that come from a
> > IP address in a given amount of time?
> > (Avoiding automated password cracking, server overloading,
> > a.s.o.)
>
> yes, a decent firewall. Apache is not the place to be doing this,
> after all if apache can see the requests and connection attempts then
> it can see them, DOS will still occur. However there are modules which
> do this. mod_bw limited bandwidth, etc....
>
I'll see. Thank you for these infos.
>
> > 10) For secured folders, should I set 'AllowOverride none' to avoid
> > that an allowed user adds his own .htfiles
> > in subfolders in an attempt get additional rights ?
>
> yes, if you have httpd.conf access use it. do not use .htaccess files,
> they slow down the server slightly, they could reveal info if
> downloaded by accident after a server misconfiguration.

I plan few users at the beginning and not huge number in the future.
I'll start with .htaccess files. If I understood how Apache works, it
only checks the access files for the branch of the tree it want to
access. So, if the branch is not too long and with only a .htaccess
file at its bottom it should not slow down too much the server.

> > 11) Is there a way to make that the cgi-bin applications (which
> > are .exe in my case)
> > can be called from forms in the public documents but not another
> > way?
> > (I don't think so, but wonder however.)
>
> If your cgi scripts can be called in a browser they can be set off
> from anywhere, using the referer is not valid as browsers dont have to
> send them, and some privacy applications remove them.
>
> Done forget to remove the /manual as recommended in the apache docs.
Yes.
> My advice is that if you are concerned about security, don't be so
> quick to run exe's, until you have looked into their weaknesses. And
> in particular you say your server is to test "offline" but you appear
> to be letting the public see things.

I tested my program and the extensively offline. I consider it ready,
appart the Apache configuration that I am doing these days. One day,
it becomes necessary to stop home tests and to enter the dangerous
real world...

My advice, limit by IP who can
> see your server.

I wanted too. A friend that is much capable in computer science will
me to test the security. I just want to make him the task
hard :-)
I alwo won't advertise for the site.

But I see a problem : most people have dynamically attributed IP
addresses...
So, how to do?

A good think to reduce the risk could be to restrict the geographical
area of possible users.
I assume the IP numbers tell something about this, no?

IE. only you at work, and while youre on yuor loacl
> network. Until you have fully appreciated the risks you are exposed
> to.
This is why I'm asking so many questions...

> Also turn off all unneeded services on your computer, from UPnP, SNMP,
> netbios, etc.. etc.. or else your machine might be broadcasting info
> to the machines that come visiting.

This is much interesting. I disabled most services some days ago, but
will check to disable the ones you tell about.

> Ensure you are running a decent hardware firewall between the server
> and internet, and then grab yourself a few scanner and have fun
> testing your server like it will be probed by others.
>
> If you write any php, make sure you know what you are doing. This is
> the easiest way to open up your machine to attack.

I renounced to PHP. I'm really not an expert in security but heard
that it is a common way for intrusions.

If you have XP
> Home, then make sure you take regular backups onto a new disk, because
> you cant lock your machine down.
>
>
>
> > --------------------------------------
> > ServerRoot "C:/Apache2"
>
> > Listen 80
>
> > ### Loading modules ###
> > # (...)
>
> > #ServerAdmin srvAd...@mywebsite.com
>
> > #ErrorLog logs/error.log
>
> > #LogLevel warn
>
> > # The following line telling about the main server is necessary, but I
> > ignore why.
> > ServerName localhost
> > DocumentRoot "C:/Apache2"
>
> > <Directory "C:/Apache2/manual">
> > #Options MultiViews
> > </Directory>
>
> > # With *, it will work also if IP address is given dynamically.
> > NameVirtualHost *:80
>
> > # This virtual site has the Apache docs. It will be removed from the
> > conf file.
> > <VirtualHost *:80>
> > ServerName apachedoc
> > DocumentRoot "C:/Apache2/manual"
> > AddLanguage en .en
> > AddLanguage fr .fr
> > AddLanguage de .de
> > LanguagePriority fr en de
> > Options +MultiViews
> > </VirtualHost>
>
> > # This virtual site is my website.
> > <VirtualHost *:80>
> > ServerNamewww.mywebsite.com
> > DocumentRoot "C:/Apache2/mywebsite/www"
> > ErrorLog "mywebsite/logs/log.txt"
> > AddLanguage en .en
> > AddLanguage fr .fr
> > AddLanguage de .de
> > LanguagePriority en fr de
> > DirectoryIndex index
> > Options +MultiViews
> > IndexIgnore *
> > Alias /archive C:/Apache2/mywebsite/archive
> > ScriptAlias /cgi-bin C:/Apache2/mywebsite/cgi-bin
>
> > <Directory C:/Apache2/mywebsite/cgi-bin>
> > allow from all
> > Options +ExecCGI
> > </Directory>
>
> > <Directory C:/Apache2/mywebsite/www>
> > allow from all
> > </Directory>
>
> > </VirtualHost>
>
> > # Another web site
> > <VirtualHost *:80>
> > ServerNamewww.anothersite.net
> > (...)
> > </VirtualHost>- Masquer le texte des messages précédents -
>
> - Afficher le texte des messages précédents -

On May 7, 10:58 pm, geomet...@fastmail.fm wrote:
> On 7 mai, 22:08, shimmyshack <matt.fa...@gmail.com> wrote:
>
> > On May 7, 4:03 pm, geomet...@fastmail.fm wrote:
>
> Thank you Shimmy. I commented your answer.
>
> > > Hi,
>
> > > I could configure Apache for testing my website offline, but is not
> > > clear to me how to secure the folders before I connect the site to the
> > > www.
>
> > > In particular, I do not have the necessary knowledge to answer the
> > > questions pasted below. (My Apache runs on Windows XP.)
>
> > XP Home or PRO?
>
> XP home for my offline tests. Should I absolutely consider XP Pro to
> host the final site?
> (I know that Unix-like OS would be better but decided to keep with
> Windows for a while.)
>
>
>
> > > It would also be very kind if some experienced Apache user could have
> > > a look at the config file at the bottom of this post and points which
> > > security lacks does he see.
>
> > > Many thanks in advance.
>
> > > -----------------------
>
> > > 1) Do I have to secure the folders that are not public documents
> > > using the operating system, giving them owner and password, or are
> > > Apache directives sufficient?
>
> > depends what you mean, I think the answer is no.
>
> I also think so, but would rather be sure.
>
> > however you should run apache as a service, and create a user for it.
> > then you should set the user to only have access to the files it
> > needs, php and apache and the doc root.
> > If you have XP Pro you can do this easily
>
> I did not installed Apache as a service as the installation program
> proposed me to install the server for all computer users and I did not
> want it. I just lauch it from the command line and with XP Home. Why
> is this a problem?
>
>
>
> > > 2) Can a hacker access the folders that are out of the main server
> > > root (C:\Apache2)?
> > > For instance, can he access a folder like "C:\thisIsNotPublic\" ?
>
> > Not if the apache service has no access. However if you cannot secure
> > apache in this way, then yes a hacker can potentially gain access if
> > your code is bad, and leaves holes for him/her to do so.
>
> I think my code well written (with many checks inside). My cgi-bin
> folder has small compiled programs (.exe) that call a library. The
> request on the library is different depending on the exe that calls
> it. The library is out of the Apache root. I thought that if
> unfortunately a hacker access the cgi-bin file and can get the
> executables, he does not have the core of the program, that is the
> dll. All runs fine on my PC. Is this good idea?
>
> > > 3) Should I apply a 'Deny from all' to the logs folder?
>
> > No it wont protect them. /logs is used by apache, and is outside the
> > document root. The way a hacker would get to the logs folder would be
> > through a hole in your script, if they already had the file system
> > access then its game over no matter what apache thinks.
> Good remark.
>
> > > 4) Is there a risk that a user can write or delete files in the www
> > > (i.e. htdocs), in the cgi-bin or the logs folder ?
> > > If yes, how to prevent this to happen?
>
> > yes, if your code is bad.
> > patch apache/php to the latest version
> > write good php code.
>
> There is not any PHP on my whole site. I did not installed PHP, only
> Apache.
> I thought that the less components are to configure, the less the risk
> of security holes is.
>
> > dont allow user upload of files which can then be viewed through their
> > browser.
>
> You mean the files that are not in htdocs, I assume.
> Compiling the HTML and JavaScripts could make harder to discover the
> name of the called executables but will have no effect against a
> motivated malevolent person. Is this however recommended to avoid
> automatic calls of the executables?
>
> > > 5) Should I put the cgi-bin folder totally out of the Apache root (C:
> > > \Apache2\) and the same for the logs folder ?
>
> > cgi-bin has to be in doc root or else cgis cannot be executed,
>
> I hope you speak from the server root, not the root where documents
> are!
>
> > (a ScriptAlias is the same as having it in the doc root after all)
> > logs folder is already outside htdocs.
>
> Excepted that ScriptAlias avoid the user to see the name of the folder
> where the executables are stored. I think that this kind of discretion
> is not neglegible. Moreover a path like C:\Program Files\Apache2\cgi-
> bin is a good choice for a hacker. A path like C:\randomstring1\cgi-
> bin is less.
>
> > > 6) Should I give the cgi-bin folder a sophisticated name so that one
> > > cannot discover it easily ?
> > > (I use the ScriptAlias directive.)
>
> > no, it wont protect, as you NEED to be click on links to execute the
> > cgi.
>
> I meant for motivated hackers wanting to find where the cgi-bin folder
> is.
> The link shows only the ScriptAlias. But that's true that if a hacker
> enters the system, he can read the httpd.conf file and see where are
> the executables located.
>
> > method="post" action="wibblestiltskin-crazy-name/script.cgi" is still
> > a name which can be found and typed
> > If you dont use CGI turn off ExecCGI for all directories and dont
> > worry about it anymore!!
>
> > > 7) The Apache docs security tips tell:
> > > <<
> > > # cd /; ln -s / public_html
> > > Accessinghttp://localhost/~root/
> > > This would allow clients to walk through the entire filesystem.
>
> > > I testedhttp://localhost/~root/onmyPC but this did not let me
> > > walk through the filesystem; a "document not found" error displayed.
>
> > thats cos its not a windows XP vulneraility - there are many others.
>
> Thanks for this info. One less think I have to worry about.
>
> > Run mod security
>
> What's this?
>
> > and look at the cool rules project
>
> What's this? I'll type in Google to see.
>
> > if you are
> > prepared to learn about possible threats and how to stop them at the
> > door
>
> > > Is it really necessary to add the following block as told in the
> > > docs ?
> > > <Directory />
> > > Order Deny,Allow
> > > Deny from all
> > > </Directory>
>
> > yes, it starts from the position of absolutely NO rights, standard
> > practise in the *nix world, whereas Windows XP starts from the
> > position of "Administrator" so its all downhill from there!!!
>
> So, if I understand, a very good password is necessary for the
> Administrator account on Windows XP.
>
>
>
> > > 8) Currently, I want only MSIE 6 to be able to run the website and a
> > > redirection for other browsers.
> > > Is the BrowserMatch directive sufficiently reliable to test this?
> > > I doubt.
>
> > No, I can spoof the MSIE UserAgent with 2clicks in firefox, however it
> > will stop non UA aware "users"
>
> > > If yes, how to configure BrowserMatch? If no, how to test the
> > > client broswer reliably?
>
> > You cannot, you just cannot. Simple as that. Even if you match the
> > MSIE string, then use javascript to feature detect for MSIE, you will
> > still NOT prevent Firefox from coming along and viewing your website.
>
> That's a problem. I made a sophisticated user-agent test from within
> my library. But the problem is that most browsers do not understand
> when I return them an error message telling that the program is not
> available to them. So they block. Should I set a timeout in each link
> calling a program and serversides exit the program as soon as an
> incompatible browser is detected? I many times heard that JavaScript
> detection is insufficient and serversides detection is really
> recommended.
>
> > > 9) Is there a way to limit the number of requests that come from a
> > > IP address in a given amount of time?
> > > (Avoiding automated password cracking, server overloading,
> > > a.s.o.)
>
> > yes, a decent firewall. Apache is not the place to be doing this,
> > after all if apache can see the requests and connection attempts then
> > it can see them, DOS will still occur. However there are modules which
> > do this. mod_bw limited bandwidth, etc....
>
> I'll see. Thank you for these infos.
>
>
>
> > > 10) For secured folders, should I set 'AllowOverride none' to avoid
> > > that an allowed user adds his own .htfiles
> > > in subfolders in an attempt get additional rights ?
>
> > yes, if you have httpd.conf access use it. do not use .htaccess files,
> > they slow down the server slightly, they could reveal info if
> > downloaded by accident after a server misconfiguration.
>
> I plan few users at the beginning and not huge number in the future.
> I'll start with .htaccess files. If I understood how Apache works, it
> only checks the access files for the branch of the tree it want to
> access. So, if the branch is not too long and with only a .htaccess
> file at its bottom it should not slow down too much the server.
>
>
>
>
>
> > > 11) Is there a way to make that the cgi-bin applications (which
> > > are .exe in my case)
> > > can be called from forms in the public documents but not another
> > > way?
> > > (I don't think so, but wonder however.)
>
> > If your cgi scripts can be called in a browser they can be set off
> > from anywhere, using the referer is not valid as browsers dont have to
> > send them, and some privacy applications remove them.
>
> > Done forget to remove the /manual as recommended in the apache docs.
> Yes.
> > My advice is that if you are concerned about security, don't be so
> > quick to run exe's, until you have looked into their weaknesses. And
> > in particular you say your server is to test "offline" but you appear
> > to be letting the public see things.
>
> I tested my program and the extensively offline. I consider it ready,
> appart the Apache configuration that I am doing these days. One day,
> it becomes necessary to stop home tests and to enter the dangerous
> real world...
>
> My advice, limit by IP who can
>
> > see your server.
>
> I wanted too. A friend that is much capable in computer science will
> me to test the security. I just want to make him the task
> hard :-)
> I alwo won't advertise for the site.
>
> But I see a problem : most people have dynamically attributed IP
> addresses...
> So, how to do?
>
> A good think to reduce the risk could be to restrict the geographical
> area of possible users.
> I assume the IP numbers tell something about this, no?
>
> IE. only you at work, and while youre on yuor loacl
>
> > network.
>
> ...
>
> read more »



You have reaised a few issues. A lot of them are "security by
obscurity" using scriptalias to stop someone from seeing a filesystem
path.
While that is true, it will not stop a hacker from knowing where on
your system the real path is. Unfortunately if s/he cannot get access
to your servers filesystem, then she will poke around in your
application and see what s/he can get. When s/he does get fs access,
she does
cd \
dir /s bin cgi-bin log* conf apache > found.txt

there are a million and one ways to get control once fs access is
established, or a remote cmd window is there.
A process like apache that is running as administrator is a big no no.

XP Home doesnt allow proper user rights, with Pro you use
windows explorer -> tools-> folder options ->
view tab -> at bottom of list uncheck use simple file sharing
(recommended) ) this option is not there in home
then start->run>compmgmt.msc
local users and groups, right click Users->new user
username: apache
full name: apache user
description: security for apache
uncheck must change at next logon
check cannot change
check never expires
now "create"
double click the apache user->member of tab
remove all in that list.

now right click every folder/file that apache needs, and click sharing
and security
security tab->add->type apache and click check user, then seelect the
rights you want apache to have, mostly it will only need read, but for
somefolders more than others
do the same for all folders, dont forget to remove sub folders apache
doesnt need. only adding things it certainly needs access to.


as to .htaccess once you have allowed it, apache will search every
directory for an .htaccess file because they inherit, and every single
subfolder up to the file it serves, for every image, every css file,
every html file, so there are potentially hundreds of lookups for each
webpage, maybe more! get yourself a copy of filemon from the
sysinternals part fo the ms website and run it bound to your system
drive and request a few webapges with images etc.. in when you are
running apache.

Running apache as a serive is not toally needed, however when you run
apache you should run it as another user, right click Run As...
XP Pro is reommended for home "amateur" hosting, if you intend to host
"out there" with a company go for linux every time. Get yourself
Ubuntu at home and run apache on that, its not as hard as you might
think these days.


Compiling javascript and html is not possible I am afriad, have you
thought about proxies, whatever complexity you build into your
javascript, it is SO EASY to find out what you mean, trust me!! Also
whenever your script communicates with the server, even over SSL - it
is simple to see what it is doing and play with the request.
Fiddlertool will allow this, firebug extension for firefox allows
this.

There is NO security is making things difficult to see, this is what
hackers live for, its what makes them tick, it is NOT a put off, it
just stops the kid next door.

How to allow just your browser at work, use SSL, and bsaic auth for
the whole site. Allowing only the erros directory and the errors
images directory (403.html) which descirbes why a user is not allowed,
and tells them why.

Also you /could/ use a "sepcial" user agent string, although this too
will be sniffably by your admins at work, so they can copy your UA to
see your site:

SetEnvIf User-Agent special$ I_am_allowed
you can then
Order Allow,Deny
Allow from I_am_allowed
for the whole server
set your UA at work to be a string ending in "special"
you do this using a proxy like fiddlertool, and setting a custom UA,
unless there is an active-x feature for your IE at work.

hope this s,m

> (...) it will not stop a hacker from knowing where on
> your system the real path is. Unfortunately if s/he cannot get access
> to your servers filesystem, then she will poke around in your
> application and see what s/he can get. When s/he does get fs access,
> she does
> cd \
> dir /s bin cgi-bin log* conf apache > found.txt
>
I don't know what fs access is. I'll have to read.
Does the lines you wrote concern Linux systems?
I cannot understand what they mean and where they are typed.

(...)
> Running apache as a serive is not toally needed, however when you run
> apache you should run it as another user, right click Run As...
> XP Pro is reommended for home "amateur" hosting, if you intend to host
> "out there" with a company go for linux every time. Get yourself
> Ubuntu at home and run apache on that, its not as hard as you might
> think these days.
>
I would like my hosting to be professional but for a 1-person-company
and a on a stand-alone computer.

I hesitate a lot between Windows XP Pro and Linux.

If I choose XP, I assume that it would be wise to make the hosting on
a new or reinstalled computer in order to avoid potential security
lacks in XP configuration. Advantage: simplicity for me as I know
Windows, not Linux.
Disadavantage : price.
Unknown : sufficient security? (How much "amateur" is hosting on
Windows?)

If I choose Linux.
Advantages : better security as long as I know well the OS (and that's
not the case). Possible installation on my current computer by
partionning the disk.
Disadavantage : having to learn Linux + recompling the code off my
current EXEs and DLLs.

Sometimes, I have the feeling that it is a short term VS long term
choice.
Maybe I could start with XP and learn Linux in parallel.
How much time to learn Linux and be comfortable with it?
You told about Ubuntu. I also heard about OpenSUSE (by Novell).
Is Ubuntu specially reliable for Apache hosting?
Are some distributions harder to learn than others?

(...)
> Also you /could/ use a "sepcial" user agent string, although this too
> will be sniffably by your admins at work, so they can copy your UA to
> see your site:
>
> SetEnvIf User-Agent special$ I_am_allowed
> you can then
> Order Allow,Deny
> Allow from I_am_allowed
> for the whole server
> set your UA at work to be a string ending in "special"
> you do this using a proxy like fiddlertool, and setting a custom UA,
> unless there is an active-x feature for your IE at work.
>
> hope this s,m

Yes. Thanks a lot for all these interesting informations.
Your special agent string is a good idea.
I wonder if there is a way to use the SetEnvIf / BrowserMatch
techniques to serversides redirect unallowed browsers on a special
error page. I was performing browser detection from within my exe and
wanted to send some error page message to not accepted browsers. I
observed that it was too late. Some browser never display the
dynamically written HTML content.

On May 10, 9:24 am, geomet...@fastmail.fm wrote:
> > (...) it will not stop a hacker from knowing where on
> > your system the real path is. Unfortunately if s/he cannot get access
> > to your servers filesystem, then she will poke around in your
> > application and see what s/he can get. When s/he does get fs access,
> > she does
> > cd \
> > dir /s bin cgi-bin log* conf apache > found.txt
>
> I don't know what fs access is. I'll have to read.
> Does the lines you wrote concern Linux systems?
> I cannot understand what they mean and where they are typed.
>
> (...)> Running apache as a serive is not toally needed, however when you run
> > apache you should run it as another user, right click Run As...
> > XP Pro is reommended for home "amateur" hosting, if you intend to host
> > "out there" with a company go for linux every time. Get yourself
> > Ubuntu at home and run apache on that, its not as hard as you might
> > think these days.
>
> I would like my hosting to be professional but for a 1-person-company
> and a on a stand-alone computer.
>
> I hesitate a lot between Windows XP Pro and Linux.
>
> If I choose XP, I assume that it would be wise to make the hosting on
> a new or reinstalled computer in order to avoid potential security
> lacks in XP configuration. Advantage: simplicity for me as I know
> Windows, not Linux.
> Disadavantage : price.
> Unknown : sufficient security? (How much "amateur" is hosting on
> Windows?)
>
> If I choose Linux.
> Advantages : better security as long as I know well the OS (and that's
> not the case). Possible installation on my current computer by
> partionning the disk.
> Disadavantage : having to learn Linux + recompling the code off my
> current EXEs and DLLs.
>
> Sometimes, I have the feeling that it is a short term VS long term
> choice.
> Maybe I could start with XP and learn Linux in parallel.
> How much time to learn Linux and be comfortable with it?
> You told about Ubuntu. I also heard about OpenSUSE (by Novell).
> Is Ubuntu specially reliable for Apache hosting?
> Are some distributions harder to learn than others?
>
> (...)
>
> > Also you /could/ use a "sepcial" user agent string, although this too
> > will be sniffably by your admins at work, so they can copy your UA to
> > see your site:
>
> > SetEnvIf User-Agent special$ I_am_allowed
> > you can then
> > Order Allow,Deny
> > Allow from I_am_allowed
> > for the whole server
> > set your UA at work to be a string ending in "special"
> > you do this using a proxy like fiddlertool, and setting a custom UA,
> > unless there is an active-x feature for your IE at work.
>
> > hope this s,m
>
> Yes. Thanks a lot for all these interesting informations.
> Your special agent string is a good idea.
> I wonder if there is a way to use the SetEnvIf / BrowserMatch
> techniques to serversides redirect unallowed browsers on a special
> error page. I was performing browser detection from within my exe and
> wanted to send some error page message to not accepted browsers. I
> observed that it was too late. Some browser never display the
> dynamically written HTML content.

dir /s bin cgi-bin log* conf apache > found.txt
is just a way of getting all the paths which contain the strings
cgi-bin, log, conf, apache into the text file found.txt
try it like this from any command window

cd \
dir /s bin cgi-bin log* conf apache

it's not clever, but it is something that can be executed via a
exploit shell (like c99) uploaded via some php flaw.
XP Pro hosting is possible, with later versions of XP there's the
10simultaneous outoing tcp connections hard limit;
Uptimes of only a couple of months, compared to the years possible
with a well setup linux sustem
IMHO the security is fine if you set XP up properly - as it's own user
with very limited rights to the file system (or fs for short!), the
main threat will come from within your own application code, and the
attacks will be "automatic" via worms and the like probing your code.
As you get more users, so you will get more XSS unless you write good
javascript and filter all your php.

I havent used openSUSE, but Ubuntu is "linux for humans" and it doesnt
take much time to feel at home, about a month of tinkering will mean
you have a great screen resolution, a printer and a coding/email/
browsing/music environment! Although it is by no means the polished OS
that XP is, by that I mean that eg. you will have trouble selecting
400 files in versions of explorer and trying to copy them to another
folder, you will get buffer full errors and bts of the GUI will hang,
after a crash you might boot up and find a buttons have gone missing
etc...
(on the other hand windows is just the same in some ways that we have
got used to - a firewall that says "shall I carry on blocking? but
isnt actually blocking at all; notification area arrow bug, time that
wont syncronise via NTP if its too wrong, M$ products reasserting
themselves in the quicklaunch etc....)
if you are happy with a few quirks then you will feel at home in
Linux. Ubuntu is very stable, autoupdates always always work (do for
me) there's tonnes of great free software you could never get for
Windows. Ubuntu lets me run a public wireless access point with
bandwidth shaping, dhcp, dns, firewalling and content filtering, all
with just a few downloads and some editing of text files.

As for any kind of security that allows you to see your website at
hime, but prevents others, by far the easiest would be SSL coupled
with basic authentication. If you just use something like user agent,
then someone could potentially sniff your traffic and spoof your
browser agent. I would personally want more security than that. You
could for instance run a VPN server at your home - like "ssl
explorer", and if your work network allowed it, make a vpn back to
your house and then access your website from the LAN. But yes you
could use UA string to allow only you and send the others to an error
page.

Thank you. I'll probably try Linux one day.
After some thoughts, I think I'll stay with Windows to begin and
secure my server the best I can. I prefer using an OS that is maybe
not perfect for Apache hosting but that I know quite well rather than
trying a more convenient OS that I don't masterize. I often read that
one of most important factors in security is the human one: know the
OS you use.
Your advices are not lost! I'll apply some of your recommendations
directly and keep the others in mind for later.
Thank you very much for all your .
Regards.