Unless this is just academic, I've explained myself poorly.
I'm just looking for a solution for our need to continue the existence
of public urls (example http://tiger.coe.missouri.edu/~vrcbd/) in a
world where the powers that be insist that due to the tilde and the
security concerns associated, these addresses will be orphaned... and
since they are orphaned, no need to continue DNS mappings like
tiger.coe.missouri.edu to the new server coe3.missouri.edu. The issue
is the security of the ~ so, I think if the normal ~ resolving
characteristics of the httpd.conf are removed and individual mappings
for the domains, say tiger.coe.missouri.edu => coe3.missouri.edu and
then in the httpd.conf ~vrcbd => vrcbd.missouri.edu*. Will it? I don't
care what the rest of the config is and how they lock the apache server
down to protect that machine... I just care about the above working.
Will it itself present any security issues?
*this could also be to a file, say vrcbd.html which contains a notice to
update one's bookmarks and then a timed meta refresh to the new URL
http://vrcbd.missouri.edu/
Pottinger, Hardy J. wrote:
Just want to jump in here, there is an additional risk you assume by
allowing all users (except root) to have a public_html folder. If you
also allow some sort of remote access (SSH, FTP), there are scripted
attacks out in the wild that will attempt to leverage a brute force
password attack by setting up a public_html folder, and then start
probing for weaknesses in your Apache setup. Works even for
non-privileged accounts (i.e. without a valid shell).
To mitigate the risk, if possible, I'd suggest explicitly enabling
UserDir for just the users that need it.
Here's my paranoid example (with PHP safe_mode enabled for good
measure):
UserDir public_html
UserDir disabled
UserDir enabled user1 user2 user3 user4
<Directory /home/*/public_html>
AllowOverride All
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
Order allow,deny
Allow from all
php_admin_flag safe_mode On
<Limit GET POST OPTIONS PROPFIND>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS PROPFIND>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>
--
HARDY POTTINGER <EMAIL:PROTECTED>
University of Missouri Library Systems
http://lso.umsystem.edu/~hardy/
"No matter how far down the wrong road you've gone,
turn back." --Turkish proverb
_______________________________________________
members mailing list
EMAIL:PROTECTED
http://mlug.missouri.edu/mailman/listinfo/members
--
Christian M. Cepel - Thistledowne Productions - http://thistledowne.org
Computer Support Specialist, Sr. - University of Missouri - Columbia
College of Education - School of Info Science & Learning Technologies
VRCbd, KidTools & StrategyTools Support Systems Projects, and Truman,
Library Whistlestop Project - Web Design & Programming - 573.999.2370
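As an added illustration (not config from either poster), here is one way to do what the question above asks: keep the old tiger.coe.missouri.edu name answering, but with UserDir turned off entirely so no home directory is ever resolved, and with the single legacy path /~vrcbd/ rewritten to the new host by a 301 redirect instead of the meta-refresh page mentioned as an alternative. The DocumentRoot path is an assumption; the hostnames are the ones given in the thread, and the directives are written in the same Apache 2.2 style as the quoted example.

```apache
# Disable tilde resolution globally: no request may reach /home/*/public_html.
UserDir disabled

<VirtualHost *:80>
    ServerName tiger.coe.missouri.edu
    # Assumed path: an empty directory that nothing is ever served from.
    DocumentRoot /var/www/legacy-empty

    # Map the one surviving tilde URL to its new home, preserving any
    # trailing path, e.g. /~vrcbd/pages/x.html -> http://vrcbd.missouri.edu/pages/x.html
    # (RedirectMatch is used rather than Redirect so /~vrcbd and /~vrcbd/ both
    # map cleanly and a prefix such as /~vrcbdxyz does not match).
    RedirectMatch permanent ^/~vrcbd/?(.*)$ http://vrcbd.missouri.edu/$1

    # Everything else on the old name is refused; mod_alias issues the
    # redirect during URI translation, before this access check runs.
    <Directory /var/www/legacy-empty>
        Options None
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>
</VirtualHost>
```

After reloading, `curl -I http://tiger.coe.missouri.edu/~vrcbd/` should return a 301 with a Location header pointing at http://vrcbd.missouri.edu/, while `curl -I http://tiger.coe.missouri.edu/~anyone/` should return 403 rather than a directory listing.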