On Thu, 20 Mar 2008, Pottinger, Hardy J. wrote:

> Just want to jump in here, there is an additional risk you assume by
> allowing all users (except root) to have a public_html folder. If you
> also allow some sort of remote access (SSH, FTP), there are scripted
> attacks out in the wild that will attempt to leverage a brute force
> password attack by setting up a public_html folder

What does it mean to "set up a public_html folder"?

> and then start probing for weaknesses in your Apache setup. Works even
> for non-privileged accounts (i.e. without a valid shell).

How does the existence of a ~ in a URL help them to probe for weaknesses
in an Apache setup? Can't they probe anyway?

> To mitigate the risk, if possible, I'd suggest explicitly enabling
> UserDir for just the users that need it.

That can't be a bad thing security-wise but it creates management
annoyances.

Mike
_______________________________________________
members mailing list
http://mlug.missouri.edu/mailman/listinfo/members
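
The mitigation suggested in the thread, written out as mod_userdir configuration. This is an added example, not part of either message; the user names alice and bob are placeholders.

```apache
# Added example. alice and bob are placeholder account names.

# Setup described in the thread as risky: every account except root is
# served at /~user/ as soon as a public_html directory exists in its home.
#   UserDir public_html
#   UserDir disabled root

# Opt-in setup: user directories are off for everyone, then enabled by name.
<IfModule mod_userdir.c>
    UserDir public_html
    UserDir disabled
    UserDir enabled alice bob
</IfModule>
```

With the opt-in form, a public_html directory created under any other account is never mapped to a URL; the management cost mentioned in the reply is that each new user has to be added to the `UserDir enabled` line.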