Re: [newbie] Apache security
On 08 Jun 2003 00:13:48 +0200 Steven Broos [EMAIL PROTECTED] uttered:

> Then you can disable PHP easily if you really want to, and let a script create a HTML-file which contains the uptime.

ah, I'm not that concerned. it's just:

<?php include 'uptime.txt'; ?>

I see the usual attempts at running windows scripts, but one thing stumps me. I see this occasionally as well, from different addresses on the same subnet as me (64.x.x.x):

64.229.89.4 - - [07/Jun/2003:23:59:37 -0400] GET /default.ida?XX XXX XXX %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u780 1%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53 ff%u0078%u%u00=a HTTP/1.0 404 393 - -

it doesn't correspond with any visitors to the server. I'm Googling now, but anyone know what this is?

--
Joehill
Registered Linux user #282046
Homepage: http://nodex.sytes.net
11:40:05 up 5 days, 9:43, 4 users, load average: 0.00, 0.00, 0.00

Want to buy your Pack or Services from MandrakeSoft? Go to http://www.mandrakestore.com

Re: [newbie] Apache security
On 08 Jun 2003 00:13:48 +0200 Steven Broos [EMAIL PROTECTED] uttered:

> On Sat, 2003-06-07 at 23:28, JoeHill wrote:

ah, ignore my immediately previous question. I found it, it's Code Red trying to spoof. Pt, keep trying bud...LOL.

--
Joehill
Registered Linux user #282046
Homepage: http://nodex.sytes.net
11:46:43 up 5 days, 9:50, 4 users, load average: 0.05, 0.05, 0.00

Re: [newbie] Apache security
http://www.apacheweek.com/features/codered

Some stupid worm. Nothing to be concerned about, if you're running apache. At least if you don't need to administer the stations where the requests come from :-)

Steven

On Sun, 2003-06-08 at 17:45, JoeHill wrote:
> On 08 Jun 2003 00:13:48 +0200 Steven Broos [EMAIL PROTECTED] uttered:
>
> > Then you can disable PHP easily if you really want to, and let a script create a HTML-file which contains the uptime.
>
> ah, I'm not that concerned. it's just:
>
> <?php include 'uptime.txt'; ?>
>
> I see the usual attempts at running windows scripts, but one thing stumps me. I see this occasionally as well, from different addresses on the same subnet as me (64.x.x.x):
>
> 64.229.89.4 - - [07/Jun/2003:23:59:37 -0400] GET /default.ida?XX XXX XXX %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u780 1%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53 ff%u0078%u%u00=a HTTP/1.0 404 393 - -
>
> it doesn't correspond with any visitors to the server. I'm Googling now, but anyone know what this is?
>
> --
> Joehill
> Registered Linux user #282046
> Homepage: http://nodex.sytes.net
> 11:40:05 up 5 days, 9:43, 4 users, load average: 0.00, 0.00, 0.00

Re: [newbie] Apache security
At 11:45 AM 6/8/2003 -0400, you wrote:

> I see the usual attempts at running windows scripts, but one thing stumps me. I see this occasionally as well, from different addresses on the same subnet as me (64.x.x.x):
>
> 64.229.89.4 - - [07/Jun/2003:23:59:37 -0400] GET /default.ida?XX XXX XXX %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u780 1%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53 ff%u0078%u%u00=a HTTP/1.0 404 393 - -
>
> it doesn't correspond with any visitors to the server. I'm Googling now, but anyone know what this is?
>
> --
> Joehill

at a guess...malformed packet. Apache IIRC discards them at port entry. Windows doesn't tries to read it less you have zonealarm or another good firewall. Linux by itself will try to read it too. This results (with enough of them) in a crash of the OS.

This ofc assumes I'm correct. I also assume a spoofed IP addy from a script kiddy.

- FemmeFatale, aka The Skirt

Good Decisions Your boss Made: We'll do as you suggest and go with Linux. I've always liked that character from Peanuts. - Source: Dilbert

Re: [newbie] Apache security
On Sun, 08 Jun 2003 16:41:49 -0600 FemmeFatale [EMAIL PROTECTED] uttered:

> This ofc assumes I'm correct. I also assume a spoofed IP addy from a script kiddy.

yup, you missed my reply to myself! it's code red in all its glory...

--
Joehill
Registered Linux user #282046
Homepage: http://nodex.sytes.net
19:02:43 up 5 days, 17:06, 4 users, load average: 0.00, 0.00, 0.00

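Added example, not part of the original thread: a small Python triage pass over an Apache access log that picks out the /default.ida requests discussed above and reports, per source address, how often they arrived and which status codes Apache returned. It assumes the standard log layout with the request in double quotes (the quotes are missing from the line as pasted in the thread); the addresses, filler length and thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Apache access-log prefix: host ident user [time] "METHOD target HTTP/x.y" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>.+?) HTTP/\d\.\d" (?P<status>\d{3}) \S+'
)
UNICODE_ESC = re.compile(r'%u[0-9a-fA-F]{4}')   # IIS-style %uXXXX escapes
FILLER_RUN = re.compile(r'([A-Za-z])\1{31,}')   # one letter repeated 32+ times

def is_ida_probe(target):
    """True for /default.ida requests carrying filler plus %u escapes."""
    path, _, query = target.partition('?')
    if path.lower() != '/default.ida':
        return False
    return bool(FILLER_RUN.search(query)) and len(UNICODE_ESC.findall(query)) >= 4

def scan(lines):
    """Map source host -> probe count and the status codes Apache returned."""
    hits = defaultdict(lambda: {'count': 0, 'statuses': set()})
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_ida_probe(m.group('target')):
            hits[m.group('host')]['count'] += 1
            hits[m.group('host')]['statuses'].add(int(m.group('status')))
    return dict(hits)

def needs_attention(hits):
    """Hosts whose probe got anything other than a 4xx refusal."""
    return sorted(h for h, e in hits.items()
                  if any(not 400 <= s < 500 for s in e['statuses']))

# Constructed sample: documentation addresses, filler length chosen for the demo,
# %u tokens copied from the log line quoted in the thread.
PROBE = '/default.ida?' + 'X' * 224 + '%u9090%u6858%ucbd3%u7801' * 3 + '=a'
SAMPLE_LOG = [
    f'192.0.2.10 - - [07/Jun/2003:23:59:37 -0400] "GET {PROBE} HTTP/1.0" 404 393 "-" "-"',
    '198.51.100.7 - - [08/Jun/2003:00:02:11 -0400] "GET /index.html HTTP/1.1" 200 5120 "-" "-"',
    f'192.0.2.10 - - [08/Jun/2003:00:05:02 -0400] "GET {PROBE} HTTP/1.0" 404 393 "-" "-"',
    f'192.0.2.44 - - [08/Jun/2003:01:15:40 -0400] "GET {PROBE} HTTP/1.0" 200 1024 "-" "-"',
    '198.51.100.7 - - [08/Jun/2003:01:20:00 -0400] "GET /default.ida HTTP/1.1" 404 280 "-" "-"',
    'truncated or unparsable line',
]

if __name__ == '__main__':
    found = scan(SAMPLE_LOG)
    for host, entry in sorted(found.items()):
        print(host, entry['count'], sorted(entry['statuses']))
    print('review:', needs_attention(found))
```

A 404 for every probe is the result reported in the thread; the constructed 200 entry shows the case the script singles out for a closer look.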
[newbie] Apache security
I read the Seven Deadly Sins of Linux security, and one item concerns me:

On Toxen's don'ts list: Don't use PHP, even though it's convenient. Don't run DNS, auth (ident) or Apache as root. But, do use suEXEC, a tool first introduced in Apache 1.2, that increases security by allowing users to develop and run private CGI or SSI programs.

I will look into suEXEC, but I see that on my server, httpd2 is run by apache, except for *one* httpd2 process that is run as root. Is that necessary, and if not, can I kill it?

Also, why would PHP be a security risk? because it is executed on the server and not on the client's browser...?

--
Joehill
Registered Linux user #282046
Homepage: http://nodex.sytes.net
13:24:09 up 4 days, 11:27, 1 user, load average: 0.06, 0.10, 0.09

Re: [newbie] Apache security
I think it's a little bit paranoia to say you may not run PHP. I find it weird CGI is OK, but PHP isn't... Both are dangerous for your system when they are not administered well.

Apache has one parent-instance owned by root. The child-processes are run from the account you specified. I wouldn't worry about that.

A lot of security related issues depend on how you use your machine. Is it a webserver, or a personal desktop PC? In the second case, do you have a permanent internet connection? Is there a router or firewall in between? ... Maybe you want to read some information about IPtables...?

Steven

On Sat, 2003-06-07 at 19:31, JoeHill wrote:
> I read the Seven Deadly Sins of Linux security, and one item concerns me:
>
> On Toxen's don'ts list: Don't use PHP, even though it's convenient. Don't run DNS, auth (ident) or Apache as root. But, do use suEXEC, a tool first introduced in Apache 1.2, that increases security by allowing users to develop and run private CGI or SSI programs.
>
> I will look into suEXEC, but I see that on my server, httpd2 is run by apache, except for *one* httpd2 process that is run as root. Is that necessary, and if not, can I kill it?
>
> Also, why would PHP be a security risk? because it is executed on the server and not on the client's browser...?

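Added example, not part of the original thread: a Python check of the process layout described above, where one root-owned parent (Apache starts as root so it can bind port 80) has children running under the configured account. It reads `ps -eo user,pid,ppid,comm` style output and flags any worker still running as root; the process name httpd2 and the user apache come from the post, while the PIDs and both listings are constructed.

```python
def parse_ps(text):
    """Parse `ps -eo user,pid,ppid,comm` output into (user, pid, ppid, comm) rows."""
    rows = []
    for line in text.strip().splitlines()[1:]:        # skip the header row
        user, pid, ppid, comm = line.split(None, 3)
        rows.append((user, int(pid), int(ppid), comm.strip()))
    return rows

def audit_httpd(ps_text, name='httpd2'):
    """Separate the Apache parent from its workers and flag root-owned workers."""
    procs = [r for r in parse_ps(ps_text) if r[3] == name]
    pids = {pid for _, pid, _, _ in procs}
    # The parent is the httpd whose own parent is not another httpd.
    parents = [(user, pid) for user, pid, ppid, _ in procs if ppid not in pids]
    workers = [(user, pid) for user, pid, ppid, _ in procs if ppid in pids]
    return {
        'parents': parents,
        'worker_users': sorted({user for user, _ in workers}),
        'root_workers': [pid for user, pid in workers if user == 'root'],
    }

# Constructed listing matching what the poster describes: one root parent,
# workers owned by the apache account.
EXPECTED_LAYOUT = """USER PID PPID COMMAND
root 1 0 init
root 1201 1 httpd2
apache 1210 1201 httpd2
apache 1211 1201 httpd2
joe 1500 1 bash
"""

# Constructed listing of the layout to avoid: a worker that never dropped root.
ROOT_WORKER_LAYOUT = """USER PID PPID COMMAND
root 1 0 init
root 1201 1 httpd2
root 1210 1201 httpd2
apache 1211 1201 httpd2
"""

if __name__ == '__main__':
    for label, listing in (('expected', EXPECTED_LAYOUT), ('root worker', ROOT_WORKER_LAYOUT)):
        print(label, audit_httpd(listing))
```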
[newbie] Apache Security
Hi,

Once again, thanks to those who got me straightened out on installing/updating RPM's. Now I've gotten Apache 1.3.27 installed on Mandrake 9.0. Just curious how secure it is considered out of the box. I've seen quite a few Nimda and Code Red hits against it- obviously unsuccessfully. But in the short term, until I can get my hands on my Apache book back in the office, and start digesting it over a few days/weeks, is there anything I need to do immediately to make sure it is reasonably secure? I'd like to keep Apache running so I can test from the office.

I've got Apache AdvancedExtranet Server 1.3.27 with FrontPage/5.0.2.2623 PHP/4.3.0 mod_ssl/2.8.12 OpenSSL/0.9.6g installed, along with the FrontPage server extensions, V2.2. Like I said, out of the box. The project I'm working on is to be able to create/edit FrontPage webs on Apache (don't ask, I'm not a Microsoft lover... suffice it to say, just need to get it working and I'd like to make sure it is secure).

I've read over the apache.org security page and done most of that- but I'm new- some of it is Greek. I believe I've set all the file/directory permissions correctly... Anything else?

Thanks,
Marlo