Re: server config
Hi all,

I appreciate all the tips and info I've received from my server config questions. It looks like I need to do much more to secure my server before tackling the SVN portion. I'm going to take a step back and do that first. If necessary I'll (re)post once that's complete.

Thanks!
Scott

On Aug 19, 2013, at 12:13 PM, Scott Frankel wrote:

> Hi all,
>
> Thanks for the replies! Please see below for additional comments.
>
> On Aug 19, 2013, at 9:42 AM, David Chapman wrote:
>
>> On 8/19/2013 9:07 AM, Scott Frankel wrote:
>>> Hi all,
>>>
>>> I'm new to SVN server configuration and find myself setting up a CentOS 6.4 server with svn version 1.6.1, following the red-bean book.
>>>
>>> I'm having difficulty with authorization &/or authentication: my repo appears to be accessible by anyone in spite of requiring "valid-user" and specifying digest authentication. I believe this because 1) I can download a full working copy of the repo to a 3rd-party logged into a foreign computer, and 2) I have dozens of entries in apache's logfiles, like these from this morning, *prior* to any known/legitimate access to my repos today:
>>
>> Step 1: Take the real repo offline until you get the security problems resolved. Every IP address on the Internet is scanned every single day, and your repo is vulnerable right now.
>> Step 2: Run experiments with a dummy repo to resolve the security problems.
>>
>> Don't ever run security experiments with production data. Put production data online only after you know that all security problems have been resolved.
>
> Good points! My repo currently being downloaded by whomever is a testProj with absolutely nothing of value in it.
>
>>> svn_logfile:
>>> [19/Aug/2013:00:46:32 +] - checkout-or-export / r1 depth=infinity
>>
>> This does not look good at all. It's quite possible that someone else has downloaded your repository. The access_log file may tell you the IP address from which the request was made; with luck it's the one you were experimenting with and the time stamp matches your access.
>>
>>> access_log
>>> 93.174.93.213 - - [19/Aug/2013:07:23:50 +] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 319 "-" "ZmEu"
>>
>> If you watch access_log over time, as I do, you will see these sorts of probes constantly. Too many to list, they are meant to check for known vulnerabilities in older versions of Apache or tools installed (SQL administration, PHP administration, etc.). These will never go away. Get used to them. They should all fail; if not then you have other security problems to fix.
>
> OK. Getting used to common log entries is important.
>
>>> error_log
>>> [Mon Aug 19 07:23:51 2013] [error] [client 93.174.93.213] File does not exist: /var/www/html/MyAdmin
>>>
>>> This doesn't look good at all. My Location directive follows below. The /etc/svn-auth.htdigest exists and appears to be valid. My goal is to setup the repo, serve it via Apache, provide access to only a small number of people that I approve, use cmd-line svn and do so securely.
>>
>> These are standard goals.
>
> Good. I mention them in hopes it whittles down in advance any suggestions you might have. eg: the red-bean book has quite a lot to say about tunneling svnserve, which is not germane to my setup.
>
>>> This is my first brush with Apache, OpenSSL, and general server config. Thanks in advance for your suggestions! BTW, I'm not subscribed and would appreciate being cc'd on any replies.
>>> Scott
>>>
>>>   DAV svn
>>>   SVNParentPath /var/svn
>>>
>>>   # Authentication: Digest
>>>   AuthName "Subversion repository"
>>>   AuthType Digest
>>>   AuthUserFile /etc/svn-auth.htdigest
>>>
>>>   # Authorization: Authenticated users only
>>>   Require valid-user
>>
>> How many repositories do you have? You shouldn't use SVNParentPath if you have only one repository; use SVNPath. I don't know if that is the direct cause of your problem, but you should fix it.
>
> I chose to use SVNParentPath on purpose. As soon as I have a secure, working server config, I'll be hosting multiple repos. Daniel and Thomas, thanks for your suggestions.
>
>> You can also try working with AuthType Basic, creating passwords with /usr/sbin/htpasswd, until you figure things out. I have more experience with that than AuthType Digest, so I can't help you there.
>
> I'll try that to see what I discover; but ultimately my research so far points to Digest mode being more secure.
>
> Thanks for the suggestions!
> Scott
>
>> --
>> David Chapman dcchap...@acm.org
>> Chapman Consulting -- San Jose, CA
>> Software Development Done Right.
>> www.chapman-consulting-sj.com
Re: server config
On 8/19/2013 6:19 PM, Ben Reser wrote:
> On 8/19/13 9:07 AM, Scott Frankel wrote:
>> I'm new to SVN server configuration and find myself setting up a CentOS 6.4 server with svn version 1.6.1, following the red-bean book.
>
> I'd strongly urge you not to use 1.6.1, see the list of applicable security issues here:
> http://subversion.apache.org/security/
>
> If you're using the CentOS packages they may have patched those issues without updating the svn version number. You should check that though.
>
> If you're setting a new server I wouldn't start with 1.6.x but would go straight to 1.7.x or 1.8.x, probably 1.8.x if you can.

For the 1.8.1 RPMs, I suggest adding the WANDisco repository to your configuration.

http://www.wandisco.com/subversion/download

What you're looking for is "Download Subversion Installer V1.8.1 for Redhat". You download a shell script which then needs to be executed to install the WANDisco repositories and install the SVN 1.8.1 RPMs.
Re: server config
On 8/20/2013 1:19 AM, olli hauer wrote:
> On 2013-08-20 01:41, Nico Kadel-Garcia wrote:
>> I think he meant "subversion-1.6.11", which is the default version for CentOS 6.4.
>
> Check the SELinux settings in /etc/sysconfig/selinux.
> Set the line to 'SELINUX=permissive' (or disabled)
> After changing the SELINUX value a reboot is required
>
> Additionally add a trailing '/' so your config looks like so.

A better way to handle SELinux issues is to:

# getenforce - To see whether you are in permissive or enforcing mode
# setenforce permissive - Run this before doing your tests

Then use the various SELinux troubleshooting tools to see what errors were logged while in permissive mode. Once you have fixed your issues, you can use "setenforce enforcing" and then re-run your tests.

The command line troubleshooting tool is:

# sealert -a /var/log/audit/audit.log
Re: server config
On 2013-08-20 01:41, Nico Kadel-Garcia wrote:
> I think he meant "subversion-1.6.11", which is the default version for CentOS 6.4.

Check the SELinux settings in /etc/sysconfig/selinux.
Set the line to 'SELINUX=permissive' (or disabled)
After changing the SELINUX value a reboot is required

Additionally add a trailing '/' so your config looks like so.

  RewriteEngine on
  # the trailing '/' in /svn/ is needed to browse repos with a standard browser!
  RedirectMatch ^(/svn)$ $1/

  DAV svn
  SVNParentPath /var/svn/

  # Authentication: Digest
  AuthName "Subversion repository"
  AuthType Digest
  AuthUserFile /etc/svn-auth.htdigest

  # Authorization: Authenticated users only
  Require valid-user

> On Mon, Aug 19, 2013 at 6:19 PM, Ben Reser wrote:
>> On 8/19/13 9:07 AM, Scott Frankel wrote:
>>> I'm new to SVN server configuration and find myself setting up a CentOS 6.4 server with svn version 1.6.1, following the red-bean book.
>>
>> I'd strongly urge you not to use 1.6.1, see the list of applicable security issues here:
>> http://subversion.apache.org/security/
>>
>> If you're using the CentOS packages they may have patched those issues without updating the svn version number. You should check that though.
>>
>> If you're setting a new server I wouldn't start with 1.6.x but would go straight to 1.7.x or 1.8.x, probably 1.8.x if you can.
>>
>>> I'm having difficulty with authorization &/or authentication: my repo appears to be accessible by anyone in spite of requiring "valid-user" and specifying digest authentication. I believe this because 1) I can download a full working copy of the repo to a 3rd-party logged into a foreign computer, and 2) I have dozens of entries in apache's logfiles, like these from this morning, *prior* to any known/legitimate access to my repos today:
>>>
>>> svn_logfile:
>>> [19/Aug/2013:00:46:32 +] - checkout-or-export / r1 depth=infinity
>>
>> That does indeed look like access without a user.
>>
>>> access_log
>>> 93.174.93.213 - - [19/Aug/2013:07:23:50 +] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 319 "-" "ZmEu"
>>>
>>> error_log
>>> [Mon Aug 19 07:23:51 2013] [error] [client 93.174.93.213] File does not exist: /var/www/html/MyAdmin
>>
>> These however do not appear to be alarming at all. Neither of them are under the /svn Location on your server where you have put the Require valid-user requirement. They appear to me to be just normal probes run by someone looking for security holes. This sort of thing is just going to be a normal part of running a server on the Internet.
>>
>>>   DAV svn
>>>   SVNParentPath /var/svn
>>>
>>>   # Authentication: Digest
>>>   AuthName "Subversion repository"
>>>   AuthType Digest
>>>   AuthUserFile /etc/svn-auth.htdigest
>>>
>>>   # Authorization: Authenticated users only
>>>   Require valid-user
>>
>> I'm not seeing anything wrong with this, so I'm not sure why you're having a problem. You didn't mention it but I'm wondering what version of httpd you're running, I'm assuming 2.2.x since you're using 1.6.1 on CentOS 6.4.
Re: server config
I think he meant "subversion-1.6.11", which is the default version for CentOS 6.4.

On Mon, Aug 19, 2013 at 6:19 PM, Ben Reser wrote:
> On 8/19/13 9:07 AM, Scott Frankel wrote:
>> I'm new to SVN server configuration and find myself setting up a CentOS 6.4 server with svn version 1.6.1, following the red-bean book.
>
> I'd strongly urge you not to use 1.6.1, see the list of applicable security issues here:
> http://subversion.apache.org/security/
>
> If you're using the CentOS packages they may have patched those issues without updating the svn version number. You should check that though.
>
> If you're setting a new server I wouldn't start with 1.6.x but would go straight to 1.7.x or 1.8.x, probably 1.8.x if you can.
>
>> I'm having difficulty with authorization &/or authentication: my repo appears to be accessible by anyone in spite of requiring "valid-user" and specifying digest authentication. I believe this because 1) I can download a full working copy of the repo to a 3rd-party logged into a foreign computer, and 2) I have dozens of entries in apache's logfiles, like these from this morning, *prior* to any known/legitimate access to my repos today:
>>
>> svn_logfile:
>> [19/Aug/2013:00:46:32 +] - checkout-or-export / r1 depth=infinity
>
> That does indeed look like access without a user.
>
>> access_log
>> 93.174.93.213 - - [19/Aug/2013:07:23:50 +] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 319 "-" "ZmEu"
>>
>> error_log
>> [Mon Aug 19 07:23:51 2013] [error] [client 93.174.93.213] File does not exist: /var/www/html/MyAdmin
>
> These however do not appear to be alarming at all. Neither of them are under the /svn Location on your server where you have put the Require valid-user requirement. They appear to me to be just normal probes run by someone looking for security holes. This sort of thing is just going to be a normal part of running a server on the Internet.
>
>>   DAV svn
>>   SVNParentPath /var/svn
>>
>>   # Authentication: Digest
>>   AuthName "Subversion repository"
>>   AuthType Digest
>>   AuthUserFile /etc/svn-auth.htdigest
>>
>>   # Authorization: Authenticated users only
>>   Require valid-user
>
> I'm not seeing anything wrong with this, so I'm not sure why you're having a problem. You didn't mention it but I'm wondering what version of httpd you're running, I'm assuming 2.2.x since you're using 1.6.1 on CentOS 6.4.
Re: server config
On 8/19/13 9:07 AM, Scott Frankel wrote:
> I'm new to SVN server configuration and find myself setting up a CentOS 6.4 server with svn version 1.6.1, following the red-bean book.

I'd strongly urge you not to use 1.6.1, see the list of applicable security issues here:
http://subversion.apache.org/security/

If you're using the CentOS packages they may have patched those issues without updating the svn version number. You should check that though.

If you're setting a new server I wouldn't start with 1.6.x but would go straight to 1.7.x or 1.8.x, probably 1.8.x if you can.

> I'm having difficulty with authorization &/or authentication: my repo appears to be accessible by anyone in spite of requiring "valid-user" and specifying digest authentication. I believe this because 1) I can download a full working copy of the repo to a 3rd-party logged into a foreign computer, and 2) I have dozens of entries in apache's logfiles, like these from this morning, *prior* to any known/legitimate access to my repos today:
>
> svn_logfile:
> [19/Aug/2013:00:46:32 +] - checkout-or-export / r1 depth=infinity

That does indeed look like access without a user.

> access_log
> 93.174.93.213 - - [19/Aug/2013:07:23:50 +] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 319 "-" "ZmEu"
>
> error_log
> [Mon Aug 19 07:23:51 2013] [error] [client 93.174.93.213] File does not exist: /var/www/html/MyAdmin

These however do not appear to be alarming at all. Neither of them are under the /svn Location on your server where you have put the Require valid-user requirement. They appear to me to be just normal probes run by someone looking for security holes. This sort of thing is just going to be a normal part of running a server on the Internet.

>   DAV svn
>   SVNParentPath /var/svn
>
>   # Authentication: Digest
>   AuthName "Subversion repository"
>   AuthType Digest
>   AuthUserFile /etc/svn-auth.htdigest
>
>   # Authorization: Authenticated users only
>   Require valid-user

I'm not seeing anything wrong with this, so I'm not sure why you're having a problem. You didn't mention it but I'm wondering what version of httpd you're running, I'm assuming 2.2.x since you're using 1.6.1 on CentOS 6.4.
Re: server config
On 8/19/2013 12:13 PM, Scott Frankel wrote:
>>> This is my first brush with Apache, OpenSSL, and general server config. Thanks in advance for your suggestions! BTW, I'm not subscribed and would appreciate being cc'd on any replies.
>>> Scott
>>>
>>>   DAV svn
>>>   SVNParentPath /var/svn
>>>
>>>   # Authentication: Digest
>>>   AuthName "Subversion repository"
>>>   AuthType Digest
>>>   AuthUserFile /etc/svn-auth.htdigest
>>>
>>>   # Authorization: Authenticated users only
>>>   Require valid-user
>>
>> How many repositories do you have? You shouldn't use SVNParentPath if you have only one repository; use SVNPath. I don't know if that is the direct cause of your problem, but you should fix it.
>
> I chose to use SVNParentPath on purpose. As soon as I have a secure, working server config, I'll be hosting multiple repos. Daniel and Thomas, thanks for your suggestions.

My standard operating procedure is to get things working properly with a simple configuration, then add features one at a time. This helps isolate problems, especially when you are a beginner. I have containers in my httpd.conf files for various Web sites, domains, and SVN repositories, and you better believe I didn't try to configure everything at once! Try using SVNPath the first time and get it working securely before adding new capabilities. It's trivial to move a repository directory under Unix-like systems (and not very hard under Windows) to set up SVNParentPath later, so there is no reason to use SVNParentPath for a single repository.

One last question, just in case: did you run "svnadmin create /var/svn" or "svnadmin create /var/svn/repo1"? In other words, is "/var/svn" a repository or a directory in which a repository was created? The directory in SVNParentPath shouldn't point to a repository, but to the parent directory of the repository (and its friends). I don't know if this would cause the security issues you are seeing, but it is a common enough mistake that I thought I would ask.

--
David Chapman dcchap...@acm.org
Chapman Consulting -- San Jose, CA
Software Development Done Right.
www.chapman-consulting-sj.com
Re: server config
Hi all,

Thanks for the replies! Please see below for additional comments.

On Aug 19, 2013, at 9:42 AM, David Chapman wrote:

> On 8/19/2013 9:07 AM, Scott Frankel wrote:
>> Hi all,
>>
>> I'm new to SVN server configuration and find myself setting up a CentOS 6.4 server with svn version 1.6.1, following the red-bean book.
>>
>> I'm having difficulty with authorization &/or authentication: my repo appears to be accessible by anyone in spite of requiring "valid-user" and specifying digest authentication. I believe this because 1) I can download a full working copy of the repo to a 3rd-party logged into a foreign computer, and 2) I have dozens of entries in apache's logfiles, like these from this morning, *prior* to any known/legitimate access to my repos today:
>
> Step 1: Take the real repo offline until you get the security problems resolved. Every IP address on the Internet is scanned every single day, and your repo is vulnerable right now.
> Step 2: Run experiments with a dummy repo to resolve the security problems.
>
> Don't ever run security experiments with production data. Put production data online only after you know that all security problems have been resolved.

Good points! My repo currently being downloaded by whomever is a testProj with absolutely nothing of value in it.

>> svn_logfile:
>> [19/Aug/2013:00:46:32 +] - checkout-or-export / r1 depth=infinity
>
> This does not look good at all. It's quite possible that someone else has downloaded your repository. The access_log file may tell you the IP address from which the request was made; with luck it's the one you were experimenting with and the time stamp matches your access.
>
>> access_log
>> 93.174.93.213 - - [19/Aug/2013:07:23:50 +] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 319 "-" "ZmEu"
>
> If you watch access_log over time, as I do, you will see these sorts of probes constantly. Too many to list, they are meant to check for known vulnerabilities in older versions of Apache or tools installed (SQL administration, PHP administration, etc.). These will never go away. Get used to them. They should all fail; if not then you have other security problems to fix.

OK. Getting used to common log entries is important.

>> error_log
>> [Mon Aug 19 07:23:51 2013] [error] [client 93.174.93.213] File does not exist: /var/www/html/MyAdmin
>>
>> This doesn't look good at all. My Location directive follows below. The /etc/svn-auth.htdigest exists and appears to be valid. My goal is to setup the repo, serve it via Apache, provide access to only a small number of people that I approve, use cmd-line svn and do so securely.
>
> These are standard goals.

Good. I mention them in hopes it whittles down in advance any suggestions you might have. eg: the red-bean book has quite a lot to say about tunneling svnserve, which is not germane to my setup.

>> This is my first brush with Apache, OpenSSL, and general server config. Thanks in advance for your suggestions! BTW, I'm not subscribed and would appreciate being cc'd on any replies.
>> Scott
>>
>>   DAV svn
>>   SVNParentPath /var/svn
>>
>>   # Authentication: Digest
>>   AuthName "Subversion repository"
>>   AuthType Digest
>>   AuthUserFile /etc/svn-auth.htdigest
>>
>>   # Authorization: Authenticated users only
>>   Require valid-user
>
> How many repositories do you have? You shouldn't use SVNParentPath if you have only one repository; use SVNPath. I don't know if that is the direct cause of your problem, but you should fix it.

I chose to use SVNParentPath on purpose. As soon as I have a secure, working server config, I'll be hosting multiple repos. Daniel and Thomas, thanks for your suggestions.

> You can also try working with AuthType Basic, creating passwords with /usr/sbin/htpasswd, until you figure things out. I have more experience with that than AuthType Digest, so I can't help you there.

I'll try that to see what I discover; but ultimately my research so far points to Digest mode being more secure.

Thanks for the suggestions!
Scott

> --
> David Chapman dcchap...@acm.org
> Chapman Consulting -- San Jose, CA
> Software Development Done Right.
> www.chapman-consulting-sj.com
Re: server config
On 8/19/2013 12:42 PM, David Chapman wrote:
> How many repositories do you have? You shouldn't use SVNParentPath if you have only one repository; use SVNPath. I don't know if that is the direct cause of your problem, but you should fix it.

I suggest planning for multiple repositories from the get-go. Some things in SVN land work better when you dedicate a separate repository to it. We started with one monolithic repository, but have since split that into ~300 smaller repositories.
Re: server config
David Chapman wrote on Mon, Aug 19, 2013 at 09:42:42 -0700:
> You shouldn't use SVNParentPath if you have only one repository; use SVNPath. I don't know if that is the direct cause of your problem, but you should fix it.

I disagree. I'm not aware of a reason to prefer one over the other.
Re: server config
Being that you will be using WebDAV, I'd recommend you look at the AuthzSVNAccessFile directive and control the access you want that way. Here is what mine looks like:

  DAV svn
  SVNPath /var/svn
  AuthzSVNAccessFile /var/svn/svnaccess.conf
  Require Valid-User
  AuthType Basic
  AuthName "Code Repository"
  AuthUserFile /var/svn/passwd

HTH. YMMV.

Regards,
Dana

On Mon, Aug 19, 2013 at 9:07 AM, Scott Frankel wrote:
> Hi all,
>
> I'm new to SVN server configuration and find myself setting up a CentOS 6.4 server with svn version 1.6.1, following the red-bean book.
>
> I'm having difficulty with authorization &/or authentication: my repo appears to be accessible by anyone in spite of requiring "valid-user" and specifying digest authentication. I believe this because 1) I can download a full working copy of the repo to a 3rd-party logged into a foreign computer, and 2) I have dozens of entries in apache's logfiles, like these from this morning, *prior* to any known/legitimate access to my repos today:
>
> svn_logfile:
> [19/Aug/2013:00:46:32 +] - checkout-or-export / r1 depth=infinity
>
> access_log
> 93.174.93.213 - - [19/Aug/2013:07:23:50 +] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 319 "-" "ZmEu"
>
> error_log
> [Mon Aug 19 07:23:51 2013] [error] [client 93.174.93.213] File does not exist: /var/www/html/MyAdmin
>
> This doesn't look good at all. My Location directive follows below. The /etc/svn-auth.htdigest exists and appears to be valid. My goal is to setup the repo, serve it via Apache, provide access to only a small number of people that I approve, use cmd-line svn and do so securely.
>
> This is my first brush with Apache, OpenSSL, and general server config. Thanks in advance for your suggestions! BTW, I'm not subscribed and would appreciate being cc'd on any replies.
> Scott
>
>   DAV svn
>   SVNParentPath /var/svn
>
>   # Authentication: Digest
>   AuthName "Subversion repository"
>   AuthType Digest
>   AuthUserFile /etc/svn-auth.htdigest
>
>   # Authorization: Authenticated users only
>   Require valid-user

--
Regards,
Dana Epp
Microsoft Security MVP
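An added example, not Dana's or Scott's configuration, of what the access file that Dana's `AuthzSVNAccessFile` directive points at can look like, shown with a Location block in the style of Scott's (Digest authentication, `SVNParentPath`). The file paths, the repository name `testProj`, the group names and the user names are assumptions; the access-file syntax is mod_authz_svn's, and because the block serves several repositories from one parent directory the rules are scoped as `[repository:/path]`.

```apache
# ---- httpd Location block (file path assumed) ----
# mod_authz_svn must be loaded alongside mod_dav_svn for AuthzSVNAccessFile
# to be recognised.
<Location /svn>
  DAV svn
  SVNParentPath /var/svn

  # Authentication: every request must carry valid credentials.
  AuthType Digest
  AuthName "Subversion repository"
  AuthUserFile /etc/svn-auth.htdigest
  Require valid-user

  # Authorization: per-repository, per-path rules kept in a separate file.
  AuthzSVNAccessFile /etc/svn-access.conf
</Location>

# ---- /etc/svn-access.conf (mod_authz_svn syntax; path assumed) ----
[groups]
devs = alice, bob
readers = carol

# Deny everything by default: an authenticated user who matches no rule
# below gets no access, so a repository you forgot to list is closed.
[/]
* =

# Rules for one repository under SVNParentPath; testProj is an assumed name.
[testProj:/]
@devs = rw
@readers = r

# A narrower rule further down the path overrides the wider one above:
# only alice may write to the release tags.
[testProj:/tags]
@devs = r
alice = rw
```

The access file only ever narrows what an already-authenticated user may do; it is the `Require valid-user` line that refuses anonymous clients, so the second file complements the first rather than replacing it. Path rules are evaluated from the most specific path outward, which is why the `[testProj:/tags]` section wins over `[testProj:/]` for that subtree.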
Re: server config
On 8/19/2013 9:07 AM, Scott Frankel wrote:
> Hi all,
>
> I'm new to SVN server configuration and find myself setting up a CentOS 6.4 server with svn version 1.6.1, following the red-bean book.
>
> I'm having difficulty with authorization &/or authentication: my repo appears to be accessible by anyone in spite of requiring "valid-user" and specifying digest authentication. I believe this because 1) I can download a full working copy of the repo to a 3rd-party logged into a foreign computer, and 2) I have dozens of entries in apache's logfiles, like these from this morning, *prior* to any known/legitimate access to my repos today:

Step 1: Take the real repo offline until you get the security problems resolved. Every IP address on the Internet is scanned every single day, and your repo is vulnerable right now.
Step 2: Run experiments with a dummy repo to resolve the security problems.

Don't ever run security experiments with production data. Put production data online only after you know that all security problems have been resolved.

> svn_logfile:
> [19/Aug/2013:00:46:32 +] - checkout-or-export / r1 depth=infinity

This does not look good at all. It's quite possible that someone else has downloaded your repository. The access_log file may tell you the IP address from which the request was made; with luck it's the one you were experimenting with and the time stamp matches your access.

> access_log
> 93.174.93.213 - - [19/Aug/2013:07:23:50 +] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 319 "-" "ZmEu"

If you watch access_log over time, as I do, you will see these sorts of probes constantly. Too many to list, they are meant to check for known vulnerabilities in older versions of Apache or tools installed (SQL administration, PHP administration, etc.). These will never go away. Get used to them. They should all fail; if not then you have other security problems to fix.

> error_log
> [Mon Aug 19 07:23:51 2013] [error] [client 93.174.93.213] File does not exist: /var/www/html/MyAdmin
>
> This doesn't look good at all. My Location directive follows below. The /etc/svn-auth.htdigest exists and appears to be valid. My goal is to setup the repo, serve it via Apache, provide access to only a small number of people that I approve, use cmd-line svn and do so securely.

These are standard goals.

> This is my first brush with Apache, OpenSSL, and general server config. Thanks in advance for your suggestions! BTW, I'm not subscribed and would appreciate being cc'd on any replies.
> Scott
>
>   DAV svn
>   SVNParentPath /var/svn
>
>   # Authentication: Digest
>   AuthName "Subversion repository"
>   AuthType Digest
>   AuthUserFile /etc/svn-auth.htdigest
>
>   # Authorization: Authenticated users only
>   Require valid-user

How many repositories do you have? You shouldn't use SVNParentPath if you have only one repository; use SVNPath. I don't know if that is the direct cause of your problem, but you should fix it.

You can also try working with AuthType Basic, creating passwords with /usr/sbin/htpasswd, until you figure things out. I have more experience with that than AuthType Digest, so I can't help you there.

--
David Chapman dcchap...@acm.org
Chapman Consulting -- San Jose, CA
Software Development Done Right.
www.chapman-consulting-sj.com
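David's advice to read access_log for the source address, and Ben's observation that the two probe lines fall outside the /svn Location while the svn_logfile entry shows an action with no user, both amount to one triage rule: a success under the protected path with an empty user field is the alarming case, a 404 for an admin tool outside it is background noise. The script below is an added example, not code from the thread, that applies that rule to both log formats. It assumes the combined log format for access_log and the `%t %u %{SVN-ACTION}e` format the red-bean book suggests for the Subversion operational log; the two lines quoted in the thread are used as input together with constructed lines (203.0.113.7 is a documentation address, "scott" an assumed user).

```python
"""Triage Apache access_log and mod_dav_svn operational log lines for a
repository served under a Location that requires authentication."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Combined log format:
#   host ident authuser [time] "method path proto" status bytes "referer" "agent"
ACCESS_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]*)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# mod_dav_svn operational log in the format the red-bean book suggests:
#   CustomLog logs/svn_logfile "%t %u %{SVN-ACTION}e" env=SVN-ACTION
# %u is the authenticated user; Apache writes "-" when there was none.
SVN_RE = re.compile(r'^\[(?P<time>[^\]]*)\] (?P<user>\S+) (?P<action>.+)$')

PROTECTED_PREFIX = "/svn"  # the Location carrying "Require valid-user"


@dataclass
class Finding:
    level: str   # "ALERT", "ok", "noise" or "info"
    reason: str
    line: str


def triage_access(line: str) -> Optional[Finding]:
    """Classify one access_log line relative to the protected repository path."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    host, user, path, status = m["host"], m["user"], m["path"], int(m["status"])
    in_repo = path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")
    if in_repo and user == "-" and 200 <= status < 300:
        # Success under the protected path with an empty %u field: the
        # Require valid-user rule was not applied to this request.
        return Finding("ALERT", f"{host}: {status} for {path} with no authenticated user", line)
    if in_repo and status == 401:
        return Finding("ok", f"{host}: unauthenticated request to {path} refused", line)
    if in_repo:
        return Finding("ok", f"{host}: {user} got {status} for {path}", line)
    if status in (403, 404):
        # Background scanners probing for admin tools outside the repository.
        return Finding("noise", f"{host}: probe for {path} rejected ({status})", line)
    return Finding("info", f"{host}: {status} for {path} outside {PROTECTED_PREFIX}", line)


def triage_svn(line: str) -> Optional[Finding]:
    """Classify one svn_logfile line: an action logged with user '-' ran unauthenticated."""
    m = SVN_RE.match(line)
    if not m:
        return None
    if m["user"] == "-":
        return Finding("ALERT", f"'{m['action']}' performed with no authenticated user", line)
    return Finding("ok", f"'{m['action']}' by {m['user']}", line)


def triage(access_lines: List[str], svn_lines: List[str]) -> List[Finding]:
    """Run both classifiers and return every finding, alerts first."""
    findings = [f for f in map(triage_access, access_lines) if f]
    findings += [f for f in map(triage_svn, svn_lines) if f]
    return sorted(findings, key=lambda f: f.level != "ALERT")


# Sample input: the two lines quoted in the thread, plus constructed lines
# (203.0.113.7 is a documentation address; "scott" is an assumed user).
ACCESS_SAMPLE = [
    '93.174.93.213 - - [19/Aug/2013:07:23:50 +] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 319 "-" "ZmEu"',
    '203.0.113.7 - - [19/Aug/2013:00:46:30 +0000] "OPTIONS /svn/testProj HTTP/1.1" 200 187 "-" "SVN/1.6.11 neon/0.29.3"',
    '203.0.113.7 - - [19/Aug/2013:09:10:02 +0000] "OPTIONS /svn/testProj HTTP/1.1" 401 401 "-" "SVN/1.6.11 neon/0.29.3"',
    '203.0.113.7 - scott [19/Aug/2013:09:10:03 +0000] "REPORT /svn/testProj/!svn/vcc/default HTTP/1.1" 200 4096 "-" "SVN/1.6.11 neon/0.29.3"',
]
SVN_SAMPLE = [
    "[19/Aug/2013:00:46:32 +] - checkout-or-export / r1 depth=infinity",
    "[19/Aug/2013:09:10:03 +] scott checkout-or-export / r1 depth=infinity",
]

if __name__ == "__main__":
    for f in triage(ACCESS_SAMPLE, SVN_SAMPLE):
        print(f"{f.level:5} {f.reason}")
```

Run against real files, the ALERT lines are the ones to correlate by timestamp with the svn_logfile entries, as David suggests; a healthy server shows only 401 for the first unauthenticated request under /svn and a named user on everything after it.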
server config
Hi all,

I'm new to SVN server configuration and find myself setting up a CentOS 6.4 server with svn version 1.6.1, following the red-bean book.

I'm having difficulty with authorization &/or authentication: my repo appears to be accessible by anyone in spite of requiring "valid-user" and specifying digest authentication. I believe this because 1) I can download a full working copy of the repo to a 3rd-party logged into a foreign computer, and 2) I have dozens of entries in apache's logfiles, like these from this morning, *prior* to any known/legitimate access to my repos today:

svn_logfile:
[19/Aug/2013:00:46:32 +] - checkout-or-export / r1 depth=infinity

access_log
93.174.93.213 - - [19/Aug/2013:07:23:50 +] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 319 "-" "ZmEu"

error_log
[Mon Aug 19 07:23:51 2013] [error] [client 93.174.93.213] File does not exist: /var/www/html/MyAdmin

This doesn't look good at all. My Location directive follows below. The /etc/svn-auth.htdigest exists and appears to be valid. My goal is to setup the repo, serve it via Apache, provide access to only a small number of people that I approve, use cmd-line svn and do so securely.

This is my first brush with Apache, OpenSSL, and general server config. Thanks in advance for your suggestions! BTW, I'm not subscribed and would appreciate being cc'd on any replies.
Scott

  DAV svn
  SVNParentPath /var/svn

  # Authentication: Digest
  AuthName "Subversion repository"
  AuthType Digest
  AuthUserFile /etc/svn-auth.htdigest

  # Authorization: Authenticated users only
  Require valid-user
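Scott says the /etc/svn-auth.htdigest file "appears to be valid", and the one property of that file a practitioner wants checked against the Location block is the realm: htdigest stores `user:realm:MD5(user:realm:password)`, and mod_auth_digest only finds an entry whose realm is identical to the `AuthName` string the server sends, so a typo or a capitalisation difference silently locks the user out. The script below is an added example, not code from the thread; it builds entries in the htdigest format (MD5 is what the HTTP Digest scheme specifies, not a choice made here), verifies a password against one, and checks a digest file against Scott's directives. The user names and passwords are constructed.

```python
"""Check that an htdigest file is consistent with the AuthName realm in the
httpd config that references it."""
import hashlib
import re
import shlex
from typing import Dict, List


def htdigest_entry(user: str, realm: str, password: str) -> str:
    """One line in the format htdigest(1) writes: user:realm:HA1, where
    HA1 = MD5("user:realm:password") as specified for HTTP Digest auth (RFC 2617)."""
    ha1 = hashlib.md5(f"{user}:{realm}:{password}".encode("utf-8")).hexdigest()
    return f"{user}:{realm}:{ha1}"


def verify_password(entry: str, password: str) -> bool:
    """True if the password reproduces the HA1 stored in an htdigest entry."""
    user, realm, _ = entry.split(":", 2)
    return htdigest_entry(user, realm, password) == entry


def parse_auth_directives(config_text: str) -> Dict[str, str]:
    """Pull AuthName / AuthType / AuthUserFile values out of an httpd config snippet."""
    found: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # honours the quotes around AuthName's value
        if len(parts) >= 2 and parts[0] in ("AuthName", "AuthType", "AuthUserFile"):
            found[parts[0]] = parts[1]
    return found


def check_digest_file(config_text: str, digest_text: str) -> List[str]:
    """Report entries whose realm differs from AuthName byte for byte. Such users
    can never authenticate: the client hashes with the realm the server sends,
    and mod_auth_digest looks up user:realm in the file."""
    cfg = parse_auth_directives(config_text)
    problems: List[str] = []
    if cfg.get("AuthType") != "Digest":
        problems.append("AuthType is not Digest, so AuthUserFile is not read as an htdigest file")
    realm = cfg.get("AuthName")
    for lineno, raw in enumerate(digest_text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 3 or not re.fullmatch(r"[0-9a-f]{32}", fields[2]):
            problems.append(f"line {lineno}: not a user:realm:HA1 entry")
            continue
        if fields[1] != realm:
            problems.append(
                f"line {lineno}: user '{fields[0]}' has realm '{fields[1]}' but AuthName is '{realm}'"
            )
    return problems


# Scott's Location body as posted in the thread.
SCOTT_CONFIG = """
  DAV svn
  SVNParentPath /var/svn

  # Authentication: Digest
  AuthName "Subversion repository"
  AuthType Digest
  AuthUserFile /etc/svn-auth.htdigest

  # Authorization: Authenticated users only
  Require valid-user
"""

# Constructed digest file: alice was created with the right realm, bob with one
# that differs only in capitalisation (users and passwords are made up).
SAMPLE_DIGEST = "\n".join([
    htdigest_entry("alice", "Subversion repository", "correct-horse"),
    htdigest_entry("bob", "Subversion Repository", "battery-staple"),
]) + "\n"

if __name__ == "__main__":
    for problem in check_digest_file(SCOTT_CONFIG, SAMPLE_DIGEST) or ["digest file matches AuthName"]:
        print(problem)
```

Because the realm is hashed into HA1, fixing a mismatch means re-running htdigest for the affected user with the realm spelled exactly as in `AuthName`; editing the realm column by hand leaves a hash that no longer matches. The check also catches the opposite slip, an `AuthType Basic` block pointed at an htdigest file, which mod_auth_basic cannot read.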