Hi all, I appreciate all the tips and info I've received from my server config questions. It looks like I need to do much more to secure my server before tackling the SVN portion. I'm going to take a step back and do that first. If necessary I'll (re)post once that's complete.
Thanks!
Scott

On Aug 19, 2013, at 12:13 PM, Scott Frankel wrote:

>
> Hi all,
>
> Thanks for the replies! Please see below for additional comments.
>
>
> On Aug 19, 2013, at 9:42 AM, David Chapman wrote:
>
>> On 8/19/2013 9:07 AM, Scott Frankel wrote:
>>> Hi all,
>>>
>>> I'm new to SVN server configuration and find myself setting up a CentOS 6.4
>>> server with svn version 1.6.1, following the red-bean book.
>>>
>>> I'm having difficulty with authorization &/or authentication: my repo
>>> appears to be accessible by anyone in spite of requiring "valid-user" and
>>> specifying digest authentication. I believe this because 1) I can download
>>> a full working copy of the repo to a 3rd-party logged into a foreign
>>> computer, and 2) I have dozens of entries in apache's logfiles, like these
>>> from this morning, *prior* to any known/legitimate access to my repos today:
>>
>> Step 1: Take the real repo offline until you get the security problems
>> resolved. Every IP address on the Internet is scanned every single day, and
>> your repo is vulnerable right now.
>> Step 2: Run experiments with a dummy repo to resolve the security problems.
>>
>> Don't ever run security experiments with production data. Put production
>> data online only after you know that all security problems have been
>> resolved.
>
> Good points! My repo currently being downloaded by whomever is a testProj
> with absolutely nothing of value in it.
>
>
>>> svn_logfile:
>>> [19/Aug/2013:00:46:32 +0000] - checkout-or-export / r1 depth=infinity
>>
>> This does not look good at all. It's quite possible that someone else has
>> downloaded your repository. The access_log file may tell you the IP address
>> from which the request was made; with luck it's the one you were
>> experimenting with and the time stamp matches your access.
>>
>>> access_log
>>> 93.174.93.213 - - [19/Aug/2013:07:23:50 +0000] "GET
>>> /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 319 "-" "ZmEu"
>>
>> If you watch access_log over time, as I do, you will see these sorts of
>> probes constantly. Too many to list, they are meant to check for known
>> vulnerabilities in older versions of Apache or tools installed (SQL
>> administration, PHP administration, etc.). These will never go away. Get
>> used to them. They should all fail; if not then you have other security
>> problems to fix.
>
> OK. Getting used to common log entries is important.
>
>
>>> error_log
>>> [Mon Aug 19 07:23:51 2013] [error] [client 93.174.93.213] File does not
>>> exist: /var/www/html/MyAdmin
>>>
>>>
>>> This doesn't look good at all. My Location directive follows below. The
>>> /etc/svn-auth.htdigest exists and appears to be valid. My goal is to set up
>>> the repo, serve it via Apache, provide access to only a small number of
>>> people that I approve, use cmd-line svn and do so securely.
>>
>> These are standard goals.
>
> Good. I mention them in hopes it whittles down in advance any suggestions
> you might have. E.g.: the red-bean book has quite a lot to say about tunneling
> svnserve, which is not germane to my setup.
>
>
>>> This is my first brush with Apache, OpenSSL, and general server config.
>>> Thanks in advance for your suggestions! BTW, I'm not subscribed and would
>>> appreciate being cc'd on any replies.
>>> Scott
>>>
>>>
>>>
>>> <Location /svn>
>>>   DAV svn
>>>   SVNParentPath /var/svn
>>>
>>>   # Authentication: Digest
>>>   AuthName "Subversion repository"
>>>   AuthType Digest
>>>   AuthUserFile /etc/svn-auth.htdigest
>>>
>>>   # Authorization: Authenticated users only
>>>   Require valid-user
>>> </Location>
>>>
>>>
>>
>> How many repositories do you have? You shouldn't use SVNParentPath if you
>> have only one repository; use SVNPath. I don't know if that is the direct
>> cause of your problem, but you should fix it.
>
> I chose to use SVNParentPath on purpose. As soon as I have a secure, working
> server config, I'll be hosting multiple repos. Daniel and Thomas, thanks for
> your suggestions.
>
>
>> You can also try working with AuthType Basic, creating passwords with
>> /usr/sbin/htpasswd, until you figure things out. I have more experience
>> with that than AuthType Digest, so I can't help you there.
>
> I'll try that to see what I discover; but ultimately my research so far
> points to Digest mode being more secure.
>
> Thanks for the suggestions!
> Scott
>
>
>
>
>>
>> --
>> David Chapman dcchap...@acm.org
>> Chapman Consulting -- San Jose, CA
>> Software Development Done Right.
>> www.chapman-consulting-sj.com
>>
>
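A defender-side check for the situation discussed in the thread, added here as an example (it is not code from the thread or from the Subversion project): it assumes svn_logfile was written with the red-bean book's `CustomLog "%t %u %{SVN-ACTION}e"` format, so a `-` in the second field means the action ran with no authenticated user, and it correlates such actions with access_log (Common Log Format) by timestamp to recover the client IP, which is what the reply above suggests looking for. All log lines and IP addresses below are constructed samples.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines modelled on the formats quoted in the thread (not real log data).
SVN_LOG = """\
[19/Aug/2013:00:46:32 +0000] - checkout-or-export / r1 depth=infinity
[19/Aug/2013:09:05:11 +0000] scott commit r2
"""
ACCESS_LOG = """\
198.51.100.7 - - [19/Aug/2013:00:46:31 +0000] "OPTIONS /svn/testProj HTTP/1.1" 200 188 "-" "SVN/1.6.1"
198.51.100.7 - - [19/Aug/2013:00:46:32 +0000] "REPORT /svn/testProj/!svn/vcc/default HTTP/1.1" 200 4120 "-" "SVN/1.6.1"
203.0.113.9 - - [19/Aug/2013:07:23:50 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 319 "-" "ZmEu"
198.51.100.7 - scott [19/Aug/2013:09:05:11 +0000] "MERGE /svn/testProj HTTP/1.1" 200 512 "-" "SVN/1.6.1"
"""

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumed svn_logfile layout: [timestamp] remote-user svn-action
SVN_RE = re.compile(r"^\[([^\]]+)\] (\S+) (.*)$")
# Common Log Format: ip ident remote-user [timestamp] "request" ...
ACCESS_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "([^"]*)"')

def parse_svn_log(text):
    """Yield (timestamp, user, action) tuples from svn_logfile lines."""
    for line in text.splitlines():
        m = SVN_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), TS_FMT), m.group(2), m.group(3)

def parse_access_log(text):
    """Yield (timestamp, client_ip, user, request) tuples from access_log lines."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if m:
            yield datetime.strptime(m.group(3), TS_FMT), m.group(1), m.group(2), m.group(4)

def anonymous_svn_actions(svn_text, access_text, window_seconds=5):
    """Return SVN actions logged without an authenticated user ('-'), each with
    the client IPs that hit /svn/ in access_log within window_seconds of it."""
    access = list(parse_access_log(access_text))
    window = timedelta(seconds=window_seconds)
    findings = []
    for ts, user, action in parse_svn_log(svn_text):
        if user != "-":
            continue  # authenticated request; 'Require valid-user' did its job
        ips = sorted({ip for ats, ip, _, req in access
                      if abs(ats - ts) <= window and "/svn/" in req})
        findings.append({"time": ts.isoformat(), "action": action, "client_ips": ips})
    return findings

if __name__ == "__main__":
    for f in anonymous_svn_actions(SVN_LOG, ACCESS_LOG):
        print(f"UNAUTHENTICATED {f['time']} {f['action']} from {f['client_ips']}")
```

On a real server, feed it the actual svn_logfile and access_log and treat any hit as confirmation that the Location block is not enforcing authentication for that request path.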