security_tips.xml revision 4ab980a06412fd86f52a6d054fb7e26de155c530
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE manualpage SYSTEM "/style/manualpage.dtd">
<?xml-stylesheet type="text/xsl" href="/style/manual.en.xsl"?>

<manualpage>
 <relativepath href=".." />

 <title>Security Tips</title>

 <summary>
 <p>Some hints and tips on security issues in setting up a web server.
 Some of the suggestions will be general, others specific to Apache.</p>
 </summary>

 <section id="serverroot">

 <title>Permissions on ServerRoot Directories</title>

 <p>In typical operation, Apache is started by the root user, and it
 switches to the user defined by the <directive
 module="mpm_common">User</directive> directive to serve hits. As is the
 case with any command that root executes, you must take care that it is
 protected from modification by non-root users. Not only must the files
 themselves be writable only by root, but so must the directories, and
 the parents of all directories. For example, if you choose to place
 ServerRoot in /usr/local/apache then it is suggested that you create
 that directory as root, with commands like these:</p>

 <example>
 mkdir /usr/local/apache <br />
 cd /usr/local/apache <br />
 mkdir bin conf logs <br />
 chown 0 . bin conf logs <br />
 chgrp 0 . bin conf logs <br />
 chmod 755 . bin conf logs
 </example>

 <p>It is assumed that /, /usr, and /usr/local are only modifiable by
 root. When you install the httpd executable, you should ensure that
 it is similarly protected:</p>

 <example>
 cp httpd /usr/local/apache/bin <br />
 chown 0 /usr/local/apache/bin/httpd <br />
 chgrp 0 /usr/local/apache/bin/httpd <br />
 chmod 511 /usr/local/apache/bin/httpd
 </example>

 <p>You can create an htdocs subdirectory which is modifiable by other
 users, since root never executes any files out of there and shouldn't
 be creating files in there.</p>

 <p>If you allow non-root users to modify any files that root either
 executes or writes on, then you open your system to root compromises.
 For example, someone could replace the httpd binary so that the next
 time you start it, it will execute some arbitrary code. If the logs
 directory is writable (by a non-root user), someone could replace
 a log file with a symlink to some other system file, and then root
 might overwrite that file with arbitrary data. If the log files
 themselves are writable (by a non-root user), then someone may be
 able to overwrite the log itself with bogus data.</p>
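 <p>As an added illustration, not part of this document or of the httpd
 distribution, the following shell function checks an existing installation
 against the rules above: it walks from ServerRoot up to <code>/</code>,
 then through <code>bin</code>, <code>conf</code> and <code>logs</code>, and
 reports anything not owned by root, anything group- or world-writable, and
 any symlink. The <code>EXPECTED_UID</code> parameter and the finding tags
 are conventions of this example only.</p>

```shell
#!/bin/sh
# Added example (not from the Apache documentation): audit a ServerRoot
# tree against the rules above. Everything root executes or writes, the
# ServerRoot itself, each parent directory up to /, and bin/, conf/ and
# logs/ with their contents, must be owned by the expected uid and must
# not be writable by group or others. Symlinks inside those directories
# are reported separately: a log file replaced by a symlink makes root
# write to whatever the link points at.
#
# Usage: audit_serverroot SERVERROOT [EXPECTED_UID]
#   Prints one "TAG path" line per finding, nothing when clean; returns
#   1 if anything was found. EXPECTED_UID defaults to 0 (root) and is a
#   parameter only so the check can be tried against a scratch tree by
#   an unprivileged user.

# Paths given as arguments that are not owned by $uid or are group- or
# world-writable. Does not descend into them.
_unsafe_here() {
    find "$@" -prune \( ! -user "$uid" -o -perm -g+w -o -perm -o+w \) -print
}

# Same test, descending into the given directories. Symlinks are skipped
# here (their mode is always 777) and reported by _symlinks_in instead.
_unsafe_tree() {
    find "$@" ! -type l \( ! -user "$uid" -o -perm -g+w -o -perm -o+w \) -print
}

_symlinks_in() {
    find "$@" -type l -print
}

# _report TAG "lines": prefix each finding with TAG and count it.
_report() {
    [ -n "$2" ] || return 0
    printf '%s\n' "$2" | sed "s|^|$1 |"
    findings=$((findings + $(printf '%s\n' "$2" | wc -l)))
}

audit_serverroot() {
    uid=${2:-0}
    findings=0
    root=$(cd "$1" 2>/dev/null || exit 1; pwd -P) || {
        echo "NO_SUCH_DIR $1"; return 1; }

    # 1. The ServerRoot and every ancestor. A writable parent lets a user
    #    rename the whole tree away and put their own in its place.
    p=$root
    while :; do
        _report PARENT "$(_unsafe_here "$p")"
        if [ "$p" = / ]; then break; fi
        p=$(dirname "$p")
    done

    # 2. The directories root reads from or writes into, recursively.
    for d in bin conf logs; do
        if [ -d "$root/$d" ]; then
            _report WRITABLE_OR_NOT_OWNED "$(_unsafe_tree "$root/$d")"
            _report SYMLINK "$(_symlinks_in "$root/$d")"
        else
            _report MISSING "$root/$d"
        fi
    done

    [ "$findings" -eq 0 ]
}

# Run directly, e.g.:  sh audit_serverroot.sh /usr/local/apache
if [ $# -gt 0 ]; then audit_serverroot "$@"; fi
```

 <p>On a real host the walk up to <code>/</code> will usually flag
 <code>/tmp</code>-style world-writable directories only if ServerRoot was
 placed beneath one, which is itself the finding.</p>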

 </section>

 <section id="ssi">

 <title>Server Side Includes</title>

 <p>Server Side Includes (SSI) present a server administrator with
 several potential security risks.</p>

 <p>The first risk is the increased load on the server. All
 SSI-enabled files have to be parsed by Apache, whether or not
 there are any SSI directives included within the files. While this
 load increase is minor, in a shared server environment it can become
 significant.</p>

 <p>SSI files also pose the same risks that are associated with CGI
 scripts in general. Using the "exec cmd" element, SSI-enabled files
 can execute any CGI script or program under the permissions of the
 user and group Apache runs as, as configured in httpd.conf.</p>

 <p>There are ways to enhance the security of SSI files while still
 taking advantage of the benefits they provide.</p>

 <p>To isolate the damage a wayward SSI file can cause, a server
 administrator can enable <a href="/suexec.html">suexec</a> as
 described in the <a href="#cgi">CGI in General</a> section.</p>

 <p>Enabling SSI for files with .html or .htm extensions can be
 dangerous. This is especially true in a shared, or high traffic,
 server environment. SSI-enabled files should have a separate extension,
 such as the conventional .shtml. This helps keep server load at a
 minimum and allows for easier management of risk.</p>

 <p>Another solution is to disable the ability to run scripts and
 programs from SSI pages. To do this replace <code>Includes</code>
 with <code>IncludesNOEXEC</code> in the <directive
 module="core">Options</directive> directive. Note that users may
 still use <code>&lt;!--#include virtual="..." --&gt;</code> to execute
 CGI scripts if these scripts are in directories designated by a <directive
 module="mod_alias">ScriptAlias</directive> directive.</p>

 </section>

 <section id="cgi">

 <title>CGI in General</title>

 <p>First of all, you always have to remember that you must trust the
 writers of the CGI scripts/programs or your ability to spot potential
 security holes in CGI, whether they were deliberate or accidental. CGI
 scripts can run essentially arbitrary commands on your system with the
 permissions of the web server user and can therefore be extremely
 dangerous if they are not carefully checked.</p>

 <p>All the CGI scripts will run as the same user, so they have potential
 to conflict (accidentally or deliberately) with other scripts, e.g. User
 A hates User B, so he writes a script to trash User B's CGI database. One
 program which can be used to allow scripts to run as different users is
 <a href="/suexec.html">suEXEC</a>, which is included with Apache as of
 1.2 and is called from special hooks in the Apache server code. Another
 popular way of doing this is with
 <a href="http://cgiwrap.unixtools.org/">CGIWrap</a>.</p>

 </section>

 <section id="nsaliasedcgi">

 <title>Non Script Aliased CGI</title>

 <p>Allowing users to execute CGI scripts in any directory should only be
 considered if:</p>

 <ul>
 <li>You trust your users not to write scripts which will deliberately
 or accidentally expose your system to an attack.</li>
 <li>You consider security at your site to be so feeble in other areas
 as to make one more potential hole irrelevant.</li>
 <li>You have no users, and nobody ever visits your server.</li>
 </ul>

 </section>

 <section id="saliasedcgi">

 <title>Script Aliased CGI</title>

 <p>Limiting CGI to special directories gives the admin control over what
 goes into those directories. This is inevitably more secure than non
 script aliased CGI, but only if users with write access to the
 directories are trusted or the admin is willing to test each
 new CGI script/program for potential security holes.</p>

 <p>Most sites choose this option over the non script aliased CGI
 approach.</p>

 </section>

 <section id="systemsettings">

 <title>Protecting System Settings</title>

 <p>To run a really tight ship, you'll want to stop users from setting
 up <code>.htaccess</code> files which can override security features
 you've configured. Here's one way to do it.</p>

 <p>In the server configuration file, put</p>

 <example>
 &lt;Directory /&gt; <br />
 AllowOverride None <br />
 &lt;/Directory&gt;
 </example>

 <p>This prevents the use of <code>.htaccess</code> files in all
 directories apart from those specifically enabled.</p>

 </section>

 <section id="protectserverfiles">

 <title>Protect Server Files by Default</title>

 <p>One aspect of Apache which is occasionally misunderstood is the
 feature of default access. That is, unless you take steps to change it,
 if the server can find its way to a file through normal URL mapping
 rules, it can serve it to clients.</p>

 <p>For instance, consider the following example:</p>

 <example>
 # cd /; ln -s / public_html <br />
 Accessing <code>http://localhost/~root/</code>
 </example>

 <p>This would allow clients to walk through the entire filesystem. To
 work around this, add the following block to your server's
 configuration:</p>

 <example>
 &lt;Directory /&gt; <br />
 Order Deny,Allow <br />
 Deny from all <br />
 &lt;/Directory&gt;
 </example>

 <p>This will forbid default access to filesystem locations. Add
 appropriate <directive module="core">Directory</directive> blocks to
 allow access only in those areas you wish. For example,</p>

 <example>
 &lt;Directory /usr/users/*/public_html&gt; <br />
 Order Deny,Allow <br />
 Allow from all <br />
 &lt;/Directory&gt; <br />
 &lt;Directory /usr/local/httpd&gt; <br />
 Order Deny,Allow <br />
 Allow from all <br />
 &lt;/Directory&gt;
 </example>

 <p>Pay particular attention to the interactions of <directive
 module="core">Location</directive> and <directive
 module="core">Directory</directive> directives; for instance, even
 if <code>&lt;Directory /&gt;</code> denies access, a <code>
 &lt;Location /&gt;</code> directive might overturn it.</p>

 <p>Also be wary of playing games with the <directive
 module="mod_userdir">UserDir</directive> directive; setting it to
 something like "./" would have the same effect, for root, as the first
 example above. If you are using Apache 1.3 or above, we strongly
 recommend that you include the following line in your server
 configuration files:</p>

 <example>
 UserDir disabled root
 </example>

 </section>

 <section id="watchyourlogs">

 <title>Watching Your Logs</title>

 <p>To keep up-to-date with what is actually going on against your server
 you have to check the <a href="/logs.html">Log Files</a>. Even though
 the log files only report what has already happened, they will give you
 some understanding of what attacks are thrown against the server and
 allow you to check whether the necessary level of security is present.</p>

 <p>A couple of examples:</p>

 <example>
 grep -c "/jsp/source.jsp?/jsp/ /jsp/source.jsp??" access_log <br />
 grep "client denied" error_log | tail -n 10
 </example>

 <p>The first example will list the number of attacks trying to exploit the
 <a href="http://online.securityfocus.com/bid/4876/info/">Apache Tomcat
 Source.JSP Malformed Request Information Disclosure Vulnerability</a>;
 the second example will list the ten last denied clients, for example:</p>

 <example>
 [Thu Jul 11 17:18:39 2002] [error] [client foo.bar.com] client denied
 by server configuration: /usr/local/apache/htdocs/.htpasswd
 </example>

 <p>As you can see, the log files only report what has already happened, so
 if the client had been able to access the <code>.htpasswd</code> file you
 would have seen something similar to:</p>

 <example>
 foo.bar.com - - [12/Jul/2002:01:59:13 +0200] "GET /.htpasswd HTTP/1.1"
 </example>

 <p>in your <a href="/logs.html#accesslog">Access Log</a>. This means
 you probably commented out the following in your server configuration
 file:</p>

 <example>
 &lt;Files ~ "^\.ht"&gt; <br />
 Order allow,deny <br />
 Deny from all <br />
 &lt;/Files&gt;
 </example>
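 <p>As an added example, not part of this document, the two commands above
 can be wrapped into small helpers that summarise denied clients by host
 and flag any <code>.ht*</code> request that was actually answered with a
 2xx status, which is exactly the symptom of the missing
 <code>&lt;Files ~ "^\.ht"&gt;</code> block. The sample log lines are
 constructed for the example; the hostnames and paths in them are made up.</p>

```shell
#!/bin/sh
# Added example (not from the Apache documentation): the two greps above
# turned into small triage helpers. The sample log lines written by
# make_sample_logs are constructed for this example; the hostnames and
# paths in them are made up.

# denied_clients ERROR_LOG [N]: the N (default 10) clients most often
# refused with "client denied by server configuration", with counts.
denied_clients() {
    grep 'client denied by server configuration' "$1" |
        sed 's/.*\[client \([^]]*\)\].*/\1/' |
        sort | uniq -c | sort -rn | head -n "${2:-10}"
}

# served_htfiles ACCESS_LOG: requests for .ht* files answered with a 2xx
# status. In Common Log Format field 7 is the request path and field 9
# the status, so any line printed here means the Files block matching
# ^\.ht is missing or commented out and the server handed the file over.
served_htfiles() {
    awk 'index($7, "/.ht") { if ($9 ~ /^2/) print $1, $7, $9 }' "$1"
}

# make_sample_logs DIR: write constructed error_log and access_log files,
# in the same formats as the excerpts above, into DIR.
make_sample_logs() {
    printf '%s\n' \
'[Thu Jul 11 17:18:39 2002] [error] [client foo.bar.com] client denied by server configuration: /usr/local/apache/htdocs/.htpasswd' \
'[Thu Jul 11 17:18:41 2002] [error] [client foo.bar.com] client denied by server configuration: /usr/local/apache/htdocs/.htaccess' \
'[Thu Jul 11 17:20:02 2002] [error] [client scanner.example.net] client denied by server configuration: /usr/local/apache/htdocs/admin/' \
'[Thu Jul 11 17:21:00 2002] [notice] caught SIGTERM, shutting down' \
        > "$1/error_log"
    printf '%s\n' \
'foo.bar.com - - [12/Jul/2002:01:59:13 +0200] "GET /.htpasswd HTTP/1.1" 403 287' \
'foo.bar.com - - [12/Jul/2002:01:59:20 +0200] "GET /index.html HTTP/1.1" 200 1311' \
'scanner.example.net - - [12/Jul/2002:02:03:07 +0200] "GET /private/.htpasswd HTTP/1.1" 200 44' \
        > "$1/access_log"
}

# Run directly against a log directory:
#   sh watch_logs.sh /usr/local/apache/logs
if [ $# -gt 0 ]; then
    echo "== most-denied clients (error_log)"
    denied_clients "$1/error_log"
    echo "== .ht* files actually served (access_log); should be empty"
    served_htfiles "$1/access_log"
fi
```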

 </section>

</manualpage>