LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 03-06-2005, 03:36 PM   #1
linuxfanatics
Idea on how to improve apache security at www.linuxfanatics.org


This is a copy of an email sent to the Apache Group to improve the security of their web server. There has been no reply from them so far. Please go over this document and if you find this idea useful we might be able to get the folks at the Apache Group to pay attention.




Date: 1/16/2005 23:44:20 -0500
From: "webmaster@linuxfanatics.org" <webmaster@linuxfanatics.org>
Reply-to: webmaster@linuxfanatics.org
To: apache@apache.org
CC: webmaster@linuxfanatics.org
Subject: suggestion for improvement
First of all I would like to congratulate all the persons collaborating with the Apache Group for making such a reliable and great product.

I am a software developer and webmaster of linuxfanatics.org, a site still under development which hopefully will be a good Linux resource for everything Linux related and more, and especially for how-to's with a step-by-step approach where pros and beginners alike will be delighted.

The scenario I am thinking of is a private PHP application, not available to the general public, but which must be available nevertheless over the internet to company users or other users that must have access to such a web-enabled application [this scenario is not very uncommon by the way in business settings].

As far as I know, by default a web server answers all requests with either a valid page or some kind of error.

What I am proposing here is a web server which replies ONLY when the user knows in advance which web page they need and in which 'secret' [more on this later] folder it is located.

Let's pretend we have the following file structure on the web server.


a) /var/www

b) /var/www/xy179239Pya3Aik/index.php

Here /xy179239Pya3Aik/ is the 'secret' folder name.

Apache is serving pages from root folder a). However for the application to be secure there will NEVER be any page available on the root folder.
When the user browses to b) xy179239Pya3Aik/index.php the index page will be returned.

If a cracker or any other non-authorized user hits the root server NO documents will be served by default. There will be no listings of the root folder [or maybe any other folder] under any circumstance; in other words, the 'secret' folder will be invisible unless you know how to get there. Also, there will be no error codes for bad requests like 404 error codes, etc.

To further improve on this idea web browsers will have to be modified so that when printing from within browser there will be no url shown at the bottom of the page, so that only company users know how to get to the url.

Should you guys decide to implement this idea the only way [theoretically] for a cracker to break a web server configured as described above would be to physically go into your company and take a look at the 'secret' folder [something which your regular cracker and script kiddie is very unlikely to do] or for someone to get this information from someone within the company. Also, maybe there could be a way so that the browser does not display 'secret' folders in the address bar.

This setup could be described as "I'll give what you want ONLY if you tell me where it is".

Also, there may be a way where some folders are public, while others are protected by a 'secret' folder as mentioned before.

I will be very pleased to know what you think about this and whether this is something that could be implemented.

Thanks,


Juan Carlos

webmaster@linuxfanatics.org


P.S. Just securing a folder with a username and password will not work in this scenario because the user must be validated using information stored in a MySQL table and because of the way SESSION variables must be accessed by the application.

I was thinking that if something like this could be implemented Denial of Service attacks against payment processors or similar companies could be diminished because they will only provide the 'secret' folder to the companies they need to deal with.

Again, thanks for taking the time to read this. Take care.
 
Old 03-06-2005, 04:14 PM   #2
Bruce Hill
Will be glad to see you banned from LQ for breaking the rules at will -- posting the same advertisement in 4 forums...
 
Old 03-06-2005, 04:45 PM   #3
Capt_Caveman
I imagine that you could implement this on the current Apache platform by turning off indexing and suppressing error code generation. For what it's worth, your http server would be pretty non-compliant with RFC specifications, so the likelihood of Apache implementing something like that is pretty low. Also I don't really see this as a better alternative to any of the current authentication and access control features that are currently available in Apache. I also don't understand what you're getting at with the comment about username/passwords and MySQL. Apache has several authentication mechanisms that don't require a database at all.

//Moderator note: This thread looks like one big advertisement in the guise of a question. Continued advertising on our site will result in banning. So please avoid posting unnecessary urls. A small link in your signature is acceptable.

http://www.linuxquestions.org/rules.php
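An added example, not code from either poster, of what the reply above describes: an httpd 2.4 configuration that only hides the folder the way the post proposes, beside one that uses Apache's own authentication and access control. The paths come from the post; the htpasswd file location and the client network range are assumptions.

```apache
# Added example, not from either poster. Assumes Apache httpd 2.4 directive
# syntax, the paths from the post, and an htpasswd file at /etc/httpd/app.htpasswd.

# 1) Obscurity only: a 'secret' folder, no listings, same error body everywhere.
DocumentRoot "/var/www"

<Directory "/var/www">
    # Never emit a directory listing, and serve nothing from the root itself.
    Options -Indexes
    Require all denied
</Directory>

<Directory "/var/www/xy179239Pya3Aik">
    # The 'secret' folder is the only thing served.
    Require all granted
</Directory>

# Give every error the same body. The status line (403 or 404) is still sent:
# HTTP has no "no reply" response, so error codes can be made uniform but not
# suppressed, and the access log and Referer headers still record the path.
ErrorDocument 403 "Not found"
ErrorDocument 404 "Not found"

# 2) Access control: the folder name can be public; the check is the
#    credential and the client network, not knowledge of the path.
<Directory "/var/www/app">
    Options -Indexes
    AuthType Basic
    AuthName "Private application"
    # Password file created with: htpasswd -c /etc/httpd/app.htpasswd <user>
    AuthUserFile "/etc/httpd/app.htpasswd"
    # Require both a valid login and a source address in the company range
    # (203.0.113.0/24 is a documentation range, a placeholder for the real one).
    <RequireAll>
        Require valid-user
        Require ip 203.0.113.0/24
    </RequireAll>
</Directory>
```

The second variant needs mod_auth_basic, mod_authn_file, mod_authz_user and mod_authz_host loaded; httpd rejects trailing comments on directive lines, which is why every comment sits on its own line.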