LinuxQuestions.org - Idea on how to improve apache security at www.linuxfanatics.org

This is a copy of an email sent to the Apache Group to improve the security of their web server. There have been no reply from them so far. Please go over this document and if you find this idea useful we might be able to get the folks at the Apache Group to pay attention.

Date: 1/16/2005 23:44:20 -0500
From: "webmaster@linuxfanatics.org" <webmaster@linuxfanatics.org>
Reply-to: webmaster@linuxfanatics.org
To: apache@apache.org
CC: webmaster@linuxfanatics.org
Subject: suggestion for improvement
First of all I would like to congratulate all the persons collaborating with the Apache Group for making such a reliable and great product.

I am a software developer and webmaster of linuxfanatics.org a site still under development which hopefully will be a good linux resource for everything Linux related and more, and specially for how-to's with an step by step approach where pro's an beginners alike will be delighted.

The scenario I am thinking is a private PHP application, not available to the general public, but which must be available nevertheless over the internet to company users or other users that must have access to such web enable application [this scenario is not very uncommon by the way in business settings].

As far as I know, by default a web server answers all requests with either a valid page or some kind of error.

What I am proposing here is a web server which replies ONLY when user knows in advance which web page they need and in which 'secret' [more on this later] folder it is located.

Let's pretend we have the following file structure on the web server.

a) /var/www

b) /var/www/xy179239Pya3Aik/index.php

Here /xy179239Pya3Aik/ is the 'secret' folder name.

Apache is serving pages from root folder a). However for the application to be secure there will NEVER be any page available on the root folder.
When user browses to b) xy179239Pya3Aik/index.php the index page will be returned.

If a cracker or any other non-authorized user hits the root server NO documents will be server by default. There will be no listings of the root folder [or maybe any other folder] under any circumstance, in other words, the 'secret' folder will be invisible unless you know how to get there. Also, there will be no error codes for bad requests like 404 error codes, etc.

To further improve on this idea web browsers will have to be modified so that when printing from within browser there will be no url shown at the bottom of the page, so that only company users know how to get to the url.

Should you guys decide to implement this idea the only way [theoretically] for a cracker to break a web server configured as described above would be to physically go into your company and take a look at the'secret' folder [somehow which your regular cracker and script kiddie is very unlikely to do] or to someone get this information from someone within the company. Also, maybe there could be a way so that the browser does not display 'secret' folders in the address bar.

This setup could be described as "I'll give what you want ONLY if you tell me where it is" :).

Also, there may be a way where some folders are public, while other are protected by a 'secret' folder as mentioned before.

I will be very pleased to know what you think about this and whether
this is something that could be implemented.

Thanks,

Juan Carlos

webmaster@linuxfanatics.org

P.S. Just securing a folder with a username and password will not work in this scenario because user must be validated using information stored in a MySQL table and because of the way SESSION variables must be accessed by application.

I was thinking that if something like this could be implemented Denial of Service attacks against payment processors or similar companies could be diminished because they will only provide the 'secret' folder to the companies they need to deal with.

Again, thanks for taking the time to read this. Take care.