Solved

Big problem

Posted on 2004-04-15
Last Modified: 2010-04-20
Hi Experts,

I accidentally found that when I open the site as http://myip/ without a directory and page name, it opens up my root and all directories under it :))) BTW, it is our production server that I did not set up...some guy did :))) So the question is, how do I make sure that it will be protected in the future? For any directory, of course.

Thank you.
Question by:fpoyavo
17 Comments
 
LVL 17

Expert Comment

by:owensleftfoot
ID: 10837283
That is a major screwup. You probably need to change the DocumentRoot option in /etc/httpd.conf.
However, even if you change the DocumentRoot option, the user Apache (I assume you are using Apache?) runs as still shouldn't have access to your /root directory.
 
LVL 9

Expert Comment

by:Alf666
ID: 10837367
Owens,

I think that this person mentions "/" when he says root, and not "/root".

It looks like the person who did the setup added some virtual hosts and screwed up the default site setup.
Owens is right. Just change the DocumentRoot directive to any place where there's nothing.
Also do the same with the cgi-bin dir if it's aliased.
 
LVL 1

Author Comment

by:fpoyavo
ID: 10837717
Yep. It is not /; it is the root of Tomcat / Apache.
 
LVL 1

Author Comment

by:fpoyavo
ID: 10837784
Hm....DocumentRoot is already pointing to a place where there's not much to look at.

What else could I check?
 
LVL 17

Expert Comment

by:owensleftfoot
ID: 10837832
"DocumentRoot is already pointing to place where not much to look at."

Where is it pointing to?
 
LVL 1

Author Comment

by:fpoyavo
ID: 10837847
To opt/myapplication/www
 
LVL 1

Author Comment

by:fpoyavo
ID: 10837894
Correction,

The only directories and files that are in danger are the ones exposed when you do:

http://myip:8080/sample/

Here the app is located in opt/myapplication/tomcat/webapps/sample

Thank you.
 
LVL 5

Expert Comment

by:willy134
ID: 10837991
For a quick start, put an index.html in your root directory. It can be empty:

touch index.html

That will block quite a bit of accidental use.
LVL 1

Author Comment

by:fpoyavo
ID: 10838274
What about when somebody attempts to run a crawler against my server? Is there a way to make the site protected?
 
LVL 1

Author Comment

by:fpoyavo
ID: 10838456
willy134,

You were right, but I had to place this index.html in every folder of the application. Is there a way to make it easier?

Thank you.
 
LVL 1

Author Comment

by:fpoyavo
ID: 10838491
Another surprise I found today...:))) Oh man, I used a free tool to make a site mirror (that's what they call it)....basically you can point it at any IP and get everything
and more from there if it is not properly protected. Just for fun I pointed it at our production site...Oh yeeee, I got the code, files and my manager's personal record :))))) too

Guys, just tell me, is there any way to make me sleep in peace tonight and, oh well, this Server boy too?

Thank you.
 
LVL 17

Expert Comment

by:owensleftfoot
ID: 10840197
 
LVL 12

Accepted Solution

by:
stefan73 earned 500 total points
ID: 10841327
Hi fpoyavo,
> I have gotten code, files and my manager's personal record :)))))

Not good at all. Even if you prohibit directory listings (as most comments suggest), this is security by obscurity only. NEVER, EVER rely on this.

Check that your web server is password protected (see http://httpd.apache.org/docs/howto/auth.html).

Re-think your architecture approach. A web server alone is not a suitable place to store confidential information. When you can read your boss' record, anyone else can.

Cheers,
Stefan
 
LVL 12

Expert Comment

by:stefan73
ID: 10841366
Use explicit permissions based on IPs in your .htaccess file (Beware: IPs can be spoofed!):

# Deny everyone first, then let the listed addresses through. With
# "Order allow,deny" the final "deny from all" would be evaluated last
# and reject every client, including the allowed ones.
Order deny,allow
Deny from all
Allow from 123.45.6.7
Allow from 012.34.5.

 
LVL 1

Author Comment

by:fpoyavo
ID: 10843900
stefan73,

I have tried to set up the password file and create .htaccess, but it is still not protected :(( I used the link from the Apache site and did it step by step,
restarted Apache and nothing....I can still access everything everywhere without a password????

Maybe I am missing some point?

Thank you.
 
LVL 5

Expert Comment

by:willy134
ID: 10844611
I did realize that adding the index.html files would not lead to total absolution, but it is a quick way to deter small peeping toms.

What does your httpd.conf look like? You should be able to easily move the root location to somewhere else. Are you sure it is reading the right httpd.conf? Can you look at the logs and verify this? I haven't read my logs for a while, but it might state where it reads its config.

/var/log/httpd
Look at the init script: does it point to a different httpd.conf?
/etc/init.d/httpd

Does it have an httpd2.conf....
 
LVL 1

Author Comment

by:fpoyavo
ID: 10845139
The conf file can be found in: http://www.experts-exchange.com/Security/Linux_Security/Q_20955960.html

I was looking into /var/log/httpd ------- DOES NOT EXIST
                          /etc/init.d/httpd ----- DOES NOT EXIST

Is that good or bad?
