fpoyavo
asked on
Big problem
Hi Experts,
I accidentally found that when I open the site as http://myip/ without a directory and page name, it opens up my root and all directories under it :))) BTW it is our production server that I did not set up... some guy did :))) So the question is how to make sure that it will be protected in the future? For any directory, of course.
Thank you.
Owens,
I think that this person mentions "/" when he says root, and not "/root".
It looks like the person who did the setup added some virtual hosts, and screwed up the default site setup.
Owens is right. Just change the DocumentRoot directive to any place where there's nothing.
Also do the same with the cgi-bin dir if it's aliased.
ASKER
Yep. It is not /, it is the root of Tomcat / Apache.
ASKER
Hm... DocumentRoot is already pointing to a place where there is not much to look at.
What else could I check?
"DocumentRoot is already pointing to a place where there is not much to look at."
Where is it pointing to?
ASKER
To opt/myapplication/www
ASKER
Correction,
The only directories and files that are in danger when you do:
http://myip:8080/sample/
Here myapp is located in opt/myapplication/tomcat/webapps/sample
Thank you.
For a quick start, put an index.html in your root directory. It can be empty.
touch index.html
That will block quite a bit of accidental use.
ASKER
What about when somebody attempts to run a crawler against my server? Is there a way to make the site protected?
ASKER
willy134,
You were right, but I had to place this index.html in every folder of the application. Is there a way to make it easier?
Thank you.
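As an added example (not part of the thread or of any poster's code): instead of dropping an index.html into each folder by hand, this script lists the directories that have no index file and flags Apache `Options` lines that switch automatic listings on, which `Options -Indexes` turns off. The index file names, the function names and the sample tree and config are assumptions constructed for the illustration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a web root and an Apache
# config for directory-listing exposure.

# Index file names assumed here; match them to the server's
# DirectoryIndex (Apache) or welcome-file-list (Tomcat) settings.
INDEX_NAMES="index.html index.htm index.jsp"

# Print each directory under $1 that has no index file, i.e. each
# directory the server would list while automatic listings are on.
listable_dirs() {
    find "$1" -type d | sort | while IFS= read -r dir; do
        found=no
        for name in $INDEX_NAMES; do
            if [ -f "$dir/$name" ]; then found=yes; break; fi
        done
        if [ "$found" = no ]; then printf '%s\n' "$dir"; fi
    done
}

# Print (with line numbers) uncommented Options lines in config file $1
# that switch listings on: "Indexes", "+Indexes" or "All".
# "-Indexes" is the hardened setting and is not reported.
listing_options() {
    grep -niE '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+\+?(Indexes|All)([[:space:]]|$)' "$1" || true
}

# Demo on a constructed tree and a constructed config (sample data only).
demo=$(mktemp -d)
mkdir -p "$demo/www/sample/WEB-INF" "$demo/www/docs"
touch "$demo/www/index.html" "$demo/www/docs/index.html"
printf '%s\n' '<Directory "/opt/myapplication/www">' \
    '    Options Indexes FollowSymLinks' '</Directory>' > "$demo/httpd.conf"
listable_dirs "$demo/www"
listing_options "$demo/httpd.conf"
rm -rf "$demo"
```

An empty result from both functions means no directory depends on a placeholder index file and no scanned `Options` line enables listings; Tomcat's own listing switch lives in its web.xml and is not covered by this check.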
ASKER
Another surprise I have found today...:))) o Man I used a free tool to make site mirroring (they call it so) ....basically you can point it to any IP and get everything
and more from there if it is not properly protected. Just for fun I have pointed to our production site...O yeeee I have gotten code, files and my manager's personal record :))))) too
Guys, just tell me, is there any way to make me sleep in peace tonight and ooo well this Server boy?
Thank you.
Have a look at http://www.javascriptkit.com/howto/htaccess.shtml
Use explicit permissions based on IPs in your .htaccess file (Beware: IPs can be spoofed!):
# Deny is evaluated first, then Allow, so the listed addresses override the blanket deny.
# (With "order allow,deny" the final "deny from all" would reject every client.)
order deny,allow
deny from all
allow from 123.45.6.7
allow from 012.34.5.
ASKER
stefan73,
I have tried to set a password file and create .htaccess, but it is still not protected :(( I have used the link from the Apache site and did it step by step,
restarted Apache and nothing... I can still access everything everywhere without a password????
Maybe I am missing some point?
Thank you.
I did realize that adding the index.html files would not lead to total absolution, but it is a quick way to deter small peeping toms.
What does your httpd.conf look like? You should be able to easily move the root location to somewhere else. Are you sure it is reading the right httpd.conf? Can you look at the logs and verify this? I haven't read my logs for a while but it might state where it reads its config.
/var/log/httpd
Look at the init script: does it point to a different httpd conf?
/etc/init.d/httpd
does it have a httpd2.conf....
ASKER
The conf file could be found in : https://www.experts-exchange.com/questions/20955960/BAD-BAD-THING.html
I was looking into /var/log/httpd ------- DOES NOT EXIST
/etc/init.d/httpd ----- DOES NOT EXIST
Is it good or bad ?
However, even if you change the DocumentRoot option, the user Apache (I assume you are using Apache?) is run as still shouldn't have access to your /root directory.