Solved

File permissions security questions

Posted on 2004-08-03
7
344 Views
Last Modified: 2010-05-18
I am planning to set up a spider trap that will automatically add all bad robots IPs to my .htaccess file. The problem is that in order to achieve that, I will need to make my .htaccess file word-writable (together with another directory which will usually stay empty). Naturally, I don't feel comfortable with that. The .htaccess file is made non-readable for web browsers via httpd.conf (deny from all), but I assume it would still be an unsafe arrangement. Any ideas how I can make it safer without recompiling apache?
0
Comment
Question by:yosmc
7 Comments
 
LVL 23

Accepted Solution

by:
Mysidia earned 250 total points
ID: 11712367
Instead of having a web script edit your .htaccess file, have the script add their host to a special "data file"
that only contains a list of hostnames that were detected and possibly timestamps

And you setup a cron job to periodically verify the integrity of the "bad hosts file", and update the .htaccess file to ban the new hosts if its timestamp is newer than the .htaccess file.

And there are other ways like Unix sockets and IPC.
0
 
LVL 23

Expert Comment

by:Mysidia
ID: 11712382
Another alternative is to run scripts setuid... or use apache SuExec to run CGI scripts and the 'User' directive in the
server's httpd.conf so the scripts for certain hosts run as a different user.
See http://httpd.apache.org/docs/suexec.html
0
 
LVL 40

Expert Comment

by:jlevie
ID: 11712385
Have the "spider trap" drop the bad IP's into a file and run a job from cron, say every 5 minutes, that retrieves any found IP's and adds them to the .htaccess file. The cron job would run as the user that owns the .htaccess file and thus it wouldn't need to be world writable.

Another approach would be to have the "spider trap" write the IP's to a FIFO implemented in say Perl that modifies the .htaccess file.
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 
LVL 51

Expert Comment

by:ahoffmann
ID: 11713862
chmod 400 .htaccess

then write a script which does (pseudo code follows):
  chmod 600 .htaccess && echo "deny from IP" >> .htaccess; chmod 400 .htaccess

run this scipt as the same user as apache runs, probaly with cron as jlevie suggested
0
 
LVL 16

Expert Comment

by:xDamox
ID: 11758546
why not make your script store the IP somewere and have a crontab
add the IPs to the file :) that way it will be more secure
0
 
LVL 23

Expert Comment

by:Mysidia
ID: 11760319
Few/none of these methods ensures that it's impossible for a third party to inject ip addresses into your ban list, if that's one of the attack models you need to secure against, then you need to use SuExec or a script setuid to a user others can't access or something similar in order to create a privilege isolation between your web scripts and any CGI scripts run/created by other users.

(Or configure apache so only trusted users can deploy CGI scripts)

note that things like 'chmod 600 file && write && chmod 400 file' create a race condition... not that mode 400 as oposed to 600 provides any assurance security, it provides none against any attack model where the user is able to run arbitrary code as the Apache user: like anyone who can deploy their own CGI scripts on the system can.

As for cron script reading a list of ips collected by the web script, here's a possibility...

#!/usr/bin/perl

my %badips;

# New badips list, to be writable by the web script
my $new_badip_file = '/home/blah/new_badips.dat';

# Stored database
my $old_badip_file = '/home/blah/banned_ips.dat';

read_badips($new_badip_file);
read_badips($old_badip_file);
write_badips($old_badip_file);

write_htaccess("/path/to/.htaccess.new");

sub write_htaccess
{
  my $file = shift;
  my $temp = $file . ".tmp$$";

  open HTACCESS, ">$temp" || die "Unable to open $temp";
  print HTACCESS q/
      <LIMIT GET POST>
        order deny, allow
  /;

  for(keys %badips) {
      print HTACCESS "deny from " . $_ . "\n";
  }

  print HTACCESS q%
       </LIMIT>
  %;

  close HTACCESS;
  rename $temp, $file;
}

sub read_badips
{
  my $file = shift;
  open IPS, $file || die "Unable to open file $file";

  while ($line = <IPS>)
  {
     chomp($line);
     if ($line =~ /^([0-9]+\.){3,}[0-9]+$/) {
         $badips{$line} = 1;
     }
  }
  close IPS;
}


sub write_badips
{
    my $out = shift;
    my $temp = "$out" . ".tmp$$";
    open(IPS, ">$temp") || die "Unable to open file $temp";

    for(keys %badips) {
        print IPS $_ . "\n";
    }
    close IPS;
    rename $temp, $out;
}

0
 

Author Comment

by:yosmc
ID: 11916591
Just an update that I am still working on the problem (and thanks for the suggestions so far). I was a little reluctant to enable .htaccess files (I'm the only user and I normally put everything into httpd.conf - makes things faster), so I was looking into perl modules (Apache::BlockAgent, Apache::BlockIP), but unfortunately couldn't get them to work.

Now I'm still looking into my options (maybe there are other more current modules; I also saw an approach that uses mySQL - but should I waste database resources to keep out the bots?) which is why I can't say yet which method for adding IPs will work best.
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How to use Rainbow Tables 6 91
Using Htacces to block a link 2 90
Restricting root logins to ESXi from certain subnets? 4 79
wipe a usb using python 5 25
​Being a Managed Services Provider (MSP) has presented you  with challenges in the past— and by meeting those challenges you’ve reaped the rewards of success.  In 2014, challenges and rewards remain; but as the Internet and business environment evol…
Hello EE, Today we will learn how to send all your network traffic through Tor which is useful to get around censorship and being tracked all together to a certain degree. This article assumes you will be using Linux, have a minimal knowledge of …
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now