Such traffic might include authentication information, proprietary business information, personnel data, and many other kinds of sensitive data.

• The intruder cannot get to internal hosts, or obtain detailed information about them.

The Sacrificial Lamb configuration guards against these two threats, and keeps the Web server isolated from the internal network and its traffic.

Tip: In this configuration, it is wise to turn off source routing at the router. This way, the Web server host cannot be used to forward packets to hosts in the internal network.

Caution: Some people like putting the Web server behind the firewall. In such a configuration, the firewall becomes the gateway for both the internal LAN and for Web traffic, and the firewall configuration becomes complex. I believe that such complexity can lead to security holes in the firewall, which defeats its purpose.

The Paranoid Configuration

This configuration is for Apache administrators who are paranoid about security. It is the most restrictive configuration among the configurations discussed in this chapter. Here is what I consider a paranoid configuration for Apache:

• No Common Gateway Interface (CGI) script support. As mentioned before, CGI scripts are typically the cause of most Web security incidents and therefore they have no place in a paranoid configuration.

• No SSI support. Similar to CGI scripts, SSI pages are often problematic and therefore have no place in a paranoid configuration.

• No per-user Web sites. Using the http://www.domain.com/~username URL scheme introduces many security issues, such as a user not taking appropriate cautions to reduce the risk of exposing file system information to the rest of the world, user mistakes making nonpublic disk areas of the server publicly accessible, and the like. So per-user Web sites have no place in a paranoid configuration.

• No status information via the Web. Apache provides a status module that offers valuable status information about the server via the Web. This information can give clues to vandals if they have access to it. The paranoid way to make sure they don't have access to such information is to not have the module installed in the first place.

[Page 511: Chapter 18, Web Security]

The paranoid configuration can be achieved by using the following configuration command:

./configure --prefix=/home/apache \
    --disable-module=include \
    --disable-module=cgi \
    --disable-module=userdir \
    --disable-module=status

After you have run the above configuration command from the src directory of the Apache source distribution, you can make and install Apache (in /home/apache) with the paranoid configuration.

Tip: Many paranoid administrators have been seen to run Apache on nonstandard ports such as 8080 or 9000. If you want to run Apache on such ports, change the Port directive in httpd.conf. However, be warned that vandals usually use port scanner software to detect HTTP ports, and that using nonstandard ports makes good users work harder because they have to type the :port number (http://www.domain.com:port/) at the end of the very first URL used to enter your Web site.

Protecting Your Web Contents

Your Web contents are your assets, and as such they need to be protected from vandalism and hack attacks. A poor or missing content publishing policy can result in security risks for your contents. In this section I discuss a content publishing policy with a security focus. If some of your Web contents should not be indexed by Web search engines (that is, their robots), you may also find the robot or spider program control techniques discussed here useful.

Content-publishing guidelines

Creating a content-publishing policy is one thing and enforcing it is another. After you have created your own publishing policy, discuss it with the people who should be using it. Get their feedback on each policy item and, if necessary, refine your policy to make it useful.

Content publishers and script developers should know and adhere to the following guidelines:

• Whenever storing a content file, such as an HTML file, image file, sound file, video clip, and so on, the publisher must ensure that the file is readable by the Web server (that is, the username specified for the User directive). No one but the publisher-user should be permitted write access to the files and directory.

[Page 512: Part IV, Securing Your Web Site]

• Any file or directory that cannot be displayed directly in the Web browser because it contains information that is indirectly accessed by an application or script should not be located in a DocumentRoot-specified directory. For example, if one of your scripts needs to access a data file that should not be directly accessed from the Web, do not keep the data file inside the document tree. Keep the file outside the document tree and have your script access it from there, because even if there is no link to such files from any other viewable content, they may still be accessible to others.

• Any temporary files created by dynamic-content generators, such as CGI applications, should reside in a single subdirectory where the generators have write access. This directory must be kept outside the content area to ensure that a bug in the application does not mistakenly wipe out any existing content file. In other words, do not have a Web server-writable directory within your document tree. This ensures that a bug in a script does not accidentally write over an existing file in the document tree.

• To enforce clear copyright on the content, there should be both visible and embedded copyright notices on the content pages. The embedded copyright message should be kept at the beginning of a document, if possible. For example, in an HTML file, you can use a pair of comment tags to embed the copyright message at the beginning of the file, so that an HTML comment carrying the notice is embedded in each page. If you plan to update your copyright messages often, you might consider an SSI solution using the #include directive.

• If you have a great deal of graphical content (images) that you want to protect from copyright theft, consider using watermarking technology. This technology invisibly embeds information in images to protect the copyright. The idea is that if you detect a site using your graphical contents without permission, you might be able to verify the theft by looking at the hidden information. If the information matches your watermark ID, you can clearly identify the thief and proceed with legal action. The strength of the currently available watermarking tools is questionable, as many programs can easily remove the original copyright owner's watermarks.
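The script below is an added example, not code from the book: it turns two of the rules in this chapter into checks an administrator can run. check_paranoid_build reads the output of httpd -l (Apache 1.3 lists its compiled-in modules that way) and reports any of the four modules the paranoid ./configure command above was meant to leave out, so you can confirm the build really lacks them. audit_docroot walks a document tree and reports entries that break the publishing guidelines: anything writable by group or others (a server-writable location inside the document tree), and any regular file the server user cannot read. The httpd -l listing and the directory tree it runs against are constructed for the demonstration; the paths /home/apache/bin/httpd and /home/apache/htdocs mentioned in the comments follow the --prefix used above and are assumptions. It also assumes the Apache User is an account other than root and the publisher, so the server reads content through the "other" permission bits.

```shell
#!/bin/sh
# Added example, not from the book: two checks for the hardening described in
# this chapter. check_paranoid_build reads "httpd -l" output (Apache 1.3 lists
# its compiled-in modules that way) and reports any module the paranoid
# ./configure command was meant to leave out; audit_docroot walks a document
# tree and reports entries that break the publishing guidelines. The listing
# and the directory tree below are constructed for the demonstration. Assumes
# the Apache User is neither root nor the publisher, so the server reads
# content through the "other" permission bits.

# One entry per --disable-module flag in the paranoid configure command.
FORBIDDEN_MODULES="mod_include.c mod_cgi.c mod_userdir.c mod_status.c"

# check_paranoid_build < listing   (e.g. /home/apache/bin/httpd -l | check_paranoid_build)
# Prints each forbidden module present in the listing; returns 0 if none is.
check_paranoid_build() {
    listing=$(cat)
    status=0
    for m in $FORBIDDEN_MODULES; do
        # strip indentation, then match the whole line exactly
        if printf '%s\n' "$listing" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
           grep -qxF "$m"; then
            echo "COMPILED IN: $m"
            status=1
        fi
    done
    return $status
}

# audit_docroot DOCROOT   (e.g. audit_docroot /home/apache/htdocs)
#   WRITABLE <path>    writable by group or others: the server user (or any
#                      local user) could alter or overwrite content
#   UNREADABLE <path>  regular file without the other-read bit: unservable
audit_docroot() {
    find "$1" \( -perm -020 -o -perm -002 \) -print | sed 's/^/WRITABLE /'
    find "$1" -type f ! -perm -004 -print | sed 's/^/UNREADABLE /'
}

# count_violations DOCROOT: number of lines audit_docroot reports
count_violations() {
    audit_docroot "$1" | wc -l | tr -d ' '
}

# Constructed sample: what a default (non-paranoid) Apache 1.3 build lists.
sample_default_build() {
    cat <<'EOF'
Compiled-in modules:
  http_core.c
  mod_env.c
  mod_log_config.c
  mod_mime.c
  mod_status.c
  mod_include.c
  mod_autoindex.c
  mod_dir.c
  mod_cgi.c
  mod_userdir.c
  mod_alias.c
  mod_access.c
  mod_auth.c
  mod_setenvif.c
EOF
}

# Constructed sample: the same listing after the four --disable-module flags.
sample_paranoid_build() {
    sample_default_build | grep -v -E 'mod_(include|cgi|userdir|status)\.c'
}

# Constructed sample document tree; prints the temporary root it created.
make_sample_tree() {
    root=$(mktemp -d)
    umask 022
    mkdir -p "$root/htdocs/images" "$root/htdocs/upload"
    echo '<html></html>' > "$root/htdocs/index.html"   # 0644: fine
    echo 'gif' > "$root/htdocs/images/logo.gif"        # 0644: fine
    echo 'draft' > "$root/htdocs/private.html"
    chmod 0600 "$root/htdocs/private.html"             # UNREADABLE by the server
    chmod 0777 "$root/htdocs/upload"                   # WRITABLE directory in the tree
    echo "$root"
}

main() {
    echo "== default build =="
    sample_default_build | check_paranoid_build || echo "-> not paranoid"
    echo "== paranoid build =="
    if sample_paranoid_build | check_paranoid_build; then echo "-> clean"; fi
    root=$(make_sample_tree)
    echo "== document tree =="
    audit_docroot "$root/htdocs"
    echo "violations: $(count_violations "$root/htdocs")"   # 2
    rm -rf "$root"
}
main
```

The permission tests use only POSIX find primaries (-perm -020, -perm -002, -perm -004), so the audit runs on any Unix. Group-writable entries are flagged as well as world-writable ones, because the guideline is that nobody but the publisher has write access; if your publishing workflow deliberately uses a shared group, narrow the first find to -perm -002.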