[thelist] Red Hat / Apache / General Security Reviews?

Joe Crawford jcrawford at avencom.com
Sun Apr 22 13:16:30 CDT 2001


Daniel J. Cody wrote:
> One thing you wanna make sure you have turned off is the
> 'IncludesNOEXEC' option of the <directory> directive. If you have that
> enabled, someone could upload a CGI script(e.g. perl script) that could
> let them do all sorts of nasty things..

This might have been something I did when I made Apache more flexible. I
forget the options I chose exactly.

> Also, are you sure it was apache that got cracked? Do you have anything
> else on that box(DNS, NFS, rsync, MySQL) that could have allowed the
> crackers to get in? Apache itself is very secure when config'd properly..

The things I *know* we were running were apache (with php and mysql support
folded in), mysql, samba, sendmail (but locked down to the outside). But no,
I don't think we know what route we took in. But the proximity in time
(add virtual host to apache, 2 hours later box hacked) makes me suspicious.
But this is not verified at all.

> Give some more details and we'll track it down :)

Thanks djc -- and also Anthony - will be passing those links along
internally to our admin. Looks like really good tips to keep current.

As always, appreciate the heck out of this list.

    - Joe Crawford <http://artlung.com/>
