[GLLUG] apache security, file permissions and screen settings
Matt Graham
danceswithcrows at usa.net
Fri Dec 5 18:13:12 EST 2003
On Friday 05 December 2003 11:03, after a long battle with technology,
Seth Bembeneck wrote:
> I just checked my apache log and saw these entrees:
You have entrées in your logfiles? C'est bon; vous pourrez manger votre
fiches!
> 68.113.22.41 - - [04/Dec/2003:23:32:57 +0000] "GET
> /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir
> HTTP/1.0" 404 392 "-" "-"
[snip]
> Looks to me like someone trying to access my system, am I right?
Well, yeah, the access_log file keeps a record of all the documents
requested from the Apache webserver. This is some sort of Windows
worm, and no Apache running on Linux is vulnerable to this particular
worm, so I wouldn't worry about these particular requests.
> This made me start to question how secure my system is.
> Can anyone give any steps on how to make sure it is secure?
0. Unplug machine.
1. Discharge firearms at motherboard.
...There is no such thing as a totally secure machine. If it's
accessible over the network, a Real Hacker can find a way in given
enough time. Fortunately, Real Hackers generally have more
constructive things to do, and script kiddies, worms, and trojans cause
most of the real trouble.
You can minimize vulnerabilities by:
0. Turning off all unneeded services
1. Using ssh and scp instead of telnet and ftp
2. Keeping your software up to date--most distros release security
updates for various packages regularly
3. Using nmap and ethereal to check out your own system and see if you
see anything suspicious
4. Subscribing to some of the mailing lists about security on Bugtraq or
SecurityFocus--careful, some of these could be high-traffic or more
technical than you'd like
5. Using Tripwire or an equivalent piece of software that'll detect
unauthorized changes in executable files
> Any tests that can be run?
"chkrootkit" is quite useful if you think you might have a rootkit on
your machine.
> Second: File permissions (probably could also go under number 1):
> What should the permissions be for the /var/www/localhost/cgi-bin
> folder?
The user apache is running as must be able to access the directory, so
it probably needs to be 0755.
> For the scripts inside the folder?
They probably need the execute bit set.
> I just got an LCD monitor. How do I change the resolution and refresh
> rate for the x server?
LCDs behave as if they had a Vrefresh of 60 Hz. They have one native
resolution, which you typically want to use since everything else will
look fuzzy. However, if you want to run at a resolution different from
the LCD's native resolution, you may have to change the Hsync and Vsync
ranges to values far in excess of what the LCD can really do. (No
joke; I had to do that on my Thinkpad A22p to get it to work at
anything other than 1600x1200.) This doesn't harm the LCD or the
graphics chipset; the days of the killer poke are long gone.
You can edit your /etc/X11/XF86Config file directly and change the
values in the Monitor section to something else manually. There's also
an interactive tool called xvidtune that might help for generating
modelines, but it shouldn't be necessary with X's better grasp of DDC
now.
> For all of the above, I'm using Gentoo as my OS.
Excellent choice :-) .
--
*** Hire me! http://crow202.dyndns.org/~mhgraham/resume/
Hope is gone and she confessed / When you lay your dreams to rest
You can get what's second best / But it's hard to get enough...
--David Wilcox, "Eye of the Hurricane"
There is no Darkness in Eternity/But only Light too dim for us to see
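
Added example, not part of the original message: a small Python triage script for access_log entries like the one quoted above. It percent-decodes each request target until it stops changing, so the double-encoded `%255c` is seen as a backslash, and reports whether any such probe was answered with a 2xx status. The function names are hypothetical, and the second and third sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Apache common/combined log format: host ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)

def fully_decode(target, max_rounds=5):
    """Percent-decode until the string stops changing; return (text, rounds)."""
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(target)
        if decoded == target:
            break
        target, rounds = decoded, rounds + 1
    return target, rounds

def classify(line):
    """Return a finding dict for a suspicious request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded, rounds = fully_decode(m.group("target"))
    # Treat backslashes as separators, as a Windows web server would.
    path = decoded.split("?", 1)[0].replace("\\", "/").lower()
    reasons = []
    if rounds > 1:
        reasons.append("multi-encoded")
    if "/../" in path or path.endswith("/.."):
        reasons.append("traversal")
    if path.endswith("/cmd.exe"):
        reasons.append("cmd.exe")
    if not reasons:
        return None
    status = int(m.group("status"))
    return {"host": m.group("host"), "status": status,
            "served": 200 <= status < 300, "reasons": reasons}

def scan(lines):
    return [f for f in map(classify, lines) if f]

# First line is the entry quoted in the message; the others are constructed.
SAMPLE_LOG = [
    '68.113.22.41 - - [04/Dec/2003:23:32:57 +0000] "GET /_mem_bin/..%255c../..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 392 "-" "-"',
    '192.0.2.10 - - [04/Dec/2003:23:40:01 +0000] "GET /docs/my%20file.html HTTP/1.1" 200 5120 "-" "-"',
    '192.0.2.11 - - [04/Dec/2003:23:41:12 +0000] "GET /cgi-bin/status.cgi HTTP/1.1" 200 310 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding with `served` set to `True` is the one worth a closer look; the 404 in the quoted entry shows the request matched nothing on the server.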