Posted to users@httpd.apache.org by Patrick Donker <li...@webpagina.nu> on 2005/05/29 16:12:15 UTC

[users@httpd] Best way to host scripts

Guys,

What is the best way, security wise, to host cgi, perl or php scripts? 
Should I start using a jail or are there other ways to keep my server 
from being a worm or spam platform. Links to howtos or other threads are 
most welcomed.
Thanks
-Patrick

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Best way to host scripts

Posted by Abu Hurayrah <ab...@almaghrib.org>.

Patrick Donker wrote:

> Abu Hurayrah wrote:
>
>> Patrick Donker wrote:
>>
>>> Guys,
>>>
>>> What is the best way, security wise, to host cgi, perl or php 
>>> scripts? Should I start using a jail or are there other ways to keep 
>>> my server from being a worm or spam platform. Links to howtos or 
>>> other threads are most welcomed.
>>> Thanks
>>> -Patrick
>>>
>>>
>> What exactly do you mean by hosting your scripts?  Are you referring 
>> to where to put them on your server, physically, in relation to your 
>> DOCUMENT_ROOT?
>>
>> Also, if the script is going to be useful, it's going to be 
>> accessible from the web, so it doesn't really matter where you host 
>> them on your server, as they'll all be equally visible in order to be 
>> executable.
>>
>> Lastly, some of these scripting engines, such as PHP, have a "safe 
>> mode" feature that helps to prevent common exploits, but that is only 
>> effective if you are running an unsafe setup in the first place, and 
>> moreover, is oftentimes very restrictive to most scripts.
>>
>> Let us know some of these details, and maybe we can help out some more.
>
>
> Right, ok, maybe I should've given more info.
> Well then, it mostly concerns mailto forms accessible from the web or 
> other feedback scripts. Maybe lookup or data entry scripts into a mysql 
> database. Clearly there shouldn't be very much of a problem running 
> scripts that are called from html pages, as in dynamic contents. What 
> you could think of is clients making an online calculation and 
> submitting this through email as an order. Sounds like a shopping cart 
> kinda script, but such a broad application isn't needed. What I would 
> like to know is what the best approach is to secure a server to avoid 
> it becoming a launch platform for all sorts of nasty things.
> Lastly I'd like to know how to avoid people peeking into data of other 
> vhosts that might be running on the same server. I'm not very keen on 
> running different instances; I'd like to keep things as simple as 
> possible. I'm not a big time isp or something, I just host some small 
> websites for small companies, but now they have asked me if it is 
> possible to make their sites somewhat interactive.
> I hope that it is clearer now what I mean. If not, please say so 
> and I'll try to elaborate more.
> Thanks
> Patrick
>
Well, what you're asking essentially amounts to "how do I secure my 
server", which is a really involved question.  Some simple guidelines, 
however, are the following (and I hope others will elaborate, as I'm not 
a security expert):

1)  Check ALL data types - do not assume anything submitted to your 
script is already well-formed.  Check for both value and type, if necessary.
2)  Fail safe - that is, if your script should fail, let it fail in a 
non-catastrophic way.  To do this, you should only execute AFTER 
confirming that a value is what it should be.  Also, let your default 
case be one of safety, and not one of trusting input data.  If you pass 
filenames as a URL parameter (not very smart in the first place), then 
ensure that the filename belongs to a list of acceptable names first, 
and then continue processing.  For example, "if not in ( array( 
'index.php', 'home.php', 'contact.php' ) ) exit(); else continue" - I 
hope my pseudocode was understandable.
3)  Be careful of resource usage - this is one way a malicious attacker 
can wreak havoc acting "normal" - be mindful of how much processing time 
a script takes, any database connections that need to be made, how much 
memory is consumed, etc.
4)  Read up on Apache's security information: 
http://httpd.apache.org/docs-2.0/misc/security_tips.html (this is for 
2.0, read the documentation for your appropriate version first).

The issues you brought up seem unlikely unless your script explicitly 
allows them - for example, your concern of "people peeking into data 
of other vhosts" etc...how would that happen exactly?
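
Guidelines 1 and 2 from the reply above, as an added PHP example (not code from the thread or from any poster): an allowlist check for a page parameter and fail-safe validation of mail-form fields. The function names, the 1-100 quantity range and the 500-character note limit are assumptions, and the sample inputs are constructed.

```php
<?php
// Added example. All names and limits here are hypothetical.
const ALLOWED_PAGES = ['index.php', 'home.php', 'contact.php'];

// Return the requested page only if it is on the allowlist; otherwise null.
function resolve_page($requested): ?string
{
    if (!is_string($requested)) {
        return null;                    // e.g. ?page[]=x arrives as an array
    }
    // Strict comparison: no type juggling, and no path components can match.
    return in_array($requested, ALLOWED_PAGES, true) ? $requested : null;
}

// Validate an order form. Returns cleaned values, or null as the safe default.
function validate_order(array $in): ?array
{
    $email = $in['email'] ?? null;
    $qty   = $in['quantity'] ?? null;
    $note  = $in['note'] ?? '';
    if (!is_string($email) || !is_string($qty) || !is_string($note)) {
        return null;
    }
    // A CR or LF in a value that ends up in a mail header lets the client
    // append headers of its own (extra recipients), so reject it outright.
    if (preg_match('/[\r\n]/', $email)
        || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // Check type and range, not just presence.
    $qty = filter_var($qty, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100]]);
    if ($qty === false || strlen($note) > 500) {
        return null;
    }
    return ['email' => $email, 'quantity' => $qty, 'note' => $note];
}

// Constructed sample inputs, standing in for $_GET and $_POST.
var_dump(resolve_page('contact.php'));
var_dump(resolve_page('secret.php'));
var_dump(validate_order(['email' => "a@example.com\r\nBcc: b@example.net",
                         'quantity' => '2']));
var_dump(validate_order(['email' => 'a@example.com', 'quantity' => '2',
                         'note' => 'call first']));
```

A caller acts only on a non-null result and stops otherwise, so anything unexpected falls through to the refusing branch.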



Re: [users@httpd] Best way to host scripts

Posted by Patrick Donker <li...@webpagina.nu>.
Abu Hurayrah wrote:

> Patrick Donker wrote:
>
>> Guys,
>>
>> What is the best way, security wise, to host cgi, perl or php 
>> scripts? Should I start using a jail or are there other ways to keep 
>> my server from being a worm or spam platform. Links to howtos or 
>> other threads are most welcomed.
>> Thanks
>> -Patrick
>>
>>
> What exactly do you mean by hosting your scripts?  Are you referring 
> to where to put them on your server, physically, in relation to your 
> DOCUMENT_ROOT?
>
> Also, if the script is going to be useful, it's going to be accessible 
> from the web, so it doesn't really matter where you host them on your 
> server, as they'll all be equally visible in order to be executable.
>
> Lastly, some of these scripting engines, such as PHP, have a "safe 
> mode" feature that helps to prevent common exploits, but that is only 
> effective if you are running an unsafe setup in the first place, and 
> moreover, is oftentimes very restrictive to most scripts.
>
> Let us know some of these details, and maybe we can help out some more.

Right, ok, maybe I should've given more info.
Well then, it mostly concerns mailto forms accessible from the web or 
other feedback scripts. Maybe lookup or data entry scripts into a mysql 
database. Clearly there shouldn't be very much of a problem running 
scripts that are called from html pages, as in dynamic contents. What 
you could think of is clients making an online calculation and 
submitting this through email as an order. Sounds like a shopping cart 
kinda script, but such a broad application isn't needed. What I would 
like to know is what the best approach is to secure a server to avoid it 
becoming a launch platform for all sorts of nasty things.
Lastly I'd like to know how to avoid people peeking into data of other 
vhosts that might be running on the same server. I'm not very keen on 
running different instances; I'd like to keep things as simple as 
possible. I'm not a big time isp or something, I just host some small 
websites for small companies, but now they have asked me if it is possible 
to make their sites somewhat interactive.
I hope that it is clearer now what I mean. If not, please say so 
and I'll try to elaborate more.
Thanks
Patrick



Re: [users@httpd] Best way to host scripts

Posted by Abu Hurayrah <ab...@almaghrib.org>.
Patrick Donker wrote:

> Guys,
>
> What is the best way, security wise, to host cgi, perl or php scripts? 
> Should I start using a jail or are there other ways to keep my server 
> from being a worm or spam platform. Links to howtos or other threads 
> are most welcomed.
> Thanks
> -Patrick
>
What exactly do you mean by hosting your scripts?  Are you referring to 
where to put them on your server, physically, in relation to your 
DOCUMENT_ROOT?

Also, if the script is going to be useful, it's going to be accessible 
from the web, so it doesn't really matter where you host them on your 
server, as they'll all be equally visible in order to be executable.

Lastly, some of these scripting engines, such as PHP, have a "safe mode" 
feature that helps to prevent common exploits, but that is only 
effective if you are running an unsafe setup in the first place, and 
moreover, is oftentimes very restrictive to most scripts.

Let us know some of these details, and maybe we can help out some more.



RE: [users@httpd] Best way to host scripts

Posted by Jacob Miller <ja...@denjak.com>.
I was trying to do the same thing.  I settled on running one apache per
virtualhost, and proxying them through the main virtualhost.  This way each
apache only has permission to use its own files, and only one server is
compromised if someone writes a security hole into their php/perl scripts.
You will have to run each apache as a different user.
Jake

-----Original Message-----
From: Patrick Donker [mailto:list@webpagina.nu] 
Sent: Sunday, May 29, 2005 10:12 AM
To: users@httpd.apache.org
Subject: [users@httpd] Best way to host scripts


Guys,

What is the best way, security wise, to host cgi, perl or php scripts? 
Should I start using a jail or are there other ways to keep my server 
from being a worm or spam platform. Links to howtos or other threads are 
most welcomed.
Thanks
-Patrick
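
The one-instance-per-virtual-host layout described in the reply above, as an added configuration sketch (not Jacob Miller's actual configuration): hostnames, ports, account names and paths are hypothetical, and mod_proxy with mod_proxy_http is assumed to be loaded in the front-end instance.

```apache
# ===== File 1: front-end instance (hypothetical path /etc/httpd/frontend.conf)
# Listens on port 80 and runs no customer scripts itself.
Listen 80

# Reverse proxying only; never act as an open forward proxy.
ProxyRequests Off

<VirtualHost *:80>
    ServerName customer-a.example
    # Pass the original Host header through to the back end.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8081/
    ProxyPassReverse / http://127.0.0.1:8081/
</VirtualHost>

<VirtualHost *:80>
    ServerName customer-b.example
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8082/
    ProxyPassReverse / http://127.0.0.1:8082/
</VirtualHost>

# ===== File 2: back end for customer A (hypothetical /etc/httpd/customer-a.conf)
# Started as its own process: httpd -f /etc/httpd/customer-a.conf
# Bound to loopback so it is reachable only through the front end.
Listen 127.0.0.1:8081

# Dedicated unprivileged account; customer B's instance uses a different one.
User  web-customer-a
Group web-customer-a

# Each instance needs its own pid file and logs.
PidFile  /var/run/httpd-customer-a.pid
ErrorLog /var/log/httpd/customer-a-error.log

ServerName   customer-a.example
DocumentRoot /srv/www/customer-a/htdocs

# The document root is owned by web-customer-a with no access for "other"
# (for example mode 750), so scripts running as web-customer-b cannot read it.
<Directory /srv/www/customer-a/htdocs>
    Options None
    AllowOverride None
</Directory>
```

Customer B's back end repeats file 2 with its own port (8082 here), account, pid file, log and document root.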
