How to lock your server in a best effort against hackers?

vbgunz
Joined: 02 Feb 2003
Posts: 615
Location: Florida

Posted: Tue Feb 18, 2003 9:49 pm    Post subject: How to lock your server in a best effort against hackers?

I would like for everyone to input as best they can a security method which should protect as much as possible against hackers... Here's a question to help lead the direction. Please participate to help others knowledgeable against the threats of attack...

I've just done a count of the folders in my public and alias directories and I've got 1,723 directories with 17,550 files...

Can you imagine trying to password protect everything *yet* still allow access to certain pages? It sounds like a daunting task and I am wondering if anyone has implemented some really good tight security onto their server... Would anybody be kind enough to reveal their secrets that will help block anybody from trying to access any file not explicitly permissioned?

Abyss is great but somewhat does what I wish in reverse... You can't really protect everything and *yet* allow access to certain directories or better yet files alone... You can only protect directories but within some of the directories are files which should be made public and within some directories are files which should remain private...

Any suggestions, ideas and comments are welcomed... Thank you for reading this thread :)
_________________
Victor B. Gonzalez
http://aeonserv.com
Dark Raver
Joined: 20 Feb 2003
Posts: 4
Location: Ont, Canada

Posted: Thu Feb 20, 2003 11:28 pm

You want to restrict access to a folder but allow access to certain folders or files within it? But you don't want to do it one item at a time?
Don't get me wrong, but those contradict each other.

I think the security is just fine; if you restrict access to a folder then everything inside that folder should be restricted.

Why don't you just create a private and a public area?
It might require you to move things around but makes for a simple solution.
vbgunz
Joined: 02 Feb 2003
Posts: 615
Location: Florida

Posted: Thu Feb 20, 2003 11:58 pm

This is a real life scenario...

htdocs/base/fort/frontline

Believe this or not some scripts require sensitive data in the base folder while making the frontline folder public...

You're semi right in what you said... But sometimes there's sensitive data right in the same directory that cannot be moved...

I know it sounds weird but it's true... I am just looking for more ways than one to skin a cat...

My point though is how many ways are there to secure your server? Inside and outside tactics are welcomed. I'd like to hear it all. It doesn't just have to be what Abyss can provide but can count on third party tools and scripts if necessary...
_________________
Victor B. Gonzalez
http://aeonserv.com
Pulsar is Here
Joined: 23 Feb 2003
Posts: 1
Location: ME

Posted: Sun Feb 23, 2003 1:37 am    Post subject: read this

8O All you hafta do is take and make yourself a webpage saying that this folder is not accessible from here or something, and then name it either index.htm or index.html.
Put it in all the folders that do not have a file named one of those (if it has one you shouldn't need to add another, so in the main folder with your index.htm/.html as the main page don't add one...).
Now if they try to go into your /cgi-bin/ and look thru ur files and stuff they will receive that error once it loads that file.

LIKE SAY: you have a cgi file or something you want to make private only to you or select friends. Because it is a cgi you will need to put it in the /cgi-bin/. Now let's say it is an Instant Message script. Make a folder inside of the /cgi-bin/ named InstantMessage. Now with the instant message script usually comes a folder that is named data or something like that. Inside this data file is a list that the cgi script will use to recognize the SN of the user and password. So you will put an index.html inside that data folder. I like to do this because they might think they are exploiting by searching the cgi-bin or whatever, but in reality if you actually know somewhat what you are doing and what the files are then you will know what folder will need protected.

Now with all this said and done... give your friends a link to the im sign on page and tell them to remember the directory... example: www.heyther.com/cgi-bin/InstantMessange/im.cgi
Now if ppl try to use the directory searching to find personal data or something that don't need to be given out they will have no way to know it is there.
vbgunz
Joined: 02 Feb 2003
Posts: 615
Location: Florida

Posted: Sun Feb 23, 2003 6:02 pm

Hey that sounds like a good idea... Do you think if I add a file named "44magnitudehxz.html" to the Abyss index files and then add that file to folders that do not contain an index file of any kind (asp, php, etc) it'll serve just like the blank index file you're talking about?

I am interested in any security tricks anybody else is implementing. After all I am just in search of ideas and suggestions... Thanks for that one Pulsar... I am going to check on that... ;)
_________________
Victor B. Gonzalez
http://aeonserv.com
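
An audit for the placeholder-index approach from the last two posts, added here as an example and not code posted by anyone in the thread: it walks a document root, reports directories that have no index file, and lists the non-index files that sit behind a placeholder. The index-name list and the sample tree are assumptions built from the names mentioned in the thread.

```python
import os
import tempfile

# Index names the server is assumed to look for; the last one is the custom
# name proposed in the thread.
INDEX_NAMES = ("index.htm", "index.html", "44magnitudehxz.html")

def audit(docroot, index_names=INDEX_NAMES):
    """Return (listable_dirs, unlisted_files), both relative to docroot.

    listable_dirs : directories with no index file, where a server that
                    auto-generates listings would show the contents.
    unlisted_files: non-index files in directories that do have an index
                    file; kept out of a listing, but not access-controlled.
    """
    listable_dirs, unlisted_files = [], []
    for current, subdirs, files in os.walk(docroot):
        subdirs.sort()  # deterministic traversal order
        rel = os.path.relpath(current, docroot).replace(os.sep, "/")
        if not set(index_names) & set(files):
            listable_dirs.append(rel)
            continue
        for name in sorted(files):
            if name not in index_names:
                unlisted_files.append(name if rel == "." else f"{rel}/{name}")
    return listable_dirs, unlisted_files

def build_sample_tree():
    """Create a constructed document root modelled on the paths in the thread."""
    root = tempfile.mkdtemp(prefix="docroot-")
    for path in (
        "index.html",
        "cgi-bin/InstantMessage/im.cgi",
        "cgi-bin/InstantMessage/data/index.html",
        "cgi-bin/InstantMessage/data/users.txt",
        "base/fort/frontline/44magnitudehxz.html",
    ):
        full = os.path.join(root, *path.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("constructed sample\n")
    return root

if __name__ == "__main__":
    listable, unlisted = audit(build_sample_tree())
    print("directories without an index file:", listable)
    print("files hidden from listings but still served:", unlisted)
```

The second list is the review queue: a placeholder index only suppresses the directory listing, so anything in that list which is sensitive still needs an access rule or a location outside the document root.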