[linux-help] Re: web server security

To: linux-help@xxxxxxxxx
Subject: [linux-help] Re: web server security
From: Jeff Schaller <schaller@xxxxxxxxxxxxx>
Date: Mon, 31 Jul 2000 11:32:30 -0500 (CDT)
Reply-to: linux-help@xxxxxxxxx

On Mon, 31 Jul 2000, John Reinke wrote:

> I finally sat down and learned how to set up htaccess and htpasswd for
> password protecting web pages. While it shouldn't have surprised me, I
> hadn't realized that since the web server would have to read the web pages
> AND the password files, all these files must have 644 permissions. This is
> not good, since anyone with access to the system can access the supposedly
> password protected web pages!
> 
> Is there an alternative way to set this up to make it more secure? Are
> there any alternatives to htaccess for protecting web pages?

1) don't give shell accounts on the web server
2) run the web server as a particular user (not nobody, not root)
3) put the htpasswd file outside the doc root of the web server
4) don't run an FTP server on the web server (see Apache's
   defacement)
5) others...

-jeff
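
An added example, not part of the original post: a small audit for points 2 and 3 of the reply and the 644 concern in the question. It reports any `AuthUserFile` that lives inside the document root or is world-readable. The function name and the finding labels are made up for this sketch, and it assumes absolute `AuthUserFile` paths without spaces.

```shell
#!/bin/sh
# audit_htaccess DOCROOT
# Walk DOCROOT for .htaccess files, read each AuthUserFile directive and
# report password files that are missing, stored under DOCROOT (so the web
# server could hand them out), or readable by "other" (so any local account
# can copy the hashes). Exit status is 0 only when nothing is reported.
audit_htaccess() {
    docroot=$(cd "$1" && pwd -P) || return 2
    findings=0
    # Directive names are case-insensitive in Apache; quotes are optional.
    for pw in $(find "$docroot" -name .htaccess -type f -exec \
        awk 'tolower($1) == "authuserfile" { gsub(/"/, "", $2); print $2 }' {} +)
    do
        if [ ! -f "$pw" ]; then
            echo "MISSING $pw"
            findings=$((findings + 1))
            continue
        fi
        # Resolve symlinked directories before comparing with the doc root.
        real=$(cd "$(dirname "$pw")" && pwd -P)/$(basename "$pw")
        case "$real" in
            "$docroot"/*)
                echo "INSIDE_DOCROOT $pw"
                findings=$((findings + 1))
                ;;
        esac
        # -perm -004 matches when the other-read bit is set (644 does, 640 does not).
        if [ -n "$(find "$pw" -prune -perm -004)" ]; then
            echo "WORLD_READABLE $pw"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Example call (the path is a placeholder): audit_htaccess /path/to/docroot
```

A password file that passes both checks is typically owned by root, group-owned by the dedicated web server user's group, and mode 640, so the server can read it while other local accounts cannot.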



