From: Trevor H. <tre...@th...> - 2006-09-17 10:05:15

Luke wrote:
> On Sun, 17 Sep 2006, GeorgeOsvald wrote:
>
>> I have had servers on line for the last three years. No problems so far. It
>> works very well for me. I asked a question some time ago during all the
>> commotion if anyone ever had any security breaches. So far zippo.
>
> I have had many servers on line for years as well. While I haven't, that
> I know of, had direct attacks against SL: almost from the week that
> our static IP addresses were assigned to machines, various machines have
> been under attack.
>
> The most common are attacks against apache (hard to prove), and definite
> attacks against our necessary public FTP server and name servers.
>
> I have no doubt that it is only a matter of time before SL gets attacked.
> SSL does not prevent it, and we can't really block based upon IP
> addresses, because of mobile client users.
> For the same reason, it is difficult to implement any kind of htaccess
> authorization scheme, unless I write one that interfaces with SL's
> existing authorization system.
>
> It is not always possible, or reasonable, to bullet-proof a server as you
> claim to have done.
>
> Luke

For clarification. A .htaccess file in /usr/local/sql-ledger containing something like:

    AuthType Basic
    AuthName "Accounts"
    AuthUserFile /var/www/passwd/passwords
    Require valid-user

Add a line in the sql-ledger-httpd.conf file under:

    <Directory /usr/local/sql-ledger>
        SSLRequireSSL

Create the usernames and passwords using Apache's htpasswd utility - stored in /var/www/passwd/passwords, referred to in the .htaccess file above. Choose sensible usernames and passwords - preferably different to those used for SQL-Ledger login.

Create a digital certificate, and make sure httpd/apache uses it.

Block port 80, open port 443.

This assumes you are using a recent version of Apache/httpd.

Or, for a lot of users, make httpd authenticate access against an LDAP or AD server.

You will have two usernames and passwords to enter to use SQL-Ledger, but your server will be much more secure.

Regards

Trevor Hennion
http://www.infocentrality.co.uk
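The .htaccess and SSLRequireSSL setup described in the mail above, as an added example that is not part of the original message or of SQL-Ledger: a POSIX shell script that writes both Apache fragments using the paths from the mail and then lints them, so a half-applied configuration (TLS required but the .htaccess silently ignored, or auth in place but port 80 still serving credentials in the clear) is caught before the server is reloaded. The `AllowOverride AuthConfig` line is an assumption added here, not something the mail states: Apache only honours Auth*/Require directives in a .htaccess when the enclosing Directory permits that override. The scratch directory is constructed for the demonstration; nothing is written to the live paths.

```shell
#!/bin/sh
# Added example, not from the original mail or from SQL-Ledger.
# Generates the two Apache fragments the mail describes and checks that,
# together, they enforce both controls: Basic auth and TLS-only access.
set -eu

SL_DIR="/usr/local/sql-ledger"            # SQL-Ledger directory named in the mail
PASSWD_FILE="/var/www/passwd/passwords"   # htpasswd file named in the mail

# .htaccess content exactly as recommended in the mail.
write_htaccess() {
    cat > "$1" <<EOF
AuthType Basic
AuthName "Accounts"
AuthUserFile $PASSWD_FILE
Require valid-user
EOF
}

# <Directory> block for sql-ledger-httpd.conf. SSLRequireSSL is from the mail;
# AllowOverride AuthConfig is the assumed extra line: without it Apache ignores
# the Auth*/Require directives in the .htaccess and no login prompt ever appears.
write_directory_block() {
    cat > "$1" <<EOF
<Directory $SL_DIR>
    SSLRequireSSL
    AllowOverride AuthConfig
</Directory>
EOF
}

# Lint the pair. Returns 0 only when every control is present; otherwise prints
# the first missing piece and returns 1.
check_protection() {
    htaccess="$1"
    conf="$2"
    grep -q '^AuthType Basic$' "$htaccess" \
        || { echo "missing: AuthType Basic"; return 1; }
    grep -q "^AuthUserFile $PASSWD_FILE$" "$htaccess" \
        || { echo "missing: AuthUserFile $PASSWD_FILE"; return 1; }
    grep -q '^Require valid-user$' "$htaccess" \
        || { echo "missing: Require valid-user"; return 1; }
    grep -q 'SSLRequireSSL' "$conf" \
        || { echo "missing: SSLRequireSSL (credentials could travel over port 80)"; return 1; }
    grep -Eq 'AllowOverride[[:space:]]+.*(AuthConfig|All)' "$conf" \
        || { echo "missing: AllowOverride AuthConfig (.htaccess auth would be ignored)"; return 1; }
    return 0
}

# Demonstration in a constructed scratch directory.
WORK="$(mktemp -d)"
write_htaccess "$WORK/.htaccess"
write_directory_block "$WORK/sql-ledger-httpd.conf"
if check_protection "$WORK/.htaccess" "$WORK/sql-ledger-httpd.conf"; then
    echo "ok: $SL_DIR would require TLS and a valid htpasswd user"
fi
# On the real server the password file is then created with Apache's utility:
#   htpasswd -c $PASSWD_FILE <username>   (-c only for the first user)
rm -rf "$WORK"
```

Running the checker against a conf that lacks AllowOverride reproduces the quiet failure mode: Apache starts cleanly, SSLRequireSSL is enforced, but the .htaccess is never consulted and the application is reachable with only its own SQL-Ledger login.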