https://community.hpe.com/t5/operating-system-linux/own-cgi-scripts-and-security-by-apache-2/m-p/3262634#M11745 hi Stuart<BR /><BR />and where can I find "cgiwrap" ?<BR /><BR />greetings<BR />chris Fri, 30 Apr 2004 18:35:29 GMT 'chris' 2004-04-30T18:35:29Z https://community.hpe.com/t5/operating-system-linux/own-cgi-scripts-and-security-by-apache-2/m-p/3262630#M11741 hi<BR /><BR />I have linux SuSE 8.2 with Apache 2<BR />and I've setup many virtual server<BR /><BR />following example:<BR /><BR /><VIRTUALHOST x.x.x.x=""><BR />DocumentRoot "/srv/www/htdocs"<BR />ServerName domain.com:80<BR />Scriptalias /cgi-bin/ "/srv/www/cgi-bin/"<BR /></VIRTUALHOST><BR /><BR />how to secure cgi ?<BR /><BR />kind regards<BR />chris Thu, 29 Apr 2004 05:54:55 GMT https://community.hpe.com/t5/operating-system-linux/own-cgi-scripts-and-security-by-apache-2/m-p/3262630#M11741 'chris' 2004-04-29T05:54:55Z https://community.hpe.com/t5/operating-system-linux/own-cgi-scripts-and-security-by-apache-2/m-p/3262631#M11742 What do you meant with "secure cgi" ?<BR /><BR />Peace, R.<BR /> Thu, 29 Apr 2004 07:40:13 GMT https://community.hpe.com/t5/operating-system-linux/own-cgi-scripts-and-security-by-apache-2/m-p/3262631#M11742 Roberto Polli 2004-04-29T07:40:13Z https://community.hpe.com/t5/operating-system-linux/own-cgi-scripts-and-security-by-apache-2/m-p/3262632#M11743 Step 1:<BR /><BR />make sure permissions on the scripts in the cgi-bin directory are as stingy as possible. chmod a+x *<BR />chmod o-w *<BR />chmod a+r *<BR /><BR />that o-w statment makes sure the world outside your server can't change them. If they can change them, the spammers WILL use the scripts to send spam mail.<BR /><BR />Step 2<BR /><BR />Have a robots.txt file<BR /><BR />It looks like this.<BR /><BR />User-agent: * <BR />Disallow: /cgi-bin<BR />Disallow: /server-cgi<BR />Disallow: /images<BR /><BR />This prevents people from directly executing, your cgi scripts without running the form that is supposed to call it in a post/get.<BR /><BR />If they try and use them directly and they will with names like hostform.cgi and form.cgi and formail.cgi it will show up in the httpd error log.<BR /><BR />At that point you can process those logs into firewall entries and keep the spammers off your servers.<BR /><BR />SEP Thu, 29 Apr 2004 09:40:14 GMT https://community.hpe.com/t5/operating-system-linux/own-cgi-scripts-and-security-by-apache-2/m-p/3262632#M11743 Steven E. Protter 2004-04-29T09:40:14Z https://community.hpe.com/t5/operating-system-linux/own-cgi-scripts-and-security-by-apache-2/m-p/3262633#M11744 You might also want to look into 'cgiwrap' to get users to be able to create/own their own.. Thu, 29 Apr 2004 20:40:42 GMT https://community.hpe.com/t5/operating-system-linux/own-cgi-scripts-and-security-by-apache-2/m-p/3262633#M11744 Stuart Browne 2004-04-29T20:40:42Z https://community.hpe.com/t5/operating-system-linux/own-cgi-scripts-and-security-by-apache-2/m-p/3262634#M11745 hi Stuart<BR /><BR />and where can I find "cgiwrap" ?<BR /><BR />greetings<BR />chris Fri, 30 Apr 2004 18:35:29 GMT https://community.hpe.com/t5/operating-system-linux/own-cgi-scripts-and-security-by-apache-2/m-p/3262634#M11745 'chris' 2004-04-30T18:35:29Z https://community.hpe.com/t5/operating-system-linux/own-cgi-scripts-and-security-by-apache-2/m-p/3262635#M11746 <A href="http://cgiwrap.unixtools.org/" target="_blank">http://cgiwrap.unixtools.org/</A> Sat, 01 May 2004 08:58:28 GMT https://community.hpe.com/t5/operating-system-linux/own-cgi-scripts-and-security-by-apache-2/m-p/3262635#M11746 Stuart Browne 2004-05-01T08:58:28Z