
own cgi scripts and security by Apache 2

 
'chris'
Super Advisor

own cgi scripts and security by Apache 2

Hi,

I have Linux SuSE 8.2 with Apache 2
and I've set up many virtual servers,

following this example:


DocumentRoot "/srv/www/htdocs"
ServerName domain.com:80
ScriptAlias /cgi-bin/ "/srv/www/cgi-bin/"


How to secure CGI?

kind regards
chris
Roberto Polli
Trusted Contributor

Re: own cgi scripts and security by Apache 2

What do you mean by "secure cgi"?

Peace, R.
Steven E. Protter
Exalted Contributor
Solution

Re: own cgi scripts and security by Apache 2

Step 1:

Make sure permissions on the scripts in the cgi-bin directory are as stingy as possible.

chmod a+x *
chmod o-w *
chmod a+r *

That o-w statement makes sure the world outside your server can't change them. If they can change them, the spammers WILL use the scripts to send spam mail.

Step 2

Have a robots.txt file

It looks like this.

User-agent: *
Disallow: /cgi-bin
Disallow: /server-cgi
Disallow: /images

This prevents people from directly executing your cgi scripts without running the form that is supposed to call it in a post/get.

If they try and use them directly, and they will, with names like hostform.cgi and form.cgi and formail.cgi, it will show up in the httpd error log.

At that point you can process those logs into firewall entries and keep the spammers off your servers.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
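
The log-processing step described in the reply above, as an added example that is not part of the original post: it scans error_log lines for clients that requested several distinct CGI scripts that do not exist, validates each address, and renders iptables rules for review. The Apache 2.0 "script not found or unable to stat" message format, the threshold of 3, the function names and the sample lines are assumptions; the sample data is constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in Apache 2.0 error_log format (documentation-range IPs).
SAMPLE_LOG = """\
[Tue Sep 02 10:15:01 2003] [error] [client 192.0.2.10] script not found or unable to stat: /srv/www/cgi-bin/formail.cgi
[Tue Sep 02 10:15:03 2003] [error] [client 192.0.2.10] script not found or unable to stat: /srv/www/cgi-bin/form.cgi
[Tue Sep 02 10:15:04 2003] [error] [client 192.0.2.10] script not found or unable to stat: /srv/www/cgi-bin/hostform.cgi
[Tue Sep 02 10:20:44 2003] [error] [client 198.51.100.7] script not found or unable to stat: /srv/www/cgi-bin/guestbook.cgi
[Tue Sep 02 10:21:00 2003] [error] [client 203.0.113.5] File does not exist: /srv/www/htdocs/favicon.ico
[Tue Sep 02 10:22:10 2003] [error] [client 999.1.1.1] script not found or unable to stat: /srv/www/cgi-bin/form.cgi
"""

MISSING_SCRIPT = re.compile(
    r"\[error\] \[client ([^\]]+)\] script not found or unable to stat: (\S+)"
)


def probing_clients(log_text, threshold=3, allowlist=()):
    """Return sorted client IPs that requested >= threshold distinct missing scripts."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        match = MISSING_SCRIPT.search(line)
        if not match:
            continue
        try:
            # Validate before the value goes anywhere near a firewall command.
            ip = str(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue
        if ip not in allowlist:
            seen[ip].add(match.group(2))
    return sorted(ip for ip, scripts in seen.items() if len(scripts) >= threshold)


def firewall_rules(ips):
    """Render one iptables DROP rule per address, for review before applying."""
    return [f"iptables -A INPUT -s {ip} -p tcp --dport 80 -j DROP" for ip in ips]


if __name__ == "__main__":
    for rule in firewall_rules(probing_clients(SAMPLE_LOG)):
        print(rule)
```

Put your own monitoring and proxy addresses in `allowlist`, since a single broken link would otherwise count toward the threshold for a legitimate client.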
Stuart Browne
Honored Contributor

Re: own cgi scripts and security by Apache 2

You might also want to look into 'cgiwrap' to get users to be able to create/own their own..
One long-haired git at your service...
'chris'
Super Advisor

Re: own cgi scripts and security by Apache 2

Hi Stuart,

And where can I find "cgiwrap"?

greetings
chris
Stuart Browne
Honored Contributor

Re: own cgi scripts and security by Apache 2

http://cgiwrap.unixtools.org/
One long-haired git at your service...