
Re: [META] Use of the list for non-Debian matters



> What are the security implications of a default installation of dwww?  My 
> understanding is that an http daemon must be active to use dwww.  Is this 
> correct?  I have yet to set up my own http servers on Linux boxes because 
> I am not confident in my understanding of the security issues.
> 
> Thanks.  Syrus.

Well, it's probably a good idea to restrict access to dwww to just your
PC or your local area network.  The dwww CGI script should not be an
issue (except if you have a version before 1.4.1, which had a minor
flaw, which could be major if you configured your CGI scripts to run
as root).

However, if an attacking party can view dwww, they can determine
what software packages are installed on your machine, and use that
information to search for vulnerabilities.  Theoretically, an
up-to-date Debian machine should have no vulnerabilities -- but that
might not be the case with brand new security bugs, misconfigured 
software, or a system that hasn't been updated for a while.

Restricting access to dwww is dependent on what web server you are 
running.

For Apache or NCSA, add the following to your configuration files:

<Directory /var/www>
order deny,allow
deny from all
allow from .jimpick.com
</Directory>

(replace the allow from clause with whatever is appropriate for
 your site)

I should add this information to dwww.

It would also be nice if dwww could automatically configure all
this for whatever web server is installed -- but then
we get the situation where the installation script is a larger program
than the program it is installing (if it isn't already).

Cheers,

 - Jim
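
The access block above is easy to get subtly wrong, so here is an added example (not part of Jim's post or of dwww/Apache) that models the Apache 1.x/2.2 mod_access rules for Order, Deny from and Allow from, and evaluates the posted block against two near-identical variants: one without "deny from all" (which, under Order deny,allow, lets everyone in, because that Order permits by default) and one with Order allow,deny (which locks out even jimpick.com hosts, because a client matching both lines is denied). Hostname patterns only match a name Apache has confirmed by a double-reverse DNS lookup, so the model takes the verified name as an argument and treats None as "no trusted name". The IP addresses, hostnames and the LAN config are constructed for the demonstration.

```python
"""Model of Apache 1.x/2.2 mod_access (Order / Deny from / Allow from).

Added illustration, re-implemented from the documented semantics; this is
not Apache's own code.  It lets you see who gets through a <Directory>
access block without standing up a web server.
"""
import ipaddress


def _in_domain(pattern, hostname):
    """Component-aligned suffix match as mod_access does it:
    '.jimpick.com' or 'jimpick.com' match desk.jimpick.com, never nojimpick.com."""
    p = pattern.lower()
    h = hostname.lower().rstrip(".")
    if not h.endswith(p):
        return False
    if len(h) == len(p):
        return True
    return p.startswith(".") or h[-len(p) - 1] == "."


def _matches(pattern, ip, verified_hostname):
    """Does one Allow/Deny pattern match this client?
    ip is an ipaddress object; verified_hostname is the client's name only when
    a double-reverse DNS lookup confirmed it (Apache's rule), otherwise None."""
    p = pattern.lower()
    if p == "all":
        return True
    if "/" in p:                                  # network/CIDR or network/netmask
        try:
            return ip in ipaddress.ip_network(p, strict=False)
        except ValueError:
            return False
    parts = p.rstrip(".").split(".")
    if all(part.isdigit() for part in parts):     # full or partial IPv4 address
        return str(ip).split(".")[: len(parts)] == parts
    if verified_hostname is None:                 # unverified names never match
        return False
    return _in_domain(p, verified_hostname)


def parse_access_block(text):
    """Pull Order/Deny/Allow directives out of a <Directory> block.
    Returns (order, [(kind, pattern), ...]).  Apache's default Order is Deny,Allow."""
    order, rules = "deny,allow", []
    for line in text.splitlines():
        words = line.split()
        if not words or words[0].startswith(("#", "<")):
            continue
        key = words[0].lower()
        if key == "order" and len(words) > 1:
            order = words[1].lower()
        elif key in ("deny", "allow") and len(words) > 2 and words[1].lower() == "from":
            rules.extend((key, pat) for pat in words[2:])
    return order, rules


def is_allowed(order, rules, client_ip, verified_hostname=None):
    """mod_access decision:
      Order Deny,Allow -> allowed unless a Deny matches and no Allow matches
      Order Allow,Deny -> denied unless an Allow matches and no Deny matches"""
    ip = ipaddress.ip_address(client_ip)
    denied = any(_matches(p, ip, verified_hostname) for k, p in rules if k == "deny")
    allowed = any(_matches(p, ip, verified_hostname) for k, p in rules if k == "allow")
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError("unknown Order: " + order)


def check(config, client_ip, verified_hostname=None):
    """Convenience wrapper: parse a block and decide for one client."""
    return is_allowed(*parse_access_block(config), client_ip, verified_hostname)


# The block from the post (copied here), plus two variants that look similar.
POSTED = """<Directory /var/www>
order deny,allow
deny from all
allow from .jimpick.com
</Directory>"""

# Mistake 1: no "deny from all" -- under Deny,Allow the default is to permit.
NO_DENY_ALL = POSTED.replace("deny from all\n", "")

# Mistake 2: wrong Order -- under Allow,Deny a host matching both lines is denied.
WRONG_ORDER = POSTED.replace("order deny,allow", "order allow,deny")

# Constructed LAN-only variant using a CIDR block and a partial address.
LAN = """order deny,allow
deny from all
allow from 192.168.1.0/24 10.1"""

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("no deny all", NO_DENY_ALL), ("wrong order", WRONG_ORDER)):
        print(name, "| jimpick host:", check(cfg, "203.0.113.5", "desk.jimpick.com"),
              "| stranger:", check(cfg, "198.51.100.7"))
```

Running the script shows the posted block admitting desk.jimpick.com and refusing a stranger, the block without "deny from all" admitting the stranger too, and the allow,deny variant refusing both. Note that a client whose reverse record claims to be in jimpick.com but whose forward lookup does not point back at its address gets no verified name and therefore matches nothing, which is why Apache insists on the double lookup before trusting hostnames in access control.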


