help i've been hacked. :(
Eris Caffee
eris-redhat-list at eldalin.com
Mon Aug 22 13:50:03 UTC 2005
> Eris Caffee <mailto:eris-redhat-list at eldalin.com>
> on Sunday, August 21, 2005 8:21 AM said:
>
>> One other thing I would suggest would be that if you install cacti on
>> the new server you should edit your httpd.conf and restrict access to
>> it and its subdirectories to add another layer of protection.
>> Really, anything that isn't for the general public ought to be
>> restricted, of course.
>
> That's a good idea.
>
> Does this mean that if someone tries to reach www.domain.com/cacti that
> they will be denied access? Is it based on IP address or rights based? What
> about internal network users?

There are several ways to do it. You could use a .htaccess file in the
cacti directory and set up passwords, but a simpler way to restrict access
is to use the "Allow" directive in your httpd.conf file. Here's an
example:

<Location /server-info>
    SetHandler server-info
    Order deny,allow
    Deny from all
    Allow from 192.168.0.1
</Location>

This set of directives not only sets the URL
http://sitename.com/server-info to provide information about the server,
but it also restricts access to that URL. Only someone running on a
machine whose IP is 192.168.0.1 will be allowed access to the server-info
page.

Of course, since IP addresses might be spoofed, it is even safer to use
both this _and_ .htaccess passwords. The best security has many layers,
each one of which has to be pierced individually.

Eris Caffee
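
Added example, not part of the original message: the two layers described above (IP restriction plus passwords) applied to a cacti directory in httpd.conf, with internal network users admitted by address range. The directory path, the password-file path and the 192.168.0.0/24 range are assumptions; the first branch uses the same Apache 2.0/2.2 access syntax as the message, the second is the Apache 2.4 equivalent.

```apache
# Added example. Assumed values (adjust to the real server):
#   cacti is installed in /var/www/html/cacti
#   the internal network is 192.168.0.0/24
#   the password file was created with
#     htpasswd -c /etc/httpd/conf/cacti.htpasswd someuser
# Requires mod_version for <IfVersion>.

<Directory "/var/www/html/cacti">
    # Layer 2: password. Keep the password file outside the document
    # root so it can never be fetched over HTTP. Basic auth only
    # base64-encodes the password, so serve this directory over HTTPS.
    AuthType Basic
    AuthName "cacti"
    AuthUserFile /etc/httpd/conf/cacti.htpasswd

    <IfVersion < 2.4>
        # Layer 1: IP address, same directives as the server-info example.
        Order deny,allow
        Deny from all
        Allow from 192.168.0.0/24

        Require valid-user

        # Both layers must pass. "all" is the default, but stating it
        # keeps an inherited "Satisfy any" from turning the two checks
        # into either/or.
        Satisfy all
    </IfVersion>

    <IfVersion >= 2.4>
        # Apache 2.4 replaced Order/Deny/Allow/Satisfy with Require.
        <RequireAll>
            Require ip 192.168.0.0/24
            Require valid-user
        </RequireAll>
    </IfVersion>
</Directory>
```

With this in place a request for /cacti from outside the allowed range is refused with 403 before any password prompt, and a request from inside the range still has to authenticate.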