website security

jscjso

Hi,
I read through the forum and could not find anything addressing to my concern.
I am using Window Vista, I wonder how secure my Abyss Web Server set up is. Here is my setting and concern:
- I clicked the Enable Automatic Anit-Hacking Protection in Server configuration.
- I only keep one index file, index.html, in the Index Files in my Host configuration setting.
- I selected Disabled in Directory Listing in Host configuaration.
- all my scripts and data files are in htdocs directory and its subdirectories.
Since the index.html source can be viewed by any browser, anyone can see the pl and html script links the index.html pointing to. Anyone can also see the data filenames and script filenames through the index.html. People can type the URL with the specific filename found in my index.html and access directly to essential all files linked in index.html.
Can hackers use this visibility to copy or view the data files and the pl and html scripts in the htdocs directory?
If I do not select Disabled in Directory Listing, it seems to be even worst because the whole directory listing is shown if index.html does not exist. People can even navigate around the subdirectories and open them.
Pleaes help, my goal is to allow people to execute the index.html and other scripts per the index.html links. But not to allow people to view the pl file source, the data file, and the subdirectories.
jscjso

etorvinen

I don't know if this helps but...
the Anti-Leeching Feature Comes in handy.
Just set the directory you want to protect then
make sure (Refuse Requests with no "Referer" Header) checkbox is checked.

Axis

jscjso--
You can either disable directory listings for the folders in question or simply put a "return to www.xxx.com" index.html file in the folders in question.
Regards,
Axis

jscjso

Etorvinen, Axis,
Thanks for your suggestions.
jscjso

DonQuichote

jscjso wrote
- all my scripts and data files are in htdocs directory and its subdirectories.

That is what I do not want in a secure system, because all the scripts can be called directly. Even the ones that should only be included by another script. Calling an "inclusion" script directly can lead to a few problems:

The script could actually do something, like re-initializing a database or cleaning up an error log.
The script may lack references to other code and fail with all too clear error messages. If you are unlucky, contents of variables and queries could be shown. Very useful to hackers!
You should be able to control what can be called from outside and what is only for internal use.

So my site has most code outside of the web root. In fact, the web root itself contains little more than calls to the code outside the web root. For my setup, see http://www.howtoforge.org/set-up-a-modular-svn-repository-for-php-websites
The above story also reveals another security consideration: Error showing should always be set to maximum teasing and nit-picking on development machines, and set to silent on production servers.
This means that on a production server the errors must not show. They should be logged, send to the developer or whatever.