Web hosting security?
Daniel Robitaille
robitaille at gmail.com
Fri Jun 27 01:55:09 UTC 2008
On Thu, Jun 26, 2008 at 9:28 PM, geo <yaktur at yahoo.com> wrote:
> How does this work then?
>
> On my computer the web directory is /var/www/
>
> On the internet someone types in http://something.whatever or an ip address.
>
> What prevents a person on the internet (read: Hacker) from crawling up my computer's directory tree from /var/www/ to /var/ to /
>
> Can anyone explain this?

Apache will take care of it. So if your web documents are in /var/www
then going to http://yourip/ will only display what's in /var/www

So if you have a directory named "files" in /var/www (so
/var/www/files), then Apache will allow people accessing
http://yourip/files to see what is physically on your system in
/var/www/files

But someone will not be able to go up in the directory tree from
/var/www, i.e., to /var/ or to /. Apache will not allow this.

> Do I need to do anything to make the computer defended? I am behind a firewall (D-Link) and only have port 80 open.
>
> Do I need a software firewall like Firestarter? Or will Apache take care of itself?
>
> How does this work?

If your router acts as a firewall with only port 80 open, then the
only way someone will be able to talk to your computer is via port 80;
and if you have Apache running, then Apache will be the application
listening to these requests from the outside world via that port and
doing whatever needs to be done (essentially serving web pages).

You can install a software firewall if you want; but essentially if
your router is set up properly, then the software firewall will block
the exact same ports as the hardware firewall (i.e., anything but
port 80).

One way to test which ports are actually open on your router is to do
a scan of your IP address using "ShieldsUp" at grc.com, or by using
the nmap command from a computer other than yours to scan your IP
address from that external computer.

Daniel
--
Daniel Robitaille
http://friendfeed.com/robitaille
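
The confinement to /var/www described in the reply, as an added example that is not part of the original message and is not Apache's own code: a simplified, purely lexical model of how a web server can map a request path onto its document root and refuse anything that would climb above it. The function name `map_request` and the sample request paths are constructed for illustration.

```python
from pathlib import PurePosixPath
from urllib.parse import unquote

DOCROOT = PurePosixPath("/var/www")  # document root used in the thread


def map_request(target, docroot=DOCROOT):
    """Map a request target to a path under docroot, or return None to refuse.

    Hypothetical helper: lexical checks only, it never touches the filesystem.
    """
    # Drop the query string and fragment; only the path part names a file.
    raw = target.split("?", 1)[0].split("#", 1)[0]
    # Decode percent-escapes exactly once, so "%2e%2e" is seen as "..".
    decoded = unquote(raw)
    # Refuse relative targets, NUL bytes and backslashes instead of guessing.
    if not decoded.startswith("/") or "\x00" in decoded or "\\" in decoded:
        return None
    parts = []
    for segment in decoded.split("/"):
        if segment in ("", "."):
            continue  # empty and "." segments do not change the location
        if segment == "..":
            if not parts:
                return None  # would step above the document root: refuse
            parts.pop()  # ".." inside the root just removes one level
        else:
            parts.append(segment)
    return docroot.joinpath(*parts)


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real log.
    samples = [
        "/",
        "/files/report.txt",
        "/files/../index.html",
        "/files/../../etc/passwd",
        "/%2e%2e/%2e%2e/etc/passwd",
    ]
    for s in samples:
        print(f"{s!r:32} -> {map_request(s)}")
```
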
More information about the ubuntu-ca mailing list