A couple of suggestions:
1) Rename all your files - anyone using the opensrs knows all the filenames and therefore leaves a security hole
2) If you have directory browsing allowed then put an index.html in all the directories, something which does not come when you untar the opensrs files
3) Rename opensrs.conf to opensrs.cgi so that it cannot be read from the browser if you have it in your normal http path
ANY OTHER suggestions please add
Best Regards
Bhavin Turakhia
CEO
Direct Information Pvt. Ltd
---------------------------
Ph: 91-22-6236447/6286516
Fx: 91-22-6285922
http://www.directidomains.com
http://www.directihosting.com
---------------------------
> -----Original Message-----
> From: owner-dev-list@opensrs.org [mailto:owner-dev-list@opensrs.org]On
> Behalf Of Grant Kaufmann
> Sent: 29 March 2000 01:35
> To: dev-list@opensrs.org
> Subject: Securing OpenSRS
>
>
> I believe that redurl.com has raised an interesting issue with the people
> using OpenSRS.
>
> How many of the people who are installing OpenSRS are doing so with due care
> and consideration for the security of their systems? If someone could break
> into your system, they could spend all your RCUs, steal your customer
> database, make updates to your domains and passwords.
>
> I personally have spent a great amount of time devising a method to ensure
> that my OpenSRS.conf is well protected, that the web-server user cannot
> access any files except under my environment control. Am I
> unusual in this?
>
> The OpenSRS source is freely available, and there's no reason why people
> will not try to break into insecure installations.
>
> Be careful, spend some time securing your systems, it could save you a
> fortune in time, money and reputation.
>
> --
> Grant
>
>
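The hardening steps in the reply above (index.html in every browsable directory, no plain-text opensrs.conf under the web root), as an added shell audit that is not part of this thread or of OpenSRS itself. The directory tree it runs on is constructed inline to stand in for a freshly untarred checkout; point the functions at your real document root instead.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or the OpenSRS package.
# Audits a web root for the two conditions a server can expose to a browser:
# directories without an index.html (listed when directory browsing is on)
# and the config file sitting under the document root with a name the
# server hands out as plain text.

# Print every directory under $1 that has no index.html.
dirs_without_index() {
    find "$1" -type d | while read -r d; do
        [ -e "$d/index.html" ] || printf '%s\n' "$d"
    done
}

# Print config files under $1 still named opensrs.conf (the reply's fix is
# to rename them to opensrs.cgi so the server executes rather than serves them).
exposed_config_files() {
    find "$1" -type f -name 'opensrs.conf'
}

# Drop an empty placeholder index.html into every directory that lacks one.
add_index_files() {
    dirs_without_index "$1" | while read -r d; do
        : > "$d/index.html"
    done
}

# Constructed sample tree (assumption): cgi-bin/ holds the config, images/
# already has an index page, the other directories do not.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/cgi-bin/lib" "$root/images"
    : > "$root/cgi-bin/opensrs.conf"
    : > "$root/images/index.html"
    printf '%s\n' "$root"
}
```

Run `add_index_files` only after reviewing the list from `dirs_without_index`; renaming the config file itself is left to the administrator, since the OpenSRS scripts must be pointed at the new name.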
This archive was generated by hypermail 2.1.3 : Tue Oct 19 2004 - 23:35:22 EDT