Linux Security

Linux Security Tips

December 10, 2009 – 18:58 — fonant

The following “fixes” resulted from a SecurityMetrics scan of one of my servers, as part of the PCI DSS compliance audit:

AWStats Path Disclosure

Most AWStats installations disclose server paths if someone calls the script with an invalid config file argument. Find the line in awstats.pl containing the offending text “after searching in path” and edit it so the path list is no longer displayed:

 # Original lines, commented out: the join() appends the list of config search paths
 # "Couldn't open config file \"$PROG.$SiteConfig.conf\" nor \"$PROG.conf\" after searching in path \""
 #                         . join( ',', @PossibleConfigDir )
 #                         . "\": $!" );
 # Replacement: same message without the path list (and without the closing quote that belonged to it)
 "Couldn't open config file \"$PROG.$SiteConfig.conf\" nor \"$PROG.conf\""
                           . ": $!" );

Apache TRACE Enabled

This apparent spoofing vulnerability (the TRACE method echoes the request back to the client) is easily fixed with “TraceEnable Off” in an Apache conf file.

SVN Directory Disclosure

This is potentially embarrassing, as it can lead to your lovely site source code being available to anyone who wants to see it. Make sure you disable serving of files from within .svn directories with this in your Apache conf:

<DirectoryMatch "^/.*/\.svn/">
   Order deny,allow
   Deny from all
</DirectoryMatch>

I now have a file called /etc/httpd/conf.d/security.conf with these contents:

# Disallow browsing of Subversion working copy administrative dirs.
# see http://subversion.tigris.org/faq.html
<DirectoryMatch "^/.*/\.svn/">
   Order deny,allow
   Deny from all
</DirectoryMatch>

# Disallow TRACE HTTP requests
# see http://www.apacheweek.com/issues/03-01-24
# see http://www.kb.cert.org/vuls/id/867593
TraceEnable Off
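To confirm that all three fixes above actually took effect, here is a small stdlib-only check script. It is an added example, not part of the original post; the hostname, port 80 and the AWStats URL path /awstats/awstats.pl are assumptions you will need to adjust for your own server.

```python
"""Verify the three scan findings after hardening: TRACE disabled,
.svn not served, and awstats.pl no longer echoing its config search path."""
import http.client
import sys


def probe(host, method, path, port=80, timeout=5):
    """Return (status, body) for one request, or (None, '') if the connection fails."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request(method, path, headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        conn.close()
        return resp.status, body
    except OSError:
        return None, ""


def assess(trace_status, svn_status, awstats_body):
    """Map raw probe results to finding -> True when the server is still exposed."""
    return {
        # With TraceEnable Off, Apache answers TRACE with 405; a 200 means the request is echoed.
        "trace_enabled": trace_status == 200,
        # .svn/entries should be 403 (or 404 if there is no working copy); 200 means it is readable.
        "svn_exposed": svn_status == 200,
        # The unpatched awstats.pl prints the search path list in its error message.
        "awstats_path_disclosure": "after searching in path" in awstats_body,
    }


def check_server(host, awstats_path="/awstats/awstats.pl"):
    """Run the three probes against one host (awstats_path is an assumed default)."""
    trace_status, _ = probe(host, "TRACE", "/")
    svn_status, _ = probe(host, "GET", "/.svn/entries")
    # A config name that does not exist forces the "couldn't open config file" branch.
    _, body = probe(host, "GET", awstats_path + "?config=doesnotexist")
    return assess(trace_status, svn_status, body)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for finding, exposed in check_server(target).items():
        print(f"{finding}: {'STILL EXPOSED' if exposed else 'ok'}")
```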