Perl CGI Programming: No experience required.
(Publisher: Sybex, Inc.)
Author(s): Erik Strom
ISBN: 0782121578
Publication Date: 11/01/97
Skill 13 Security on Your Web Site
- Understanding the security issues
- Protecting Web pages with passwords
- Maintaining a secure Web site
We like to think of the World Wide Web as a generally nice place. But, like the world itself, there are things out there that aren't so nice. Vandals come in all stripes; some of them are quite expert with computers and, given a chance, they will do as much harm as they can to your Web site and the machine on which it runs.
Intruders usually pick the easiest targets, however. In this skill, you'll learn how to make things more difficult for trolls bent on destruction.
Specifically, you'll learn how to look for security holes in your system and tighten them up; how to use Perl to protect pages or whole areas of your Web site using encrypted passwords; and how to set up maintenance modules that are accessible only to your site administrators.
How worried should you be about security on a Web site? It's up to you, of course. Let's explore some of the security issues and find an answer to the question.
Understanding the Security Issues
Making a computer totally secure from intruders is easy. You just pull the plug out of the wall.
Turning the machine off is not an option most people will consider. However, every step you take from there toward bringing up a server and actually running a Web site opens your doors to the world a little more. And face it: It will be impossible to make your site completely secure if your plan is to allow anyone to drop by for a visit.
You may not be particularly concerned about it, and that's fine. You may be having nightmares about little trolls busting into your computer and trashing the place; that's not fine. Calm down. The fact is, there are many security options available to you that will protect your equipment from most harm and still allow you to run a Web site that's accessible to everyone.
Finding Security Holes in Your System
Old-time data processing professionals, the mainframe guys, would be aghast at the very concept of a World Wide Web. The idea that anyone in the world could gain access to even a small part of their machinery was anathema to people who viewed computers and software systems as something that existed to be protected from the people who used them.
Now that most computer users have more power sitting on their desks than the mainframe guys had in the whole shop, attitudes have changed, too. We tend to think of everything as being accessible, and well we might. A consultant living in Pennsylvania might find himself working on HTML pages for a firm in San Francisco that runs its Web server on a computer in Atlanta. That's a lot of traveling in one day, yet we tend to be pretty blasé about it.
There has been a lot of interest lately in security on the Web, primarily because of the inherent openness of the Internet. The security solutions that can be imposed on a site range from nothing (probably not wise) to password-only access with 1024-bit encryption going both ways between server and visitor (probably not wise, either).
To begin an assessment of how secure or insecure your system is, you can answer a few basic questions:
- Is it possible to gain access to your computer over the Internet by signing on to it?
- Can you configure your Web server to restrict visitors to certain directories?
- If your Web server is SSI-capable, have you enabled the #exec directive?
- Are you running other server software, such as FTP or Telnet, that gives people access to your system from the outside?
- Does your operating system allow you to set different levels of authority and permissions on files and directories?
- Are you running programs through CGI on your Web server?
The answers to these questions will give you a very good idea of how vulnerable you are to a break-in. We'll go over them in order.
Signing On from the Internet
The easiest and best way to get into a computer is by logging in to it. UNIX and Windows NT systems require a user name and a password to get that far, and if you don't have both, you won't get in.
Logging in to a UNIX system over the Internet is basically the same as sitting down to a terminal or workstation on the system. Most UNIX systems run Telnet servers or other utilities that allow users to log in by giving a name and password. Enter the correct information and you're in.
Compared with UNIX, an improperly secured Windows NT system is even easier to get into from another machine running NT or Windows 95. If you know the remote NT system's IP address, you simply run it, either from the command line or the Run menu dialog box, as depicted in Figure 13.1.
Figure 13.1: Entering a Windows NT system over the Internet
It takes a little bit of time, depending on the speed of your Internet connection, but soon a window will appear on your Desktop containing every shared folder on the remote NT system.
TIP: You can also use command-line network directives to mount shared remote NT volumes on your own system. For example, net use d: \\127.0.0.1\SharedStuff would make the remote system's SharedStuff directory accessible to you as the D: drive on your system. Here's another tip: To prevent people from seeing the shared volumes on your system, put dollar signs on either side of the names. In other words, rename SharedStuff to $SharedStuff$.
Both UNIX and NT systems allow the system administrator to impose a hierarchy of user authorities, which means that some users can do everything and other users can't. Both operating systems have facilities for setting permissions on directories and files, too, which means you can structure the system in a totally Draconian fashion (no one except the system administrator can get into anything) or you can allow access to everyone. NT also lets the system administrator set passwords for shared folders.
The default administrative user on UNIX, known as the super-user, is root; on NT, it's administrator. You can give administrative authority to any user, of course, but these are the common names. These users are the key to your system: Anyone who knows the password for your administrative user can do anything in your system, including wrecking it.
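The checklist above asks whether your operating system lets you set permissions on files and directories, and the paragraph just before this one explains why that matters: whatever the Web server user can write, a buggy or hostile CGI program can write too. The following Perl script is an added example, not code from the book, that walks a document tree and reports the permission problems an administrator would want to fix first. It assumes a hypothetical document root (/var/www/html, overridable on the command line) and a hypothetical server user name (www-data); change both to match your own server.

```perl
#!/usr/bin/perl
# Added example (not from the book): audit a Web document tree for
# permissions that would let a visitor, or a CGI program run by the
# server, alter the pages or scripts it serves.
use strict;
use warnings;
use File::Find;
use Fcntl ':mode';    # S_ISDIR, S_ISLNK, S_IWOTH, S_IWUSR, S_ISUID, S_ISGID

# Assumptions (hypothetical values chosen for this example):
#   - the document root is the first argument, or /var/www/html by default
#   - the Web server runs as the unprivileged user named in $SERVER_USER
my $doc_root    = shift @ARGV || '/var/www/html';
my $SERVER_USER = 'www-data';

my $server_uid = (getpwnam($SERVER_USER))[2];
die "No such user: $SERVER_USER\n" unless defined $server_uid;

my @findings;

sub check_entry {
    my $path = $File::Find::name;
    my @st = lstat($path) or return;     # unreadable entry: nothing to judge
    my ($mode, $uid) = @st[2, 4];
    return if S_ISLNK($mode);            # report the target, not the link

    my $perm = $mode & 07777;

    # World-writable: any local account, including one a CGI bug hands out,
    # can replace the content.
    push @findings, sprintf('%s is world-writable (%04o)', $path, $perm)
        if $perm & S_IWOTH;

    # Setuid/setgid programs have no business living under the document root.
    push @findings, sprintf('%s is setuid/setgid (%04o)', $path, $perm)
        if $perm & (S_ISUID | S_ISGID);

    # Files owned by the server user can be rewritten by every CGI program
    # the server runs; the site administrator, not the server, should own them.
    push @findings, sprintf('%s is owned by the server user %s', $path, $SERVER_USER)
        if !S_ISDIR($mode) && $uid == $server_uid;

    # A directory the server user can write to lets a CGI bug create new
    # pages or new scripts.
    push @findings, sprintf('%s is a directory writable by the server user', $path)
        if S_ISDIR($mode) && $uid == $server_uid && ($perm & S_IWUSR);
}

find({ wanted => \&check_entry, no_chdir => 1 }, $doc_root);

if (@findings) {
    print "$_\n" for @findings;
    exit 1;                              # non-zero so a cron job can notice
}
print "No permission problems found under $doc_root\n";
exit 0;
```

Run it as the administrator (perl audit.pl /path/to/docroot) after every change to the site, or from cron, and treat any non-zero exit as something to look at. The script deliberately reports rather than repairs: which owner and mode each file should have is a decision for the site administrator, and the fix is a chown and chmod to a non-server account once you have read the list.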
WARNING: You decided not to give a password to your root or administrator user? Shame on you!