Perl CGI Programming: No experience required.
(Publisher: Sybex, Inc.)
Author(s): Erik Strom
ISBN: 0782121578
Publication Date: 11/01/97



Skill 13
Security on Your Web Site

  Understanding the security issues
  Protecting Web pages with passwords
  Maintaining a secure Web site

We like to think of the World Wide Web as a generally nice place. But, like the world itself, there are things out there that aren’t so nice. Vandals come in all stripes; some of them are quite expert with computers and, given a chance, they will do as much harm as they can to your Web site and the machine on which it runs.

Intruders usually pick the easiest targets, however. In this skill, you’ll learn how to make things more difficult for trolls bent on destruction.

Specifically, you’ll learn how to look for security holes in your system and tighten them up; how to use Perl to protect pages or whole areas of your Web site using encrypted passwords; and how to set up maintenance modules that are accessible only to your site administrators.

How worried should you be about security on a Web site? It’s up to you, of course. Let’s explore some of the security issues and find an answer to the question.

Understanding the Security Issues

Making a computer totally secure from intruders is easy. You just pull the plug out of the wall.

Turning the machine off is not an option most people will consider. However, every step you take from there toward bringing up a server and actually running a Web site opens your doors to the world a little more. And face it: It will be impossible to make your site completely secure if your plan is to allow anyone to drop by for a visit.

You may not be particularly concerned about it, and that’s fine. You may be having nightmares about little trolls busting into your computer and trashing the place—that’s not fine. Calm down. The fact is, there are many security options available to you that will protect your equipment from most harm and still allow you to run a Web site that’s accessible to everyone.

Finding Security Holes in Your System

Old-time data processing professionals, the mainframe guys, would be aghast at the very concept of a World Wide Web. The idea that anyone in the world could gain access to even a small part of their machinery was anathema to people who viewed computers and software systems as something that existed to be protected from the people who used them.

Now that most computer users have more power sitting on their desks than the mainframe guys had in the whole shop, attitudes have changed, too. We tend to think of everything as being accessible, and well we might. A consultant living in Pennsylvania might find himself working on HTML pages for a firm in San Francisco that runs its Web server on a computer in Atlanta. That’s a lot of traveling in one day, yet we tend to be pretty blasé about it.

There has been a lot of interest lately in security on the Web, primarily because of the inherent openness of the Internet. The security measures you can impose on a site range from nothing at all, which is probably not wise, to password-only access with every byte encrypted in both directions between server and visitor, which is more than a site that exists to publish pages to the public usually needs. Most sites belong somewhere in between, and the point of the questions below is to find out where yours stands today.

To begin an assessment of how secure or insecure your system is, you can answer a few basic questions:

  Is it possible to gain access to your computer over the Internet by signing on to it?
  Can you configure your Web server to restrict visitors to certain directories?
  If your Web server is SSI-capable, have you enabled the #exec directive, which lets an HTML page run arbitrary commands on the server?
  Are you running other server software, such as FTP or Telnet, that gives people access to your system from the outside?
  Does your operating system allow you to set different levels of authority and permissions on files and directories?
  Are you running programs through CGI on your Web server?

The answers to these questions will give you a very good idea of how vulnerable you are to a break-in. We’ll go over them in order.

Signing On from the Internet

The easiest way into a computer, for an intruder as much as for its owner, is to log in to it. UNIX and Windows NT systems both require a user name and a password to get that far, and without both you won't get in. That makes the strength of those passwords, and the number of people who know them, the first thing to look at.

Logging in to a UNIX system over the Internet is basically the same as sitting down at a terminal or workstation on the system. Most UNIX systems run Telnet servers or similar utilities that let users log in by giving a name and password. Enter the correct information and you're in. Bear in mind that Telnet sends that name and password across the network in clear text, so anyone who can watch the traffic between the visitor and the server can read them; a Telnet server reachable from the Internet is a liability even when every password on the machine is a good one.

Compared with UNIX, an improperly secured Windows NT system is even easier to get into from another machine running NT or Windows 95. If you know the remote NT system's IP address, you simply type two backslashes followed by that address, either at the command line or in the Run menu dialog box, as depicted in Figure 13.1.


Figure 13.1:  Entering a Windows NT system over the Internet

It takes a little bit of time, depending on the speed of your Internet connection, but soon a window will appear on your Desktop containing every shared folder on the remote NT system, and any of them that isn't protected by permissions is yours to read and perhaps to write. The underlying problem is that the NT file-sharing service (NetBIOS over TCP/IP, port 139) is reachable from the Internet at all. If the server has no business sharing folders with the outside world, block that port at your router or firewall; permissions on individual shares are the second line of defense, not the first.


TIP:  You can also use command-line network directives to mount shared remote NT volumes on your own system. For example, net use d: \\ntserver\SharedStuff, where ntserver is the remote system's name or IP address, would make the remote system's SharedStuff directory accessible to you as the D: drive on your system. Here's another tip: To keep a shared folder from showing up when people browse your system, append a dollar sign to its share name, renaming SharedStuff to SharedStuff$. NT doesn't list shares whose names end in $, but anyone who already knows the name can still connect to one, so this hides the share rather than protecting it; set permissions on the share as well.

Both UNIX and NT systems allow the system administrator to impose a hierarchy of user authorities, which means that some users can do everything and other users can't. Both operating systems have facilities for setting permissions on directories and files, too, which means you can structure the system in a totally Draconian fashion, with no one except the system administrator able to get into anything, or you can allow access to everyone. NT also lets the system administrator set permissions on each shared folder; the default on a new share gives Everyone full control, so a share is wide open until you change it.

The default administrative user on UNIX, known as the super-user, is root; on NT, it’s administrator. You can give administrative authority to any user, of course, but these are the common names. These users are the key to your system: Anyone who knows the password for your administrative user can do anything in your system, including wrecking it.


WARNING:  You decided not to give a password to your root or administrator user? Shame on you!
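As an added example (not code from the book), here is a small shell audit for a UNIX Web host that turns the SSI, login-service, permissions and CGI questions from the checklist above into something you can run, and then applies the permission fixes this section describes. The document root, service names and configuration lines it works on are constructed sample data, built in a temporary directory; point the functions at your own document root, inetd.conf and httpd.conf instead.

```shell
#!/bin/sh
# Added example, not from the book. Every path, service name and
# configuration line below is constructed for the demonstration.
#
#   world_writable DIR       list files and directories under DIR that any
#                            local user (the Web server's included) may
#                            modify, i.e. mode o+w
#   setid_programs DIR       list set-uid/set-gid files under DIR; a bug in
#                            such a CGI program runs with someone else's
#                            privileges
#   inetd_enabled FILE SVC   succeed if SVC (telnet, ftp, ...) is active in
#                            an inetd.conf-style FILE
#   ssi_exec_enabled FILE    succeed if an Apache-style "Options" line turns
#                            on plain Includes, which permits #exec;
#                            IncludesNOEXEC and -Includes do not count
#   harden_tree DIR          strip the o+w and set-id bits the audits report

world_writable() {
    find "$1" -perm -002 | sort
}

setid_programs() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) | sort
}

inetd_enabled() {
    # An active inetd entry has the service name in column one;
    # a leading '#' means the service has been commented out.
    grep -qE "^[[:space:]]*$2[[:space:]]" "$1"
}

ssi_exec_enabled() {
    awk 'tolower($1) == "options" {
             for (i = 2; i <= NF; i++) {
                 f = tolower($i); sub(/^[+]/, "", f)
                 if (f == "includes") found = 1
             }
         }
         END { if (found) exit 0; exit 1 }' "$1"
}

harden_tree() {
    # Only the bits the audits flag are removed, so CGI programs stay
    # executable and the rest of the tree's modes are left alone.
    find "$1" -perm -002 -exec chmod o-w {} +
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -exec chmod u-s,g-s {} +
}

# Constructed sample: a tiny document root with two deliberate problems,
# plus inetd.conf and httpd.conf fragments (one weak, one corrected).
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/htdocs/cgi-bin" "$d/htdocs/upload"
    chmod 755 "$d/htdocs" "$d/htdocs/cgi-bin"
    echo '<html>ok</html>' > "$d/htdocs/index.html"
    echo '#!/usr/bin/perl' > "$d/htdocs/cgi-bin/hello.pl"
    chmod 644 "$d/htdocs/index.html"
    chmod 4755 "$d/htdocs/cgi-bin/hello.pl"   # problem 1: set-uid CGI program
    chmod 777 "$d/htdocs/upload"              # problem 2: world-writable directory
    cat > "$d/inetd.conf" <<'EOF'
#ftp    stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp  nowait  root  /usr/sbin/tcpd  in.telnetd
EOF
    cat > "$d/httpd.conf" <<'EOF'
<Directory /usr/local/apache/htdocs>
    Options Indexes Includes
</Directory>
EOF
    cat > "$d/httpd-fixed.conf" <<'EOF'
<Directory /usr/local/apache/htdocs>
    Options Indexes IncludesNOEXEC
</Directory>
EOF
    echo "$d"
}

# Stand-alone run: audit the sample, fix it, and audit again.
S=$(make_sample)
echo "world-writable:";  world_writable "$S/htdocs"
echo "set-id programs:"; setid_programs "$S/htdocs"
inetd_enabled "$S/inetd.conf" telnet && echo "telnet is enabled in inetd.conf"
inetd_enabled "$S/inetd.conf" ftp    || echo "ftp is disabled in inetd.conf"
ssi_exec_enabled "$S/httpd.conf"       && echo "httpd.conf allows #exec"
ssi_exec_enabled "$S/httpd-fixed.conf" || echo "httpd-fixed.conf does not"
harden_tree "$S/htdocs"
echo "after harden_tree: $(world_writable "$S/htdocs" | wc -l) world-writable, $(setid_programs "$S/htdocs" | wc -l) set-id"
[ -n "$S" ] && rm -rf "$S"
```

Two limits worth knowing before you trust the output: inetd_enabled only sees services that inetd launches, so an FTP or login daemon started at boot on its own has to be found with netstat or ps; and ssi_exec_enabled reads one file, so if your server splits its configuration across several files (or uses .htaccess files in the document tree), run it against each of them.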


Use of this site is subject to certain Terms & Conditions, Copyright © 1996-2000 EarthWeb Inc.