View Full Version : issue with server security



bluemonday
31 Mar 2011, 09:38 AM
Hi

We have a web portal that is going to be running under a subdomain (e.g. sub.domain.com). If the DNS A record of the parent domain (e.g. domain.com) was changed in error to point at the server IP address, as well as the subdomain A record, would you normally expect the entire contents of the server to be publicly available? This actually happened to us, and I'm trying to determine whether the developers could/should have had some sort of security (an htaccess file?) to prevent the data being made available in this way and whether they were negligent.
I am not a developer, so I apologise for any inaccuracies!


Thank you

Alan
31 Mar 2011, 12:33 PM
DNS A records must contain IP addresses. Not sure what way your virtual hosts are set up, so I won't comment (as it seems someone is going to get in trouble here).

On a more general note, it's common practice to disable directory indexes (or place blank index files in each directory). Disabling directory indexes in the virtualhost is the cleanest and quickest method. It can also be done in the .htaccess file, but in a production environment .htaccess files should be disabled as they introduce a performance overhead.

e.g.


<VirtualHost *:80>
    ServerName webdevforums.com
    ServerAdmin postmaster@webdevforums.com
    DocumentRoot "/var/web/webdevforums/www"

    <Directory "/var/web/webdevforums/www">
        # Disable viewing of directory indexes
        Options -Indexes
        # Disallow .htaccess files
        # (Apache does not allow a comment on the same line as a directive)
        AllowOverride None
    </Directory>
</VirtualHost>
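
For the scenario in the original question, this added example (not part of either post above) shows a catch-all virtual host that refuses any request whose hostname does not match a configured site, so a DNS record pointed at the server by mistake exposes nothing. It assumes Apache 2.4 with name-based virtual hosts on port 80; the hostname default.invalid and both directory paths are placeholders.

```apache
# Added example. Assumes Apache 2.4; hostnames and paths are placeholders.

# Deny filesystem access by default; each site must opt in explicitly.
<Directory "/">
    AllowOverride None
    Require all denied
</Directory>

# Defined FIRST on purpose: when the Host header matches no ServerName or
# ServerAlias, Apache falls back to the first virtual host for that
# address and port. That covers requests by bare IP address and requests
# for a hostname (such as a parent domain) whose A record was pointed
# here in error.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot "/var/www/empty"

    <Directory "/var/www/empty">
        Options -Indexes
        AllowOverride None
        # Every request landing here gets 403 Forbidden
        Require all denied
    </Directory>
</VirtualHost>

# The portal answers only for its own hostname.
<VirtualHost *:80>
    ServerName sub.domain.com
    DocumentRoot "/var/web/portal/www"

    <Directory "/var/web/portal/www">
        # No directory listings, no .htaccess overrides
        Options -Indexes
        AllowOverride None
        Require all granted
    </Directory>
</VirtualHost>
```

Running `apachectl -S` prints the parsed virtual host table, including which host is the default for each address and port.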