[Consortium] LAO stats -- was Re: lao subdomains
robin at linuxaudio.org
Fri Apr 27 14:30:44 UTC 2012
>On 04/26/2012 10:47 PM, Jörn Nettingsmeier wrote:
>>> On 04/26/2012 05:47 PM, Robin Gareus wrote:
>>>> server statistics
>>>> ?? should those be password protected ??
>>>> some of the AWstats may be used to track users (e.g. top 10 host list)
>>> been running awstats for ages because its output is great,
yes and no. It's easily fooled as well, esp. the bandwidth calculation
is usually completely off because of "download accelerators".
>>> but it's a
>>> security nightmare. i've taken to displaying only static pages generated
>>> from a cronjob every hour. not as convenient, and makes browsing of
>>> previous years a lot harder, but there have been soo many XSS attacks
>>> and other gotchas in the past...
>>> imho, it's either that or password-protect it. my logs show numerous
>>> automated scans for vulnerable awstats implementations.
[inlined off-list reply from Steve to Joern]
>On 04/26/2012 10:51 PM, Steve Harris wrote:
>> Yes, and on top of that unscrupulous persons will use your AWStats
>> pages to create links to their malware pages by faking referrer
>> headers, believe it or not.
> oh yeah, i'm getting a few of those. it's not awstats specific,
> though, i guess they do that for all publicly available stats pages.
> stats should definitely be noindex...
Right. noindex it is.
but it looks like we've been lucky so far - most of those referrers were
dwarfed by legitimate requests. As for hacking: we're riding on debian's
security updates. No awstats incident on LAO so far, but we've also only
published statically generated pages.
NTL, I've just password protected the awstats.
Those who are in the "laodev" group on linuxaudio.org
(ico,rgareus,mobarre,thorwil,franky,fons,jeremy) can read the password
If anyone else is interested, please ask Ico or me about it.
Other stats (MRTG, email) are still in the open.
More information about the Consortium