On 04/26/2012 05:47 PM, Robin Gareus wrote:
> Hi *,
> There's a whole lot of v-hosts below linuxaudio.org. The recent
> migration of vhosts gave rise to rethinking and hopefully consolidating others.
> Let me first list the "good ones" and then move on to suggestions for
> the cruft. Please comment on my suggestions there. If you don't, you
> forfeit your right to complain later :-)
i'm with you on all items, but want to comment on this one:
> http://stats.linuxaudio.org/
>   server statistics
>   ?? should those be password protected ??
>   some of the AWstats may be used to track users (e.g. top 10 host list)
been running awstats for ages because its output is great, but it's a
security nightmare. i've taken to displaying only static pages generated
from a cronjob every hour. not as convenient, and makes browsing of
previous years a lot harder, but there have been soo many XSS attacks
and other gotchas in the past...
imho, it's either that or password-protect it. my logs show numerous
automated scans for vulnerable awstats implementations.
--
Jörn Nettingsmeier
Lortzingstr. 11, 45128 Essen, Tel. +49 177 7937487
Meister für Veranstaltungstechnik (Bühne/Studio)
Tonmeister VDT
http://stackingdwarves.net
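The setup Jörn describes (serve only cron-generated static AWStats pages, and if the live awstats.pl CGI must stay reachable at all, put it behind a password) as an added Apache configuration example. This is not a configuration from the linuxaudio.org servers or from the AWStats project; the host name, the directory paths, the config name and the htpasswd file location are assumptions, and the directive syntax is for Apache 2.4 (2.2 would use Order/Allow instead of Require all granted).

```apache
# Added example, not linuxaudio.org's real config. Paths and names are assumed.
#
# Static pages are regenerated once an hour from cron, e.g. (one line):
#   0 * * * * www-data /usr/lib/cgi-bin/awstats_buildstaticpages.pl \
#       -config=stats.linuxaudio.org -update \
#       -awstatsprog=/usr/lib/cgi-bin/awstats.pl -dir=/var/www/stats-static
#
# The web server then only ever hands out those files; nothing under the
# document root is executable, so scanners probing for awstats.pl get a 404.

<VirtualHost *:80>
    ServerName stats.linuxaudio.org
    DocumentRoot /var/www/stats-static

    # Static HTML only: no CGI, no directory listings, no .htaccess overrides.
    <Directory /var/www/stats-static>
        Options -Indexes -ExecCGI
        AllowOverride None
        Require all granted
    </Directory>

    # Optional: keep the interactive awstats.pl for browsing older periods,
    # but only for authenticated users. Remove this whole block (and do not
    # ScriptAlias the CGI anywhere) if static output is all that is needed.
    ScriptAlias /awstats/ /usr/lib/cgi-bin/
    <Location /awstats>
        AuthType Basic
        AuthName "AWStats (authorised users only)"
        AuthUserFile /etc/apache2/awstats.htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

The password file is created with `htpasswd -c /etc/apache2/awstats.htpasswd <user>` and must not live under the document root. HTTP basic auth sends credentials in the clear, so the authenticated /awstats/ path should only be offered over HTTPS; the static pages carry no such risk and can stay on plain HTTP. The cron job runs the page builder as the same unprivileged user that owns the output directory, so a compromised web server process cannot rewrite the generated pages.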