On 04/26/2012 10:47 PM, Jörn Nettingsmeier wrote:
>> On 04/26/2012 05:47 PM, Robin Gareus wrote:
>>>
>>> http://stats.linuxaudio.org/
>>> server statistics
>>> ?? should those be password protected ??
>>> some of the AWstats may be used to track users (e.g. top 10 host list)
>>
>> been running awstats for ages because its output is great,
yes and no. It's easily fooled as well, esp. the bandwidth calculation
is usually completely off because of "download accelerators".
>> but it's a
>> security nightmare. i've taken to displaying only static pages generated
>> from a cronjob every hour. not as convenient, and makes browsing of
>> previous years a lot harder, but there have been so many XSS attacks
>> and other gotchas in the past...
>>
>> imho, it's either that or password-protect it. my logs show numerous
>> automated scans for vulnerable awstats implementations.
>>
>>
[inlined off-list reply from Steve to Joern]
>> On 04/26/2012 10:51 PM, Steve Harris wrote:
>>> Yes, and on top of that unscrupulous persons will use your AWStats
>>> pages to create links to their malware pages by faking referrer
>>> headers, believe it or not.
>>
>> oh yeah, i'm getting a few of those. it's not awstats specific,
>> though, i guess they do that for all publicly available stats pages.
>> stats should definitely be noindex...
Right. noindex it is: http://stats.linuxaudio.org/robots.txt

But it looks like we've been lucky so far - most of those referrers were
dwarfed by legitimate requests. As for hacking: we're riding on debian's
security updates. No awstats incident on LAO so far, but we've also only
published statically generated pages.
NTL, I've just password protected the awstats.
Those who are in the "laodev" group on linuxaudio.org
(ico,rgareus,mobarre,thorwil,franky,fons,jeremy) can read the password at
linuxaudio.org:/home/sites/stats.linuxaudio.org/htpasswd-plaintext
If anyone else is interested, please ask Ico or me about it.
Other stats (MRTG, email) are still in the open.
yours truly,
root
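Two points from the thread above - Robin's remark that awstats "is easily fooled" and Steve's warning that spammers fake the Referer header so that a public stats page ends up linking to their sites - can both be addressed before the log ever reaches AWStats. The script below is an added example for this page; it is not code from the thread, from linuxaudio.org or from AWStats. It parses Apache/nginx combined-format lines, drops the ones whose referring host is on a hand-maintained blocklist, and prints a top-referrers table so the admin can spot new candidates for the list. The blocklist hosts, the OWN_HOSTS set and the log lines in SAMPLE_LOG are constructed for the example. (AWStats itself has a SkipReferrersBlackList setting in awstats.conf for the same purpose; a pre-filter like this one is useful when the same cleaned log also feeds other tools.)

```python
"""Referrer-spam pre-filter for combined-format access logs.

Added example, not part of the linuxaudio.org thread or of AWStats.
Referrer spammers send requests carrying a faked Referer header so that a
publicly viewable "top referrers" table links to their site.  Lines whose
referring host is on BLOCKED_REFERRER_HOSTS are removed; everything else,
including lines that fail to parse, is passed through unchanged so the
downstream tool still sees them.
"""
import sys
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format:
# client ident user [time] "request" status bytes "referer" "user-agent"
# Quoted fields may contain backslash-escaped quotes, hence (?:[^"\\]|\\.)*.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Hypothetical blocklist, constructed for this example; maintain it from the
# output of top_referrers().
BLOCKED_REFERRER_HOSTS = {"buy-cheap-meds.example", "seo-boost.example"}

# Hostnames of the site itself; internal navigation is never "external".
OWN_HOSTS = {"stats.linuxaudio.org"}

# Constructed sample input (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [26/Apr/2012:22:40:01 +0200] "GET / HTTP/1.1" 200 5123 '
    '"http://planet.linuxaudio.org/" "Mozilla/5.0"',
    '203.0.113.5 - - [26/Apr/2012:22:40:02 +0200] "GET /style.css HTTP/1.1" 200 812 '
    '"http://stats.linuxaudio.org/" "Mozilla/5.0"',
    '198.51.100.7 - - [26/Apr/2012:22:41:10 +0200] "GET / HTTP/1.0" 200 5123 '
    '"http://buy-cheap-meds.example/pills" "Mozilla/4.0"',
    '198.51.100.8 - - [26/Apr/2012:22:41:11 +0200] "GET / HTTP/1.0" 200 5123 '
    '"http://SEO-Boost.example/" "Mozilla/4.0"',
    '192.0.2.9 - - [26/Apr/2012:22:42:00 +0200] "GET /awstats/ HTTP/1.1" 401 381 '
    '"-" "Mozilla/5.0"',
    'this line is garbage and must not be lost',
]


def parse_line(line):
    """Return the fields of one combined-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def referrer_host(referer):
    """Lower-case hostname from a Referer value; '' for '-' or values with no host."""
    if referer in ("", "-"):
        return ""
    # urlsplit().hostname already lower-cases, so "SEO-Boost.example" matches the list.
    return (urlsplit(referer).hostname or "").lower()


def filter_log(lines, own_hosts=OWN_HOSTS, blocked_hosts=BLOCKED_REFERRER_HOSTS):
    """Split lines into (kept, dropped). Unparsable lines are kept untouched."""
    kept, dropped = [], []
    for line in lines:
        rec = parse_line(line)
        host = referrer_host(rec["referer"]) if rec else ""
        if host and host not in own_hosts and host in blocked_hosts:
            dropped.append(line)
        else:
            kept.append(line)
    return kept, dropped


def top_referrers(lines, own_hosts=OWN_HOSTS, n=10):
    """Count external referring hosts (most frequent first, then by name) for review."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        host = referrer_host(rec["referer"])
        if host and host not in own_hosts:
            counts[host] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    # Filter stdin to stdout; the review table and drop count go to stderr.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LOG
    kept, dropped = filter_log(list(source))
    sys.stdout.writelines(l if l.endswith("\n") else l + "\n" for l in kept)
    print("dropped %d referrer-spam line(s)" % len(dropped), file=sys.stderr)
    for host, count in top_referrers(kept):
        print("%6d  %s" % (count, host), file=sys.stderr)
```

In the hourly cron job that builds the static pages, run the filter first (file name is hypothetical): `python3 filter_referrers.py < access.log > access.filtered.log`, then point AWStats' LogFile at the filtered copy. Unparsable lines are deliberately kept rather than silently discarded, so a log-format change shows up as AWStats "corrupted records" instead of as missing traffic.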