[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: server config

From: David Chapman <dcchapman_at_acm.org>
Date: Mon, 19 Aug 2013 09:42:42 -0700

On 8/19/2013 9:07 AM, Scott Frankel wrote:
> Hi all,
>
> I'm new to SVN server configuration and find myself setting up a CentOS 6.4 server with svn version 1.6.1, following the red-bean book.
>
> I'm having difficulty with authorization &/or authentication: my repo appears to be accessible by anyone in spite of requiring "valid-user" and specifying digest authentication. I believe this because 1) I can download a full working copy of the repo to a 3rd-party logged into a foreign computer, and 2) I have dozens of entries in apache's logfiles, like these from this morning, *prior* to any known/legitimate access to my repos today:

Step 1: Take the real repo offline until you get the security problems
resolved. Every IP address on the Internet is scanned every single day,
and your repo is vulnerable right now.
Step 2: Run experiments with a dummy repo to resolve the security problems.

Don't ever run security experiments with production data. Put
production data online only after you know that all security problems
have been resolved.

>
> svn_logfile:
> [19/Aug/2013:00:46:32 +0000] - checkout-or-export / r1 depth=infinity

This does not look good at all. It's quite possible that someone else
has downloaded your repository. The access_log file may tell you the IP
address from which the request was made; with luck it's the one you were
experimenting with and the time stamp matches your access.

> access_log
> 93.174.93.213 - - [19/Aug/2013:07:23:50 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 319 "-" "ZmEu"

If you watch access_log over time, as I do, you will see these sorts of
probes constantly. Too many to list, they are meant to check for known
vulnerabilities in older versions of Apache or tools installed (SQL
administration, PHP administration, etc.). These will never go away.
Get used to them. They should all fail; if not then you have other
security problems to fix.

>
> error_log
> [Mon Aug 19 07:23:51 2013] [error] [client 93.174.93.213] File does not exist: /var/www/html/MyAdmin
>
>
> This doesn't look good at all. My Location directive follows below. The /etc/svn-auth.htdigest exists and appears to be valid. My goal is to setup the repo, serve it via Apache, provide access to only a small number of people that I approve, use cmd-line svn and do so securely.

These are standard goals.

>
> This is my first brush with Apache, OpenSSL, and general server config. Thanks in advance for your suggestions! BTW, I'm not subscribed and would appreciate being cc'd on any replies.
> Scott
>
>
>
> <Location /svn>
> DAV svn
> SVNParentPath /var/svn
>
> # Authentication: Digest
> AuthName "Subversion repository"
> AuthType Digest
> AuthUserFile /etc/svn-auth.htdigest
>
> # Authorization: Authenticated users only
> Require valid-user
> </Location>
>
>

How many repositories do you have? You shouldn't use SVNParentPath if
you have only one repository; use SVNPath. I don't know if that is the
direct cause of your problem, but you should fix it.

You can also try working with AuthType Basic, creating passwords with
/usr/sbin/htpasswd, until you figure things out. I have more experience
with that than AuthType Digest, so I can't help you there.

-- 
     David Chapman      dcchapman_at_acm.org
     Chapman Consulting -- San Jose, CA
     Software Development Done Right.
     www.chapman-consulting-sj.com
Received on 2013-08-19 18:43:30 CEST

This is an archived mail posted to the Subversion Users mailing list.