Thanks for the replies! Please see below for additional comments.
On Aug 19, 2013, at 9:42 AM, David Chapman wrote:
> On 8/19/2013 9:07 AM, Scott Frankel wrote:
>> Hi all,
>> I'm new to SVN server configuration and find myself setting up a CentOS 6.4 server with svn version 1.6.1, following the red-bean book.
>> I'm having difficulty with authorization &/or authentication: my repo appears to be accessible by anyone in spite of requiring "valid-user" and specifying digest authentication. I believe this because 1) I can download a full working copy of the repo to a 3rd-party logged into a foreign computer, and 2) I have dozens of entries in apache's logfiles, like these from this morning, *prior* to any known/legitimate access to my repos today:
> Step 1: Take the real repo offline until you get the security problems resolved. Every IP address on the Internet is scanned every single day, and your repo is vulnerable right now.
> Step 2: Run experiments with a dummy repo to resolve the security problems.
> Don't ever run security experiments with production data. Put production data online only after you know that all security problems have been resolved.
Good points! My repo currently being downloaded by whomever is a testProj with absolutely nothing of value in it.
>> [19/Aug/2013:00:46:32 +0000] - checkout-or-export / r1 depth=infinity
> This does not look good at all. It's quite possible that someone else has downloaded your repository. The access_log file may tell you the IP address from which the request was made; with luck it's the one you were experimenting with and the time stamp matches your access.
>> 220.127.116.11 - - [19/Aug/2013:07:23:50 +0000] "GET /w00tw00t.at.blackhats.romanian.anti-sec:) HTTP/1.1" 404 319 "-" "ZmEu"
> If you watch access_log over time, as I do, you will see these sorts of probes constantly. Too many to list, they are meant to check for known vulnerabilities in older versions of Apache or tools installed (SQL administration, PHP administration, etc.). These will never go away. Get used to them. They should all fail; if not then you have other security problems to fix.
OK. Getting used to common log entries is important.
>> [Mon Aug 19 07:23:51 2013] [error] [client 18.104.22.168] File does not exist: /var/www/html/MyAdmin
>> This doesn't look good at all. My Location directive follows below. The /etc/svn-auth.htdigest exists and appears to be valid. My goal is to setup the repo, serve it via Apache, provide access to only a small number of people that I approve, use cmd-line svn and do so securely.
> These are standard goals.
Good. I mention them in hopes it whittles-down in advance any suggestions you might have. eg: the red-bean book has quite a lot to say about tunneling svnserve, which is not germane to my setup.
>> This is my first brush with Apache, OpenSSL, and general server config. Thanks in advance for your suggestions! BTW, I'm not subscribed and would appreciate being cc'd on any replies.
>> <Location /svn>
>> DAV svn
>> SVNParentPath /var/svn
>> # Authentication: Digest
>> AuthName "Subversion repository"
>> AuthType Digest
>> AuthUserFile /etc/svn-auth.htdigest
>> # Authorization: Authenticated users only
>> Require valid-user
> How many repositories do you have? You shouldn't use SVNParentPath if you have only one repository; use SVNPath. I don't know if that is the direct cause of your problem, but you should fix it.
I chose to use SVNParentPath on purpose. As soon as I have a secure, working server config, I'll be hosting multiple repos. Daniel and Thomas, thanks for your suggestions.
> You can also try working with AuthType Basic, creating passwords with /usr/sbin/htpasswd, until you figure things out. I have more experience with that than AuthType Digest, so I can't help you there.
I'll try that to see what I discover; but ultimately my research so far points to Digest mode being more secure.
Thanks for the suggestions!
> David Chapman dcchapman_at_acm.org
> Chapman Consulting -- San Jose, CA
> Software Development Done Right.
Received on 2013-08-19 21:14:23 CEST