From: eldy <> Date: Tue, 5 Mar 2002 03:26:07 +0000 (+0000) Subject: Added a page about security tips in documentation. X-Git-Tag: AWSTATS_4_0_BETA~62 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=162ebb3c742f3c21ecd111e9383889489aaa5ec3;p=thirdparty%2FAWStats.git Added a page about security tips in documentation. --- diff --git a/docs/awstats_faq.html b/docs/awstats_faq.html index a4b8c48b..8e185db2 100644 --- a/docs/awstats_faq.html +++ b/docs/awstats_faq.html @@ -83,7 +83,7 @@ FAQ-COM550 Can I safely remove an line in AWStats history Here, you can find the common questions about security problems when setting or using AWStats.
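Review bot: the context line in this hunk still reads "Can I safely remove an line in AWStats history"; since the hunk is touching this part of the FAQ anyway, "an line" should be corrected to "a line" in the same change rather than left for a later cleanup.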
@@ -550,20 +550,13 @@ No. AWStats use a filter to remove all scripts codes that was included in an URL log analyzer report page.

-
FAQ-SEC200 : HOW TO MANAGE LOG FILES (AND STATISTICS) CORRUPTED BY 'CODE RED VIRUS LIKE' ATTACKS ?
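Review bot: this hunk shrinks the security FAQ section from 20 lines to 13 but the text that remains gives no pointer to where the removed material went, so a reader of the FAQ loses the access-control guidance; add a link to the new docs/awstats_security.html page next to the FAQ-SEC200 entry. While here, the answer "AWStats use a filter to remove all scripts codes that was included in an URL" should read "AWStats uses a filter to remove all script code that was included in a URL", and a claim that a filter strips script code is more useful to an administrator if it states what the filter actually removes (for example HTML or script tags) so the protection can be judged.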
diff --git a/docs/awstats_security.html b/docs/awstats_security.html new file mode 100644 index 00000000..209e89e3 --- /dev/null +++ b/docs/awstats_security.html @@ -0,0 +1,117 @@ + + + + + + + +AWStats Documentation - Security page + + + + + + + + + + + + + + + +
+
+AWStats logfile analyzer 4.0 Documentation
+
+
+  +
+ + +

Little tips about Security

+ +A lot of AWStats users have several web site to manage. This is particularly true for web hosting providers. +The most common things you would like to do is to prevent user xxx (having a site www.xxx.com) to see +statistics of user yyy (having a site www.yyy.com).
+
+This is example of possible way of working:
+
+1) HIGHLY SECURED
+Policy:
+All statistics pages for a config/domain file are built in static html files using -output -staticlinks option.
+There is no CGI use of AWStats and static built pages are stored in a web protected realm to +be securely viewed by correct allowed users only (or sent by mails).
++: Highly secured.
+-: Statistics are static, No way to have dynamic update/view.
+Note: With this policy, AWStats database files can have their own permissions. +So, set all AWStats database files built by the update process for config/domain1 to have read/write for user1 +(or an admin user) and NO read and/or NO write for any other users. +If AWStats database files for config/domain1 are read protected, only allowed users can see statistics for config/domain1.
+If AWStats database files for config/domain1 are write protected, only allowed users can update statistics for config/domain1.
+This is a very good choice for web hosting providers with important customers.
+
+2) MEDIUM SECURED
+Policy: Statistics pages for a config/domain file can be read dynamically from a browser (with AWStats working as a CGI).
+Use of awstatsusers file to list config/domain a particular user can see/update.
+awstats.pl file must be saved in a web protected realm to allow awstats to get the username when running as CGI.
++: Statistics are dynamic.
+-: AWStats database files must be readable by anonymous web server user, so if an experimented user can have an access to +the server (telnet, ftp), he will be able to install and run a hacked version of AWStats that does not check permissions into the awstatsusers.
+Note: With this policy, you must first create a text file called awstatsusers. This file is a text file +with several records that contains two fields separated by a ";". +First field is the user name allowed to read statistics from a browser.
+Second field is a list (separated by comma ",") of all visible config/domain allowed for this user.
+Example of awstatsusers file:
+user1;*
+user2;www.domain2.com
+user3;www.domain3a.com,www.domain3b.com
+
+Example of directives you can add into Apache to have awstats.pl in a web protected realm:
+<Files "awstats.pl">
+AuthUserFile /path/to/.passwd
+AuthGroupFile /path/to/.group
+AuthName "Restricted Area For Customers"
+AuthType Basic
+require valid-user
+</Files> +

+
+Save the awstatsusers file in the DirData directory (directory where AWStats save its database) and put on this file "read only" +permissions for everyone.
+
+3) LOW SECURED
+Policy: Same as 2 with no use of awstatsusers.
++: Setup is very easy (No need of particular setup). Statistics are dynamic.
+-: No way to prevent stats for config/domain to be seen by a user that known the +config/domain name and the url syntax to see stats of a particular config/domain.
+Note: This is the most common way of working for all users that have only one hosts +and no restricted accounts to manage.
+ + + + + +
+ + +
+
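Review bot: the instruction in section 2 to give the awstatsusers file "read only permissions for everyone" is ambiguous and should be made explicit: the file has to remain readable by the web server account that runs awstats.pl, but it must be writable only by the administrator, because anyone who can edit it can grant themselves "*" (every config/domain); say owner-writable and world-readable, and state the same for the DirData directory it lives in, which the page otherwise leaves unprotected while the Apache example only guards awstats.pl. The caveat in section 2 that a user with telnet or ftp access can run a hacked copy of AWStats against world-readable database files is the key weakness of levels 2 and 3, so the page should say plainly that only the per-file permission scheme of section 1 addresses it. Wording in the new file: "several web site" (web sites), "This is example of possible way of working" (These are examples of possible ways of working), "an experimented user" (an experienced user), "a user that known the config/domain name" (knows).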
+ + + + + diff --git a/docs/index.html b/docs/index.html index f7c55f13..873ad647 100644 --- a/docs/index.html +++ b/docs/index.html @@ -33,49 +33,52 @@
- -
+ + - - - + +
- +
- Release Notes +Release Notes
What is AWStats / Features
New Features / Changelog
Comparisons with other log analyzers -
-AWStats License
-
+
- +
Reference manual
Setup and Run AWStats
+Security setup +
Configuration Directives/Options
-
+
- +
Other Topics -
-Frequently Asked Questions -
-Benchmarks -
-XML Portable Application Descriptor
+
+ +Frequently Asked Questions
+Benchmarks + +
+ +AWStats License
+AWStats XML PAD File +
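Review bot: the new "Security setup" entry in the Reference manual block must point at the file this commit adds, docs/awstats_security.html; the hrefs are stripped in this rendering so the target cannot be confirmed here, please double-check it. This hunk also moves "AWStats License" from the first block into "Other Topics" and renames "XML Portable Application Descriptor" to "AWStats XML PAD File", neither of which the commit message ("Added a page about security tips in documentation") mentions; either note them in the message or split them into their own commit.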