[2325] in WWW Security List Archive
Re: REMOTE_HOST and REMOTE_ADDR security
daemon@ATHENA.MIT.EDU (Micah Brandon)
Fri Jul 5 16:10:04 1996
Date: Fri, 05 Jul 1996 11:53:07 -0400
To: Jüri Kaljundi <jk@stallion.ee>, www-security@ns2.rutgers.edu
From: Micah Brandon <brandon@vv.com>
Errors-To: owner-www-security@ns2.rutgers.edu
At 07:10 PM 6/25/96 +0300, Jüri Kaljundi wrote:
>The question is, how safe can I be in assuming, that in case I know the
>user coming from a certain machine (using REMOTE_HOST or _ADDRESS), can I
>be sure nobody else can make my server think they are coming from the same
>machine? There will be no proxies in between, the connection will be
>between the client's PC and the www server (Apache).
I would say because you have absolutely no control over these
variables, you wouldn't want to put a security system in place where your IP
was your password. However, statistically speaking, you'd have a pretty
good representation of who was hitting your server if you only wanted to log
remote hosts & IPs...since MOST people aren't spoofing their address.
If you want to put something in place like remote administration of
your web server, I would restrict it to certain IPs within your network,
enable packet filtering on your router, and require a login/password to your
web server. Basically, don't just have one level of security, but several.
--
Micah Brandon
brandon@vv.com
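The layered check the post recommends, written out as an added example (this is not code from the original message or from Apache): a CGI-style request is accepted only if REMOTE_ADDR falls inside an administrator network and the request also carries a valid login/password. The admin networks, the user record and the sample requests are constructed for illustration; a request whose source address merely matches the allowlist, whether spoofed or not, still fails the second layer.

```python
"""Two-layer access check for a CGI/WSGI-style request dictionary.

Added example, not part of the original 1996 post.  Models the advice that
REMOTE_ADDR is a useful filter but must never be the only credential.
ADMIN_NETWORKS, USERS and the sample requests below are constructed.
"""
import base64
import hashlib
import hmac
import ipaddress

# Hypothetical internal administrator networks (documentation ranges).
# A spoofed or coincidentally matching REMOTE_ADDR passes this layer only.
ADMIN_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Hypothetical user database: salted PBKDF2-SHA256 hashes, never plaintext.
_SALT = b"constructed-fixed-salt-for-demo"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "webadmin": (_SALT, _hash_password("correct horse battery staple", _SALT)),
}


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value for a sample request."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


def ip_allowed(remote_addr: str) -> bool:
    """Layer 1: source address must be inside one of the admin networks."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:          # empty, garbage, or a hostname instead of an IP
        return False
    return any(addr in net for net in ADMIN_NETWORKS)


def credentials_valid(authorization: str) -> bool:
    """Layer 2: parse a Basic Authorization header and verify it against USERS."""
    if not authorization.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
        return False
    user, _, password = decoded.partition(":")
    record = USERS.get(user)
    if record is None:
        _hash_password(password, _SALT)        # keep timing similar for unknown users
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_password(password, salt), stored)


def authorize(environ: dict) -> tuple:
    """Return (HTTP status, reason).  Both layers must pass; IP alone is not enough."""
    if not ip_allowed(environ.get("REMOTE_ADDR", "")):
        return 403, "source address not in admin network"
    if not credentials_valid(environ.get("HTTP_AUTHORIZATION", "")):
        return 401, "valid login/password required"
    return 200, "ok"


if __name__ == "__main__":
    good = basic_header("webadmin", "correct horse battery staple")
    samples = [   # constructed sample requests
        {"REMOTE_ADDR": "192.0.2.5"},                                   # right net, no login
        {"REMOTE_ADDR": "203.0.113.9", "HTTP_AUTHORIZATION": good},      # right login, wrong net
        {"REMOTE_ADDR": "192.0.2.5", "HTTP_AUTHORIZATION": good},        # both layers pass
        {"REMOTE_ADDR": "192.0.2.5",
         "HTTP_AUTHORIZATION": basic_header("webadmin", "guess")},       # right net, bad password
    ]
    for env in samples:
        print(env["REMOTE_ADDR"], authorize(env))
```

In a real deployment the two layers live in the web server and the network rather than in the script: the router's packet filter drops traffic to the admin URL from outside, the server's own access control limits the address range, and an authentication module demands the password, so the script is the third check rather than the only one.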