Securing PyDoc and CGIHTTPserver
Harry George
harry.g.george at boeing.com
Thu Jul 10 13:23:54 EDT 2003
Peter Hansen <peter at engcorp.com> writes:
> Jon Schull wrote:
> >
> > PyDoc's author Ka-Ping Yee has suggested that PyDoc be patched to
> > prevent access from unauthorized IP addresses
> > (https://sourceforge.net/tracker/?func=detail&atid=305470&aid=672656&group_id=5470),
> > and that without such a patch, it's not "suitable for running on boxes
> > that aren't behind firewalls"
> >
> > It's hard to know how much to worry about such things (Comments?).
> >
> > However, even with the patch, IP addresses can be spoofed. Here is an
> > additional security tactic that might be adopted.
> >
> > The port number used by pydoc is currently set by the user at the
> > command line. Many people probably use the example given in the
> > python module documentation: "python -p 1234". However, if the port
> > were chosen at random and printed out, then only pydoc and the user
> > would know how to access the pydoc server.
> >
> > I'm considering a similar strategy for a server based on the
> > CGIHTTPServer module, so comments would be welcome.
>
> My suggestion: don't attempt to mix security into each individual
> application in a piecemeal manner. Use the proper tools for the
> job, such as firewalls. Setting up a firewall on Linux or WinXP
> is nearly trivial at this point, and the learning experience is
> worth the effort for those who are new to this, so there's not
> much excuse for doing it properly, IMHO.
>
Here, we have lots of COTS *NIX behind the corporate firewalls, and
want to provide internal security. We do this with SSL'd
communications. I can see how a firewall denies/allows specific IP
addresses (or at least claimed IP addresses), but not how it solves
sniffing, spoofing, man-in-the-middle, etc., where encryption
protocols are needed.
> -Peter
--
harry.g.george at boeing.com
6-6M31 Knowledge Management
Phone: (425) 294-8757
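The two ideas in the thread (answer only to a known set of client addresses, and let the OS pick the port so only the server process and its user know it) can be combined in a few lines with Python 3's http.server, the successor of CGIHTTPServer. The example below is added here and is not code from the thread, from pydoc or from CGIHTTPServer; the allow lists, the handler, the server class and the certfile/keyfile parameters are assumptions chosen for illustration. It binds to loopback by default, which is the stronger control (an off-host peer cannot complete the TCP handshake at all), and applies the allow list as a second check on the peer address the kernel reports; the optional TLS wrapping covers the sniffing and man-in-the-middle concern raised in the reply. Current pydoc already accepts `-p 0` for an arbitrary unused port and listens on localhost unless `-n` says otherwise.

```python
import http.client
import http.server
import ipaddress
import socketserver
import ssl
import threading

# Constructed allow lists for this example (assumptions, not anything pydoc ships).
LOOPBACK_ONLY = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]
INTERNAL_ONLY = [ipaddress.ip_network("10.0.0.0/8")]  # deliberately excludes loopback


def is_allowed(client_ip, networks):
    """True if client_ip lies inside one of the allowed networks.

    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d), which a dual-stack socket reports
    for IPv4 peers, are unmapped first so an IPv4 allow list still applies.
    Unparseable input is rejected instead of raising.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr in net for net in networks)


class RestrictedHandler(http.server.BaseHTTPRequestHandler):
    """Serves a placeholder body, but only to peers on the server's allow list."""

    def do_GET(self):
        if not is_allowed(self.client_address[0], self.server.allowed_networks):
            self.send_error(403, "Forbidden")
            return
        body = b"restricted doc server: ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, format, *args):  # keep the example quiet
        pass


class RestrictedServer(socketserver.TCPServer):
    allow_reuse_address = True

    def __init__(self, address, networks):
        self.allowed_networks = list(networks)
        super().__init__(address, RestrictedHandler)


def start_server(networks, bind_host="127.0.0.1", port=0, certfile=None, keyfile=None):
    """Start the server in a background thread and return (server, chosen_port).

    port=0 lets the OS pick an unused port (the "random port" idea from the thread).
    bind_host defaults to loopback, so off-host peers cannot even open a connection,
    whatever the allow list says. If certfile/keyfile (hypothetical paths supplied by
    the caller) are given, the listening socket is wrapped in TLS; the self-test below
    does not exercise that path because it needs a certificate on disk.
    """
    server = RestrictedServer((bind_host, port), networks)
    if certfile:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        ctx.load_cert_chain(certfile, keyfile)
        server.socket = ctx.wrap_socket(server.socket, server_side=True)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]  # actual port after bind


def stop_server(server):
    server.shutdown()
    server.server_close()


def fetch(port, path="/"):
    """Plain-HTTP GET against the loopback server; returns (status, body)."""
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


if __name__ == "__main__":
    srv, chosen = start_server(LOOPBACK_ONLY)
    print(f"listening on 127.0.0.1:{chosen} (only this process and its user know the port)")
    print(fetch(chosen))
    stop_server(srv)
```

Starting the same server with INTERNAL_ONLY makes a loopback client get 403, which shows the allow-list check working independently of the bind address. Note that the peer address comes from the kernel's completed TCP handshake, so it is the address the kernel actually exchanged packets with; a connection whose source was forged would not complete the handshake, which is why binding to loopback plus TLS is the combination that covers both the "who may connect" and the "who is listening in" questions from the thread.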