This is a discussion on www: security in unlinked directories within the Apache Web Server forums, part of the Web Server and Related Forums category.
Hello *,

I've set up an Apache server and this server needs to generate secure dynamic content. In order to protect it from remote access the server renders the content and stores it in a newly created directory consisting of 10 random characters. Only the right users get the complete link to this directory.

How easy is it to find this dir? It will stay only for approx. 2 hours before being deleted. Is there a real chance to find it? (26+26+10)^10 = 839299365868340224, that's too much for brute force, isn't it? Or are there other ways to find the dir?

Any hints very welcome...

thanks
Henning
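The keyspace arithmetic in the post, worked through as an added example (this is not code from the original thread). It draws the directory name from the operating system's CSPRNG rather than a seeded PRNG, and turns the 62^10 figure into the probability that blind guessing succeeds given a request rate, a guessing window and the number of directories that are alive at the same time. The function names, the request rates and the shorter alphabet used for comparison are assumptions made for the example.

```python
import math
import secrets
import string

# Alphabet and length from the post: 26 lower + 26 upper + 10 digits, 10 characters.
ALPHABET = string.ascii_letters + string.digits
NAME_LENGTH = 10


def make_dir_name(length=NAME_LENGTH, alphabet=ALPHABET):
    """Directory name drawn from the OS CSPRNG.

    random.choice() would be the wrong tool here: the Mersenne Twister state can
    be recovered from a few hundred observed outputs, after which every future
    name is predictable.  secrets.choice() is uniform and unpredictable.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace(length=NAME_LENGTH, alphabet=ALPHABET):
    """Number of possible names: |alphabet| ** length (62**10 for the post's scheme)."""
    return len(alphabet) ** length


def entropy_bits(length=NAME_LENGTH, alphabet=ALPHABET):
    """Bits of entropy in one name: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


def hit_probability(requests_per_sec, window_seconds, live_dirs=1,
                    length=NAME_LENGTH, alphabet=ALPHABET):
    """Chance that an attacker guessing uniformly at `requests_per_sec` for
    `window_seconds` hits at least one of `live_dirs` names that are valid at
    the same time.  Each guess succeeds with probability live_dirs/keyspace;
    the union bound guesses*live_dirs/keyspace is tight while that is tiny,
    and is capped at 1.0 for the degenerate cases."""
    guesses = requests_per_sec * window_seconds
    return min(1.0, guesses * live_dirs / keyspace(length, alphabet))


def seconds_to_expected_hit(requests_per_sec, live_dirs=1,
                            length=NAME_LENGTH, alphabet=ALPHABET):
    """Expected seconds of guessing before the first hit: keyspace / (live * rate)."""
    return keyspace(length, alphabet) / (live_dirs * requests_per_sec)


if __name__ == "__main__":
    print("example name:", make_dir_name())
    print("keyspace:", keyspace(), "entropy bits: %.1f" % entropy_bits())
    # 1000 guesses/s for the whole 2-hour lifetime of one directory (assumed rate)
    print("P(hit) 62^10, 1000 req/s, 2h, 1 live dir: %.2e" % hit_probability(1000, 7200))
    # Same budget against a weaker scheme: 6 lowercase letters (26^6 names)
    print("P(hit) 26^6 , 1000 req/s, 2h, 1 live dir: %.2e"
          % hit_probability(1000, 7200, length=6, alphabet=string.ascii_lowercase))
```

The comparison is the useful part: at 1000 requests per second for two hours a guesser makes 7.2 million attempts, which against 62^10 names is hopeless, but against a 6-character lowercase name is better than a 2% chance per window, and the probability grows linearly with the number of directories alive at once. Note what the calculation does not cover: a listing of the parent directory, a Referer header leaking the URL to a third-party site, or a shared proxy log all hand the name over without any guessing.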
Of course there is always the possibility of hidden bugs somewhere. If I remember correctly, sometime around Apache 1.3.19 there was a bug which revealed the contents of a directory - i.e. what you don't want. Of course _this_ bug is fixed now... but who knows when the next will be found?

j.
"Henning Meyer" <Henning_Meyer123@gmx.net> wrote in message news:beelal$3r16j$1@ID-105195.news.dfncis.de...

> I've set up an Apache server and this server needs to generate secure
> dynamic content. In order to protect it from remote access the server
> renders the content and stores it in a newly created directory consisting
> of 10 random characters. Only the right users get the complete link to
> this directory.
> How easy is it to find this dir? It will stay only for approx. 2 hours
> before being deleted. Is there a real chance to find it?
> (26+26+10)^10=839299365868340224 that's too much for brute force, isn't it?
> Or are there other ways to find the dir?

So long as you configure the server and code the contents of your website well, there should be no way for them to see the folder.

As for the brute-forceability, pretty slim chance. First off, think who your potential hackers are. Are they going to know the format of your directory structure, to even be able to start a brute-force attack? If not, it's pretty safe anyway. Are you expecting someone to leak this information? If so then it isn't safe anyway, but at least they will only be able to access it for two hours. If you really suspect someone will try to brute-force it, you could always ban IP addresses that make too many failed requests.

There really are much better ways to restrict access to information on a webserver. The only reason I can think you would choose this way over (or as well as) standard password protection would be to time-limit access to authorised users. But these people have access for two hours? Isn't that long enough to do whatever it is you seem concerned to secure them against?

I'd be interested to hear what kind of application you would find this useful for, if it's not too sensitive.

Richard.
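Richard's suggestion of banning addresses that make too many failed requests, as an added example (not code from the thread). It parses Apache combined-format access log lines and flags any client with more than a threshold of 404 responses inside a sliding time window, which is what a guesser walking random directory names looks like. The log lines are constructed for the example, and the threshold, window and IP addresses are assumptions; the regular expression follows the real `combined` LogFormat, so the detector runs unchanged over a genuine access_log.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"   # e.g. 04/Jul/2003:12:00:00 +0000


def parse_line(line):
    """Return (ip, timestamp, status, request) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, int(m.group("status")), m.group("req")


def find_guessers(lines, threshold=20, window_seconds=60):
    """IPs that produced more than `threshold` 404s inside any `window_seconds`
    window.  Assumes the log is in time order, which is how httpd writes it.
    One deque of recent 404 timestamps per IP keeps memory bounded.
    Returns {ip: peak 404 count seen in a window}."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # skip unparseable lines rather than crash
            continue
        ip, ts, status, _ = parsed
        if status != 404:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()             # drop hits that fell out of the window
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


def _line(ip, ts, req, status, agent="curl/7.10.5"):
    """Format one constructed combined-log line."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "{req}" {status} 209 "-" "{agent}"'


# Constructed sample log (not real traffic): one host walks 30 guessed
# directory names in 30 seconds; a legitimate host fetches a valid link and
# mistypes one file name.
_t0 = datetime(2003, 7, 4, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [
    _line("203.0.113.7", _t0 + timedelta(seconds=i),
          f"GET /tmp/guess{i:06d}/ HTTP/1.0", 404)
    for i in range(30)
]
SAMPLE_LOG.append(_line("198.51.100.2", _t0 + timedelta(seconds=5),
                        "GET /tmp/Xk9qLm2ZpA/report.html HTTP/1.1", 200, "Mozilla/5.0"))
SAMPLE_LOG.append(_line("198.51.100.2", _t0 + timedelta(seconds=6),
                        "GET /tmp/Xk9qLm2ZpA/reprot.html HTTP/1.1", 404, "Mozilla/5.0"))
SAMPLE_LOG.sort(key=lambda l: parse_line(l)[1])   # keep the log in time order

if __name__ == "__main__":
    for ip, n in find_guessers(SAMPLE_LOG).items():
        print(f"ban candidate {ip}: {n} 404s within 60s")
```

The output of `find_guessers` is the input to whatever does the banning (a firewall rule, a `Deny from` line, or a tool such as fail2ban). Pick the threshold with the legitimate failure mode in mind: a user who clicks a link after its two-hour lifetime also produces a 404, but one or two, not hundreds.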
"Henning Meyer" <Henning_Meyer123@gmx.net> wrote in message news:beelal$3r16j$1@ID-105195.news.dfncis.de...

> Hello *,
>
> I've set up an Apache server and this server needs to generate secure
> dynamic content. In order to protect it from remote access the server
> renders the content and stores it in a newly created directory consisting
> of 10 random characters. Only the right users get the complete link to
> this directory.
> How easy is it to find this dir? It will stay only for approx. 2 hours
> before being deleted. Is there a real chance to find it?
> (26+26+10)^10=839299365868340224 that's too much for brute force, isn't it?
> Or are there other ways to find the dir?
>
> any hints very welcome...
>
>
> thanks
> Henning

If you can access it from the web, a determined - or maybe not so determined - hacker can too. Password protection be danged.

The single most common way I have seen for folks to access stuff they aren't supposed to be able to see on Apache servers is that the folks in charge forget to put a nice blank html page named index.htm inside every single folder. If you don't do that then someone need only know the name of the folder - or make a good guess - to get a complete list of every file in the folder.

There are some very neat tricks you can use with Apache though. Read up on htaccess - there are a couple of good tutorials online as well as tons of info at Apache.
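The directory-listing exposure described in the last reply, as an added example (not code from the thread or from Apache). It walks a document root, merges each directory's `.htaccess` `Options` directives top-down the way httpd does, and reports every directory that would answer a bare request with an auto-generated file listing. The weak setting is placed beside the fix: `Options -Indexes` switches listings off for the whole subtree, which removes the need for a blank index file in every folder (it only takes effect where `AllowOverride Options` permits `.htaccess` to set it; otherwise put it in httpd.conf). The tree, the file names and the DirectoryIndex names are assumptions made for the example.

```python
import os
import re
import tempfile

# DirectoryIndex names assumed for this example: httpd's compiled-in default is
# index.html, and many configurations add index.htm as the reply suggests.
INDEX_FILES = ("index.html", "index.htm")
OPTIONS_RE = re.compile(r"^\s*Options\s+(.+)$", re.IGNORECASE)


def apply_options(indexes_on, htaccess_text):
    """Fold the Options directives of one .htaccess into the inherited
    'Indexes enabled' flag, following httpd's merge rule: tokens with a
    leading + or - adjust the inherited set; a bare list such as
    'Options Indexes FollowSymLinks' or 'Options None' replaces it."""
    for raw in htaccess_text.splitlines():
        m = OPTIONS_RE.match(raw.split("#", 1)[0])   # strip trailing comments
        if not m:
            continue
        tokens = m.group(1).split()
        if not tokens:
            continue
        if all(t[0] in "+-" for t in tokens):        # relative form
            for t in tokens:
                if t[1:].lower() in ("indexes", "all"):
                    indexes_on = t.startswith("+")
        else:                                         # absolute form
            indexes_on = any(t.lower() in ("indexes", "all") for t in tokens)
    return indexes_on


def listable_dirs(docroot, indexes_on=True):
    """Directories under docroot that would serve an auto-generated listing:
    Indexes in effect and no DirectoryIndex file present.  `indexes_on` is the
    state inherited from httpd.conf for docroot; .htaccess files are merged
    top-down like httpd does (assuming AllowOverride Options)."""
    found = []

    def walk(path, indexes_on):
        ht = os.path.join(path, ".htaccess")
        if os.path.isfile(ht):
            with open(ht, encoding="utf-8") as f:
                indexes_on = apply_options(indexes_on, f.read())
        names = sorted(os.listdir(path))
        if indexes_on and not any(n in INDEX_FILES for n in names):
            found.append(os.path.relpath(path, docroot).replace(os.sep, "/"))
        for n in names:
            sub = os.path.join(path, n)
            if os.path.isdir(sub):
                walk(sub, indexes_on)

    walk(docroot, indexes_on)
    return found


WEAK_HTACCESS = "Options Indexes FollowSymLinks\n"   # every index-less folder is browsable
FIXED_HTACCESS = "Options -Indexes\n"                # listings off; unlinked names stay unlinked


def demo(htaccess_text):
    """Constructed docroot matching the poster's layout: index.html at the top,
    /public with index.htm, and /tmp holding one random-named directory with
    no index file.  Returns listable_dirs() for that tree under the given
    top-level .htaccess."""
    with tempfile.TemporaryDirectory() as root:
        def touch(*parts, text=""):
            p = os.path.join(root, *parts)
            os.makedirs(os.path.dirname(p), exist_ok=True)
            with open(p, "w", encoding="utf-8") as f:
                f.write(text)
        touch(".htaccess", text=htaccess_text)
        touch("index.html", text="<html></html>")
        touch("public", "index.htm", text="<html></html>")
        touch("tmp", "Xk9qLm2ZpA", "report.html", text="<html>secret</html>")
        return listable_dirs(root)


if __name__ == "__main__":
    print("weak :", demo(WEAK_HTACCESS))    # ['tmp', 'tmp/Xk9qLm2ZpA']
    print("fixed:", demo(FIXED_HTACCESS))   # []
```

The audit makes the point of this thread concrete: with `Indexes` on, it is the parent `tmp` directory, not the random name, that matters. One request for `/tmp/` returns every live name and the 62^10 keyspace counts for nothing. With `-Indexes` in effect the random name is the only way in, and the arithmetic in the first post applies.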