Frackin script kiddies!!

Jarod Wilson jarod-ajLrJawYSntWk0Htik3J/w at public.gmane.org
Mon Aug 2 23:06:25 EDT 2010


On Mon, Aug 2, 2010 at 10:48 PM, Matthew Gillen <me-5yx05kfkO/aqeI1yJSURBw at public.gmane.org> wrote:
> On 08/02/2010 10:20 PM, Dan Ritter wrote:
>> On Mon, Aug 02, 2010 at 08:49:43PM -0400, David Kramer wrote:
>>> Long story short, the MythTV mailing list folks pointed out that
>>> AutoExpire could not have done this, and it was more likely my MythWeb
>>> interface was left unprotected, and some script kiddie had some fun
>>> deleting it all.  And they were right.  After some update my .htaccess
>>> file disappeared, and I never noticed I didn't need a password anymore.
>>
>> I don't have an .htaccess file.
>>
>> That's because my MythTV isn't listening to any ports from the
>> outside world. If I want to jigger it remotely, I have to SSH in
>> to my main machine, then tunnel over to the MythTV.
>>
>> If you can afford to have a gateway machine on all the time --
>> and a $99 SheevaPlug only sips about 12W -- I do recommend this
>> approach.
>
> More and more, I believe hiding behind ssh tunnels is the only way to stay
> sane.  Precisely because David is probably a much better sys-admin than me
> (daily snapshots!), and problems like he described are so hard to predict:
> unless you know to look for it, why would you set up cron jobs to watch for
> disappearing .htaccess files?

Well, personally, I think a sane mythweb package puts a config file
into apache's config includes directory, not in a .htaccess file. And
then you enable authentication and wrap it with ssl. I'm not paranoid
enough to worry about requiring a vpn link or ssh tunnels, I've got
https access from anywhere.

-- 
Jarod Wilson
jarod-ajLrJawYSntWk0Htik3J/w at public.gmane.org
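
The thread turns on HTTP authentication for MythWeb silently vanishing. The following is an added example, not part of the original messages or of any MythWeb package: a small audit that a cron job could run against an Apache config include to confirm the authentication and SSL directives are still present. The path `/var/www/html/mythweb`, the password file location and both sample configs are constructed assumptions.

```python
import re

# Constructed sample configs; the MythWeb path and file names are assumptions.
PROTECTED = """\
<Directory "/var/www/html/mythweb">
    SSLRequireSSL
    AuthType Basic
    AuthName "MythTV"
    AuthUserFile /etc/httpd/conf/mythweb.htpasswd
    Require valid-user
</Directory>
"""
UNPROTECTED = """\
<Directory "/var/www/html/mythweb">
    Options FollowSymLinks
    # AuthType Basic
    # Require valid-user
</Directory>
"""

# Directives that must be active inside the block, with the finding if absent.
REQUIRED = {
    "authtype": "no AuthType: authentication is not enabled",
    "authuserfile": "no AuthUserFile: no credential store configured",
    "require": "no Require: access is not restricted to any user",
    "sslrequiressl": "no SSLRequireSSL: plain-HTTP requests are not refused",
}

def audit(conf_text, directory):
    """Return a list of findings for the <Directory> block covering `directory`."""
    block = re.search(
        r'<Directory\s+"?%s/?"?\s*>(.*?)</Directory>' % re.escape(directory),
        conf_text, re.S | re.I)
    if block is None:
        return ["no <Directory> block for %s: nothing protects it" % directory]
    seen = {}
    for line in block.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # commented-out directives don't count
            continue
        parts = line.split(None, 1)
        seen[parts[0].lower()] = parts[1].lower() if len(parts) > 1 else ""
    findings = [msg for name, msg in REQUIRED.items() if name not in seen]
    if seen.get("require") == "all granted":
        findings.append("Require all granted: everyone is allowed in")
    return findings

if __name__ == "__main__":
    for label, text in (("protected", PROTECTED), ("unprotected", UNPROTECTED)):
        print(label, "->", audit(text, "/var/www/html/mythweb") or "OK")
```

Run from cron against the real include file, a non-empty result is the signal to alert on; it checks only the config text, so it does not replace testing that an unauthenticated request is actually refused.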





