RedHat 6.0 cachemgr.cgi

RedHat Linux 6.0 installs by default a squid cache manager cgi script with no restricted access permissions. This script could be used to perform a port scan from the cgi-host machine.

If you are not using the box as a Squid www proxy/cache server then uninstall the package by executing: /etc/rc.d/init.d/squid stop, rpm -e squid If you want to continue using the Squid proxy server software, make the following actions to tighten security access to the manager interface: mkdir /home/httpd/protected-cgi-bin mv /home/httpd/cgi-bin/cachemgr.cgi /home/httpd/protected-cgi-bin/ And add the following directives to /etc/httpd/conf/access.conf and srm.conf: --- start access.conf segment --- # Protected cgi-bin directory for programs that # should not have public access order deny, allow deny from all allow from localhost #allow from .your_domain.com AllowOverride None Options ExecCGI --- end access.conf segment --- --- start srm.conf segment --- ScriptAlias /protected-cgi-bin/ /home/httpd/protected-cgi-bin/ --- end srm.conf segment ---