From: Stuart Robinson <r.s.robinson@ntlworld.com>

I'm having my second 'play' with zope; this time round, however, I've got it
exposed to the world through port 80 (running on port 80), firewalled etc.
hmmm......
I noticed in Zope's output stream in the terminal window this evening a curious "ZServer Bad HTTP request: 'GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090% u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090% u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0'" .. which, if I'm not mistaken, is a deliberate or scripted attack?
It is a lame attack. My Zope mails me all errors, and exactly these errors are 80% of them all. Others think that I have /disk_c or so under my Linux server :-)))))
1st question: This is nothing to worry about with zope, right?
Not that much. Sometimes it causes Zope to stop responding or die (on Windows it occurs 1-2 times per week; under Linux I ran Zope on the wild Internet without a proxy for one month without a problem :-). I recommend you use the minimalistic but powerful Pound reverse proxy in front of it (www.apsis.ch/pound/).
2nd question: is running zope behind Apache any help? And if so (while I appreciate it is not trivial), what sort of things should I look out for?
Yes, it helps, but you could have a potential security problem with Apache. Use Pound instead if you don't need Apache.
Does anyone know of an 'everymans[!] guide to setting up apache and not doing it the WRONG way'? (sorry that's probably my quota of questions tonight I
know!) :-)
Yes, today I found that info early in the morning somewhere at www.zopera.org (I think, not sure), but it is in French. I think that this info is on zope.org too, but use Google to search for it. I mean the old Zope site, not the new one, because the new site has problems with the howto and products sections (it shows only the first 100 instead of all).

Regards,
JL.
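
Added example, not part of the original thread: a small Python triage script that picks out requests like the one quoted above from ZServer error output and reports what share of the bad-request errors they make up. The log format is assumed from the single line in the post, the thresholds are arbitrary, and the sample lines are constructed.

```python
import re

# Message format assumed from the one line quoted in the thread.
BAD_REQ = re.compile(r"ZServer Bad HTTP request: '(?P<req>.*)'")
HTTP_VER = re.compile(r"\s+HTTP/\d\.\d$")
FILLER = re.compile(r"(.)\1{31,}")        # one character repeated 32+ times
PCT_U = re.compile(r"%u[0-9a-fA-F]{4}")   # non-standard %uXXXX escapes


def classify(line):
    """Return None for unrelated lines, else 'ida-probe' or 'other-bad-request'."""
    m = BAD_REQ.search(line)
    if not m:
        return None
    _method, _, target = HTTP_VER.sub("", m.group("req")).partition(" ")
    path, _, query = target.partition("?")
    signs = [
        path.lower().endswith(".ida"),     # extension a Zope site does not serve
        bool(FILLER.search(query)),        # long padding run in the query string
        len(PCT_U.findall(query)) >= 4,    # several %u-encoded values
    ]
    # Require two independent signs so a plain request for an .ida path
    # is not counted as a probe.
    return "ida-probe" if sum(signs) >= 2 else "other-bad-request"


def summarize(lines):
    """Count each label and return (counts, share of probes among bad requests)."""
    counts = {"ida-probe": 0, "other-bad-request": 0}
    for line in lines:
        label = classify(line)
        if label:
            counts[label] += 1
    total = sum(counts.values())
    return counts, (counts["ida-probe"] / total if total else 0.0)


# Constructed sample lines (shortened; not real captures).
PREFIX = "ZServer Bad HTTP request: "
SAMPLE = [
    PREFIX + "'GET /default.ida?" + "X" * 64 + "%u9090%u6858%ucbd3%u7801%u9090 HTTP/1.0'",
    PREFIX + "'GET /default.ida?" + "X" * 200 + "%u9090%u6858%ucbd3%u7801 HTTP/1.0'",
    PREFIX + "'GET /default.ida HTTP/1.0'",
    PREFIX + "'HELO mail.example'",
    "ZServer HTTP server started on port 80",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```
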