We plan to migrate our SVN server from LAN to Internet.
We need to convince our management, that our setup is secure enough.
Is there any SVN server security scanning t开发者_高级运维ool, to check on the security level of our SVN server?
Thanks. We are using Windows.
using Nessus or OpenVAS(A more free version of Nessus) it is easy to test for known vulnerabilities all Daemon process running on a server(like ssh, Apache or SVN). Load up Nessus or OpenVAS, set the target as your SVN server and enable all plugins. Should take about 15 minutes and it will give you a detailed report.
The most secure way to use SVN over the open internet is svn+ssh and authenticate using SSH keys instead of passwords. However this requires you to setup keys for every developer. Throwing usernames/passwords and source code over the internet in plain text is a (!!!!)EXTREMELY(!!!!) bad idea. At the very least you must make sure you use SVN+HTTPS with a real certificate which will cost you ~$30 a year. Disable http all together, you don't want a developer to accidentally connect via HTTP.
You don't specify how you are intending to secure your SVN server.
Use svnserve + SSH://
No tool is going to completely verify security. You need to set it up using tried and proven techniques.
[...and almost certainly belongs on serverfault: SVN+SSH Security]
You might try using Google and do a search such as:
allinurl:"all-wcprops" inurl:"yoururlhere"
If you then get a match like this at the end:
/.svn/all-wcprops
It means that Apache isn't configured to at the very least keep folks from checking out your repository. This is probably a tool for checking for security failures via apache rather than svn. Hope I've been helpful.
Easy enough to fix in your apache conf:
# Disallow browsing of Subversion working copy administrative dirs.
<DirectoryMatch "^/.*/\.svn/">
Order deny,allow
Deny from all
</DirectoryMatch>
精彩评论