
osCommerce


Security of site


Fresh Start


Hello all,

I am looking for advice from this forum on the subject of site security. To begin, I have changed the name of the admin folder and have password protected it. I have added and tested Security Pro v2 and it appears to be working. I am looking at the following contributions, but am of the view that some may not be required due to the changes / additions I have already reported here: Site Monitor, IP Trap, Anti XSS and .htaccess measures.

Would those contributors with the necessary knowledge of this area please inform me whether I have already done enough, or whether I need to add more security? The reason for such a question is so that I do not add a further contribution to my site which does not need to be there, because my current security measures already resolve the issues which each additional contribution is meant to resolve, if you see what I mean.

Kind regards,

Peter...


Peter, on the question of security you can never have enough (so they say).

With 2.3.1, Security Pro is an easy add-on to do, as is File Safe (both from FWR). File Safe monitors the site using a cron job, or you can run it whenever you want.

I've used Bad Behavior rather than IP Trap and Anti XSS. BB will ban anyone trying to cross-site script or access your whole site (not just osC) in a way that is not appropriate, while Security Pro will reduce XSS attempts to harmless characters anyway.

Bad Behavior tells the poster that they have been banned; this visual notification eventually gets the message through, and hacking attempts tend to dry up over the course of a month.

My store is currently running Phoenix 1.0.3.0

I'm currently working on 1.0.7.2 and hope to get it live before 1.0.8.0 arrives (maybe 🙄 )

I used to have a list of add-ons here, but I've found that with the ones that supporters of Phoenix get, any other add-ons are not really necessary.


Xpajun,

Many thanks, this is just the type of information I need - saves me hours of study! So, I will be looking for File Safe and probably Bad Behaviour tomorrow. Will update once I have tested.

Kind regards,

Peter...


(3 weeks later...)


Due to other matters, I have only just managed to install 'KISS File Safe' and have set a Cron Job for midnight. The manual method appeared to work - it sent me an email with the number of files and no changes (at that point). Once I had set the Cron Job I was not able to manually test the system again - I considered that the Cron Job was taking the lead and would not allow interference, unless I cancelled the Cron Job. Will see how things pan out tonight / tomorrow. Thanks everyone, I will feed back once I know more.

Kind regards,

Peter...


Once I had set the Cron Job I was not able to manually test the system again - considered that the Cron Job was taking the lead and would not allow interference, unless I cancelled the Cron Job.

 

Interesting point... ask Rob (FWR Media) about it on his File Safe post in the general add-on board, because if that is so you won't be able to do a reset either.

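What a scheduled File Safe style check amounts to, shown here as an added example for this thread rather than File Safe's own code (it says nothing about how File Safe stores its data or why a manual run might be refused once the cron job is set): hash every regular file under the web root, keep a manifest of hashes and permission bits outside the web root, and on each run report what was added, removed or changed, plus any directory that is world-writable. The manifest name, the directory layout and the file contents in `demo()` are assumptions constructed for the example.

```python
#!/usr/bin/env python3
"""Baseline-and-compare file monitor, added for illustration. Not File Safe's
code; MANIFEST_NAME and the layout built in demo() are assumed."""
import hashlib
import json
import os
import stat
import tempfile

MANIFEST_NAME = "integrity_manifest.json"   # assumed name; lives outside the web root


def sha256_file(path, chunk=65536):
    """Stream the file so large images are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan(root):
    """Map every regular file under root to its SHA-256 and permission bits.
    Recording the mode means a chmod shows up even when the bytes are untouched."""
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                      # skip symlinks, sockets, devices
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": sha256_file(full),
                             "mode": oct(stat.S_IMODE(st.st_mode))}
    return manifest


def compare(baseline, current):
    """Classify the difference between two manifests."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def world_writable_dirs(root):
    """Directories with the o+w bit set (the 0777 case): any local user, the
    web server included, can drop files there."""
    hits = []
    for dirpath, _, _ in os.walk(root):
        if os.stat(dirpath).st_mode & stat.S_IWOTH:
            hits.append(os.path.relpath(dirpath, root).replace(os.sep, "/"))
    return sorted(hits)


def run_check(root, manifest_path):
    """One scheduled run: compare against the stored baseline (None on the very
    first run, which only records it), then store the fresh manifest."""
    current = scan(root)
    report = None
    if os.path.exists(manifest_path):
        with open(manifest_path) as fh:
            report = compare(json.load(fh), current)
    with open(manifest_path, "w") as fh:
        json.dump(current, fh, indent=1, sort_keys=True)
    return report


def demo():
    """Constructed web root: two runs, with a file dropped into images/, the
    front controller edited and images/ opened up to 0777 in between."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "catalog")
        images = os.path.join(root, "images")
        os.makedirs(images)
        os.chmod(root, 0o755)
        os.chmod(images, 0o755)
        manifest = os.path.join(tmp, MANIFEST_NAME)   # outside the web root
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php require 'includes/application_top.php';\n")
        with open(os.path.join(images, "logo.gif"), "wb") as fh:
            fh.write(b"GIF89a")
        first = run_check(root, manifest)             # baseline only
        with open(os.path.join(images, "dropped.php"), "w") as fh:
            fh.write("<?php /* should never be here */ ?>\n")
        with open(os.path.join(root, "index.php"), "a") as fh:
            fh.write("// unexpected edit\n")
        os.chmod(images, 0o777)
        second = run_check(root, manifest)
        return {"first": first, "second": second,
                "world_writable": world_writable_dirs(root)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run it from cron as the user that owns the shop files and mail the output; because the manifest is written outside the web root, no directory inside the site has to be left writable for the monitor itself. A manual run and the cron run are the same command here, so the only thing to avoid is starting both at the same moment, since the second one would compare against a manifest the first is still writing.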

Hello all,

Kiss File Safe update. The Cron Job appeared to work well, as did the File Safe contribution. It pointed out 5 additional files / changes to the site, which I made yesterday, including an executable image file, which I queried elsewhere in this forum in another context, again yesterday.

One thing that I did note (yesterday) is that File Safe would not process my manual input request if I did not leave the permissions on one particular folder as 0777. Will this cause problems, leaving it as is? Thinking about it, I will change this ahead of the next scheduled Cron Job, to see if it processes the request. If not, I will change it back to 0777.

 

Another question: the .htaccess changes referred to in the install notes.

# Switch the PHP engine off for this directory (a mod_php directive)
php_flag engine off
# Refuse to serve anything that looks like a script or config file
<Files ~ "\.(php*|s?p?html|cgi|pl|ini)$">
deny from all
</Files>

 

I looked into the current .htaccess file in 'images' and noted that it is similar to what has been suggested should be in there:

# $Id$
#
# This is used to restrict access to this folder to anything other
# than images

# Prevents any script files from being accessed from the images folder
<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">
Order Deny,Allow
Deny from all
</FilesMatch>

 

If using File Safe, should we delete the current .htaccess content and replace it with the KISS File Safe version, or copy it beneath the original? As well, apart from the image / cache directories, which others should be amended in this way?

Kind regards,

 

Peter...

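A dry run of the two Apache patterns quoted in the post above, added here as an illustration and not something from the thread, from KISS File Safe or from osCommerce. The two pattern constants are copied verbatim from the post; the sample file names are constructed; MERGED_PATTERN and HARDENED_PATTERN are this example's own suggestions. Apache evaluates `<Files ~>` and `<FilesMatch>` with PCRE, and for patterns this simple Python's `re` gives the same answers, so the table shows exactly which names each rule denies and which slip past. The point worth seeing is that the two lists are not equivalent: `php*` in a regex means "ph" followed by any number of "p", so the File Safe rule lets `shell.php5` through (and pointlessly denies `a.ph`), while the stock osCommerce rule lets `config.ini` through.

```python
#!/usr/bin/env python3
"""Which file names each <Files>/<FilesMatch> regex from the thread denies.
Added for illustration; the two quoted patterns are copied from the post, the
sample names are constructed, MERGED_PATTERN and HARDENED_PATTERN are assumed."""
import re

# From the KISS File Safe install notes as quoted above.
# Regex trap: "php*" is "ph" followed by zero or more "p", so it matches
# .ph and .php but not .php5.
FILESAFE_PATTERN = r"\.(php*|s?p?html|cgi|pl|ini)$"

# From the stock osCommerce images/.htaccess as quoted above.
OSC_IMAGES_PATTERN = r"\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$"

# Union of the two alternations: one block that loses nothing either list covered.
MERGED_PATTERN = r"\.(php([0-9]|s)?|s?p?html|cgi|pl|ini|exe)$"

# Suggested tighter rule (this example's assumption): case-insensitive, covers
# .phar/.phtml, and matches the extension anywhere in the name so that a double
# extension such as shell.php.jpg is denied too.
HARDENED_PATTERN = r"(?i)\.(php[0-9]?|phps|phar|phtml|s?html|cgi|pl|ini|exe)(\.|$)"

PATTERNS = {
    "filesafe": FILESAFE_PATTERN,
    "osc_images": OSC_IMAGES_PATTERN,
    "merged": MERGED_PATTERN,
    "hardened": HARDENED_PATTERN,
}

# Constructed names an images or upload directory might end up holding.
SAMPLE_NAMES = [
    "logo.gif", "index.php", "shell.php5", "shell.phtml", "shell.phar",
    "shell.PHP", "config.ini", "tool.exe", "shell.php.jpg", "a.ph",
]


def blocked(pattern, filename):
    """True if Apache would apply the Deny block to this file name."""
    return re.search(pattern, filename) is not None


def coverage(names=SAMPLE_NAMES, patterns=PATTERNS):
    """{name: {pattern_label: denied?}} for a side-by-side table."""
    return {n: {label: blocked(p, n) for label, p in patterns.items()} for n in names}


def gaps(label_a, label_b, names=SAMPLE_NAMES):
    """Names that pattern A denies and pattern B lets through."""
    table = coverage(names)
    return [n for n in names if table[n][label_a] and not table[n][label_b]]


if __name__ == "__main__":
    for name, row in coverage().items():
        cells = " ".join(f"{k}={'deny' if v else 'PASS'}" for k, v in row.items())
        print(f"{name:15s} {cells}")
    print("osc denies, filesafe passes:", gaps("osc_images", "filesafe"))
    print("filesafe denies, osc passes:", gaps("filesafe", "osc_images"))
    print("hardened denies, merged passes:", gaps("hardened", "merged"))
```

Two caveats before pasting either snippet into a directory: `php_flag engine off` is honoured only by mod_php, and where PHP runs under FPM Apache treats it as an unknown directive and answers every request in that directory with a 500, so the Deny block is the part that works on both setups; and `Order Deny,Allow` / `Deny from all` is Apache 2.2 syntax that 2.4 accepts only with mod_access_compat loaded, the 2.4 form being `Require all denied`. The hardened list includes `.phar` and `.phtml` because Debian- and Ubuntu-style PHP handler configurations execute those extensions as PHP as well.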


Peter,

Ask your question about KISS File Safe here. You will get all the answers you need from the author himself ;)


Archived

This topic is now archived and is closed to further replies.
