Elxis CMS Forum » Support » Security » Security actions before going LIVE
Topic: Security actions before going LIVE (Read 10937 times)
balisto (Jr. Member, Posts: 71)
Security actions before going LIVE « on: February 09, 2009, 19:50:46 »
Hi,
I'm quite sure I once saw a document here in the forums or somewhere else on elxis.org with all the points to keep in mind BEFORE going live with an Elxis site (like which folders should be chmod unwritable and how to hide the admin-panel access etc). Does anybody know what I'm talking about? Does this kind of documentation still exist? I couldn't find it. Or was it a dream?
Cheers,
Chris
rentasite (Elxis Community, Hero Member, Posts: 3282, Web Services)
Re: Security actions before going LIVE « Reply #1 on: February 09, 2009, 20:05:31 »
Quote from: balisto on February 09, 2009, 19:50:46
and how to hide the admin-panel access etc).
Don't know what documentation you are talking about, but here is a link with a post about Login Cloak:
https://forum.elxis.org/index.php?topic=1876.msg11109#msg11109
datahell (Elxis Team, Hero Member, Posts: 10356)
Re: Security actions before going LIVE « Reply #2 on: February 09, 2009, 22:45:13 »
Regarding files/folders permissions:
Only 2 folders need to be absolutely writeable (777): tmpr and cache.
If you have enabled Elxis defender or floodblocker then make sure their log files/directories are also writeable, as these tools run before Elxis and they don't have FTP support. You will find them in the administrator/tools/ directory.
Elxis can work fine if everything is writeable only for the local user (permissions 755/644) if you have enabled FTP access over files in Elxis global configuration.
https://www.elxis.org/guides/general-guides/proper-elxis-installation.html
Elxis shell pre-installer applies the best permissions on files/folders automatically:
https://www.elxis.org/guides/developers-guides/elxis-shell-pre-installer-how-to.html
You can tell your hosting company to install elxis for you using that script. It is a matter of seconds to run a perfect Elxis setup with Elxis shell pre-installer.
« Last Edit: February 09, 2009, 22:48:17 by datahell »
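A pre-launch check for the permission scheme in the reply above, added here as an example (it is not part of the post or of Elxis): it lists every world-writable file or directory in the site tree except tmpr and cache. The function name and the optional extra allowed paths, given relative to the site root (for instance the defender/floodblocker log locations of your install), are assumptions.

```sh
#!/bin/sh
# audit_elxis_perms ROOT [ALLOWED_RELATIVE_PATH...]
# Prints each file or directory under ROOT that is world-writable,
# skipping ROOT/tmpr and ROOT/cache (the two folders the post says must
# be 777) plus any extra allowed paths given relative to ROOT.
# An empty result means the tree matches the 755/644 scheme.
audit_elxis_perms() {
    root=${1:?usage: audit_elxis_perms ROOT [ALLOWED_RELATIVE_PATH...]}
    root=${root%/}
    shift
    n=$#
    # Append "-o -path ROOT/<allowed>" for every allowed location.
    for p in tmpr cache "$@"; do
        set -- "$@" -o -path "$root/$p"
    done
    shift "$n"   # drop the caller's original arguments
    shift        # drop the leading -o
    # Prune the allowed locations, then report anything else whose
    # "other" write bit is set (-perm -0002).
    find "$root" \( "$@" \) -prune -o \
        \( -type f -o -type d \) -perm -0002 -print
}
```

Run it as `audit_elxis_perms /path/to/site` before going live and fix or justify every path it prints.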
balisto (Jr. Member, Posts: 71)
Re: Security actions before going LIVE « Reply #3 on: February 10, 2009, 17:15:50 »
Thanks for your replies. Will check all this!
boghy (Newbie, Posts: 7)
Re: Security actions before going LIVE « Reply #4 on: February 12, 2009, 17:04:52 »
Depending on how knowledgeable you are, you can further secure your "site.tld/administration" with mod_rewrite.
As an idea, what you can do is put a .htaccess file in the root of your "site.tld/administration" with some rewrite conditions that would restrict any visitor, including you, from accessing your publicly known site "site.tld/administration", then create a subdomain "mysubdomain.site.tld/administration" pointed to the same location on the HDD where your website files are. In order for this to work you will have to use vhost.conf from Apache and call a different file like .htpasswords.
By doing this you get:
1- all users that access "site.tld/administration", including you, are redirected to "site.tld"
2- any user that finds out "mysubdomain.site.tld/administration" will get a server login prompt before even seeing any page
I use this method on all my sites and I have no problem with things like brute force attacks.
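A sketch of the setup described in the reply above, added here as an example and not taken from the post or from Elxis. Host names and the administration path are written as in the post; the filesystem paths and the realm name are assumptions.

```apache
# --- /var/www/site/administration/.htaccess (docroot path is an assumption) ---
# The directory is shared by both host names, so the redirect has to be
# conditional on the Host header: any request that does not arrive on the
# private subdomain is sent back to the public front page.
# The site.tld vhost must allow "AllowOverride FileInfo" for this directory,
# otherwise this file is ignored there and the public path stays reachable.
RewriteEngine On
RewriteCond %{HTTP_HOST} !^mysubdomain\.site\.tld(:[0-9]+)?$ [NC]
RewriteRule ^ http://site.tld/ [R=302,L]

# --- vhost.conf for the private subdomain ---
# Same DocumentRoot as site.tld; only this vhost attaches Basic auth to the
# administration directory. Serve it over TLS in production so the Basic
# credentials do not travel in cleartext.
<VirtualHost *:80>
    ServerName mysubdomain.site.tld
    DocumentRoot "/var/www/site"

    <Directory "/var/www/site/administration">
        # FileInfo lets the .htaccess above use mod_rewrite directives.
        AllowOverride FileInfo
        AuthType Basic
        AuthName "Administration"
        # Password file kept outside the DocumentRoot (assumed path);
        # create it with: htpasswd -c /etc/apache2/secure/.htpasswords USER
        AuthUserFile "/etc/apache2/secure/.htpasswords"
        Require valid-user
    </Directory>
</VirtualHost>
```

To verify, request "site.tld/administration" and expect a 302 to the front page, then request the same path on the subdomain and expect a 401 before any page content is returned.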
datahell (Elxis Team, Hero Member, Posts: 10356)
Re: Security actions before going LIVE « Reply #5 on: February 12, 2009, 19:38:55 »
OK, if this makes you feel safer. But I would like to tell Elxis users that a simple login page cloak is enough to exclude everyone else from your administration. Why? Because the login is done on the index.php file, only. If no one knows where it is, how can he log in? He cannot even attack you with a brute force attack or with SQL injection. There is no need to add more security layers, no one can enter your Elxis administration with a direct login attempt, I guarantee that. Of course there are other ways, i.e. session hijacking, but this is up to how securely you use the internet in general.
« Last Edit: February 12, 2009, 19:42:33 by datahell »
rentasite (Elxis Community, Hero Member, Posts: 3282, Web Services)
Re: Security actions before going LIVE « Reply #6 on: February 12, 2009, 19:41:37 »
And also, if someone has a Static IP he can use the "Allowed IP addresses" function for the backend.
datahell (Elxis Team, Hero Member, Posts: 10356)
Re: Security actions before going LIVE « Reply #7 on: February 12, 2009, 19:43:11 »
Yes, if you have a static IP it is even better.
Even if they know the username/password they cannot log in.
« Last Edit: February 12, 2009, 19:44:51 by datahell »
rentasite (Elxis Community, Hero Member, Posts: 3282, Web Services)
Re: Security actions before going LIVE « Reply #8 on: February 12, 2009, 23:13:03 »
I'm using the "Allowed IP addresses" feature for a specific site. And from where I'm administrating this site I use WiFi and of course a STATIC IP.
One day... my laptop got automatically connected to a different wireless router from the one it should. RESULT: Different IP from the one allowed. So I was trying to log in to the Administration area and I couldn't. I also couldn't understand why...
It took us some time to realize what happened. CRAZY!!!