Security actions before going LIVE

[balisto]

Hi,

I'm quite sure I once saw a document here in the forums or somewhere else on elxis.org with all the points to keep in mind BEFORE going live with a exlis-site (like which folders should be chmod unwritable and how to hide the admin-panel access etc). Does anybody know what I'm talking about. Does this kind of documentation still exist. I couldn't find it. Or was it a dream?

Cheers,
Chris

[rentasite]

and how to hide the admin-panel access etc).

Don't know what documentation u r talking about, but here is a link with a post about Login Cloak

https://forum.elxis.org/index.php?topic=1876.msg11109#msg11109

[datahell]

Regarding files/folders permissions:
Only 2 folders needs to be absolutely writeable (777): tmpr and cache.
If you have enabled Elxis defender or floodblocker then make sure their log files/directories are also writeable as these tools run before Elxis and they don't have FTP support. You will find them in administrator/tools/ directory.

Elxis can work fine if everything is writeable only for the local user (permissions 755/644) if you have enabled ftp access over files in Elxis global configuration.
https://www.elxis.org/guides/general-guides/proper-elxis-installation.html

Elxis shell pre-installer applies the best permissions on files/folders automatically:
https://www.elxis.org/guides/developers-guides/elxis-shell-pre-installer-how-to.html
You can tell your hosting company to install elxis for you using that script. It is a matter of seconds to run a perfect Elxis setup with Elxis shell pre-installer.

[balisto]

Thanks for your replies. Will check all this!

[boghy]

Depending how knowledgeable you are, you can secure more your "site.tld/administration" with mod_rewrite.
As an idea what you can do is to put a .htaccess file in the root of your "site.tld/administration" with some rewrite conditions that would restrict any visitor including you to access your publicly know site "site.tld/administration", then create a subdomain "mysubdomain.site.tld/administration" pointed to the same location on the HDD where your website files are. In order for this to work you will have to use vhost.conf from apache and call a different file like .htpasswords .
By doing this you can get:
1- all users that access including you  "site.tld/administration" they are redirected to "site.tld"
2- any user that would find out "mysubdomain.site.tld/administration" will get a server login prompt before even seeing any page

I use this method on all my sites and i have no problem with things like brute force attack.

[datahell]

OK, if this makes you feel safer. But I would like to tell to Elxis users that a simple login page cloak is enough to exclude everyone else from your administration. Why? Because the login is done on the index.php file, only. If no one knows where it is how he can login? He can not even attack you with brute force attack or with sql injection. There is no need to add more security layers, no one can enter your Elxis administration with direct login attempt, I guarantee that. Off course there are other ways, i.e. session highjack, but this is up to how securely you use internet in general.

[rentasite]

And also, if someone has a Static IP he can use the "Allowed IP addresses" function for the backend. 

[datahell]

Yes, if you have static IP it is even better  Even if they know the username/password they can not login.

[rentasite]

I'm using the "Allowed IP addresses" feature for a specific site. And from where i'm administrating this site i use WiFi and of course STATIC IP.

One day... my laptop got automatically connected on a different wireless router from the one it should. RESULT: Different IP from the one allowed. So i was trying to login into the Administration area and i couldn't. I couldn't also understand why...  It took us some time to realize what happened. CRAZY!!!