1
hnn_gerd
Security
  • 2008/6/13 21:15

  • hnn_gerd

  • Just popping in

  • Posts: 48

  • Since: 2008/5/24


Not sure if the topic is right in this forum, but hope admins will move to the right place.

I have a serious question about security!

I had to move my website heathernova.net, based on old XOOPS software and upgraded it as the new server has a newer version of mysql, php and so on.

What I am currently facing is lots of attacks to the new server. I am quite shocked! I so far succeded in fighting against attacks!

What I really wonder is still that I have to set permissions for templates_c cache and some more directories as well to make uplads and stuff available.
Is there no other way to make XOOPS and modules work by having directories permission 777?
I'm sorry but I think most of the problems i am facing are still of having write access for everyone to lots of directories!

My question, is there a better solution?
whttp://www.heathernova.net - "it's the spirit in you, that i want to find." (heather nova)

2
btesec
Re: Security
  • 2008/6/13 22:33

  • btesec

  • Friend of XOOPS

  • Posts: 623

  • Since: 2007/2/20


as a support, do the directores that come with XOOPS download have correct permissions set?

3
zyspec
Re: Security
  • 2008/6/14 13:16

  • zyspec

  • Module Developer

  • Posts: 1095

  • Since: 2004/9/21


One of the things you can do to help lock things down a bit is to put an htaccess file in the directories to prevent others from viewing the directories/subdirectories and only allowing specific file types to be downloaded.

Depending on the directory you can also use directives which will only allow your local server to access the contents - this doesn't help prevent 'other' things from happening on a shared server but it will help with downloaded contents.

4
Anonymous
Re: Security
  • 2008/6/14 13:49

  • Anonymous

  • Posts: 0

  • Since:


Do you have GIJOE's Protector Module installed?

If not then you should.

5
Peekay
Re: Security
  • 2008/6/14 14:50

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


Quote:

hnn_gerd wrote:
What I am currently facing is lots of attacks to the new server...

What kind of attacks? I mean, have you had files hacked or added to your site?.
A thread is for life. Not just for Christmas.

6
hnn_gerd
Re: Security
  • 2008/6/14 22:50

  • hnn_gerd

  • Just popping in

  • Posts: 48

  • Since: 2008/5/24


I got help from the person who actually build up HNN (heathernova.net) in the past and hosted it on his server. A very experienced guy.

So we analyzed lots of log files, looking what kind of attacks they are and finally build up IP tables to reject any of those requests and attacks to the server, starting from disabling unnessary tools and services to blocking IP addresses that tried to attack.

So since two days heathernova.net is quite stable!

Installing the Protector Module didn't yet work like explained in the manual unfortunatelly. We will try to install.

Looking at the description of the tool, it is so much necessary to protect Xoops! I am a bit concerned of the problems that could happen.

Quote:
Xoops Protector is a module to defend XOOPS2 from various and malicious attacks.

This module can protect a various kind of attacks like:

- DoS
- Bad Crawlers (like bots collecting e-mails...)
- SQL Injection
- XSS (not all though)
- System globals pollution
- Session hi-jacking
- Null-bytes
- Directory Traversal
- Some kind of CSRF (fatal in XOOPS <= 2.0.9.2)
- Brute Force
- Camouflaged Image File Uploading (== IE Content-Type XSS)
- Executable File Uploading Attack
- XMLRPC's eval() and SQL Injection Attacks
- SPAMs for comment, trackback etc.

Xoops Protector defends you XOOPS from these attacks, and it records into its log.

Of course, all vulnerablities can't be prevented.
Be not overconfident, please.

However, I strongly recommend installing this module to all XOOPS sites with any versions.


whttp://www.heathernova.net - "it's the spirit in you, that i want to find." (heather nova)

7
hnn_gerd
Re: Security
  • 2008/6/14 22:56

  • hnn_gerd

  • Just popping in

  • Posts: 48

  • Since: 2008/5/24


As the upload are from apache, doesn't it make sense to change the group to apache for the upload directories, so the world permission could be avoided? Means those who where able to hack ssh or ftp or sftp cannot go to those directories and upload files there?

permissions could be then 770 or even 570. Does it makes sense?
whttp://www.heathernova.net - "it's the spirit in you, that i want to find." (heather nova)

8
gediminasbyt
Re: Security

If I hack your ssh session prolly do much more damage than upload couple files to uploads directory...

there is .htaccess you may want to look at locking down some directories. In most cases 777 is not needed if you configure apache user to read/write to those directories.

9
hnn_gerd
Re: Security
  • 2008/6/15 21:01

  • hnn_gerd

  • Just popping in

  • Posts: 48

  • Since: 2008/5/24


good idea. thank you.
whttp://www.heathernova.net - "it's the spirit in you, that i want to find." (heather nova)

Login

Who's Online

403 user(s) are online (285 user(s) are browsing Support Forums)


Members: 0


Guests: 403


more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Nov 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits