'Hardening' e107 installation
Moderators: jalist, McFly, bkwon, streaky, C6Dave, SecretR, steved, bugrain, AndyDev, Hansi64, nlstart
Author Post
VR6Pete
Tue Jun 08 2010, 04:22AM
Registered Member #2353
Joined: Mon Jul 28 2003, 01:21PM
Location:
Posts: 582
Given the latest attacks against e107 based websites, I am just creating this post so people can share information on how you have 'hardened' your installation, and any additional security you have applied to your installation / server.

If you are running anything less than e107 0.7.22, upgrade to the very latest release, as soon as you can.









[ Edited Tue Jun 08 2010, 01:08PM ]
Back to top
C6Dave
Tue Jun 08 2010, 04:45AM
AKA 2dopey

Registered Member #9506
Joined: Sat Jul 31 2004, 02:57AM
Location: North East UK
Posts: 9298
Use the enhanced eCaptcha plugin with reCaptcha instead of the core image code as it's more secure

Change the folder names to remove the e107_ prefix - makes a site harder to find

Rename the admin folder to something else completely

Keep file permissions as low as possible - avoid 777 unless absolutely vital

Put blank index.html files in all folders to deny directory listing

Use cPanel's 'Error Page' function to display a message and stop constant look ups of the mysql

Remove all unused plugins and themes - reduces the opportunity to find holes

Only use non core plugins from trusted sources - if you don't need them, don't upload or install them

Don't allow the [ php ] bbcode to anyone

Don't allow html posting unless you really have to

Keep allowed filetypes to a minimum

Don't allow Public Uploads - Only allow public uploads as attachments to the forums if you really need to

Check any installation for updates (e107 core and plugins) on a regular basis and apply a.s.a.p.

Be prepared to pay for a good proactive, security-conscious hosting service (like Fused) - it's worth the extra

Make regular database backups (nightly via a cron if you can) and have a complete mirror of site files (especially any you have modified) on your pc so you can get back online quickly in case all the above fail

Install 'Banhelper' plugin and set to restrict new members ability to post links or images (spam) in comments and forum posts

Don't give anyone admin rights unless you are sure they are trustworthy and capable

Check your site regularly and use file inspector to search for non core files on a regular basis that could have been maliciously uploaded

Use secure passwords for admin, mysql and FTP and change them regularly.

Install Zbblock

Restrict code posting or disable it altogether (e107 v0.7.23+)

In other words, use some common sense.



[ Edited Thu Sep 02 2010, 01:47AM ]

"The irony of the Information Age is that it has given new respectability to uninformed opinion" - John Lawton 1995
Back to top
Website
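
Three items from the checklist above (avoid 777, an index file in every folder, look for non-core files) can be checked from a shell. The script below is an added example, not part of the original thread or of e107; the function names and the manifest file are assumptions.

```shell
#!/bin/sh
# Added example: audit an e107 web root against three checklist items.
LC_ALL=C; export LC_ALL   # stable sort order for comm(1)

# Files and directories writable by everyone (mode 777, 666 and similar).
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Directories with no index file, which the web server may list.
# Assumption: index.html, index.htm and index.php are the index names served.
missing_index() {
    find "$1" -type d -print | sort | while IFS= read -r dir; do
        [ -e "$dir/index.html" ] || [ -e "$dir/index.htm" ] ||
            [ -e "$dir/index.php" ] || printf '%s\n' "$dir"
    done
}

# Files on disk that a known-good manifest does not list.
# $2 is a hypothetical manifest: one relative path per line, built from a
# clean unpack of the same release plus the plugins you installed.
unexpected_files() {
    on_disk=$(mktemp) || return 1
    (cd "$1" && find . -type f -print | sed 's#^\./##' | sort) > "$on_disk"
    sort "$2" | comm -13 - "$on_disk"
    rm -f "$on_disk"
}

# Run all three checks; exit status 1 when anything was found.
audit_e107() {
    ww=$(world_writable "$1")
    mi=$(missing_index "$1")
    uf=$(unexpected_files "$1" "$2")
    [ -z "$ww" ] || printf 'world-writable:\n%s\n' "$ww"
    [ -z "$mi" ] || printf 'no index file:\n%s\n' "$mi"
    [ -z "$uf" ] || printf 'not in manifest:\n%s\n' "$uf"
    [ -z "$ww$mi$uf" ]
}
```

Call it as `audit_e107 /path/to/webroot /path/to/manifest`, for example from a nightly cron job next to the database backup.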
ChicksHateMe
Tue Jun 08 2010, 06:06AM
Registered Member #14644
Joined: Mon Feb 14 2005, 06:20PM
Location: Leominster, MA USA
Posts: 453
Put blank index.html files in all folders to deny directory listing


I noticed this when I went through a lot of plugins, I was able to get in and see directory structures easily. Plugin developers should be aware to add this file. And as you said, anyone using plugins should look through their directories to make sure they have one of these files in it.

This might be a good thing to add to the filechecker???

Check any installation for updates (e107 core and plugins) on a regular basis and apply a.s.a.p.


I saw a sticky post by 2dopey from a few years ago asking about a mailing list for notification. [link]

It does show how to turn it on for the admin to see one is available in the site's admin section, but it really doesn't email you. In light of this latest incident, it may be good to have a security alert newsletter or emailing to give a heads up on these, rather than find out from an attack, which is how I found it. OR, possibly a mass PM to all users, which in turn would email us.

Other Hardening Ideas...

Use STRONG and DIFFERENT passwords for;

Hosting Site Login
FTP users
mySQL database
ADMINS
Admins email


I put in an idea to have as many root files as possible put in a renameable "main" directory that can be renamed on install to make it difficult for script kiddies to find files so easily.

[ Edited Tue Jun 08 2010, 05:28PM ]

I am SOOOO old, I still do all my graphic designs on the original Lite-brite.
Back to top
C6Dave
Tue Jun 08 2010, 06:34AM
AKA 2dopey

Registered Member #9506
Joined: Sat Jul 31 2004, 02:57AM
Location: North East UK
Posts: 9298
Did you miss this newspost by McFly? [link]

"The irony of the Information Age is that it has given new respectability to uninformed opinion" - John Lawton 1995
Back to top
Website
ChicksHateMe
Tue Jun 08 2010, 06:43AM
Registered Member #14644
Joined: Mon Feb 14 2005, 06:20PM
Location: Leominster, MA USA
Posts: 453
2dopey,

You're AWESOME. Thanks!!

Yes I missed it. My e107 sites have run so well, save this little hiccup, I rarely come back here except for when someone needs help on ChatBox II.

Going into my profile to add myself to 'Releases' now.

Thanks again!

I am SOOOO old, I still do all my graphic designs on the original Lite-brite.
Back to top
Nowwhat
Tue Jun 08 2010, 08:49AM

Registered Member #38024
Joined: Thu Jul 05 2007, 02:08PM
Location: Lost in the south of France
Posts: 1208
Member Of The e107 Support Team
ChicksHateMe wrote ...

Going into my profile to add myself to 'Releases' now.


That's one step.

You will soon (er or later) see what happens: I received the "0.7.22 is ready for you" mail a couple of days ago.

Knowing where you are helps if you want to know where to go.
Back to top
Website
rgk
Tue Jun 08 2010, 05:01PM

Registered Member #21870
Joined: Tue Oct 25 2005, 06:07PM
Location: NY
Posts: 1132
Member Of The e107 Support Team
install suhosin
[link]
make sure you have the correct permission setup also.
i haven't had a problem with e107 security, nothing at all.

[ Edited Tue Jun 08 2010, 05:01PM ]

-rgk

MadGizmo.com | MadGizmo.org

Back to top
Curious
Tue Jun 08 2010, 09:23PM
Also known as: Shawnydawgg, Rude and Impolite

Registered Member #55308
Joined: Sat Mar 20 2010, 07:14PM
Location:
Posts: 104
rgk wrote ...

install suhosin
[link]
make sure you have the correct permission setup also.
i haven't had a problem with e107 security, nothing at all.


Hmmm, maybe I can use this to protect my site, well, my site isn't worth protecting right now, building a template, then I'll add stuff to the site. But anyway, where'd you find this and what permissions are supposed to be allowed?


Account Suspended By Admin
Back to top
VR6Pete
Wed Jun 09 2010, 05:27AM
Registered Member #2353
Joined: Mon Jul 28 2003, 01:21PM
Location:
Posts: 582
I rebuilt my dedicated server last night and have installed suhosin.
Back to top
nlstart
Wed Jun 09 2010, 07:38AM
nlstart

Registered Member #29855
Joined: Fri Aug 18 2006, 03:12AM
Location:
Posts: 4239
@2dopey; I used your list to feed this Wiki article: [link]

nlstart plugins: YourFirstPlugin | EasyShop | Locator | ShowMyIP | Poker | FlickrFeed | EasyBackup | EasyDBtool | e107_Quiz | News scroller | Slideshow | BanHelper | EasyGallery | EasyHours
Back to top
Website
ChicksHateMe
Wed Jun 09 2010, 08:41AM
Registered Member #14644
Joined: Mon Feb 14 2005, 06:20PM
Location: Leominster, MA USA
Posts: 453
I noticed on the suhosin site that news and advisories hadn't changed since 2007, so I did a google search. Some articles I read about it were recent and good, but mentioned a number of issues people may run into. I think it's worth researching and possibly starting another thread on suhosin installs because a mass dash to install suhosin may create more new issues.

Articles I read.
[link]
[link]

I am SOOOO old, I still do all my graphic designs on the original Lite-brite.
Back to top
C6Dave
Wed Jun 09 2010, 10:26AM
AKA 2dopey

Registered Member #9506
Joined: Sat Jul 31 2004, 02:57AM
Location: North East UK
Posts: 9298
nlstart wrote ...

@2dopey; I used your list to feed this Wiki article: [link]

Good idea!

If we think of anything else we can add it there

"The irony of the Information Age is that it has given new respectability to uninformed opinion" - John Lawton 1995
Back to top
Website
VR6Pete
Wed Jun 09 2010, 10:28AM
Registered Member #2353
Joined: Mon Jul 28 2003, 01:21PM
Location:
Posts: 582
How about adding known attacking IPs / sources to an article to consider blocking?
Back to top
Duce
Wed Jun 09 2010, 01:41PM

Registered Member #38832
Joined: Fri Aug 03 2007, 09:10AM
Location: Centurion, South Africa
Posts: 189
How about a link on the front page to this thread perhaps? Would make it easy to find for new users.

Here are some of the IP's part of this attack:

You can't touch this!
Back to top
rgk
Wed Jun 09 2010, 03:37PM

Registered Member #21870
Joined: Tue Oct 25 2005, 06:07PM
Location: NY
Posts: 1132
Member Of The e107 Support Team
ShawyDawgg wrote ...

rgk wrote ...

install suhosin
[link]
make sure you have the correct permission setup also.
i haven't had a problem with e107 security, nothing at all.


Hmmm, maybe I can use this to protect my site, well, my site isn't worth protecting right now, building a template, then I'll add stuff to the site. But anyway, where'd you find this and what permissions are supposed to be allowed?

[link] <- that will hopefully help

I patched PHP (Gentoo use flags make it so easy) but it can be two ways.

the only real problems are the restrictions it puts on PHP, but for security reasons. You can tweak all its options so you may have to play around with it depending on a few things.

-rgk

MadGizmo.com | MadGizmo.org

Back to top
ircanuck
Wed Jun 09 2010, 04:03PM
Registered Member #56626
Joined: Wed Jun 09 2010, 03:54PM
Location:
Posts: 2
2dopey wrote ...
Change the folder names to remove the e107_ prefix - makes a site harder to find


I'm doing most, if not all, of the other things listed in the recommendations except this one. So, here's my total n00b question (and heck, it may even have been answered a hundred times elsewhere, if so just point me that way), but, what issues might I run into if I decide to go this route.

Will I need to edit a lot (or any) php (I'm not too hot with the php)?
Will this complicate future updates (having to re-edit all the php, change directory names prior to unzipping on the server, etc)?
Things I haven't even begun to think of?

Thanks,

Dan
Back to top
ircanuck
Wed Jun 09 2010, 04:08PM
Registered Member #56626
Joined: Wed Jun 09 2010, 03:54PM
Location:
Posts: 2
Duce wrote ...

How about a link on the front page to this thread perhaps? Would make it easy to find for new users.

Here are some of the IP's part of this attack:
213.17.153.11
75.125.205.82
195.199.243.114
...


Those IP's are just the IP's of websites that are using e107 and have been infected. My hosting service informed me that, before they disabled my site, it was part of the attack. If you do a reverse IP trace on those, you'll find they're hosts with e107 websites on them. Heck, when that list gets expanded my website IP might just plop in there...

Dan
Back to top
rgk
Wed Jun 09 2010, 05:41PM

Registered Member #21870
Joined: Tue Oct 25 2005, 06:07PM
Location: NY
Posts: 1132
Member Of The e107 Support Team
ircanuck wrote ...

2dopey wrote ...
Change the folder names to remove the e107_ prefix - makes a site harder to find

...

Will I need to edit a lot (or any) php (I'm not too hot with the php)?
Will this complicate future updates (having to re-edit all the php, change directory names prior to unzipping on the server, etc)?
Things I haven't even begun to think of?

Thanks,

Dan

You won't need to edit a lot at all.
You will only have to change folder names, that's it.
[link] <- just read that, it's extremely simple.

-rgk

MadGizmo.com | MadGizmo.org

Back to top
C6Dave
Thu Jun 10 2010, 01:17AM
AKA 2dopey

Registered Member #9506
Joined: Sat Jul 31 2004, 02:57AM
Location: North East UK
Posts: 9298
rgk wrote ...


You won't need to edit a lot at all.
You will only have to change folder names, that's it.
[link] <- just read that, it's extremely simple.

Maybe not strictly correct depending on how many internal site links you have to images etc.

If they're hard-coded to full URLs which include the e107_ prefix then you're going to have to modify them all

That's why it's always best to use the special 'Constants' for internal links aka the wiki here [link]

Example:

    {e_IMAGE}, {e_FILE} etc., so [img]mysite/e107_images/cars/image.jpg[/img] becomes [img]{e_IMAGE}cars/image.jpg[/img]


That way the links don't break even if you change the site name.

For upgrades, as has been said, you just need to remember to remove the folder e107_ prefixes (or change the names to match those on site) when you unzip the patch files BEFORE uploading to your server

"The irony of the Information Age is that it has given new respectability to uninformed opinion" - John Lawton 1995
Back to top
Website
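
The rewrite described in the post above, as an added shell example that is not part of the original thread: it turns hard-coded e107_images/ and e107_files/ paths in [img] bbcode into {e_IMAGE} and {e_FILE}, but only for the site's own host. It goes beyond the single case in the post by also handling full URLs; the function names and the host passed in are assumptions.

```shell
#!/bin/sh
# Added example: replace hard-coded e107_ folder paths in [img] bbcode
# with e107 constants before the folders are renamed.

# Reads text on stdin, writes the rewritten text on stdout.
# $1 = the site's own host name; links to other hosts are left alone,
# because a foreign e107 site's e107_images/ folder is not ours to rewrite.
rewrite_img_links() {
    # Escape dots so the host is matched literally inside the regex.
    host=$(printf '%s' "$1" | sed 's/\./\\./g')
    # Optional scheme, optional own host, optional leading slash.
    prefix="((https?://)?${host})?/?"
    sed -E \
        -e "s#\[img\]${prefix}e107_images/#[img]{e_IMAGE}#g" \
        -e "s#\[img\]${prefix}e107_files/#[img]{e_FILE}#g"
}

# Count the [img] links on stdin that still contain a hard-coded
# e107_images/ or e107_files/ path (for example after rewriting).
count_hardcoded() {
    grep -Eo '\[img\][^][]*e107_(images|files)/' | wc -l | tr -d ' '
}
```

Run it over exported content or theme files, for example `rewrite_img_links mysite < content.txt`, and review whatever `count_hardcoded` still reports by hand.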
Duce
Thu Jun 10 2010, 01:51AM

Registered Member #38832
Joined: Fri Aug 03 2007, 09:10AM
Location: Centurion, South Africa
Posts: 189
ircanuck wrote ...


Those IP's are just the IP's of websites that are using e107 and have been infected. My hosting service informed me that, before they disabled my site, it was part of the attack. If you do a reverse IP trace on those, you'll find they're hosts with e107 websites on them. Heck, when that list gets expanded my website IP might just plop in there...

Dan


Probably yes. But firewalling it on my server won't affect those websites or you in any way. You won't be browsing my server using those IP's see. It only protects me from receiving countless hits from compromised websites then and killing my server.


You can't touch this!
Back to top