All times are UTC
 Post subject: A small guide to CMSMS system security
PostPosted: Wed Feb 20, 2008 11:03 am 
Power Poster

Joined: Wed Aug 01, 2007 5:36 pm
Posts: 485
Preface:
This guide is a brief summary of all the security hints found digging in the CMSMS forum, wiki and other websites. This guide won't be exhaustive, is open to wide contributions and could contain errors; please add your feedback.


System Settings (unix-like):

1. Keep your system always updated (use cron to be notified of new system updates via mail).

2. Run your Apache server in chrooted-jail mode.

3. Use a strong password for root, and never log in as root; use sudo.

4. Log in remotely to the server only via a secure tunnel (SSH).

5. Protect your server with a firewall/DMZ and monitor all access with SNORT.

6. Install only needed software and remove all unneeded services/software/daemons.

7. Expose only needed ports (80, 443), not others.

8. If you want to install a db manager tool like phpMyAdmin, rename the default program directory with a fake name (e.g. "/pma39xRlklkLK3d") and protect the directory with .htaccess and .htpasswd (find more on the Apache website and other nice sites).

9. Check the Apache log files (access.log and error.log) and the system log files often.

Start 2008/02/21 addition
10. Backup is your last chance. So backup, backup and then backup again. (GOTO 10.) ;)
Make a full backup of your system. You can use tools that build a bootable image of your HDD (or a copy of your virtual server image file).
Back up your MySQL dump and your CMSMS files (/images, /uploads and other specific ones) often.
Use a rotation scheme for backups.

Note for paranoid users: create multiple backup copies and keep the media in separate places far away from each other.
End 2008/02/21 addition

PHP settings:

1. Use these minimal security settings in your php.ini
Code:
disable_functions = exec, show_source, shell_exec, system, popen, proc_open, proc_nice, ini_restore, passthru,dl
expose_php = Off
display_errors = Off
display_startup_errors = Off
log_errors = On
register_globals = Off
allow_url_fopen = Off
allow_url_include = Off


Note: The first row should be commented out only during particular module operations that require those functions.
Start 2008/02/21 addition
2. If you have no special needs while running PHP, you can uninstall all unnecessary/additional PHP modules (e.g. CLI). Some functions (like GD) will stop working, so run some tests before removing everything.

3. Remove unused extension directives in php.ini

4. Check the php.ini file permissions and file owner for your specific system.
End 2008/02/21 addition

Apache Settings:

Create, if it does not exist, a file in your CMSMS root installation named .htaccess with this section:
Code:
RewriteEngine On

#option to remove directory listings in all folders (avoid publishing unwanted contents)
Options -Indexes

# URL Filtering helps stop some hack attempts
# (every RewriteCond below tests the raw, still percent-encoded query string)
#IF the query string contains "http:"
RewriteCond %{QUERY_STRING} http\: [OR]

#OR if the query string contains a "["
RewriteCond %{QUERY_STRING} \[ [OR]

#OR if the query string contains a "]"
RewriteCond %{QUERY_STRING} \] [OR]

#OR if the query string contains a "<script>" (case-insensitive, NC flag)
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]



Start 2008/04/18 addition
Code:
# Block out any script trying to base64_encode crap to send via URL
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]

End 2008/04/18 addition


Code:
#OR a script trying to set a PHP GLOBALS variable via URL
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]

#OR any script trying to modify a _REQUEST variable via URL
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]

#OR if the query string contains UNION
RewriteCond %{QUERY_STRING} UNION [OR]

#OR if the query string contains a * (last condition of the chain, so no [OR])
RewriteCond %{QUERY_STRING} \*

#then deny the request (403)
RewriteRule ^.*$ - [F,L]

# End URL Filtering


Start 2008/02/21 addition
Code:
# No sense advertising what we are running
ServerSignature Off

# HTTP response header forced to be "Server: Apache" only
# ServerTokens is only valid in the main server config (httpd.conf/apache2.conf/sites-enabled),
# not in .htaccess, where an unknown directive causes a 500 error
ServerTokens Prod

End 2008/02/21 addition

Start 2008/03/19 addition
Prevent indexing of particular files by search engines by adding some lines to /robots.txt (the Disallow lines must sit under a User-agent record):
Code:
User-agent: *
Disallow: /index.php?mact
Disallow: /*moduleinterface.php?mact

End 2008/03/19 addition

CMSMS Settings:


1. Use a strong password for admin login

2. Never use "admin" or "administrator" as the CMSMS admin username. Use a different nickname. Pay attention: if you post a news article with the admin account, the name is exposed.

3. Rename the admin directory with a fake name (e.g. "admin39xRlklkLK3d"). Don't use a name that is easy to guess. Remember to also change /config.php with your new name: $config['admin_dir'] = "admin39xRlklkLK3d"

4. Protect the admin directory with a password.
Many host providers offer a way to do this in their web control panel. If your host provider allows it, modify the Apache SSL config
using this setting:
Code:
        <Directory /var/www/admin39xRlklkLK3d>
                AuthName "Protected Area"
                AuthType Basic
                AuthUserFile /var/www/admin39xRlklkLK3d/.htpasswd
                require valid-user
        </Directory>


here is /admin39xRlklkLK3d/.htpasswd (the file named by AuthUserFile)
Code:
youruser:yourencryptedpassword



5. Force logging in to your CMSMS system using SSL
To achieve this use these settings:
in your admin directory create this file

/admin39xRlklkLK3d/.htaccess
Code:
# force all access to /admin to the SSL protected page (external redirect, then stop)
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]



6. Check the permissions of the config.php file.
While installing or upgrading it should be 777. As soon as these tasks end, lower the file permission to 444 or, if it works, to 440. If you don't have SSH access to your server, use FTP or the file manager in your control panel (e.g. Plesk).

7. Check the permissions of the /tmp directory.
Try to lower the permissions of this directory and the related subdirectories. You can try step by step from 775 to 755 to 750.

8. Check the permissions of the /uploads directory.
Same as above. Check that your website still works fine by uploading some images and displaying them in your browser at http://www.example-site.com/uploads/images/images.jpg
In Global Settings of CMSMS use 002 as the umask for creating thumbnails.

9. Don't expose your CMSMS release number on your site, especially on the homepage!!!
If you forget to upgrade your system to the latest release, all the world will know (thanks Google :)

10. Protect your /lib directory
create a /lib/.htaccess file with this code
Code:
order deny,allow
deny from all
# your admin network (Apache does not accept a comment on the same line as a directive)
allow from 192.168.0.0/24
# allow .js files in /lib, avoiding errors related to js calls e.g. tag {startExpandCollapse}
<Files ~ ".*\.js$">
  Order deny,allow
  Allow from all
</Files>




Good luck
Waiting for your reply
Best regards
blast


Last edited by blast2007 on Fri Apr 18, 2008 9:51 am, edited 1 time in total.
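The query-string filter from the Apache section can also be replayed over an existing access.log to see which past requests it would have rejected, and which legitimate ones it would catch too. This is an added example, not code from the guide; the log lines are constructed and the rule labels are mine, while the patterns are the guide's own RewriteCond expressions:

```python
import re

# The RewriteCond chain from the guide's .htaccess, in evaluation order.
# Rule names are my own labels; the patterns are the guide's, unchanged.
RULES = [
    ("http:", r"http\:", 0),
    ("[", r"\[", 0),
    ("]", r"\]", 0),
    ("<script>", r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE),  # [NC] flag
    ("base64_encode", r"base64_encode.*\(.*\)", 0),
    ("GLOBALS", r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", 0),
    ("_REQUEST", r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})", 0),
    ("UNION", r"UNION", 0),
    ("*", r"\*", 0),
]
COMPILED = [(name, re.compile(pat, flags)) for name, pat, flags in RULES]

# Apache combined log format: client, identd, user, [time], "METHOD target HTTP/x.y", ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def blocking_rule(query_string):
    """Name of the first condition that matches, or None if the request passes.

    Apache tests %{QUERY_STRING} as sent, still percent-encoded, which is why the
    <script> rule also looks for %3C/%3E; pass the raw string, do not URL-decode it.
    """
    for name, rx in COMPILED:
        if rx.search(query_string):
            return name
    return None


def scan_access_log(lines):
    """Return (client_ip, request_target, rule) for every request the filter would reject."""
    rejected = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or non-request line
        ip, target = m.groups()
        rule = blocking_rule(target.partition("?")[2])
        if rule is not None:
            rejected.append((ip, target, rule))
    return rejected


# Constructed sample log: one normal CMSMS page view, an SQL injection probe, an XSS
# probe, and two legitimate requests the filter rejects as well (a return URL and a
# wildcard search), which is the trade-off to weigh before enabling these rules.
SAMPLE_LOG = """\
203.0.113.5 - - [17/Feb/2008:09:12:01 +0000] "GET /index.php?mact=News,cntnt01,detail,0&cntnt01articleid=12 HTTP/1.1" 200 5120
203.0.113.9 - - [17/Feb/2008:09:12:44 +0000] "GET /modules/TinyMCE/content_css.php?templateid=-1%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 311
198.51.100.7 - - [17/Feb/2008:09:13:10 +0000] "GET /index.php?page=1&q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 4870
192.0.2.20 - - [17/Feb/2008:09:14:02 +0000] "GET /index.php?page=1&returnurl=http://shop.example.com/cart HTTP/1.1" 200 4870
192.0.2.21 - - [17/Feb/2008:09:15:30 +0000] "GET /index.php?mact=Search,cntnt01,dosearch,0&cntnt01searchinput=cms* HTTP/1.1" 200 2210
"""

if __name__ == "__main__":
    for ip, target, rule in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{ip:<14} blocked by rule {rule!r:<16} {target}")
```

A 200 status on a rejected line means the request was served before the filter existed, so the hits on real logs are worth reading one by one.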

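An added example (not from the guide or the CMSMS project) that checks items 3, 6, 7, 8 and 10 of the CMSMS Settings list against an install directory. build_sample_install() creates a constructed throwaway tree with the weaknesses the guide describes, so the audit can be tried offline; the check names are mine:

```python
import os
import re
import stat
import tempfile

GUESSABLE_ADMIN_NAMES = {"admin", "administrator"}  # item 2/3 of the guide


def _mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def admin_dir_from_config(config_path):
    """Read $config['admin_dir'] from config.php; 'admin' is assumed when it is unset."""
    with open(config_path, encoding="utf-8", errors="replace") as fh:
        m = re.search(r"""\$config\[['"]admin_dir['"]\]\s*=\s*['"]([^'"]+)['"]""", fh.read())
    return m.group(1) if m else "admin"


def audit_install(root):
    """Return a list of (check, detail) findings for a CMSMS root directory."""
    findings = []
    cfg = os.path.join(root, "config.php")
    if not os.path.isfile(cfg):
        return [("config_missing", cfg)]
    m = _mode(cfg)
    if m & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):  # item 6: 444 or 440 after install
        findings.append(("config_writable", f"config.php mode {m:04o}; guide suggests 444 (or 440)"))
    for sub in ("tmp", "uploads"):  # items 7 and 8: try 775 -> 755 -> 750
        p = os.path.join(root, sub)
        if os.path.isdir(p) and _mode(p) & stat.S_IWOTH:
            findings.append((f"{sub}_world_writable", f"{sub}/ mode {_mode(p):04o}; try 755, then 750"))
    admin = admin_dir_from_config(cfg)  # item 3: renamed admin dir must match config.php
    if admin.lower() in GUESSABLE_ADMIN_NAMES:
        findings.append(("admin_dir_guessable", f"$config['admin_dir'] = '{admin}'"))
    if not os.path.isdir(os.path.join(root, admin)):
        findings.append(("admin_dir_mismatch", f"config names '{admin}' but no such directory exists"))
    for rel in (".htaccess", os.path.join("lib", ".htaccess")):  # Apache section and item 10
        if not os.path.isfile(os.path.join(root, rel)):
            findings.append(("htaccess_missing", rel))
    return findings


def build_sample_install():
    """Create a constructed CMSMS-like tree (not a real install) carrying the
    weaknesses the guide warns about, and return its path."""
    root = tempfile.mkdtemp(prefix="cmsms_audit_")
    for sub, mode in (("tmp", 0o777), ("uploads", 0o777), ("admin", 0o755), ("lib", 0o755)):
        os.mkdir(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), mode)
    cfg = os.path.join(root, "config.php")
    with open(cfg, "w", encoding="utf-8") as fh:
        fh.write("<?php\n$config['dbms'] = 'mysql';\n$config['admin_dir'] = 'admin';\n")
    os.chmod(cfg, 0o644)  # still writable by the owner, which item 6 tells you to drop
    return root


if __name__ == "__main__":
    for check, detail in audit_install(build_sample_install()):
        print(f"{check:<24} {detail}")
```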
 Post subject: Re: A small guide to CMSMS system security
PostPosted: Wed Feb 20, 2008 1:00 pm 
Administrator

Joined: Fri Jun 11, 2004 6:58 pm
Posts: 3334
Location: Fairless Hills, Pa USA
Fantastic!  I'm stickying this.  I'm sure some of those things will need some explanations, but it's a wonderful overview.

_________________
http://about.me/tedkulp


 Post subject: Re: A small guide to CMSMS system security
PostPosted: Wed Feb 20, 2008 2:49 pm 
Forum Members

Joined: Tue Oct 09, 2007 7:08 am
Posts: 200
and then there's this:

http://forum.cmsmadesimple.org/index.ph ... 84.15.html

_________________
Web Design Company Directory


 Post subject: Re: A small guide to CMSMS system security
PostPosted: Wed Feb 20, 2008 4:22 pm 
Power Poster

Joined: Wed Jan 09, 2008 10:10 pm
Posts: 264
Location: USA
The "deny access to config.php" option is in the wiki with a bit more explanation in the comments; below is that option.

Code:
# Deny access to config.php
# This can be useful if php ever breaks or dies
# Use with caution, this may break other functions of CMSms that use a config.php
# file.  This may also break other programs you have running under your CMSms
# install that use config.php.  You may need to add another .htaccess file to those
# directories to specifically allow config.php.
<Files "config.php">
order allow,deny
deny from all
</Files>


 Post subject: Re: A small guide to CMSMS system security
PostPosted: Wed Feb 20, 2008 5:27 pm 
Support Guru

Joined: Mon Jul 24, 2006 3:27 pm
Posts: 3690
Location: Paris
Well done, thank you!
If you are not yet in, you might consider joining the documentation team :-)

Pierre M.

_________________
-- Pierre, support team member. Co-moderator of the French-speaking forum.
Please read "how to submit installation/support requests" before posting. Don't send private messages to ask for support.
Want to contribute to CMSms ? Improve the wiki with your forum account.


 Post subject: Re: A small guide to CMSMS system security
PostPosted: Wed Feb 20, 2008 10:17 pm 
Power Poster

Joined: Wed Aug 01, 2007 5:36 pm
Posts: 485
I've published this guide in the CMSMS wiki howto, and I will keep it updated in future.

Many thanks to all contributors.
Best regards.
blast


 Post subject: Re: A small guide to CMSMS system security
PostPosted: Fri Feb 22, 2008 11:17 am 
That's real nice yo. This review might be of great help dude! :D


 Post subject: Re: A small guide to CMSMS system security
PostPosted: Sun Feb 24, 2008 11:52 pm 
New Member

Joined: Sun Feb 24, 2008 1:07 am
Posts: 4
Good advice!

Especially since the 1.2.2 SQL injection exploit is now in the wild and actually being used by criminals. They hit my wife's little page on Feb 17th and deleted the original data and inserted a link to a banner ad server. My Apache2 log shows several attempts over the past week on both sites I admin. If you have an unpatched site and you see this:

/modules/TinyMCE/content_css.php?templateid=-1/**/UNION/**/SELECT/**/username,1,password/**/FROM/**/cms_users/*

in your Apache2 access.log, they have all your user names and the hashed passwords. If the password is weak (like my wife's), criminals will be able to determine the plaintext password in minutes. I've tried the hack myself. It works. Google shows over 21,000 sites with CMS version 1.2.2. Everyone needs to patch ASAP.

Dale


 Post subject: Re: A small guide to CMSMS system security
PostPosted: Mon Feb 25, 2008 5:18 am 
Forum Members

Joined: Tue Oct 09, 2007 7:08 am
Posts: 200
Wow, you're right, that is easy to get that info. I'm surprised so many sites don't remove the version info. Is it actually that easy to convert the password to plain text, though?



 Post subject: Re: A small guide to CMSMS system security
PostPosted: Mon Feb 25, 2008 8:33 am 
Power Poster

Joined: Wed Aug 01, 2007 5:36 pm
Posts: 485
DAHEATH wrote:
...
21,000 sites with cms version 1.2.2 .  Everyone needs to patch asap.
...


This is very sad, because the huge number of hackable and hacked sites reflects a bad image of CMSMS to new and future users, despite the quick release of a patch.

Last night I had an idea for solving this problem.

Why not warn the administrator (and also all backend users) to update their CMSMS system to the latest version with a popup while logging in to the backend?

It could be a big red blinking popup that remains open all the time while logged in to the backend.

With the same patch it could be possible to remove the message that exposes the release version in the footer of the default template.

Let's ask Ted what he thinks about this crazy idea!

Regards
blast


Last edited by blast2007 on Mon Feb 25, 2008 8:36 am, edited 1 time in total.

 Post subject: Re: A small guide to CMSMS system security
PostPosted: Mon Feb 25, 2008 4:16 pm 
New Member

Joined: Sun Feb 24, 2008 1:07 am
Posts: 4
giggler wrote:
Wow, you're right that is easy to get that info. I'm surprised so many site don't remove the version info. Is it actually that easy to convert the password to plain text though?


Yes it is.  Check out these tools.

http://www.oxid.it/cain.html

http://www.antsight.com/zsl/rainbowcrack/

This is why strong passwords are important.  By strong I mean:

1. Not a dictionary word
2. Upper and lower case
3. Numbers
4. Punctuation
5. The longer the better


 Post subject: Re: A small guide to CMSMS system security
PostPosted: Tue Feb 26, 2008 10:40 am 
Forum Members

Joined: Tue Oct 09, 2007 7:08 am
Posts: 200
I think at least some kind of warning to admin users would be good, especially for security-related updates like this... If you do not come back to the site all the time, there is no other way of knowing for these 1.2.2 users...



 Post subject: Re: A small guide to CMSMS system security
PostPosted: Tue May 13, 2008 12:56 pm 
Forum Members

Joined: Mon Mar 17, 2008 12:46 pm
Posts: 53
Found this, but I run on Windows 2003 Server with IIS6 - any advice (apart from move to Linux!)


blast2007 wrote:
[quotes the full first post of this thread, omitted here]


 Post subject: Re: A small guide to CMSMS system security
PostPosted: Wed Jun 04, 2008 5:30 pm 
Support Guru

Joined: Mon Jul 24, 2006 3:27 pm
Posts: 3690
Location: Paris
blast2007 wrote:
I've published this guide in CMSMS wiki howto, and I will keep it update in future.


Please, everybody, contribute in the wiki, not in this thread, which I am locking.
Pierre


