Hi, I have had a couple of my sites hacked since I started using CMSMS. The most recent was a phishing scam that had been uploaded to a site within the tmp directory. Luckily this was only a semi dead site for my brother. However it started me looking at how to secure my sites. This is when I have run into problems. I have followed the Security Wiki advice, but most of the tips and tricks don't seem to be compatible with my sites.
Firstly, I would say that I am not a programmer/developer as such, but an experienced designer who has endeavored to learn as much as I can about php and the basic services that run a website.
Tip one: Really haven't gone there. I can't get my head around chrooted-jail mode etc. My sites sit on Webfusion VPS packages, so I have some access to the basic software running the system but getting to grips with command lines and SSH are a bit beyond me (at the moment, I am trying).
Tip Two: Similar as above for PHP settings.
Tip Three: This might be operator error, but I tried the settings recommended in the htaccess file, but seemed to break the site every time.
Tip Four: Yep done that, apart from the forced SSL.
Oh, and the permissions on the tmp directory (which from my last experience could be critical). I have tried all types of settings on the tmp, but only 777 works.
I no longer expose what is running the site, but would be grateful for any other suggestions. If anybody could suggest information resources so that I could get up to speed on the server basics that would be great.
I have a suspicion the other settings might be down to permissions and owner privileges. Although the VPS is "nearly" a server with full access, it still shares services and I have had to get the server company to alter some settings as I can't get access to certain root directories etc.
Should I attempt to alter the PHP settings? - I can get to the php.ini.
Trouble is I have found a little knowledge is a dangerous thing.
Security and hacking [solved]
Last edited by howey on Fri Feb 03, 2012 2:01 pm, edited 1 time in total.
Re: Security and hacking
howey wrote: Tip Three: This might be operator error, but I tried the settings recommended in the htaccess file, but seemed to break the site every time.
htaccess is ridiculously easy on breaking your website. I have found that I can never include any php statements to disable display of errors, etc.
Those statements on top of the htaccess file? Comment them out with "#" until you find out which ones your server does not like.
Re: Security and hacking
Older versions of CMSMS do have a vulnerability in them that was just recently found and fixed in ver. 1.9.4.2, please upgrade ASAP to be secure...
Re: Security and hacking
Hi, I think the point about upgrading is probably the best advice. I am in the process at the moment of upgrading sites.
Tip to myself for the future: Upgrade regularly, a little bit at a time is a whole lot better than having to upgrade from version 1.6. I have taken the view that I shall upgrade incrementally, i.e. 1.6 to 1.7 etc.
I shall still go back to the security tips and try setting things as tight as I can.