Protected MODX Revolution

MODX-Logo

Hello friends!


Many articles have been written and rewritten about how to protect MODX, but in this article I will describe not only the standard recommendations for the protection of the instance of MODX Revolution (I will write just MODX, because MODX Evolution branch is a dead — end branch of "evolution" which is the rudiment does not deserve the attention of modern developers), but also some new methods of "covering up tracks".

Let's start the most important.

There are two types of installer MODX is Traditional and Advanced.
What's the difference?

Traditional is an easy option to install on any hosting suitable recommendations for installing MODX, where the kernel is installed directly in the root public folder of your site. A simple "siteclip" put the version of the Tradtiional, do not close the directory from view, and in the end all site content, including service directories, gets the index of the search engines. Not going to fantasize about where this might lead. Here everything is clear.

Advanced — the version for guys who at least "watched a movie about nija". This installer allows you to place the MODX core outside of the public folder, hiding it from attacks. For major projects this is the recommended option, but personally I use it always.

Security kernel


To protect the core in two ways:

1. On a normal hosting — to make the core of public folder and can't rename, and don't configure it .htaccess file lying in this directory (on VDS do not forget about setting access rights of the user who runs Apache).

2. The stupid hosting to rename the directory of the kernel using, for example, a generator of passwords (no special characters, of course — only letters and numbers) And during the installation to specify the physical path to the directory of the kernel. That is why it is best to use Advanced installer.

Security service directory


It is no secret that in addition to the kernel, other service directories must remain in the public folder of the server.

What can we do to protect against hacking attempts via connectors and attempts to enter the admin panel? Standard name catalog connectors /connectors, and for the admin — /manager, and is pale.

During installation you will be prompted to change these names. This will help us, right, generator of passwords, and, oddly enough, in the case of admin own head. The name of the directory the admin better do to human readable, but not /admin, of course :)

You might want to ask: Why don't we hide /assets?
And, I might answer: why? All images and scripts are in /assets, and in the code page has all the links to images and scripts :)

Protected database tables


During installation, database configuration, the default value is the table prefix "modx_". So it will not work. And again, we will help password generator (Remember, comrade? Only letters and numbers!). Change the standard prefix for the gibberish at the end of which we put the lower underlining. For Example, "IU1xbp4_".

anti definition CMS


Services automatic determination of CMS sites, of course, do not know what MODX is a CMF, but this does not prevent them to determine what content on the site steers it MODX. It would seem that we have hidden all that is necessary. And here and there.

First, if you are installing MODX Revolution, you must disable the checkbox "X-Powered-By", which is enabled by default (pictured below). This is necessary in order to MODX is not "palilis," sending the header information that the site made in MODX.

image

Also not be amiss to hide the configuration files.

To hide this file you can use .htaccess by adding:

the 
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_URI} ^(.*)config.core.php$
RewriteRule ^(.*)$ [R=404]
</IfModule>

Something else


In addition to the described techniques, you can apply a small trick to divert possible attackers on the wrong track. Some "pop" CMS added metatags indicating the name of the CMS:

the 
<meta name="generator" content="WordPress x.x.x" />

You can safely add to your code this tag and create a fake standard input page in admin area specified version of the simulated CMS.

Autooriginate will interpret our MODX like Wordpress, but if bullies want to get into the admin panel, it will be long and tedious to try to pick up the master key from a simple lock to the retinal scanner ( it's a metaphor :) ).

what if the website is already installed?


In the hour of least load, rename all of these directories (/core, if you have a hosting, to take from the public).

Change the existing prefix, use the phpMyAdmin:

the
    the
  • in the left part of phpMyAdmin click on the name of the desired database;
    • the
  • in the main pane displays a list of all the tables, below which it is necessary to mark the checkbox "select all";
    • the
  • to the right of the checkbox the combobox "States:" where it is necessary to choose "Replace table prefix";
    • the
  • in a new window to specify the old prefix and new prefix, which should replace the old.

Then, if you have a Traditional, but you want to replace on Advanced, then on top of content /core (or as you new called) it is necessary to record the contents of the directory /core archive Advanced installer, and at the root of the site to place /setup.

Check eligibility and access (directories 755, files 644).

To start the installation process.

During installation, you will need to specify the physical path to the kernel.

IMPORTANT select the installation option "Extended update (database settings)" because after the data entry database, you will see a dialog for renaming directories.

You can, of course, was to get into config.inc.php and edit everything there. But why to do something, if this can not be done? :)

That's about it. If the information from this article will prove useful to You — super. If you want to ask something, or just to add a snarky welcome to the comments!
Article based on information from habrahabr.ru

Комментарии

Отправить комментарий

Популярные сообщения из этого блога

The release of the new version of the module modLivestreet 0.3.0-rc

Изображение
Continuing our theme of the binding module MODX and Livestreet, present a new version of the module modLivestreet: livestreet-0.3.0-rc.transport.zip What's new? Yes, almost all :-) the Module is rewritten from scratch. 1. Seriously changed (improved) the logic of processing requests LiveStreet. 2. Added synchronized registration of users in MODX and LiveStreet. Now registering user through the admin panel of MODX, the user is automatically created in LiveStreet, and processing the request for LiveStreet on the user registration, the registration is using MODX, which in turn also provides for the simultaneous registration of the user in both engines. This feature can be disabled through configuration. Under the cut diagram (simplified) MODX in the standard version and module modLivestreet and a more detailed description of the synchronous registration of users in MODX and Livestreet (Scheme, how has the registration in the MODX upload later), as well as the sourc
Далее...

mSearch: search + filter for MODX Revolution

Изображение
Something blog MODX habré completely withered, we need to spice things up. I want to introduce you to your component, which has recently been almost completely rewritten and expanded. It's called mSearch and originally conceived as a simple site search with account of morphology of the Russian language. That is, you had a quick and easy solution for any site without installing Sphinx and other major systems. In the process gugleniya, I came across a interesting this task by phpMorphy . Full text search on a table with an index, with the generation of different word forms. The idea I liked, by my criteria it came up and I wrote my solution, basing this method. the mSearch This snippet and plugin. The snippet is looking for the plug-in index documents when saving. Installation, as usual, from the repository, in 4 clicks. At the same time, you will be prompted to download and install for phpMorphy dictionaries of the Russian language — do not give up.
Далее...

Emulator data from GNSS receiver NMEA

Изображение
Introduction I had the need to test an application that uses the GNSS data NMEA. was Due to the fact that worked on the project navigation of the aircraft, test the air expensive naturally on earth to drive a car with a GNSS receiver is not particularly convenient, that like sitting at the table to have a virtual parallel port data Protocol NMEA allegedly moving equipment. First, search for different software had to try and find something suitable, but most paid and control of the emulation data is not very convenient, although practically emulate all settings of the NMEA standard. But I needed something simple emulating coordinates, speed, in principle, nothing more was required quite convenient and logical control. So I had to write an app of this kind in C#. Fly_nmea NMEA ("National Marine Electronics Association") — the full name is "NMEA 0183" is a text communication Protocol, marine (typically navigation) equipment together. Data is transmit
Далее...