Protecting MODX Revolution
Hello friends!
Many articles have been written and rewritten about how to protect MODX, but in this article I will describe not only the standard recommendations for protecting a MODX Revolution instance (I will write just MODX, because the MODX Evolution branch is a dead-end branch of "evolution", a vestige that does not deserve the attention of modern developers), but also some new methods of "covering up tracks".
Let's start with the most important thing.
There are two types of MODX installer: Traditional and Advanced.
What's the difference?
Traditional is the easy option: it installs on any hosting that meets the MODX requirements, with the core placed directly in the public root folder of your site. A typical "site builder" installs the Traditional version, doesn't close the directories from view, and in the end all of the site's contents, service directories included, end up in the search engines' index. I won't speculate about where that can lead. Here everything is clear.
Advanced is the version for those who have at least "watched a movie about ninjas". This installer allows you to place the MODX core outside the public folder, hiding it from attacks. For major projects this is the recommended option, but personally I always use it.
Securing the core
There are two ways to protect the core:
1. On normal hosting: move the core out of the public folder; then you don't have to rename it or configure the .htaccess file that lies in that directory (on a VDS, don't forget to set the access rights for the user Apache runs as).
2. On poor hosting: rename the core directory using, for example, a password generator (no special characters, of course: only letters and digits), and during installation specify the physical path to the core directory. That is why it is best to use the Advanced installer.
Securing the service directories
It is no secret that, besides the core, other service directories have to remain in the server's public folder.
What can we do to protect against hacking attempts via the connectors and attempts to get into the admin panel? The standard directory name for the connectors is /connectors, and for the admin panel /manager, and that is a giveaway.
During installation you will be prompted to change these names. Here, once again, the password generator will help us and, oddly enough, in the admin panel's case, your own head. The admin directory name is better made human-readable, but not /admin, of course :)
You might want to ask: why don't we hide /assets?
And I might answer: why? All images and scripts live in /assets, and the page code contains all the links to those images and scripts :)
Securing the database tables
During installation, in the database configuration, the default table prefix is "modx_". That won't do. And again the password generator will help us (remember, comrade? Only letters and digits!). Replace the standard prefix with gibberish and put an underscore at the end of it. For example, "IU1xbp4_".
Against CMS detection
Services that automatically detect a site's CMS, of course, don't know that MODX is a CMF, but that doesn't stop them from determining that the site's content is driven by MODX. It would seem that we have hidden everything necessary. But no.
First, when installing MODX Revolution, you must untick the "X-Powered-By" checkbox, which is enabled by default (pictured below). This is necessary so that MODX doesn't "give itself away" by sending a header announcing that the site is made with MODX.
It also wouldn't hurt to hide the configuration file.
To hide this file, you can use .htaccess by adding (the rule answers any request for config.core.php with a 404, and RewriteEngine On is needed if it is not already set earlier in the file):
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} config\.core\.php$
    RewriteRule ^ - [R=404,L]
</IfModule>
Something else
In addition to the techniques described, you can apply a small trick to send possible attackers down the wrong track. Some "popular" CMSs add a meta tag stating the name of the CMS:
<meta name="generator" content="WordPress x.x.x" />
You can safely add this tag to your code and create a fake standard login page of the admin area for the version of the CMS you are imitating.
Auto-detectors will take our MODX for WordPress, but if bullies want to get into the admin panel, they will be trying long and tediously to fit the key for a simple lock into a retinal scanner (it's a metaphor :) ).
What if the site is already installed?
At the hour of least load, rename all of these directories (/core, if your hosting allows it, move out of the public folder).
To change the existing prefix, use phpMyAdmin:
- in the left pane of phpMyAdmin, click the name of the desired database;
- the main pane shows a list of all the tables; below it, tick the "Check all" checkbox;
- to the right of the checkbox there is the combobox "With selected:", where you choose "Replace table prefix";
- in the new window, specify the old prefix and the new prefix that should replace it.
Then, if you have a Traditional install but want to switch to Advanced, you need to overwrite the contents of /core (or whatever you renamed it to) with the contents of the /core directory from the Advanced installer archive, and place /setup in the site root.
Check ownership and permissions (directories 755, files 644).
Start the installation process.
During installation you will need to specify the physical path to the core.
IMPORTANT: choose the installation option "Advanced upgrade (database settings)", because after entering the database details you will see the dialog for renaming the directories.
You could, of course, dig into config.inc.php and edit everything there by hand. But why do something when you can get away with not doing it? :)
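An added check script (my own, not from the article or the MODX project) that audits an existing install against the hardening steps described above: core outside the public folder, manager and connectors renamed away from their stock names, a table prefix of letters and digits ending in an underscore, and 755/644 permissions. The directory names and paths it is called with are assumptions.

```python
import os
import re
import stat

DEFAULT_NAMES = {"core", "manager", "connectors", "admin"}  # stock or guessable names
PREFIX_RE = re.compile(r"^[A-Za-z0-9]+_$")  # letters and digits, trailing underscore
DIR_MODE, FILE_MODE = 0o755, 0o644


def audit_modx(public_root, core_path, manager_dir, connectors_dir, table_prefix):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    public_root = os.path.realpath(public_root)
    core_real = os.path.realpath(core_path)

    # 1. The core belongs outside the public folder; if it has to stay inside,
    #    it should at least not carry its stock name.
    core_inside = core_real.startswith(public_root + os.sep)
    if core_inside:
        if os.path.basename(core_real) == "core":
            findings.append("core is inside the public folder under its default name")
        else:
            findings.append("core is inside the public folder (renamed only)")

    # 2. Manager and connectors directories must be renamed and must exist.
    for label, name in (("manager", manager_dir), ("connectors", connectors_dir)):
        if name in DEFAULT_NAMES:
            findings.append(f"{label} directory uses a guessable name: /{name}")
        if not os.path.isdir(os.path.join(public_root, name)):
            findings.append(f"{label} directory /{name} not found under public root")

    # 3. Table prefix: not the default, only letters/digits, trailing '_'.
    if table_prefix == "modx_" or not PREFIX_RE.match(table_prefix):
        findings.append(f"table prefix {table_prefix!r} is default or malformed")

    # 4. Permissions: directories 755, files 644 (core walked separately only
    #    when it lives outside the public folder, to avoid double counting).
    bases = [public_root] if core_inside else [public_root, core_real]
    for base in bases:
        for dirpath, dirnames, filenames in os.walk(base):
            entries = [(d, DIR_MODE) for d in dirnames] + [(f, FILE_MODE) for f in filenames]
            for name, want in entries:
                path = os.path.join(dirpath, name)
                mode = stat.S_IMODE(os.lstat(path).st_mode)
                if mode != want:
                    findings.append(f"{path} has mode {mode:o}, expected {want:o}")
    return findings
```

Run it against the real paths after the rename and it prints nothing to fix when the list comes back empty; each finding maps to one step in this post.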
That's about it. If the information in this article proves useful to you, great. If you want to ask something, or just add a snarky remark, welcome to the comments!