#1
Join Date: Nov 2004
Posts: 26
Dear Mambers,
Reading through some forums I noticed several sites that might have been hacked! Does anyone have a checklist with items pointing toward a safe Mambo environment? Or does anyone know in what forum I can find a discussion on it? E.g.:
- configuration.php attributes set to?
- white index.php in every map?
- changing passwords on FTP, MySQL etc.
We all want to have a safe site; maybe we can help other Mambers with a Security Checklist for Mambo! (Probably exists but can't find it.) Greetz, Beuvema
#2
Join Date: Oct 2003
Location: Minneapolis, MN
Posts: 1,161
The core install of Mambo has a blank index.html file in every folder. You can turn off directory listings using .htaccess, so that is not an issue anyway.
If you don't need to change your configuration.php file you can leave it at 0644. In some environments that will still allow Mambo to write to it, in others not. Permissions will be totally controlled by your hosting environment. Not sure why you would ever need to change those. Just make sure it's at least 8 characters and a mix of: uppercase, lowercase, numbers, special characters. That is plenty secure. The reason a checklist can't exist is because every server can be different.
__________________
Doyle Lewis BuyHTTP Internet Services www.mambo-hosting.com - Mambo Optimized Hosting www.mambodemo.com - Free flash tutorials for Mambo
#3
Join Date: Nov 2004
Posts: 26
Thx for your quick response,
Of course different installations are possible, but aren't most installations done on Apache / Linux servers? And this must merely be used as a guideline! For the .htaccess part I need some assistance. Is a .htaccess file with the following code safe enough, or should something be added? Code:
order allow,deny
allow from all
require valid-user
AuthName "Enter_Your_Password"
AuthType Basic
AuthUserFile /home/sites/www.sitename.com/web/hta/.htpasswd
#4
Join Date: Oct 2003
Location: Minneapolis, MN
Posts: 1,161
No need for the last 4 lines, that's only if you want to use .htaccess authentication.
Most servers are running Apache and some flavor of *nix (there are tons that people use: RHEL, Red Hat, CentOS, Fedora, etc.). The control panel has more to do with permissions than anything else. And the same control panel on a different OS will have different behaviors regarding permissions.
__________________
Doyle Lewis BuyHTTP Internet Services www.mambo-hosting.com - Mambo Optimized Hosting www.mambodemo.com - Free flash tutorials for Mambo
#5
Join Date: May 2005
Location: New York City
Posts: 205
Most security holes are out of reach of the client. Mambo itself seems pretty secure. The problems are when you install 3rd party components/modules which might have SQL injection problems, the server's software may be outdated and vulnerable, entirely other clients hosted on the same server as you being vulnerable to SQL injection (in conjunction with a vulnerability in the server), weak passwords, and tons more. You're really not going to be able to secure much with just .htaccess.
Might this be in part because of that XML-RPC bug that came up a little while ago? Mambo uses XML-RPC... so has anyone checked to see whether it's vulnerable?
#6
Join Date: Nov 2004
Posts: 26
Thx for the responses so far...
In general, security can be increased by:
- Using secure passwords
- .htaccess file (turning off directory listings)
- configuration.php attributes at 0644
On the .htaccess file: the folder to place it in is the Mambo root folder? Are the following lines sufficient to turn off directory listings, and are they inherited? Code:
order allow,deny
allow from all
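One way to audit the three items in this list on a Unix host, as an added example that is not code from the thread or from the Mambo project; it assumes the Mambo root is passed as the first argument, that paths under it contain no whitespace, and that `Options -Indexes` is the Apache directive used to disable listings:

```shell
#!/bin/sh
# Added example (not from the thread): audits the three checklist items
# above: directory listings, blank index.html files, configuration.php mode.
# Usage: mambo_check /path/to/mambo_root   (exit status 0 = no findings)

mambo_check() {
    root=$1
    MAMBO_FINDINGS=0

    # 1. Directory listings: the root .htaccess should carry "Options -Indexes".
    #    "order allow,deny / allow from all" on its own does not disable them.
    if ! { [ -f "$root/.htaccess" ] &&
           grep -qi '^[[:space:]]*Options[[:space:]].*-Indexes' "$root/.htaccess"; }; then
        echo "WARN: $root/.htaccess does not contain 'Options -Indexes'"
        MAMBO_FINDINGS=$((MAMBO_FINDINGS + 1))
    fi

    # 2. Belt and braces: a blank index.html in every folder, as the core
    #    install ships it, so a listing shows nothing even if Options is reset.
    #    (Assumes no whitespace in paths; find output is word-split here.)
    for d in $(find "$root" -type d); do
        if [ ! -e "$d/index.html" ] && [ ! -e "$d/index.php" ]; then
            echo "WARN: no index.html in $d"
            MAMBO_FINDINGS=$((MAMBO_FINDINGS + 1))
        fi
    done

    # 3. configuration.php holds the database password; it must not be
    #    writable by group or others (0644 or tighter). In "ls -l" output,
    #    column 6 is the group write bit and column 9 the "other" write bit.
    if [ -f "$root/configuration.php" ]; then
        perms=$(ls -ld "$root/configuration.php" | cut -c1-10)
        case $perms in
            ?????w*|????????w?)
                echo "WARN: configuration.php is group/world writable ($perms)"
                MAMBO_FINDINGS=$((MAMBO_FINDINGS + 1)) ;;
        esac
    else
        echo "WARN: $root/configuration.php not found"
        MAMBO_FINDINGS=$((MAMBO_FINDINGS + 1))
    fi

    [ "$MAMBO_FINDINGS" -eq 0 ]
}

# Run against the directory given on the command line, if any.
[ $# -eq 0 ] || mambo_check "$1"
```

Passwords (the first item) cannot be checked from the filesystem, so the script covers only the two items that can.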
#7
Join Date: Nov 2004
Posts: 26
#8
Join Date: Oct 2004
Location: Atlanta, GA, USA
Posts: 174
LOL. Good one
__________________
MP3 Info Site -- www.mp3-players-review.com