Textpattern CMS support forum


#11 2008-11-03 19:06:51

driz
Member
From: Huddersfield, UK
Registered: 2008-03-18
Posts: 441

Re: What do you do to secure "/textpattern"?

The way I do this is rename my textpattern/ folder and then create a section/page called ‘textpattern’ and add <txp:txp_die status="403" />
That way, people who know where the Txp folder is by default will be greeted with a Forbidden page :) simple. Not only that, but most people will be fooled into thinking that you HAVEN’T renamed the folder (meaning they won’t try to guess the new directory); they will just assume that you have blocked access except to certain persons.

Here is mine for a quick example: http://simplecandy.com/textpattern/

Last edited by driz (2008-11-03 19:09:43)


~ Cameron


#12 2008-11-03 19:08:57

MattD
Plugin Author
From: Monterey, California
Registered: 2008-03-21
Posts: 1,251

Re: What do you do to secure "/textpattern"?

driz wrote:

The way I do this is rename my textpattern/ folder and then create a section/page called ‘textpattern’ and add <txp:txp_die status="403" />
That way, people who know where the Txp folder is by default will be greeted with a Forbidden page :) simple.

Here is mine for a quick example: http://simplecandy.com/textpattern/

Wouldn’t a 404 be better than a 403?


My Plugins

Piwik Dashboard, Google Analytics Dashboard, Minibar, Article Image Colorpicker, Admin Datepicker, Admin Google Map, Admin Colorpicker


#13 2008-11-03 19:10:52

driz
Member
From: Huddersfield, UK
Registered: 2008-03-18
Posts: 441

Re: What do you do to secure "/textpattern"?

Wouldn’t a 404 be better than a 403?

NO! Because that means you have changed the name, and they will continue to look for it; if it shows a 403 they will think it’s still the same, just that they can’t access it. Subtle trickery. x

Just tried adding index.php to the URL and it still throws the 403; works a charm, although now I’ve revealed the secret :D

Last edited by driz (2008-11-03 19:17:07)


~ Cameron


#14 2008-11-03 19:39:01

MattD
Plugin Author
From: Monterey, California
Registered: 2008-03-21
Posts: 1,251

Re: What do you do to secure "/textpattern"?

It would be possible to hide the fact that it’s even textpattern by returning a 404. 403 still confirms that textpattern is there.


My Plugins

Piwik Dashboard, Google Analytics Dashboard, Minibar, Article Image Colorpicker, Admin Datepicker, Admin Google Map, Admin Colorpicker


#15 2008-11-03 19:56:42

masa
Member
From: Asturias, Spain
Registered: 2005-11-25
Posts: 1,091

Re: What do you do to secure "/textpattern"?

Destry wrote:

This was added to the wiki a long while ago, Renaming the Textpattern Admin Directory for Added Security.

I initially thought this was a good idea, but soon I abandoned it, because as the article mentions, choosing non-obvious user names and good passwords provides plenty of security.

Anyway, another simple step would be to remove any give-aways from the source code that hint at Textpattern, such as the default CSS link:

<link rel="stylesheet" type="text/css" media="all" href="http://domain.com/textpattern/css.php?s=default" />

And then there are numerous sites with a note in their footer saying “powered by …” – obvious, huh?!

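As an added example (not code from the thread or from Textpattern itself), here is a small audit script a site owner can run over their own rendered HTML to list the giveaways masa describes: the css.php stylesheet link, any URL under the default admin directory, and a “powered by” footer. The sample page source is constructed for the demo; the admin directory name is a parameter because the thread’s whole point is that it may have been renamed.

```python
import re
from html.parser import HTMLParser

# Constructed sample page source (not from any real site) containing the
# giveaways discussed in the thread: the default css.php stylesheet link,
# an asset path under the default admin directory, and a "powered by" footer.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" type="text/css" media="all"
      href="http://example.com/textpattern/css.php?s=default" />
<link rel="alternate" type="application/rss+xml" href="/?rss=1" />
</head><body>
<img src="/textpattern/images/logo.png" alt="">
<p class="footer">Powered by Textpattern</p>
</body></html>"""


class _PageCollector(HTMLParser):
    """Collects href/src attribute values and the visible text of a page."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self.text = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append(value)

    def handle_data(self, data):
        self.text.append(data)


def find_txp_giveaways(html, admin_dir="textpattern"):
    """Return a list of (kind, evidence) tuples for hints that a page runs Textpattern.

    admin_dir is the directory name to look for in URLs (the default, or the
    renamed one if you want to check that the new name is not leaking either).
    """
    page = _PageCollector()
    page.feed(html)
    findings = []
    dir_pattern = re.compile(r"/%s/" % re.escape(admin_dir))
    for url in page.urls:
        if "css.php?s=" in url:            # default stylesheet served by css.php
            findings.append(("css.php stylesheet link", url))
        elif dir_pattern.search(url):      # any other asset under the admin dir
            findings.append(("admin directory path", url))
    footer = re.search(r"powered by\s+(textpattern|txp)", " ".join(page.text), re.I)
    if footer:
        findings.append(("powered-by footer", footer.group(0)))
    return findings
```

Running find_txp_giveaways(SAMPLE_HTML) reports all three hints; an empty list means none of the markers discussed in this thread are present, not that the site is unidentifiable.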

#16 2008-11-03 19:58:06

driz
Member
From: Huddersfield, UK
Registered: 2008-03-18
Posts: 441

Re: What do you do to secure "/textpattern"?

MattD wrote:

It would be possible to hide the fact that it’s even textpattern by returning a 404. 403 still confirms that textpattern is there.

I don’t follow? Pretending that you’re NOT using Textpattern doesn’t secure it in my book; a faux 403 means hackers believe that the /textpattern/ directory is being used, when in fact it doesn’t even exist, and therefore they won’t look for the REAL textpattern. Chances are even if you throw a 404 they could and will find out what CMS you’re using, plus I like to promote Txp as the CMS of choice, so it’s common knowledge.

But using this technique of creating a section/page called textpattern, you can use the txp_die function to throw either 403 or 404, or even create a whole new access panel; the possibilities are endless. x


~ Cameron


#17 2008-11-03 20:01:59

Gocom
Plugin Author
Registered: 2006-07-14
Posts: 4,524

Re: What do you do to secure "/textpattern"?

MattD wrote:

It would be possible to hide the fact that it’s even textpattern by returning a 404

I’m afraid you need some hacks to hide the fact that it is Textpattern. Textpattern’s core does return some messages without hacks/server thingies ;) Or of course you can force the server to return an error message while accessing those URIs and that way disable them.

The first one is feeds, the second one is clean URLs, tests and so on. Also, at the same time you should disable all server error (+port) messages that can reveal what you are using.

Also note that moving the textpattern dir is somewhat useless if you use any known host, default ports, any known server admin tools, webmail etc. If you do that, you might want to move everything else more cautiously too. Well, moving txp at least slows finding it down, and removes one really well-known dir, but doesn’t really protect anything for that matter; it just hides one thing.

Last edited by Gocom (2008-11-03 20:12:37)


#18 2008-11-03 20:33:07

driz
Member
From: Huddersfield, UK
Registered: 2008-03-18
Posts: 441

Re: What do you do to secure "/textpattern"?

Gocom wrote:

MattD wrote:

It would be possible to hide the fact that it’s even textpattern by returning a 404

I’m afraid you need some hacks to hide the fact that it is Textpattern. Textpattern’s core does return some messages without hacks/server thingies ;) Or of course you can force the server to return an error message while accessing those URIs and that way disable them.

The first one is feeds, the second one is clean URLs, tests and so on. Also, at the same time you should disable all server error (+port) messages that can reveal what you are using.

Also note that moving the textpattern dir is somewhat useless if you use any known host, default ports, any known server admin tools, webmail etc. If you do that, you might want to move everything else more cautiously too. Well, moving txp at least slows finding it down, and removes one really well-known dir, but doesn’t really protect anything for that matter; it just hides one thing.

Yeah, but my point was, by using a 403 people wouldn’t think that you’d hidden it at all; they’d think it had been protected using .htaccess, and therefore they wouldn’t be looking for it, as they’d think they’d found it, just that they can’t get in.


~ Cameron


#19 2008-11-03 20:55:15

MattD
Plugin Author
From: Monterey, California
Registered: 2008-03-21
Posts: 1,251

Re: What do you do to secure "/textpattern"?

masa wrote:

And then there are numerous sites with a note in their footer saying “powered by …” – obvious, huh?!

I promote TXP from my site as well, so I guess I don’t really see the point of hiding the login page if you use strong passwords.


My Plugins

Piwik Dashboard, Google Analytics Dashboard, Minibar, Article Image Colorpicker, Admin Datepicker, Admin Google Map, Admin Colorpicker


#20 2008-11-03 21:17:22

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,021

Re: What do you do to secure "/textpattern"?

masa wrote:

I initially thought this was a good idea, but soon I abandoned it, because as the article mentions, choosing non-obvious user names and good passwords provides plenty of security.

I’ve never done anything extra in the years I’ve used Txp except change my p-words from time-to-time. :/

However, since I’m a little concerned with TxB at the moment, maybe we should rename that page to something more generic (say, Making the Textpattern Installation More Secure), and then add all the ideas showing up in this thread as different sections in that article. They can then be ranked by perceived effectiveness or whatever in a top-to-bottom order. Clearly the one article there now is not the only way, nor seemingly the best way either.

Last edited by Destry (2008-11-03 21:58:55)


The text persuades, the notes prove.

