Textpattern CMS support forum


#21 2008-11-03 21:29:59

ruud
Developer emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: What do you do to secure "/textpattern"?

I don’t do anything to secure TXP after installing it; I just keep it up-to-date. That should be enough. If it’s not, that would be a bug.


#22 2008-11-03 21:56:56

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,021

Re: What do you do to secure "/textpattern"?

I agree, but you’ll always have people who want to go the extra distance. So for that reason I start Making the Textpattern Installation More Secure. I’ve rewritten the intro to present both sides of the coin. A user can go from there.

Ruud, if you want to add a dev statement to the “Default Install” paragraph that it’s “dev approved” or something, by all means.

That former page is now deleted. All other secure methods can be added to the new page as separate sections.


The text persuades, the *notes* prove.


#23 2008-11-03 21:59:46

masa
Member
From: Asturias, Spain
Registered: 2005-11-25
Posts: 1,091

Re: What do you do to secure "/textpattern"?

MattD wrote:

I promote TXP from my site as well so I guess I don’t really see the point of hiding the login page if you use strong passwords.

Neither do I, but those that are a bit paranoid might.

To put things into perspective, I do my online banking from a login page that is accessible to anyone. Only my username and password allow me to log in and perform tasks.

Why should Textpattern need to be more secure than that?? I just don’t get it.

Last edited by masa (2008-11-03 22:04:51)


#24 2008-11-03 22:05:32

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 8,460

Re: What do you do to secure "/textpattern"?

driz wrote:

a faux 403 means hackers believe that the /textpattern/ directory is being used, when in fact it doesn’t even exist and therefore they won’t look for the REAL textpattern

As a seasoned — if noble — hacker in my heyday, may I just point out that when your /textpattern/ folder came back with a 403, I tried something else and found your login page on the 1st attempt ;-) So it begs the question, what’s the point of going to the trouble of hiding the textpattern folder in the first place? Reminds me of a phrase about security through obscurity being no security at all… discuss!

That’s not a personal attack on you. It’s just that, until quantum computers become more useful, a good password is plenty secure in a well-designed system. Use a shit password and you get what’s coming to ya… the sad thing is if you give me half an hour talking with any person from well over half the computer-using population I could pretty much guarantee I’d find a password, a PIN or some security tidbit that would allow me to gain access to more than one facet of their lives. I don’t because I’m a decentish bloke (and I’ve got better things to do!), but I could. Heck, just spend an afternoon on Facebook and you’ve got a whole notebook’s worth of stuff to go on.

People tend to become lazy when it comes to electronic security because of bad software and bad IT policies such as forcing you to change your password every month, which does nothing but breed bad passwords. And bad passwords then rub off onto other well-designed (from a security standpoint) systems such as TXP. The password, the photo, the signature, the biometric thumbprint, the iris scan, or whatever single piece of identity is required to authenticate a user is the weak link in any automated system. Always has been, always will be. I’d save your energy: set a good password and concentrate on the site content instead :-)

P.S. good idea about the page rewrite Destry. Now people who want to rename the folder (probably purely for aesthetic reasons) can put in their tips. Nice.

Last edited by Bloke (2008-11-03 22:09:28)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp


#25 2008-11-03 22:32:59

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,021

Re: What do you do to secure "/textpattern"?

Well, now I’m thinking that wiki page’s title is a bit misleading, as if you can make it more secure. Maybe it should be Site Security Nice-tries. :)

Last edited by Destry (2008-11-03 22:33:44)




#26 2008-11-03 23:03:52

Gocom
Plugin Author
Registered: 2006-07-14
Posts: 4,524

Re: What do you do to secure "/textpattern"?

Bloke wrote:

I tried something else and found your login page on the 1st attempt…

Me too. Lol. I would say that it’s the most common backend path, minus systems that by default use their trademarks in the dir name. Even most other older/smaller CMSes use that dir. Other common ones are myadmin, control, sys etc.

Also hiding the textpattern path is quite odd, when there is also the host’s default sys-admin port/dir in use :P

The advantage is really notable! It’s none. Maybe we should also change ftp connection addresses too, or disable it completely. As we know the ftp address, and usually also the sys-admin username for it (most hosts use the domain name or part of it). And that can be achieved by looking at whois; that will tell who hosts you. Maybe you wanna change those too then ;)

And what comes to password cracking: it’s idiotic. It doesn’t need a professional – you just need a computer, software, set what to crack and where. Execute the program and it starts to crack the password, from one password variation to the other. And if you don’t stop it somehow, eventually that “cracker” will get the correct one – without doing anything, just by executing an automatic password variation app.

But if the password is strong, it takes a lot of time – and if you watch your logs, you will spot it. And of course you can use automatic banners. Who would make 500 000 requests in a couple of minutes? No one, and that is easily prevented. Also, no worries, most hosts keep an eye (automatic but anyway) on their servers too ;)

Last edited by Gocom (2008-11-03 23:18:37)
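Gocom’s point about watching the logs and banning automatically, as an added example that is not part of this thread or of Textpattern itself: a small sliding-window detector in Python that parses constructed Apache/nginx combined-format access-log lines and flags any client that POSTs to the login page too many times within a short window. The login path, the threshold, the window length and the IP addresses (documentation ranges) are all assumptions chosen for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined-log-format fields we need: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_bruteforce(lines, login_path="/textpattern/index.php",
                    threshold=10, window_seconds=60):
    """Return {ip: max_count} for clients that POSTed to login_path at least
    `threshold` times inside any `window_seconds`-long window.

    Lines are assumed to be in chronological order, as a live log is. A failed
    Textpattern login re-renders the form with a 200, so the status code is
    not a reliable failure signal; the rate of login POSTs per client is.
    """
    recent = defaultdict(deque)   # ip -> timestamps of login POSTs in the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop attempts that have aged out of the window.
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


def _line(ip, ts, method, path, status):
    # Helper to build a constructed combined-format log line.
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample traffic (not real log data): a human editor who mistypes
# twice a few minutes apart, then an automated guesser firing one login POST
# per second for twelve seconds.
SAMPLE_LOG = [
    _line("198.51.100.4", "03/Nov/2008:23:00:10 +0000", "POST", "/textpattern/index.php", 200),
    _line("198.51.100.4", "03/Nov/2008:23:03:41 +0000", "POST", "/textpattern/index.php", 200),
    _line("198.51.100.4", "03/Nov/2008:23:03:55 +0000", "GET", "/textpattern/index.php?event=article", 200),
] + [
    _line("203.0.113.7", f"03/Nov/2008:23:05:{s:02d} +0000", "POST", "/textpattern/index.php", 200)
    for s in range(12)
]

if __name__ == "__main__":
    for ip, n in find_bruteforce(SAMPLE_LOG).items():
        print(f"ban candidate {ip}: {n} login attempts inside the window")
```

The output of `find_bruteforce` is the list an automatic banner (or a cron job feeding a firewall deny list) would act on; the legitimate editor never trips the default threshold because two attempts minutes apart fall outside a 60-second window.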


#27 2008-11-03 23:54:09

driz
Member
From: Huddersfield, UK
Registered: 2008-03-18
Posts: 441

Re: What do you do to secure "/textpattern"?

To be honest I really doubt anyone would want to hack my site, I just hide the txp folder cos I don’t want it called that. I’m curious, you’re saying that you saw a 403 and assumed I was lying? Or just read it here and decided to delve further, and what was it you did to find it?


~ Cameron


#28 2008-11-04 02:24:37

MattD
Plugin Author
From: Monterey, California
Registered: 2008-03-21
Posts: 1,251

Re: What do you do to secure "/textpattern"?

I’d think you’d be better off with /textpattern than what you’ve changed it to.


My Plugins

Piwik Dashboard, Google Analytics Dashboard, Minibar, Article Image Colorpicker, Admin Datepicker, Admin Google Map, Admin Colorpicker


#29 2008-11-04 03:51:11

artagesw
Developer
From: Seattle, WA
Registered: 2007-04-29
Posts: 227

Re: What do you do to secure "/textpattern"?

masa wrote:

To put things into perspective, I do my online banking from a login page that is accessible to anyone. Only my username and password allow me to log in and perform tasks. Why should Textpattern need to be more secure than that?? I just don’t get it.

The difference is that your bank is securing that page with SSL, and you are likely not doing the same with your Txp site. Therefore, your user name and password are sent in the clear every time you log in, and can be intercepted by anyone who might be listening.

What I do is put the entire Txp admin area onto its own subdomain and secure it with SSL. Something like: https://admin.mysite.com. That plus strong passwords and it’s nice and buttoned up.


#30 2008-11-04 08:05:36

Destry
Moderator
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,021

Re: What do you do to secure "/textpattern"?

artagesw wrote:

What I do is put the entire Txp admin area onto its own subdomain and secure it with SSL. Something like: https://admin.mysite.com. That plus strong passwords and it’s nice and buttoned up.

Hi artagesw, would you be willing to elaborate on that a bit more in instructional format for someone doing SSL for the first time, and add it as a new section here?

Contact me (must be logged on to the forum) with an email if you need a wiki account. Or post them here and I’ll transfer them over.


