Go to main content

Textpattern CMS support forum

You are not logged in. Register | Login | Help

#25 2008-11-03 22:32:59

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,745
Website

Re: What do you do to secure "/textpattern"?

Well, now I’m thinking that wiki page’s title is a bit misleading, as if you can make it more secure. Maybe it should be Site Security Nice-tries. :)

Last edited by Destry (2008-11-03 22:33:44)

Offline

#26 2008-11-03 23:03:52

Gocom
Plugin Author
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: What do you do to secure "/textpattern"?

Bloke wrote:

I tried something else and found your login page on the 1st attempt…

Me too. Lol. I would say that it’s the most common backend path, minus systems that use defaulty their trademarks in the dir name. Even most of other older/smaller CMSes us that dir. Other common are myadmin, control, sys etc.

Also hiding textpattern path is quite odd, when there is also host’s default sys-admin port/dir in use :P

The advange is really notable! It’s non. Maybe we should also change ftp conntections addresses too, or disable it completely. As we know ftp address, and usually also the sys-admin username for it (most hosts use domain name or part of it). And that can be archieved by looking whois; that will tell who hosts you. Maybe you wanna change those too then ;)

And what comes to password cracking: it’s idiotic. It doesn’t need professional – you just need a computer, software, set what to crack and where. Exe the program it starts to crack the password, from pass variation to other. And if you don’t stop it somehow, eventually that “cracker” will get the correct one – with out doing anything, just by executing automatic password variation app.

But if the password is strong, it takes a lot of time – and if you watch your logs, you will spot it. And ofcourse you can use automatic banners. Who would make 500 000 requests in couple of minutes? No one, and that is easily prevented. Also, no worries, most hosts keep on eye (automatic but anyway) their servers too ;)

Last edited by Gocom (2008-11-03 23:18:37)

Offline

#27 2008-11-03 23:54:09

driz
Member
From: Huddersfield, UK
Registered: 2008-03-18
Posts: 441
Website

Re: What do you do to secure "/textpattern"?

To be honest I really doubt anyone would want to hack my site, I just hide the txp folder cos I don’t want it called that. I’m curious your saying that you saw a 403 and assumed I was lying? Or just read it here and decided to delve further, and what was it did to find it?


~ Cameron

Offline

#28 2008-11-04 02:24:37

MattD
Plugin Author
From: Monterey, California
Registered: 2008-03-21
Posts: 1,254
Website

Re: What do you do to secure "/textpattern"?

I’d think you’d be better off with /textpattern then what you’ve changed it to.


My Plugins

Piwik Dashboard, Google Analytics Dashboard, Minibar, Article Image Colorpicker, Admin Datepicker, Admin Google Map, Admin Colorpicker

Offline

#29 2008-11-04 03:51:11

artagesw
Developer
From: Seattle, WA
Registered: 2007-04-29
Posts: 227
Website

Re: What do you do to secure "/textpattern"?

masa wrote:

To put things into perspective, I do my online banking from a login page that is accessible to anyone. Only my username and password allow me to log in and perform tasks. Why should Textpattern need to be more secure than that?? I just don’t get it.

The difference is that your bank is securing that page with SSL, and you are likely not doing the same with your Txp site. Therefore, your user name and password are sent in the clear every time you log in, and can be intercepted by anyone who might be listening.

What I do is put the entire Txp admin area onto its own subdomain and secure it with SSL. Something like: https://admin.mysite.com. That plus strong passwords and it’s nice and buttoned up.

Offline

#30 2008-11-04 08:05:36

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,745
Website

Re: What do you do to secure "/textpattern"?

artagesw wrote:

What I do is put the entire Txp admin area onto its own subdomain and secure it with SSL. Something like: https://admin.mysite.com. That plus strong passwords and it’s nice and buttoned up.

Hi artagesw, would you be willing to elaborate on that a bit more in instructional format for someone doing SSL for the first time, and add it as a new section here?

Contact me (must be logged on to the forum) with an email if you need a wiki account. Or post them here and I’ll transfer them over.

Offline

#31 2008-11-04 10:23:52

ruud
Developer emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: What do you do to secure "/textpattern"?

artagesw wrote:

The difference is that your bank is securing that page with SSL, and you are likely not doing the same with your Txp site. Therefore, your user name and password are sent in the clear every time you log in, and can be intercepted by anyone who might be listening.

“Anyone who might be listening”… that requires access to a router on the path from your computer to the server where TXP is installed. Sure, it’s possible, but a bank is typically a more interesting target than the average TXP install. POP3 also works with plain text authentication, but you rarely hear about intercepted user/pass there.

I think the risk of a dictionary attack on weak user/pass combinations is greater than someone being able to sniff the user/pass due to the use of a non-secure connection. And using SSL doesn’t prevent a keylogger from grabbing the username/password when you enter it on your own computer nor does it protect users from phishing attacks.

Last edited by ruud (2008-11-04 10:39:05)

Offline

#32 2008-11-04 15:13:42

driz
Member
From: Huddersfield, UK
Registered: 2008-03-18
Posts: 441
Website

Re: What do you do to secure "/textpattern"?

Hey artagesw How could you have textpattern at admin.domain.com/ but your site at domain.com/ ?


~ Cameron

Offline

#33 2008-11-04 15:34:13

Gocom
Plugin Author
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: What do you do to secure "/textpattern"?

How could you have textpattern at admin.domain.com/ but your site at domain.com/ ?

It’s fairly possible, ‘cause it’s just subdomain. Just conf it to read textpattern’s admin dir.

Offline

#34 2008-11-04 16:28:20

driz
Member
From: Huddersfield, UK
Registered: 2008-03-18
Posts: 441
Website

Re: What do you do to secure "/textpattern"?

Gocom wrote:

bq. How could you have textpattern at admin.domain.com/ but your site at domain.com/ ?

It’s fairly possible, ‘cause it’s just subdomain. Just conf it to read textpattern’s admin dir.

So what’s going where filewise?


~ Cameron

Offline

#35 2008-11-04 16:40:29

MattD
Plugin Author
From: Monterey, California
Registered: 2008-03-21
Posts: 1,254
Website

Re: What do you do to secure "/textpattern"?

driz wrote:

So what’s going where filewise?

It really depends on how your host handles sub domains. Mine will let me easily point my subdomain to ANY directory which would make this easy. It would then just be a matter of blocking access from the other domain.


My Plugins

Piwik Dashboard, Google Analytics Dashboard, Minibar, Article Image Colorpicker, Admin Datepicker, Admin Google Map, Admin Colorpicker

Offline

#36 2008-11-05 12:58:22

wet
Developer
From: Lenzing, Austria
Registered: 2005-06-06
Posts: 3,267
Website

Re: What do you do to secure "/textpattern"?

masa wrote:

And then there are numerous sites with a note in their footer saying “powered by …” – obvious, huh?!

Evil hackers using such a Google dork usually look for something like this. That’s the downside of a monoculture…

Offline

Board footer

Powered by FluxBB