
Textpattern CMS support forum


#16 2008-11-03 19:58:06

driz
Member
From: Huddersfield, UK
Registered: 2008-03-18
Posts: 441
Website

Re: What do you do to secure "/textpattern"?

MattD wrote:

It would be possible to hide the fact that it’s even textpattern by returning a 404. 403 still confirms that textpattern is there.

I don’t follow? Pretending that you’re NOT using textpattern doesn’t secure it in my book; a faux 403 means hackers believe that the /textpattern/ directory is being used, when in fact it doesn’t even exist, and therefore they won’t look for the REAL textpattern. Chances are even if you throw a 404 they could and will find out what CMS you’re using, plus I like to promote Txp as the CMS of choice so it’s common knowledge.

But using this technique, of creating a section/page called textpattern, you can use the txp_die function to throw either a 403 or a 404, or even create a whole new access panel; the possibilities are endless. x


~ Cameron

Offline

#17 2008-11-03 20:01:59

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: What do you do to secure "/textpattern"?

MattD wrote:

It would be possible to hide the fact that it’s even textpattern by returning a 404

I’m afraid you need some hacks to hide the fact that it is Textpattern. Textpattern’s core does return some messages without hacks/server thingies ;) Or of course you can force the server to return an error message while accessing those URIs and that way disable them.

The first one is feeds, the second one is clean URLs, tests and so on. Also, at the same time you should disable all server error (+port) messages that can reveal what you are using.

Also note that moving the textpattern dir is somewhat useless if you use any known host, default ports, any known server admin tools, webmail etc. If you do that, you might want to move everything else more cautiously too. Well, moving txp at least slows finding it down, and removes one really well-known dir, but doesn’t really protect anything for that matter; it just hides one thing.

Last edited by Gocom (2008-11-03 20:12:37)

Offline

#18 2008-11-03 20:33:07

driz
Member
From: Huddersfield, UK
Registered: 2008-03-18
Posts: 441
Website

Re: What do you do to secure "/textpattern"?

Gocom wrote:

MattD wrote:

It would be possible to hide the fact that it’s even textpattern by returning a 404

I’m afraid you need some hacks to hide the fact that it is Textpattern. Textpattern’s core does return some messages without hacks/server thingies ;) Or of course you can force the server to return an error message while accessing those URIs and that way disable them.

The first one is feeds, the second one is clean URLs, tests and so on. Also, at the same time you should disable all server error (+port) messages that can reveal what you are using.

Also note that moving the textpattern dir is somewhat useless if you use any known host, default ports, any known server admin tools, webmail etc. If you do that, you might want to move everything else more cautiously too. Well, moving txp at least slows finding it down, and removes one really well-known dir, but doesn’t really protect anything for that matter; it just hides one thing.

Yeah, but my point was, by using a 403 people wouldn’t think that you’d hidden it at all; they’d think it had been protected using .htaccess, and therefore they wouldn’t be looking for it, as they’d think they’d found it, just that they can’t get in.


~ Cameron

Offline

#19 2008-11-03 20:55:15

MattD
Plugin Author
From: Monterey, California
Registered: 2008-03-21
Posts: 1,254
Website

Re: What do you do to secure "/textpattern"?

masa wrote:

And then there are numerous sites with a note in their footer saying “powered by …” – obvious, huh?!

I promote TXP from my site as well so I guess I don’t really see the point of hiding the login page if you use strong passwords.


My Plugins

Piwik Dashboard, Google Analytics Dashboard, Minibar, Article Image Colorpicker, Admin Datepicker, Admin Google Map, Admin Colorpicker

Offline

#20 2008-11-03 21:17:22

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: What do you do to secure "/textpattern"?

masa wrote:

I initially thought this was a good idea, but soon I abandoned it, because as the article mentions, choosing non-obvious user names and good passwords provides plenty of security.

I’ve never done anything extra in the years I’ve used Txp except change my p-words from time-to-time. :/

However, since I’m a little concerned with TxB at the moment, maybe we should rename that page to something more generic (say Making the Textpattern Installation More Secure), and then add all the ideas showing up in this thread as different sections in that article. They can then be ranked by perceived effectiveness or whatever in a top-to-bottom order. Clearly that one article there now is not the only way, nor seemingly the best way either.

Last edited by Destry (2008-11-03 21:58:55)

Offline

#21 2008-11-03 21:29:59

ruud
Developer Emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068
Website

Re: What do you do to secure "/textpattern"?

I don’t do anything to secure TXP after installing it; I just keep it up-to-date. That should be enough. If it’s not, that would be a bug.

Offline

#22 2008-11-03 21:56:56

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: What do you do to secure "/textpattern"?

I agree, but you’ll always have people who want to go the extra distance. So for that reason I started Making the Textpattern Installation More Secure. I’ve rewritten the intro to present both sides of the coin. A user can go from there.

Ruud, if you want to add a dev statement to the “Default Install” paragraph that it’s “dev approved” or something, by all means.

That former page is now deleted. All other secure methods can be added to the new page as separate sections.

Offline

#23 2008-11-03 21:59:46

masa
Member
From: North Wales, UK
Registered: 2005-11-25
Posts: 1,095

Re: What do you do to secure "/textpattern"?

MattD wrote:

I promote TXP from my site as well so I guess I don’t really see the point of hiding the login page if you use strong passwords.

Neither do I, but those that are a bit paranoid might.

To put things into perspective, I do my online banking from a login page that is accessible to anyone. Only my username and password allow me to log in and perform tasks.

Why should Textpattern need to be more secure than that?? I just don’t get it.

Last edited by masa (2008-11-03 22:04:51)

Offline

#24 2008-11-03 22:05:32

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 12,446
Website GitHub

Re: What do you do to secure "/textpattern"?

driz wrote:

a faux 403 means hackers believe that the /textpattern/ directory is being used, when in fact it doesn’t even exist and therefore they won’t look for the REAL textpattern

As a seasoned — if noble — hacker in my heyday, may I just point out that when your /textpattern/ folder came back with a 403, I tried something else and found your login page on the 1st attempt ;-) So it begs the question, what’s the point of going to the trouble of hiding the textpattern folder in the first place? Reminds me of a phrase about security through obscurity being no security at all… discuss!

That’s not a personal attack on you. It’s just that, until quantum computers become more useful, a good password is plenty secure in a well-designed system. Use a shit password and you get what’s coming to ya… the sad thing is if you give me half an hour talking with any person from well over half the computer-using population I could pretty much guarantee I’d find a password, a PIN or some security tidbit that would allow me to gain access to more than one facet of their lives. I don’t because I’m a decentish bloke (and I’ve got better things to do!), but I could. Heck, just spend an afternoon on Facebook and you’ve got a whole notebook’s worth of stuff to go on.

People tend to become lazy when it comes to electronic security because of bad software and bad IT policies such as forcing you to change your password every month, which does nothing but breed bad passwords. And bad passwords then rub off onto other well-designed (from a security standpoint) systems such as TXP. The password, the photo, the signature, the biometric thumbprint, the iris scan, or whatever single piece of identity is required to authenticate a user is the weak link in any automated system. Always has been, always will be. I’d save your energy: set a good password and concentrate on the site content instead :-)

P.S. good idea about the page rewrite Destry. Now people who want to rename the folder (probably purely for aesthetic reasons) can put in their tips. Nice.

Last edited by Bloke (2008-11-03 22:09:28)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Hire Txp Builders – finely-crafted code, design and Txp

Online

#25 2008-11-03 22:32:59

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: What do you do to secure "/textpattern"?

Well, now I’m thinking that wiki page’s title is a bit misleading, as if you can make it more secure. Maybe it should be Site Security Nice-tries. :)

Last edited by Destry (2008-11-03 22:33:44)

Offline

#26 2008-11-03 23:03:52

Gocom
Developer Emeritus
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533
Website

Re: What do you do to secure "/textpattern"?

Bloke wrote:

I tried something else and found your login page on the 1st attempt…

Me too. Lol. I would say that it’s the most common backend path, minus systems that use their trademarks in the dir name by default. Even most other older/smaller CMSes use that dir. Other common ones are myadmin, control, sys etc.

Also hiding the textpattern path is quite odd, when there is also the host’s default sys-admin port/dir in use :P

The advantage is really notable! It’s none. Maybe we should also change ftp connection addresses too, or disable it completely. As we know the ftp address, and usually also the sys-admin username for it (most hosts use the domain name or part of it). And that can be achieved by looking at whois; that will tell who hosts you. Maybe you wanna change those too then ;)

And what comes to password cracking: it’s idiotic. It doesn’t need a professional – you just need a computer, software, and to set what to crack and where. Execute the program and it starts to crack the password, from one pass variation to the next. And if you don’t stop it somehow, eventually that “cracker” will get the correct one – without doing anything, just by executing an automatic password variation app.

But if the password is strong, it takes a lot of time – and if you watch your logs, you will spot it. And of course you can use automatic banners. Who would make 500 000 requests in a couple of minutes? No one, and that is easily prevented. Also, no worries, most hosts keep an eye (automatic, but anyway) on their servers too ;)

Last edited by Gocom (2008-11-03 23:18:37)

Offline
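Gocom’s point about spotting a brute-force run in the logs and banning it automatically, as an added example that is not from this thread or from Textpattern itself: a small Python detector run over constructed Apache access-log lines. It assumes the default /textpattern/index.php admin entry point and counts POSTs to it per client IP in a sliding window; the threshold and window are arbitrary choices, not Textpattern settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log line; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ADMIN_PATH = "/textpattern/index.php"   # default Txp admin entry point (assumed unchanged)


def parse_line(line):
    """Return (ip, datetime, method, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["method"], m["path"], int(m["status"])


def flag_bruteforce(lines, threshold=10, window=60):
    """Return {ip: time_first_flagged} for every IP that POSTs to the login page
    more than `threshold` times within any `window`-second span.
    Status codes are ignored on purpose: a failed login re-renders the form,
    so the request rate, not the response, is the signal."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent login POSTs
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        if method != "POST" or path != ADMIN_PATH:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:   # drop POSTs outside the window
            q.popleft()
        if len(q) > threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


# Constructed sample: 203.0.113.7 fires 12 login POSTs in 33 s; 198.51.100.2 logs in once.
SAMPLE_LOG = [
    f'203.0.113.7 - - [03/Nov/2008:23:05:{s:02d} +0000] "POST /textpattern/index.php HTTP/1.1" 200 512 "-" "curl/7.19"'
    for s in range(0, 36, 3)
] + [
    '198.51.100.2 - - [03/Nov/2008:23:05:10 +0000] "GET /textpattern/index.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [03/Nov/2008:23:05:20 +0000] "POST /textpattern/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, when in flag_bruteforce(SAMPLE_LOG).items():
        print(f"ban candidate: {ip} (exceeded threshold at {when:%H:%M:%S})")
```

The dict it returns is what you would hand to a firewall or fail2ban-style action; the window-and-threshold pair is what separates the 500 000-requests-in-minutes case from a user mistyping a password a few times.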

#27 2008-11-03 23:54:09

driz
Member
From: Huddersfield, UK
Registered: 2008-03-18
Posts: 441
Website

Re: What do you do to secure "/textpattern"?

To be honest I really doubt anyone would want to hack my site; I just hide the txp folder cos I don’t want it called that. I’m curious: you’re saying that you saw a 403 and assumed I was lying? Or did you just read it here and decide to delve further, and what was it you did to find it?


~ Cameron

Offline

#28 2008-11-04 02:24:37

MattD
Plugin Author
From: Monterey, California
Registered: 2008-03-21
Posts: 1,254
Website

Re: What do you do to secure "/textpattern"?

I’d think you’d be better off with /textpattern than what you’ve changed it to.


My Plugins

Piwik Dashboard, Google Analytics Dashboard, Minibar, Article Image Colorpicker, Admin Datepicker, Admin Google Map, Admin Colorpicker

Offline

#29 2008-11-04 03:51:11

artagesw
Member
From: Seattle, WA
Registered: 2007-04-29
Posts: 227
Website

Re: What do you do to secure "/textpattern"?

masa wrote:

To put things into perspective, I do my online banking from a login page that is accessible to anyone. Only my username and password allow me to log in and perform tasks. Why should Textpattern need to be more secure than that?? I just don’t get it.

The difference is that your bank is securing that page with SSL, and you are likely not doing the same with your Txp site. Therefore, your user name and password are sent in the clear every time you log in, and can be intercepted by anyone who might be listening.

What I do is put the entire Txp admin area onto its own subdomain and secure it with SSL. Something like: https://admin.mysite.com. That plus strong passwords and it’s nice and buttoned up.

Offline

#30 2008-11-04 08:05:36

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,912
Website

Re: What do you do to secure "/textpattern"?

artagesw wrote:

What I do is put the entire Txp admin area onto its own subdomain and secure it with SSL. Something like: https://admin.mysite.com. That plus strong passwords and it’s nice and buttoned up.

Hi artagesw, would you be willing to elaborate on that a bit more in instructional format for someone doing SSL for the first time, and add it as a new section here?

Contact me (must be logged on to the forum) with an email if you need a wiki account. Or post them here and I’ll transfer them over.

Offline
