
Textpattern CMS support forum


#13 2008-11-03 19:10:52

driz
Member
From: Huddersfield, UK
Registered: 2008-03-18
Posts: 441

Re: What do you do to secure "/textpattern"?

Wouldn’t a 404 be better than a 403?

NO! Because that means you have changed the name, and they will continue to look for it, if it shows a 403 they will think it’s still the same just they can’t access it, subtle trickery. x

Just tried adding index.php to the URL and it still throws the 403, works a charm, although now I’ve revealed the secret :D

Last edited by driz (2008-11-03 19:17:07)


~ Cameron


#14 2008-11-03 19:39:01

MattD
Plugin Author
From: Monterey, California
Registered: 2008-03-21
Posts: 1,254

Re: What do you do to secure "/textpattern"?

It would be possible to hide the fact that it’s even textpattern by returning a 404. 403 still confirms that textpattern is there.


My Plugins

Piwik Dashboard, Google Analytics Dashboard, Minibar, Article Image Colorpicker, Admin Datepicker, Admin Google Map, Admin Colorpicker


#15 2008-11-03 19:56:42

masa
Member
From: Asturias, Spain
Registered: 2005-11-25
Posts: 1,091

Re: What do you do to secure "/textpattern"?

Destry wrote:

This was added to the wiki a long while ago, Renaming the Textpattern Admin Directory for Added Security.

I initially thought this was a good idea, but soon I abandoned it, because as the article mentions, choosing non-obvious user names and good passwords provides plenty of security.

Anyway, another simple step would be to remove any give-aways from the source code that hint at Textpattern, such as the default CSS link:

<link rel="stylesheet" type="text/css" media="all" href="http://domain.com/textpattern/css.php?s=default" />

And then there are numerous sites with a note in their footer saying “powered by …” – obvious, huh?!

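An added self-check for the give-aways masa lists above (example code written for this page, not from the forum posters or the Textpattern project): it scans a page's rendered HTML for the default css.php stylesheet link and a "powered by" footer, plus any other reference into the /textpattern/ directory, and reports each leak with its line number. The sample HTML is constructed for the example, and the function and label names are assumptions of this example rather than anything Textpattern ships.

```python
import re
import sys

# Constructed sample page (not taken from the forum) that contains both
# give-aways masa points out: the default css.php stylesheet link and a
# "powered by" footer.
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<title>Example site</title>
<link rel="stylesheet" type="text/css" media="all" href="http://domain.com/textpattern/css.php?s=default" />
</head><body>
<p>Hello world</p>
<div id="footer">Powered by Textpattern</div>
</body></html>
"""

# (label, pattern, specific). The two specific checks are the ones named
# in the thread; the generic one catches any other reference into the
# admin directory (images, scripts, links) and is only reported for a
# line that no specific check already flagged, so each leak is listed once.
GIVEAWAY_CHECKS = [
    ("default stylesheet link (css.php)", re.compile(r"textpattern/css\.php\?s=\w+", re.I), True),
    ("'powered by' footer", re.compile(r"powered\s+by\s+textpattern", re.I), True),
    ("reference to the /textpattern/ directory", re.compile(r"/textpattern/", re.I), False),
]


def find_giveaways(html):
    """Return (line_number, label, matched_text) for every leak found."""
    hits = []
    for lineno, line in enumerate(html.splitlines(), start=1):
        flagged = False
        for label, pattern, specific in GIVEAWAY_CHECKS:
            match = pattern.search(line)
            if match is None or (not specific and flagged):
                continue
            hits.append((lineno, label, match.group(0)))
            flagged = True
    return hits


def is_clean(html):
    """True when no check fires, i.e. nothing in the markup names Textpattern."""
    return not find_giveaways(html)


if __name__ == "__main__":
    # Pipe a saved copy of your own page in (curl -s https://your.site/ | python3 scan.py);
    # with nothing on stdin the constructed sample is scanned instead.
    page = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_HTML
    for lineno, label, snippet in find_giveaways(page):
        print(f"line {lineno}: {label}: {snippet}")
    if is_clean(page):
        print("no Textpattern give-aways found")
```

Run it against your own rendered front page after you have swapped the css.php link for a static stylesheet and reworded the footer; an empty report means the markup itself no longer advertises the CMS, which is all this check (and the advice above) claims to achieve.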

#16 2008-11-03 19:58:06

driz
Member
From: Huddersfield, UK
Registered: 2008-03-18
Posts: 441

Re: What do you do to secure "/textpattern"?

MattD wrote:

It would be possible to hide the fact that it’s even textpattern by returning a 404. 403 still confirms that textpattern is there.

I don’t follow? Pretending that you’re NOT using textpattern doesn’t secure it in my book; a faux 403 means hackers believe that the /textpattern/ directory is being used, when in fact it doesn’t even exist, and therefore they won’t look for the REAL textpattern. Chances are even if you throw a 404 they could and will find out what CMS you’re using, plus I like to promote Txp as the CMS of choice so it’s common knowledge.

But using this technique of creating a section/page called textpattern, you can use the txp_die function to throw either a 403 or 404, or even create a whole new access panel; the possibilities are endless. x




#17 2008-11-03 20:01:59

Gocom
Plugin Author
From: Helsinki, Finland
Registered: 2006-07-14
Posts: 4,533

Re: What do you do to secure "/textpattern"?

MattD wrote:

It would be possible to hide the fact that it’s even textpattern by returning a 404

I’m afraid you need some hacks to hide the fact that it is Textpattern. Textpattern’s core does return some messages without hacks/server thingies ;) Or of course you can force the server to return an error message when accessing those URIs and that way disable them.

The first one is feeds, the second one is clean URLs, tests and so on. Also, at the same time you should disable all server error (+port) messages that can reveal what you are using.

Also note that moving the textpattern dir is somewhat useless if you use any known host, default ports, any known server admin tools, webmail etc. If you do that, you might want to move everything more cautiously too. Well, moving txp at least slows finding it down, and removes one really known dir, but doesn’t really protect anything for that matter; it just hides one thing.

Last edited by Gocom (2008-11-03 20:12:37)


#18 2008-11-03 20:33:07

driz
Member
From: Huddersfield, UK
Registered: 2008-03-18
Posts: 441

Re: What do you do to secure "/textpattern"?

Gocom wrote:

MattD wrote:

It would be possible to hide the fact that it’s even textpattern by returning a 404

I’m afraid you need some hacks to hide the fact that it is Textpattern. Textpattern’s core does return some messages without hacks/server thingies ;) Or of course you can force the server to return an error message when accessing those URIs and that way disable them.

The first one is feeds, the second one is clean URLs, tests and so on. Also, at the same time you should disable all server error (+port) messages that can reveal what you are using.

Also note that moving the textpattern dir is somewhat useless if you use any known host, default ports, any known server admin tools, webmail etc. If you do that, you might want to move everything more cautiously too. Well, moving txp at least slows finding it down, and removes one really known dir, but doesn’t really protect anything for that matter; it just hides one thing.

Yeah but my point was, by using a 403 people wouldn’t think that you’d hidden it all, they’d think it had been protected using .htaccess, and therefore they wouldn’t be looking for it as they’d think they’d found it, just they can’t get in.




#19 2008-11-03 20:55:15

MattD
Plugin Author
From: Monterey, California
Registered: 2008-03-21
Posts: 1,254

Re: What do you do to secure "/textpattern"?

masa wrote:

And then there are numerous sites with a note in their footer saying “powered by …” – obvious, huh?!

I promote TXP from my site as well so I guess I don’t really see the point of hiding the login page if you use strong passwords.




#20 2008-11-03 21:17:22

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,751

Re: What do you do to secure "/textpattern"?

masa wrote:

I initially thought this was a good idea, but soon I abandoned it, because as the article mentions, choosing non-obvious user names and good passwords provides plenty of security.

I’ve never done anything extra in the years I’ve used Txp except change my p-words from time-to-time. :/

However, being I’m a little concerned with TxB at the moment, maybe we should rename that page to something more generic (say Making the Textpattern Installation More Secure), and then add all the ideas showing up in this thread as different sections in that article. They can then be ranked by a perceived effectiveness or whatever in a top-to-bottom order. Clearly that one article there now is not the only way, nor seemingly the best way either.

Last edited by Destry (2008-11-03 21:58:55)


#21 2008-11-03 21:29:59

ruud
Developer emeritus
From: a galaxy far far away
Registered: 2006-06-04
Posts: 5,068

Re: What do you do to secure "/textpattern"?

I don’t do anything to secure TXP after installing it; I just keep it up-to-date. That should be enough. If it’s not, that would be a bug.


#22 2008-11-03 21:56:56

Destry
Member
From: Haut-Rhin
Registered: 2004-08-04
Posts: 4,751

Re: What do you do to secure "/textpattern"?

I agree, but you’ll always have people who want to go the extra distance. So for that reason I started Making the Textpattern Installation More Secure. I’ve rewritten the intro to present both sides of the coin. A user can go from there.

Ruud, if you want to add a dev statement to the “Default Install” paragraph that it’s “dev approved” or something, by all means.

That former page is now deleted. All other secure methods can be added to the new page as separate sections.


#23 2008-11-03 21:59:46

masa
Member
From: Asturias, Spain
Registered: 2005-11-25
Posts: 1,091

Re: What do you do to secure "/textpattern"?

MattD wrote:

I promote TXP from my site as well so I guess I don’t really see the point of hiding the login page if you use strong passwords.

Neither do I, but those that are a bit paranoid might.

To put things into perspective, I do my online banking from a login page that is accessible to anyone. Only my username and password allow me to log in and perform tasks.

Why should Textpattern need to be more secure than that?? I just don’t get it.

Last edited by masa (2008-11-03 22:04:51)


#24 2008-11-03 22:05:32

Bloke
Developer
From: Leeds, UK
Registered: 2006-01-29
Posts: 10,481

Re: What do you do to secure "/textpattern"?

driz wrote:

a faux 403 means hackers believe that the /textpattern/ directory is being used, when in fact it doesn’t even exist and therefore they won’t look for the REAL textpattern

As a seasoned — if noble — hacker in my heyday, may I just point out that when your /textpattern/ folder came back with a 403, I tried something else and found your login page on the 1st attempt ;-) So it begs the question, what’s the point of going to the trouble of hiding the textpattern folder in the first place? Reminds me of a phrase about security through obscurity being no security at all… discuss!

That’s not a personal attack on you. It’s just that, until quantum computers become more useful, a good password is plenty secure in a well-designed system. Use a shit password and you get what’s coming to ya… the sad thing is if you give me half an hour talking with any person from well over half the computer-using population I could pretty much guarantee I’d find a password, a PIN or some security tidbit that would allow me to gain access to more than one facet of their lives. I don’t because I’m a decentish bloke (and I’ve got better things to do!), but I could. Heck, just spend an afternoon on Facebook and you’ve got a whole notebook’s worth of stuff to go on.

People tend to become lazy when it comes to electronic security because of bad software and bad IT policies such as forcing you to change your password every month, which does nothing but breed bad passwords. And bad passwords then rub off onto other well-designed (from a security standpoint) systems such as TXP. The password, the photo, the signature, the biometric thumbprint, the iris scan, or whatever single piece of identity is required to authenticate a user is the weak link in any automated system. Always has been, always will be. I’d save your energy: set a good password and concentrate on the site content instead :-)

P.S. good idea about the page rewrite Destry. Now people who want to rename the folder (probably purely for aesthetic reasons) can put in their tips. Nice.

Last edited by Bloke (2008-11-03 22:09:28)


The smd plugin menagerie — for when you need one more gribble of power from Textpattern. Bleeding-edge code available on GitHub.

Txp Builders – finely-crafted code, design and Txp
