Invision Community 4: SEO, prepare for v5 and dormant account notifications Matt November 11, 2024Nov 11
Posted December 8, 201212 yr Hello I am used to lock down directories, which are used for includes etc, using .htaccess directives like this one: .htaccess deny from all Which IP.Board directories can be shut down for public audience? I guess: cache hooks ips_kernel Are there more? Thanks,
December 9, 201212 yr im pretty sure IPB already does this. They have index.php's in all dirs which essentially redirect you no where (or perhaps the real index), i forget which.
December 9, 201212 yr yes, but to make it works, proper web server configuration is required. For the best (if you have access to vhost/host config) then for its main config set Options ALL -Indexes +MultiViews +FollowSymLinks DirectoryIndex index.php index.html index.htm NOTE: if you are using apache version < 2 then do -MultiViews, otherwise +MultiViews, this is due to issue with GoogleBot, there is trick for apache < 2, however I am not going to explain this, it is time to use newer versions ^.^ (or best solution to switch to nginx) You also can specify those things directly in your .htaccess of {root} directory, however remember the htaccess working only one lvl down of directory it is located. Also, @maddog, not every folder has the index in default ipb install, good example is http://community.invisionpower.com/interface/blog/apis/ try check those directories of you, I believe it does not cause any important security issue at all, however what for somebody would need to check what's there? some work on your side is required.. as you see IPS for themselves keeps the index in every folder but it is not provided in default installation.
December 10, 201212 yr Author That's not the same. Visitors can be excluded from certain directories on the webserver software level. You suggest to handle unsolicited requests via PHP, which is fine but one level higher.
December 11, 201212 yr Thomas, this is how IPS board here is configured, it is easy to determine by trying to run some file's url from the finger. Use tool provided by IPS to fill recommended folders with .htaccess file + the config I suggested above and that should be fine. I have my board configured like this and company (very famous one) which does penetration tests did not say anything about this ;)
December 12, 201212 yr Author Agreed, I'm used to a.m. apache 2 configuration, benefit I see is if someone manages to bypass PHP the webserver still has a lock on it. PHP may be misconfigured, may have current or future issues etc. I'll play with my variant of "extra" security and thought someone already has something similar in place - that's it. ;)
Archived
This topic is now archived and is closed to further replies.