
Enhance security - deny from all



Hello

I usually lock down directories which are used for includes etc. using .htaccess directives like this one:

.htaccess

deny from all

Which IP.Board directories can be shut off from the public?

I guess:

cache

hooks

ips_kernel

Are there more?

Thanks,

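As an added example (not code from the thread or from IPS), here is a small POSIX shell script that drops a deny-all .htaccess into the directories listed in the question. The web root and the directory names are assumptions for the demo. It writes both the Apache 2.2 directive used in the post (Deny from all) and the Apache 2.4 equivalent (Require all denied), each behind an IfModule guard, because on 2.4 "Deny from all" is only honoured when mod_access_compat is loaded and is otherwise a startup error.

```shell
#!/bin/sh
# Added example, not from the original thread. Root path and directory
# names (cache, hooks, ips_kernel) are assumptions; adjust to your install.

# Write a deny-all .htaccess into directory $1.
# Apache 2.4 (mod_authz_core) wants "Require all denied"; Apache 2.2 wants
# "Order deny,allow" + "Deny from all". Both are emitted so the same file
# works on either version.
write_deny_all() {
    dir="$1"
    [ -d "$dir" ] || return 1
    cat > "$dir/.htaccess" <<'EOF'
# Block all direct web access to this directory.
# PHP still reads these files from disk via include/require.
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}

# protect_dirs ROOT DIR... : apply write_deny_all to every listed directory
# that exists under ROOT; print the number of directories protected.
protect_dirs() {
    root="$1"; shift
    count=0
    for d in "$@"; do
        if write_deny_all "$root/$d"; then
            count=$((count + 1))
        else
            echo "skip: $root/$d does not exist" >&2
        fi
    done
    echo "$count"
}

# has_deny_all DIR : succeed only if DIR/.htaccess carries both directives.
has_deny_all() {
    f="$1/.htaccess"
    [ -f "$f" ] && grep -q 'Require all denied' "$f" && grep -q 'Deny from all' "$f"
}
```

The file only takes effect where the vhost grants it: "Deny" needs AllowOverride Limit and "Require" needs AllowOverride AuthConfig; with AllowOverride None the .htaccess is silently ignored. After deploying, a request such as `curl -sI https://yourboard.example/ips_kernel/` (hostname assumed) should return 403.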

Yes, but to make it work, proper web server configuration is required. Best of all (if you have access to the vhost/host config), set this in its main config:

# Apache rejects mixing "All" with +/- options, so use the relative form only
Options -Indexes +MultiViews +FollowSymLinks
DirectoryIndex index.php index.html index.htm

NOTE: if you are using an Apache version < 2 then use -MultiViews, otherwise +MultiViews; this is due to an issue with GoogleBot. There is a trick for Apache < 2, however I am not going to explain it; it is time to use newer versions ^.^ (or, the best solution, switch to nginx).

You can also specify those things directly in the .htaccess of your {root} directory; however, remember that .htaccess only works one level down from the directory it is located in.

Also, @maddog,

not every folder has an index in the default IPB install; a good example is http://community.invisionpower.com/interface/blog/apis/ . Try checking those directories on your own board. I believe it does not cause any important security issue at all, however why would somebody need to check what's there? Some work on your side is required. As you see, IPS themselves keep an index in every folder, but it is not provided in the default installation.

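As an added example (not code from the thread or from IPS), the following POSIX shell functions audit the point made above: they list every directory under a web root that has neither an index file nor a deny-all .htaccess, and can drop an empty index.html into each, the way IPS's own site carries an index in every folder. The root path is an assumption; the index file names checked are index.php, index.html and index.htm, matching the DirectoryIndex line in the post.

```shell
#!/bin/sh
# Added example, not from the original thread. The web root passed as $1 is
# an assumption; run it against your own IP.Board install.

# dirs_without_index ROOT : print, one per line and sorted, every directory
# under ROOT that has no index.php/index.html/index.htm and is not already
# blocked by a deny-all .htaccess (Apache 2.2 or 2.4 syntax).
dirs_without_index() {
    root="$1"
    find "$root" -type d | sort | while read -r d; do
        if [ ! -e "$d/index.php" ] && [ ! -e "$d/index.html" ] && [ ! -e "$d/index.htm" ]; then
            # grep -s: stay quiet when there is no .htaccess at all
            if ! grep -qsE 'Require all denied|Deny from all' "$d/.htaccess"; then
                echo "$d"
            fi
        fi
    done
}

# count_without_index ROOT : number of such directories (trimmed for BSD wc).
count_without_index() {
    dirs_without_index "$1" | wc -l | tr -d ' '
}

# add_blank_index ROOT : create an empty index.html in every directory
# reported by dirs_without_index, so a directory listing can never be
# served even if -Indexes is lost in a later config change.
add_blank_index() {
    dirs_without_index "$1" | while read -r d; do
        : > "$d/index.html"
    done
}
```

Run `dirs_without_index /path/to/board` first and review the list; directories that should never be reachable at all (includes, cache) are better served by the deny-all .htaccess than by a blank index, since the index only hides the listing and does not block direct file requests.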

Thomas, this is how the IPS board here is configured; it is easy to determine by trying to open some file's URL off the top of your head. Use the tool provided by IPS to fill the recommended folders with an .htaccess file, plus the config I suggested above, and that should be fine.

I have my board configured like this, and the company (a very famous one) which does penetration tests did not say anything about this ;)


Agreed, I'm used to the above-mentioned Apache 2 configuration; the benefit I see is that if someone manages to bypass PHP, the webserver still has a lock on it. PHP may be misconfigured, may have current or future issues, etc.

I'll play with my variant of "extra" security; I thought someone already had something similar in place - that's it. ;)
