Thomas P Posted December 8, 2012 Posted December 8, 2012 Hello I am used to lock down directories, which are used for includes etc, using .htaccess directives like this one: .htaccess deny from all Which IP.Board directories can be shut down for public audience? I guess: cache hooks ips_kernel Are there more? Thanks,
maddog107_merged Posted December 9, 2012 Posted December 9, 2012 im pretty sure IPB already does this. They have index.php's in all dirs which essentially redirect you no where (or perhaps the real index), i forget which.
PatrickRQ Posted December 9, 2012 Posted December 9, 2012 yes, but to make it works, proper web server configuration is required. For the best (if you have access to vhost/host config) then for its main config set Options ALL -Indexes +MultiViews +FollowSymLinks DirectoryIndex index.php index.html index.htm NOTE: if you are using apache version < 2 then do -MultiViews, otherwise +MultiViews, this is due to issue with GoogleBot, there is trick for apache < 2, however I am not going to explain this, it is time to use newer versions ^.^ (or best solution to switch to nginx) You also can specify those things directly in your .htaccess of {root} directory, however remember the htaccess working only one lvl down of directory it is located. Also, @maddog, not every folder has the index in default ipb install, good example is http://community.invisionpower.com/interface/blog/apis/ try check those directories of you, I believe it does not cause any important security issue at all, however what for somebody would need to check what's there? some work on your side is required.. as you see IPS for themselves keeps the index in every folder but it is not provided in default installation.
Thomas P Posted December 10, 2012 Author Posted December 10, 2012 That's not the same. Visitors can be excluded from certain directories on the webserver software level. You suggest to handle unsolicited requests via PHP, which is fine but one level higher.
PatrickRQ Posted December 11, 2012 Posted December 11, 2012 Thomas, this is how IPS board here is configured, it is easy to determine by trying to run some file's url from the finger. Use tool provided by IPS to fill recommended folders with .htaccess file + the config I suggested above and that should be fine. I have my board configured like this and company (very famous one) which does penetration tests did not say anything about this ;)
Thomas P Posted December 12, 2012 Author Posted December 12, 2012 Agreed, I'm used to a.m. apache 2 configuration, benefit I see is if someone manages to bypass PHP the webserver still has a lock on it. PHP may be misconfigured, may have current or future issues etc. I'll play with my variant of "extra" security and thought someone already has something similar in place - that's it. ;)
Recommended Posts
Archived
This topic is now archived and is closed to further replies.