security
Forum rules
Just please remember to play nicely once you walk through the door. You can disagree with us, or any other commenters in this forum, but respect our space and keep your comments directed to the topic at hand.
- RussH
- Site Admin
- Posts: 824
- Joined: 12 Apr 2008, 08:28
- what is two(2) plus three(3) ?: 5
- Location: UK
- Contact:
Re: security
Hey.
There's been no security holes identified recently. I assume, as we don't have any '3 strikes and you're out' configuration for logon attempts, that they can try to brute-force usernames / passwords.
Please check that you have restrictions on your upload directory and that executables cannot be run (i.e. they can't upload a script and then try to call it).
Also - for additional security you can configure an htaccess / htpasswd logon for your back-end admin page if you expose that to the internet.
I also have an antivirus scan (clamav) configured to run regularly on my attachments directory and the upload directory.
If you're concerned with DDoS protection in particular, you could look to use Cloudflare.
For security testing, I have been looking at fuzz testing the codebase... but unfortunately I'm fairly backlogged and could do with reviewing and approving some overdue commits before I get into new stuff!
RussH
Report your issues and feature requests;
https://github.com/opencats/opencats/issues
Please CLICK THE TICK to accept the answer!
Re: security
Thanks Russ
Is there a way to block an IP if they try too many times, i.e. a '3 strikes and you're out' configuration for logon attempts?
Also, what do you mean by "for additional security you can configure an htaccess / htpasswd logon for your back-end admin page if you expose that to the internet"?
thanks bud
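A worked version of the lockout the question above asks about (and which the earlier reply says OpenCATS does not have), as an added example rather than OpenCATS code: a per-address '3 strikes' throttle, replayed over constructed login-log lines so the decision on each attempt is visible. The class name, the log format and the thresholds are assumptions of this example, not anything OpenCATS ships.

```python
"""Per-IP login lockout ('3 strikes and you're out') replayed over a log.

Added example; this is not OpenCATS code. It assumes the application can
hand each login result to LoginThrottle (a hypothetical name) and that a
log in the format below exists; the sample lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Tuple

MAX_FAILURES = 3        # strikes before the address is locked
WINDOW_SECONDS = 600    # failures are only counted within this window
LOCKOUT_SECONDS = 900   # how long a locked address is refused


class LoginThrottle:
    """Counts failures per client address and refuses logins once locked."""

    def __init__(self, max_failures: int = MAX_FAILURES,
                 window: int = WINDOW_SECONDS, lockout: int = LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, ip: str, now: float) -> bool:
        """True while a lockout is in force; expired lockouts are cleared."""
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[ip]
            return False
        return True

    def record_attempt(self, ip: str, success: bool, now: float) -> bool:
        """Record one attempt; return True if it tripped a lockout."""
        q = self._failures[ip]
        if success:
            q.clear()           # a good login resets the strike count
            return False
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()         # forget failures older than the window
        if len(q) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            q.clear()
            return True
        return False


LINE_RE = re.compile(r"^(\S+ \S+) login (OK|FAILED) user=(\S+) ip=(\S+)$")


def parse_line(line: str) -> Tuple[float, bool, str, str]:
    """Return (epoch seconds, success, user, ip) for one constructed log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised log line: %r" % line)
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return ts.timestamp(), m.group(2) == "OK", m.group(3), m.group(4)


def replay_log(lines: List[str], throttle: LoginThrottle = None) -> List[Tuple[str, str]]:
    """Replay login events in order and return (ip, decision) per line.

    decision is 'ok', 'failed', 'locked' (this attempt tripped the lockout)
    or 'rejected' (the attempt arrived while the address was locked).
    """
    throttle = throttle or LoginThrottle()
    out = []
    for line in lines:
        if not line.strip():
            continue
        now, success, _user, ip = parse_line(line)
        if throttle.is_locked(ip, now):
            out.append((ip, "rejected"))
            continue
        if throttle.record_attempt(ip, success, now):
            out.append((ip, "locked"))
        else:
            out.append((ip, "ok" if success else "failed"))
    return out


# Constructed sample: one address hammering 'admin', one legitimate user.
SAMPLE_LOG = """\
2024-05-01 10:00:01 login FAILED user=admin ip=203.0.113.5
2024-05-01 10:00:03 login FAILED user=admin ip=203.0.113.5
2024-05-01 10:00:04 login OK user=russ ip=198.51.100.7
2024-05-01 10:00:06 login FAILED user=admin ip=203.0.113.5
2024-05-01 10:00:08 login FAILED user=admin ip=203.0.113.5
2024-05-01 10:00:10 login FAILED user=bob ip=198.51.100.7
2024-05-01 10:00:12 login OK user=bob ip=198.51.100.7
2024-05-01 10:20:00 login FAILED user=root ip=203.0.113.5
"""

if __name__ == "__main__":
    for ip, decision in replay_log(SAMPLE_LOG.splitlines()):
        print(ip, decision)
```

Two caveats a practitioner would want: behind Cloudflare the client address arrives in the CF-Connecting-IP header, so key on that only for requests that really came from Cloudflare's ranges, otherwise an attacker can spoof the header and get someone else locked out; and a per-address lockout neither stops a distributed attack nor prevents the lockout itself being used to deny service to legitimate users, so count failures per username as well and prefer a delay plus a CAPTCHA over hard locks for accounts. If the application writes a log like the one above, fail2ban can do the same counting and block at the firewall instead.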
Re: security
Also, when you say restrictions on your upload directory and that executables cannot be run... what do you chmod your attachment directory to? Thanks
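The chmod question above is only half of the "executables cannot be run" advice, so here, as an added example and not OpenCATS code, is an audit script that checks an attachments/upload directory for the things that let an upload become code execution: script extensions anywhere in the name, execute bits, world-writable entries, and a missing or weak .htaccess. The extension list, the Apache-style .htaccess text and the constructed demo tree are assumptions of this example.

```python
"""Audit an attachments/upload directory for what turns an upload into
code execution: files the web server would run, permissions that let them
be changed, and a missing or weak .htaccess.

Added example, not OpenCATS code. The extension list, the Apache-style
.htaccess text and the demo tree are this example's own assumptions.
"""
import os
import stat
import tempfile
from typing import Dict, List

# Extensions a typical Apache/PHP host would hand to an interpreter (assumed).
SCRIPT_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".phar",
                     ".cgi", ".pl", ".py", ".sh"}

# Assumed .htaccess for the upload directory: everything is static data.
HTACCESS_NO_EXEC = """\
# Never execute anything stored here.
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
RemoveHandler .php .phtml .phar
RemoveType .php .phtml .phar
Options -ExecCGI -Indexes
<FilesMatch "\\.(php[0-9]?|phtml|phar|cgi|pl|py|sh)$">
    Require all denied
</FilesMatch>
"""


def classify_file(name: str, mode: int) -> List[str]:
    """Findings for one file from its name and st_mode (empty list = clean)."""
    findings = []
    # mod_mime matches any dotted segment, so resume.php.pdf is as bad as
    # resume.pdf.php; check every segment after the first.
    segments = name.lower().split(".")[1:]
    if any("." + s in SCRIPT_EXTENSIONS for s in segments):
        findings.append("script-extension")
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("executable-bit")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def classify_dir(mode: int) -> List[str]:
    """Findings for a directory: world-writable without the sticky bit."""
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        return ["world-writable"]
    return []


def htaccess_disables_execution(text: str) -> bool:
    """True if the .htaccess text carries the directives that stop execution."""
    t = text.lower()
    return "php_flag engine off" in t and "removehandler" in t


def audit(path: str) -> Dict[str, List[str]]:
    """Walk path and map each problematic entry (relative name) to its findings."""
    findings: Dict[str, List[str]] = {}
    ht = os.path.join(path, ".htaccess")
    if not os.path.isfile(ht):
        findings[".htaccess"] = ["missing"]
    else:
        with open(ht) as fh:
            if not htaccess_disables_execution(fh.read()):
                findings[".htaccess"] = ["does-not-disable-execution"]
    for root, _dirs, files in os.walk(path):
        dres = classify_dir(os.lstat(root).st_mode)
        if dres:
            findings[os.path.relpath(root, path)] = dres
        for name in files:
            if root == path and name == ".htaccess":
                continue
            full = os.path.join(root, name)
            mode = os.lstat(full).st_mode
            fres = classify_file(name, mode)
            if stat.S_ISLNK(mode):
                fres.append("symlink")   # may point outside the directory
            if fres:
                findings[os.path.relpath(full, path)] = fres
    return findings


def demo() -> Dict[str, List[str]]:
    """Build a constructed upload tree in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as base:
        with open(os.path.join(base, ".htaccess"), "w") as fh:
            fh.write(HTACCESS_NO_EXEC)
        for name, mode in (("resume.pdf", 0o644), ("resume.pdf.php", 0o644),
                           ("helper.sh", 0o755)):
            p = os.path.join(base, name)
            with open(p, "w") as fh:
                fh.write("x")
            os.chmod(p, mode)
        return audit(base)


if __name__ == "__main__":
    for entry, problems in sorted(demo().items()):
        print(entry, ", ".join(problems))
```

The permission answer this audit encodes: the directory writable only by the web-server user (0750 or 0755 owned by it, never 0777) and files 0644 with no execute bit. Mode bits alone do not stop PHP, though, because the interpreter reads the file rather than executing it; the .htaccess is the part that actually matters, and it only takes effect if AllowOverride permits it. With PHP-FPM `php_flag` is ignored, so put the equivalent handler removal in a `<Directory>` block in the vhost instead. Keeping uploads outside the document root and the clamav scan mentioned earlier in the thread are the next steps.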
- RussH
- Site Admin
- Posts: 824
- Joined: 12 Apr 2008, 08:28
- what is two(2) plus three(3) ?: 5
- Location: UK
- Contact:
Re: security
I've proposed a small enhancement to protect against cross-site scripting if you use the careers portal - if you want to apply this manually feel free...
https://github.com/opencats/OpenCATS/issues/406
RussH
Report your issues and feature requests;
https://github.com/opencats/opencats/issues
Please CLICK THE TICK to accept the answer!