Geeklog Forums

Security Checklist


scottandhiscat

Forum User
Newbie
Registered: 09/07/05
Posts: 2
Greetings all. I am a new and very happy Geeklog user.

CPanel and Fantastico made installation of version 1.3.11sr1 easier than dunking cookies for breakfast... but, I'm concerned about security.

Has anyone created a security checklist? i.e.: Permissions for files and folders, what files can be deleted after installation, etc.

Overall, I find documentation to be excellent, and I'm very pleased, thank you to the developers for all your hard work... I just can't seem to find much on security, perhaps that's a good thing!

Cheers, thanks in advance,

Scott

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location: Stuttgart, Germany
You should find a brief checklist sitting in the submission queue of your new site as well as a side block telling you to remove the install directory and change the passwords of the two default accounts.

The original installation instructions (for a manual install) list which files and directories need special permissions - everything else should be read-only.

I've never used any of the existing automated installers, so I can only hope none of those has screwed up any of the above ...

bye, Dirk

DubiousChrisJ

Forum User
Regular Poster
Registered: 05/10/05
Posts: 114
Hey Dirk,
FYI, I used Fantastico, and it did a correct install, including the features you mentioned. The only thing I had to do was run the upgrade, since it gave me an older version initially. I also had the site security check as a default block on the left when I ran it for the first time, which all checked out.
Luhme summa dat GL.

scottandhiscat

Forum User
Newbie
Registered: 09/07/05
Posts: 2
Thanks, I found everything.

Cheers,
Scott

SuD

Anonymous
Well, I've seen a Fantastico installation and I didn't like it much:

* Geeklog dir was on public_html!
* IIRC Backup & log directory was not writable (it's better like that due to the previous point).
* I'm not sure whether it gave write access to images/ and similar directories...

So IMHO it just unzipped the files and inserted the tables, without any more actions...
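The checks raised in the posts above (a leftover install directory, writable files outside the few directories that need it, Geeklog unpacked inside the web root) can be scripted. This is an added shell example, not part of the thread or of Geeklog; the allowlist and the directory layout are assumptions, so take the real list from the installation instructions.

```shell
#!/bin/sh
# Added example, not Geeklog code. Assumed layout: ROOT holds config.php,
# logs/, backups/ and public_html/; the installer lives in a directory
# named "install". Adjust WRITABLE_OK to the installation instructions.
# Usage: audit_geeklog /absolute/path/to/geeklog

# Paths relative to ROOT that may be group/world writable (assumed list).
WRITABLE_OK="logs backups public_html/images"

# is_allowed REL: succeed if REL is an allowed path or lies below one.
is_allowed() {
    for ok in $WRITABLE_OK; do
        case "$1" in
            "$ok"|"$ok"/*) return 0 ;;
        esac
    done
    return 1
}

# audit_geeklog ROOT: print one finding per line; return 1 if any exist.
audit_geeklog() {
    root=${1%/}
    report=$(
        # Non-public files (config, logs, backups) sitting in the web root.
        case "$root/" in
            (*/public_html/*) echo "INSIDE-WEBROOT $root" ;;
        esac
        # Installer left behind after setup.
        find "$root" -type d -name install | while IFS= read -r p; do
            rel=${p#"$root"/}
            echo "INSTALL-DIR $rel"
        done
        # Group- or world-writable entries outside the allowlist.
        find "$root" ! -type l \( -perm -0020 -o -perm -0002 \) |
        while IFS= read -r p; do
            rel=${p#"$root"/}
            is_allowed "$rel" || echo "WRITABLE $rel"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

An empty result with exit status 0 means none of the three conditions was found under the given path.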

tlingit54

Forum User
Newbie
Registered: 01/04/05
Posts: 8
On registration, some users do not change their password from "password", or else they register with that as their password.

Then in my security_check block, I get a security message informing me of such. What do I need to add to the lib-common.php under the phpblock_getBent section in order for the warning to tell me exactly which user has the password set to "password"?


This is probably an easy MySQL query, but I am not much on either MySQL or PHP. I think this would be useful for other admins to show, rather than count the weak passwords.


Thanks in advance!

Dirk

Site Admin
Admin
Registered: 01/12/02
Posts: 13073
Location: Stuttgart, Germany
Quote by tlingit54: On registration, some users do not change their password from "password", or else they register with that as their password.

New users get a randomly generated password. If they voluntarily change that to "password", then that is really their problem, IMO.

Btw, make sure you changed the default password for the Moderator account - maybe that's the reason for that message?

bye, Dirk