Which additional securities do you add to your open source cms installations?


Problem description

I know that being open source does not necessarily make a program more/less secure than closed source (let's assume this neutrality, to keep flames out of this post). Fact is: since the source code is open, everybody knows your default URLs, default administrator logins, etc.

I'm using Wordpress and Joomla in some projects of my clients, and I always try to create some kind of additional security. Excluding always updating your files to the latest version, what do you usually do to add more security in this scenario? Some of my thoughts:

  • I always change the "admin" name when applicable;

  • I would like not to explicitly say which technologies I'm using, but since I want to promote the cms (I think it is the minimum I should do), I just don't say the exact version so attackers don't know which exact vulnerabilities they can attack (wordpress automatically creates a meta tag in html saying "Wordpress 2.8.4" for example);

  • Set correct permissions in directories, and bash scripts in my server that run every day at 0h setting 755 to directories I may have changed to 775 during the day and forgot to turn back;

  • When applicable, I set Apache configuration to limit IPs.

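The nightly permission reset described in the question, written out as an added shell example that is not part of the original post or the answer; the document root, log path, cron schedule and the assumption that only the poster's own edits cause drift are mine:

```shell
#!/bin/sh
# Added example, not from the original post: reset a CMS document root to
# 755 directories / 644 files, the way the question's 0h cron job does,
# and log every entry that had drifted so the change is visible afterwards.
# The paths below are assumptions; adjust them to your own install.

# Print the number of entries whose mode differs from the expected one.
# Useful as a quick check before and after a reset.
count_drift() {
    root="$1"
    { find "$root" -type d ! -perm 755; find "$root" -type f ! -perm 644; } | wc -l | tr -d ' '
}

# Reset permissions under $1, appending the drifted entries to the log in $2.
# Directories the web server must write to (e.g. an uploads folder) should
# be excluded with a -path ... -prune clause before using this in production.
reset_cms_perms() {
    root="$1"
    log="${2:-/var/log/cms-perms.log}"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    stamp=$(date '+%Y-%m-%d %H:%M:%S')
    # Record what drifted first, then fix it; 'chmod {} +' batches the calls.
    find "$root" -type d ! -perm 755 -print | sed "s|^|$stamp dir |" >> "$log"
    find "$root" -type d ! -perm 755 -exec chmod 755 {} +
    find "$root" -type f ! -perm 644 -print | sed "s|^|$stamp file |" >> "$log"
    find "$root" -type f ! -perm 644 -exec chmod 644 {} +
}

# Run at 0h via cron (assumed install path of this script):
#   0 0 * * * /usr/local/sbin/reset_cms_perms.sh /var/www/html /var/log/cms-perms.log
if [ $# -gt 0 ]; then
    reset_cms_perms "$@"
fi
```

Reviewing the log after each run is the point: a directory that keeps reappearing there without you having touched it is worth investigating rather than silently fixing.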

Recommended answer

Using something like the mod_security or mod_evasive Apache modules can be an idea too -- I suppose they require some configuration, though; and you should test your website still works OK before using those on your production server.
As they are Apache modules, it also requires that you can install new Apache modules -- which means you have to be admin of the server.

On a pure PHP level, there is a tool called PHP-IDS; quoting its website:


PHPIDS (PHP-Intrusion Detection System) is a simple to use, well structured, fast and state-of-the-art security layer for your PHP based web application. The IDS neither strips, sanitizes nor filters any malicious input, it simply recognizes when an attacker tries to break your site and reacts in exactly the way you want it to. Based on a set of approved and heavily tested filter rules any attack is given a numerical impact rating which makes it easy to decide what kind of action should follow the hacking attempt. This could range from simple logging to sending out an emergency mail to the development team, displaying a warning message for the attacker or even ending the user's session.

I suppose you could "plug" it in front of the CMS you are using, by adding a couple of lines to its entry point -- if there is a common entry point you can identify, or some file that's included once at the beginning of each page.
There is a "How to use it in my application?" entry in the FAQ.

And, like you said, securing your server is nice: no remote SQL access, for instance; checking the privileges of each user on the system, too; keeping your software up to date, ...
