This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

ExpressionEngine & Best Security Practices

February 08, 2009 2:52am

  • #1 / Feb 08, 2009 2:52am

    Jason McCallister

    255 posts

    I was curious as to what the “paranoid” EE users do for security on their live ExpressionEngine websites, such as tweaking permissions, etc. I know EllisLab takes security to heart, but I want to know what the community does to ensure their install is secure.

    I’m talking about things like changing your system directory to “supercalifragilistic” (Yes, I cheated. Google search FTW).

    Paranoid ramblings are encouraged!

  • #2 / Feb 08, 2009 4:53am

    Ingmar

    29245 posts

    Yes, I generally rename “system” to something impossible to guess, and use secure passwords. I also try to make sure my users do, disallowing the 500 (or so) worst passwords.

  • #3 / Feb 08, 2009 8:27am

    angstmann

    225 posts

    I haven’t really done any more than the standard system folder renaming; however, if there were any other suggested or recommended approaches (without being too paranoid) then I’d be interested to hear them.

  • #4 / Feb 08, 2009 2:53pm

    ak4mc

    429 posts

    I’ve not only changed the name of my system folder at least twice over the years, I’ve moved it at least once. You want to talk about a major undertaking!

    I’ve only been honest-to-goodness hacked once, and that was because I hadn’t realized my database username and password were saved unencrypted in config.php, and until the hacking I’d simply used my root username/password for EE’s database access. Not anymore.

    Fortunately it wasn’t an attack on my site but an installation of phishing code (completely outside of EE) that my host detected immediately and shut down right away.

  • #5 / Feb 08, 2009 4:15pm

    Jason McCallister

    255 posts

    Ingmar,

    Interested in how you “disallowed” the worst password list?

    I have also heard of people removing the update.php in the system directory.

    McGhee,

    How did you encrypt the config.php file? That’s a good idea.

  • #6 / Feb 08, 2009 4:17pm

    Jason McCallister

    255 posts

    I haven’t really done any more than the standard system folder renaming; however, if there were any other suggested or recommended approaches (without being too paranoid) then I’d be interested to hear them.

    I’ve heard of some people changing the permissions on the installation, but I can’t remember how they set them or who said they used that method.

  • #7 / Feb 08, 2009 4:21pm

    Jason McCallister

    255 posts

    Ok, the permissions info was posted by EE Lover at the bottom of this page:

    http://expressionengine.com/docs/installation/installation.html
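
Post #7 points at the permissions notes in the installation docs, and the thread as a whole boils down to a handful of file-system checks. The following POSIX shell audit is an added example, not from the thread or from EllisLab: given the path of the (renamed) system directory, it reports the directory still carrying its default name, an update.php left behind (post #8), a config.php readable by everyone, and anything world-writable in the tree. The directory layout and file names are assumptions about a typical EE install.

```shell
#!/bin/sh
# Added example (not from the thread): audit an ExpressionEngine system
# directory for the permission problems discussed in this thread.
# Usage: sh ee_perm_audit.sh /path/to/renamed-system-dir   (path is a placeholder)

# Print the octal permission bits of a file, portably across GNU and BSD stat.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# audit_ee_perms SYSTEM_DIR
# Prints one WARN line per finding; prints nothing when the tree looks clean.
audit_ee_perms() {
    dir=$1

    # 1. The directory should not still be called "system" (post #1/#2).
    [ "$(basename "$dir")" = "system" ] && \
        echo "WARN: $dir still uses the default directory name 'system'"

    # 2. update.php is only needed during an upgrade; post #8 recommends removing it.
    [ -e "$dir/update.php" ] && \
        echo "WARN: $dir/update.php is still present"

    # 3. config.php holds the database credentials in plain text (post #4), so the
    #    'other' permission bits must be zero: 0640 for a web-server group, or
    #    0600 when PHP runs as the site's own user.
    if [ -f "$dir/config.php" ]; then
        mode=$(file_mode "$dir/config.php")
        case "$mode" in
            *[1-7]) echo "WARN: $dir/config.php is accessible to everyone (mode $mode)" ;;
        esac
    fi

    # 4. Nothing under the tree should be world-writable; a writable file or
    #    directory is all an intruder needs to plant code (post #13).
    find "$dir" \( -type f -o -type d \) -perm -0002 | while read -r path; do
        echo "WARN: $path is world-writable"
    done

    return 0
}

# Run the audit when a directory is given on the command line.
if [ $# -gt 0 ]; then
    audit_ee_perms "$1"
fi
```

The script only reads; it prints what to fix rather than changing modes, because the right owner and group depend on whether PHP runs as the web-server user (then config.php wants 0640 with the web server's group) or as your own account (then 0600 is enough).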

  • #8 / Feb 08, 2009 4:31pm

    Ingmar

    29245 posts

    Interested in how you “disallowed” the worst password list?

    Admin > System Preferences > Security and Session Preferences > Allow Dictionary Words as Passwords

    I have also heard of people removing the update.php in the system directory.

    Yes, that’s definitely recommended.
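
Post #2 and the setting quoted in post #8 both come down to refusing passwords that appear on a short list of the worst ones. The script below is an added example, not from the thread or from EE, of how such a check behaves when it is done carefully: the candidate is normalised before the lookup, so the obvious mangled forms of a listed word (“Password123!”, “p@ssw0rd”) are rejected along with the bare word. The denylist file format (one lowercase word per line) and the sample words are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread): a "worst passwords" denylist check.
# The list format and sample entries are constructed for this example.

# normalize_password PASSWORD -> canonical form used for the list lookup.
# Lower-cases, strips trailing digits and punctuation ("Password123!" -> "password"),
# then undoes the common l33t substitutions ("p@ssw0rd" -> "password"), so the
# usual mangled variants of a listed word are caught as well as the word itself.
normalize_password() {
    printf '%s' "$1" \
        | tr 'A-Z' 'a-z' \
        | sed 's/[0-9[:punct:]]*$//' \
        | tr '@04$!31' 'aoasiel'
}

# password_denied PASSWORD DENYLIST_FILE
# Exit status 0 (true) when the password must be rejected, 1 when it is not listed.
password_denied() {
    norm=$(normalize_password "$1")
    # Nothing left after stripping means the password was digits/punctuation only.
    [ -n "$norm" ] || return 0
    grep -Fxq -- "$norm" "$2"
}

# write_sample_denylist FILE: a few constructed entries so the script can be
# tried without a real list. In practice point password_denied at the full list.
write_sample_denylist() {
    printf '%s\n' password letmein qwerty welcome monkey > "$1"
}
```

Without the normalisation step an exact-match list lets “Password1” through while rejecting “password”, which is the gap a dictionary check is meant to close.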

  • #9 / Feb 08, 2009 8:43pm

    ak4mc

    429 posts

    McGhee,

    How did you encrypt the config.php file? That’s a good idea.

    I didn’t. I just set up a different username and password just for EE to access the database, and then I divided up the other things I used to do via my root password among a lot of other different username/password combos.

    And of course, I changed my root password. That was kind of unavoidable at that point.

    Encrypting that information in the config.php file would be nice, though. Don’t know how it could be done.
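
ak4mc’s actual fix was a dedicated database account for EE instead of root. The following script is an added example, not from the thread or from EllisLab: it emits the least-privilege GRANT statements for such an account and checks a config.php for a root (or empty) database user. The `$conf['db_username']` key is assumed to be the EE 1.x config.php format; the privilege list (SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP on the one database, nothing on `*.*`, no GRANT OPTION) is an assumption about what EE and its modules need; the database, user and password values are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): dedicated, least-privilege MySQL account
# for ExpressionEngine, plus a check that config.php no longer names root.
# Key name $conf['db_username'] is assumed from EE 1.x; values are placeholders.

# ee_db_grant_sql DBNAME USER HOST PASSWORD
# Prints SQL that creates an account confined to one database. No ALL PRIVILEGES,
# no *.*, no GRANT OPTION, no FILE/SUPER: a leaked config.php then exposes one
# site's tables rather than the whole server.
ee_db_grant_sql() {
    db=$1; user=$2; host=$3; pw=$4
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '%s';\n" "$user" "$host" "$pw"
    printf "GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, INDEX, DROP ON \`%s\`.* TO '%s'@'%s';\n" \
        "$db" "$user" "$host"
    printf "FLUSH PRIVILEGES;\n"
}

# config_db_user CONFIG_PHP -> prints the value assigned to $conf['db_username']
# (single or double quotes), first occurrence only.
config_db_user() {
    grep -E "^[[:space:]]*\\\$conf\[['\"]db_username['\"]\]" "$1" \
        | sed -E "s/^[^=]*=[[:space:]]*['\"]([^'\"]*)['\"].*/\1/" \
        | head -n 1
}

# check_db_user CONFIG_PHP -> exit 0 if a dedicated account is configured,
# exit 1 if the file still uses root or names no user at all.
check_db_user() {
    u=$(config_db_user "$1")
    case "$u" in
        ''|root) return 1 ;;
        *)       return 0 ;;
    esac
}
```

Feed the emitted SQL to a MySQL client as an administrative user, then put the new credentials into config.php and run `check_db_user` against it. The password is taken as an argument here only to keep the example self-contained; on a real host type it into the client rather than on a command line, where it would land in shell history.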

  • #10 / Feb 08, 2009 8:53pm

    Fábio Marchi

    103 posts

    Easily. Encrypt your config.php with an encoder/obfuscating program, like Zend. If you don’t have a program license to do it, some companies will do it for you for a reasonable price.

    Zend in its version 5 is very hard to decode (I hear some rumors about complete Zend 4 decoding by Chinese groups), and it is completely transparent on most Linux/Unix servers, since they have the Zend engine installed by default.

  • #11 / Feb 08, 2009 9:04pm

    Jason McCallister

    255 posts

    Is this what you are talking about: http://www.zend.com/en/products/guard/

    I’m def not familiar with how that works, any insight would be welcome!

  • #12 / Feb 08, 2009 9:24pm

    Fábio Marchi

    103 posts

    Yes, it’s this:

    It’s simple: the Zend Engine, installed for free on your server, works like a decoder.
    So, you encode your PHP scripts with the encoder and all the source code will look like this:

    2003120701129019534xů ź2­ZÍoIŻ‹őÇ®dn@j—ŘÓU]Ő¬´±o“‰â BŤgÚvg{zf»ŰqĽ Nüąä¸ŇžqB‚´˙Ăžö„rDB‘8ě ¸đŞşş«Ş§§=+áddČ(-¶ź€6T}âÓž]€?÷8÷w­ŃÇźbďiśŽ§Wů6&ŚŘ5ŻzĆĂţ˝ţńq˙©m=|ďÁážý¸·˙äD&qú•EÉžť×I”_DQa[|ÝRĐ(ĎmYƒîđ=A·Ăżćó{ŐňN§ăkxçĺ!jŤ˘$™ ÇcđŔ=۱Ĺç|6UźO§€‹řŞËótρ®QĆą®sP„·uŚăřą5J†yľg—“đŤ}gŔŢʳўO†çQ.4‰˛ČBśeÁkćݐ–ĐĘąöJ¶äţ0=Ígď*ŕ5W2K¶ƒb,4[_?ąÎ‹hb    ¤-Ü+§çŁi2…U~˙đ˙g·-Dp•V»ŠÇĹĹžŤçó&3LJt;–<Ŕ\»cuw‘pbĚ”Tëő±By†wf35¶>,q    Ö%˛H_šA¶őś)ŕ%†˜ĽÓ@‚Dz»§„ĂľRWyz«B)ň±i6(|P9QԈ-¤†vgMhB­w6Ę,tŇĐhÇúƒUŹ» ż<'/Čôź® ‰ö…;óŃä•ĹP.‰Žú'ţnňRť=A»uő€µS¸|ş@v‰·řÁĐ4…·„)Ľ.Sx]¦đşLáÍ›ÂŐ§v˜Â[Ćţś)0::°’ř4fצüf čĽÂ    żË ~—ü.+řóV X›ÚamµZ˘Ś—Vś$@ß2ű)[Úü@ťRU;D «vA˛•ł‡nŔB$%lŕ˛ĐĹ<„‚ˆˇĎÖ*"ąťa­´ĎmÚ˘Ź‹29=@Żis6„TÚ„čĂÚÜ„ś(tĐ?Ś”_áÔ…ŽeYâ|·¨„ŻN[*نőÍ+Łęú'@Pśh'‡’yĹVĚehXߏIŹŞ;÷0ř—VĆŘGvărGNřk“Ő¸ý˘•_~SĹóąęS0ôĐo›Ňękü}»QŞNÂ=Í4˘N!Ľ+ź6Ă»”qÄřŃĄŘÄ>Ă®Źěň‹ëŇ?ßŢĆľOő-¦Qžo'đýŔu|Q¸ÁŠÄ7ń©+zZ“ĽüĆ'Ą´ŚÁ*Łó2`šŠË ţ‚•\›%oZáĐIP×–Qm˛ęĹy 83 .ĺQłź/{•Şs%Č.Űž_Đţ§j/­TG/G×çËyĄ    ÁŞÓ&ˆ>]Zé7Ë)ý·Ögę§•ČWÝjOZl톁ŁŮÚEo–TŰ…Ëj»Č] ö4­DŇ.µ]ôÇ6aء:Ń­ĄŐ~˝śÚwYűa%ňe#ľDŰWiôIk@;µ¬ň%|Ňč|ÓcŐ–O›©RPްŽs«˛&EW;Ću//™†Ié§5‡Ő§ą9lŁ_™,š˝ ńŃÓ5Ľŕ¶4-’˛¨ä 8°ŠŤT@€µîµ§Ĺž—31öŮ4W†šż™Đw« cu~%˜T+qębb|ĘëŐň¦•ˆrI%K㈢ťťŢhz5Oâ´—ÇETÖ»đÝd2MsŢš(Ąřč_őęI˝zF    ö”*aš[•˘úÂĂşřTuĄvăb¬9ägö–°ŁKÚŞ}/ň]ˆŃ­†ďňŰ‘Š    żju\*˙a1<ć‘^˙[ăi”§?*¬RÝŠÇúŤÎ[p´ŘaTˇž«™Öeʱˆşi3-ßš3­vcĄ›h?›3m¨KŠ—0-ăT‹M˸ǵ˜Ö#í¦xH§…Ué{Űš%§Ů˙A˙ $)¦–çyűŻn¶ş×0úí› „„u4·qĐ+}bnŔŐ„r„¸ŚĚeÎBdá‡#QcxâeÔ Z(ažNŮ€\/pŮ×D˜đqYB]â    Âőć„î    0Üž ¶RgĘj˙e«S”ďbîÍ™Âő»2…«ăU¨í­¤€d¦"iĐîj    ˆŢÜ` iFaë °ľ0çşąXúVƒŁ~ŰÜ`ôĘěŞ;F1ژ!uţłYt^bôÝ–É*}pKIAőáÇ7{%Z?Ţc`8mÇŻËcN˛,Éőmë§ŹŹ¬ürĆŻ +¨ěiU"ţyŁcQ·†ÜÇ‚Ńő›đƒz]¸Ł+ťĐˆűĘ&¸°ă`Ď÷˝:˝ó,‡ńP^ŕľžňqÖ¬LxŃlľĚľn•:°F—Ŕćvb    ·c‰‹Kiǘ3ž0Ú…'0zcĺÉ:+O¶DĺéËvPÎŹąĺĚj‡˝r‡Ý0â©ŕóćjOŚ6Ś=ŠŰ]}/RŇ|ŃÜFb°0!N=Ŕ˘zs‚ě­Ĺ%«Gn6ÎŇ5D€ţ{Ó-đV1×&Ů딌Ĺdu÷Ł®ÔłLľ”%8Ű$>I¸Őˆç{dgO>©µVDCť1üŞn/[˘Dŕ»íWĎŇ    ”kâŮ#e&ţôÔ˙•Âő¬

    Interesting, no?
    So, the Zend engine on your server reads this code (sometimes faster than normal PHP code, because it is not only encoded but also optimized to load faster)
    and your code is protected; in this case your site is protected, because your config.php data can’t be read by human eyes anymore…

    Today the most secure obfuscator on the market is the ionCube engine, but Zend is certified by PHP and is one of the donors to the PHP project, which results in more “stability”...

    Just don’t forget that merely renaming the “system” folder and encoding key files on your site won’t lock hackers out of your site.

    Be careful with other scripts and your folder permission rules.

    An interesting point is: if you are on a VPS system, the chances of you being hacked are 99,9%...

  • #13 / Feb 08, 2009 10:53pm

    ms

    274 posts

    An interesting point is: if you are on a VPS system, the chances of you being hacked are 99,9%...

    Source? Seems a bit unbelievable ... only a bit. 😉

    Honestly, I don’t see big value in encrypting config.php: if someone can read config.php and the stored information, you’re already in big trouble. Encryption will not help at all when someone has server/file access. It all depends on the hacking scenario you are preparing against: it’s much easier to mess with the index.php if I have file access - an iframe would be sufficient. No need to access the database at all. Or I’d insert some code in one of the system files ... they already grant me database access ... again no need for fiddling with the encryption. If a hacker gets access to your files and can modify them, you are screwed!

    And if the attack comes through a web script and SQL injection, encryption doesn’t help either ... the insecure script already has the database config, regardless of whether it is stored encrypted or not.

    And often you will have much less secure scripts than EE floating around that have database access ... you’d end up needing to encrypt all config data for each and every script and tool. And of course update everything in time. But most users don’t even know about all the wordpresses, phpmyadmins, webmail programs, web stats utilities and so on that are installed on their servers. Oh, and check your file system: some friendly helpers like Plesk and co. in some versions store passwords and access info in plain text or make it easy to retrieve (and change) them. Providers sometimes store initial passwords in log files if you re-initialize the server. And so on.

    EE has a very good security record and I’m not worried about an unencrypted config.php here. Encryption brings even more trouble when trying to move an installation or else. But security is done by constant administration, monitoring, updating and knowledge, not by obfuscation. And of course: Have a recent backup handy just in case: You’ll never be safe (think openssl, php, ...).

    Just my $.05

    Markus

  • #14 / Feb 09, 2009 6:19am

    Fábio Marchi

    103 posts

    It will be nice to see some security tips here for cPanel: http://blog.cpanel.net/?p=60
    Now, if you are in a Plesk VPS, cross your fingers and pray a lot…

  • #15 / Feb 09, 2009 1:18pm

    Derek Allard

    3168 posts

    I think the single most important thing is the choice of host. Having a car with a state of the art alarm system, bullet proof and unopenable windows, and unpickable locks means nothing if you hand your keys to the valet who hires an irresponsible teen with a criminal record and pays him minimum wage to “watch” your car.
