Securing your Movable Type installation

  1. Securing your Movable Type
  2. ✓✓✓✓ How many have you done?
  3. Securing your admin screen: the public site versus the admin CGI
  4. Separate directories for CGI and contents:
       http://example.com/cgi-bin/*.cgi   Execute all files
       /mt-static/ and /*.html            Prohibit CGI
  5. Restrict access: conceal the CGI inside the DMZ, or restrict access to /cgi-bin/* by IP address.
     More info: http://httpd.apache.org/docs/2.2/en/mod/mod_authz_host.html
  6. Rename the mt.cgi script: this prevents bot access and random guessing.
       https://example.com/cgi-bin/mt/mt.cgi  ->  AdminScript XXXX.cgi
     Specify it as a configuration directive in mt-config.cgi.
  7. Protect mt.cgi with basic authentication: allow access to mt-comments.cgi or mt-cp.cgi, but deny access to /cgi-bin/mt.cgi.
  8. In httpd.conf (or .htaccess):
       <Directory "/home/example/www">
           etc....
           AuthType Basic
           AuthName "Restricted Files"
           AuthUserFile /path/to/.htpasswd
           <Files mt.cgi>
               Require valid-user
           </Files>
       </Directory>
     http://httpd.apache.org/docs/2.2/en/howto/auth.html
  9. You must use a different ID/password for the basic authentication from your MT account. SSL is mandatory; otherwise the ID/password can be captured during the network transaction.
  10. Use SSL for the admin access: encrypt the transaction between your browser and MT.
  11. Required configuration in mt-config.cgi: use a relative path, StaticWebPath /mt-static, so as not to mix http and https connections when fetching images and CSS in the admin screen.
  12. Configure the URLs for the admin and non-admin CGI:
        AdminCGIPath   Path for the admin CGI (SSL)   https://example.com/cgi-bin/mt/
        CGIPath        Path for the non-admin CGI     http://example.com/cgi-bin/mt/
      But this is NOT enough to prohibit non-SSL access to the admin script.
  13. 1. Show Forbidden for non-SSL access. In httpd.conf (or .htaccess):
        <Directory "/home/example/www">
            etc....
            AuthType Basic
            AuthName "Restricted Files"
            AuthUserFile /path/to/passwords
            <Files mt.cgi>
                Require valid-user
                SSLRequireSSL
            </Files>
        </Directory>
  14. 2. Redirect http access to https. In httpd.conf (or .htaccess):
        <Directory "/home/example/www">
            etc....
            RewriteEngine On
            RewriteCond %{SERVER_PORT} ^80$
            RewriteRule ^(cgi-bin/mt.cgi)$ https://%{SERVER_NAME}/$1 [R,L]
        </Directory>
      (The RewriteRule goes on one line.)
  15. An SSL cert is not expensive today: e.g. RapidSSL (GeoTrust, Inc.) or Go Daddy SSL are $20 - 40 a year.
  16. Restrict file uploads: AssetFileExtensions and DeniedAssetFileExtensions, introduced in MT 4.291 / 4.361 / 5.051 / 5.11.
  17. AssetFileExtensions "gif,jpe?g,png,bmp,tiff?,mp3,ogg,aiff,wav,wma,aac,flac,m4a,mov,avi,3gp,asf,mp4,qt,wmv,asx,mpg,flv,mkv,ogm"
      Specifies the file extensions to permit.
  18. DeniedAssetFileExtensions "ascx,asis,asp,aspx,bat,cfc,cfm,cgi,cmd,com,cpl,dll,exe,htaccess,htm,html,inc,jhtml,js,jsb,jsp,mht,mhtml,msi,php,php2,php3,php4,php5,phps,phtm,phtml,pif,pl,pwml,py,reg,scr,sh,shtm,shtml,vbs,vxd"
      Specifies the file extensions to prohibit.
  19. ✓✓✓✓ How many have you done?
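As an added example (not from the slides and not Movable Type's own code), the following Python models the upload filter that slides 16-18 describe. It assumes each comma-separated entry is a case-insensitive regular expression matched against the whole final extension (which is how "jpe?g" and "tiff?" read on the slides) and that the deny list is consulted before the allow list; both are assumptions about MT's behaviour.

```python
import re

# Directive values exactly as listed on slides 17 and 18.
ASSET_FILE_EXTENSIONS = ("gif,jpe?g,png,bmp,tiff?,mp3,ogg,aiff,wav,wma,aac,"
                         "flac,m4a,mov,avi,3gp,asf,mp4,qt,wmv,asx,mpg,flv,mkv,ogm")
DENIED_ASSET_FILE_EXTENSIONS = ("ascx,asis,asp,aspx,bat,cfc,cfm,cgi,cmd,com,cpl,dll,exe,"
                                "htaccess,htm,html,inc,jhtml,js,jsb,jsp,mht,mhtml,msi,php,"
                                "php2,php3,php4,php5,phps,phtm,phtml,pif,pl,pwml,py,reg,"
                                "scr,sh,shtm,shtml,vbs,vxd")


def compile_list(value):
    """Turn a comma-separated directive value into anchored, case-insensitive regexes.
    Assumption: each entry is a regex fragment that must match the whole extension."""
    return [re.compile(r"\A(?:%s)\Z" % item.strip(), re.IGNORECASE)
            for item in value.split(",") if item.strip()]


ALLOWED = compile_list(ASSET_FILE_EXTENSIONS)
DENIED = compile_list(DENIED_ASSET_FILE_EXTENSIONS)


def extension_of(filename):
    """Final dot-separated component of the base name, or '' when there is none.
    A leading-dot name such as '.htaccess' yields 'htaccess'."""
    name = filename.rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return name.rsplit(".", 1)[-1]


def upload_decision(filename):
    """Return (accepted, reason). The deny list wins; otherwise the allow list must match."""
    ext = extension_of(filename)
    if not ext:
        return (False, "no extension")
    if any(p.match(ext) for p in DENIED):
        return (False, "extension '%s' is in DeniedAssetFileExtensions" % ext)
    if not any(p.match(ext) for p in ALLOWED):
        return (False, "extension '%s' is not in AssetFileExtensions" % ext)
    return (True, "extension '%s' permitted" % ext)


if __name__ == "__main__":
    # Constructed sample file names, not real uploads.
    for name in ("photo.JPEG", "clip.tiff", "shell.PHP", ".htaccess", "README", "archive.tar.gz"):
        print(name, upload_decision(name))
```

Only the final extension is examined, so the "prohibit CGI in content directories" rule from slide 4 remains necessary alongside this filter.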
