six-apart-kk
Securing your MT in a day
✓ Upgrade to the latest version
✓ Secure your admin screen
✓ Use SSL
✓ Restrict file uploads

How many have you done?
Separate directories for CGI and contents

http://example.com
    /cgi-bin/*          execute all files as CGI (only here)
    /mt-static/         prohibit CGI execution
    /*.html             prohibit CGI execution

Published pages and static assets must never live in a directory where the server executes scripts.
Restrict access

Conceal the CGI directory inside the DMZ, or restrict access to it by IP address.
(More info: http://httpd.apache.org/docs/2.2/en/mod/mod_authz_host.html)
Rename the mt.cgi script

Default: https://example.com/cgi-bin/mt/mt.cgi
Renaming the admin script prevents bot access and random guessing of the admin URL.

Specify the new name with the AdminScript configuration directive in mt-config.cgi (and rename the file itself to match):

    AdminScript XXXX.cgi
Protect mt.cgi with basic authentication

Allow anonymous access to mt-comments.cgi or mt-cp.cgi, but require authentication for mt.cgi.
(http://httpd.apache.org/docs/2.2/en/howto/auth.html)

In .htaccess, or inside <Directory "/home/example/www"> ... </Directory> in httpd.conf, etc.:

    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /path/to/.htpasswd
    <Files mt.cgi>
        Require valid-user
    </Files>

If you renamed the admin script with AdminScript, the name in <Files> must match the new name.

You must use a different ID / password for basic authentication than for your MT account.
SSL is mandatory; otherwise the ID / password can be captured in transit.
Configure StaticWebPath in mt-config.cgi

    StaticWebPath /mt-static

Use a relative path so that images and CSS in the admin screen are loaded with the same scheme as the page itself, not a mix of http and https.
Configure URLs for the admin and non-admin CGI in mt-config.cgi

    AdminCGIPath https://example.com/cgi-bin/mt/    (path for the admin CGI, SSL)
    CGIPath http://example.com/cgi-bin/mt/          (path for the non-admin CGI)

But this is NOT enough to prohibit non-SSL access to the admin script: it only changes the links MT generates, and mt.cgi is still reachable over plain http.
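A small audit of mt-config.cgi for the directives covered on the preceding slides (AdminScript, StaticWebPath, AdminCGIPath / CGIPath). This is an added example, not Movable Type's own code; the two sample configs are constructed, and the parser assumes only the one-directive-per-line format of mt-config.cgi with lines beginning "#" treated as comments.

```python
"""Audit mt-config.cgi for the admin-hardening directives discussed above.

Added example, not Movable Type's own code. Assumes the plain
'Directive value' line format of mt-config.cgi, with lines starting
with '#' treated as comments. The sample configs below are constructed.
"""
from urllib.parse import urlsplit

# Constructed sample: a typical un-hardened mt-config.cgi (not a real site).
WEAK_CONFIG = """\
# Movable Type configuration (constructed example)
CGIPath        http://example.com/cgi-bin/mt/
StaticWebPath  http://example.com/mt-static
Database       mt
DBUser         mt
"""

# Constructed sample: the same file after applying the slides' advice.
HARDENED_CONFIG = """\
CGIPath        http://example.com/cgi-bin/mt/
AdminCGIPath   https://example.com/cgi-bin/mt/
AdminScript    XXXX.cgi
StaticWebPath  /mt-static
Database       mt
DBUser         mt
"""


def parse_mt_config(text):
    """Return {directive (lower-cased): value} from mt-config.cgi text."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def audit_mt_config(text):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_mt_config(text)
    findings = []

    # Slide 'Rename mt.cgi': AdminScript defaults to mt.cgi when unset.
    admin_script = cfg.get("adminscript", "mt.cgi")
    if admin_script.lower() == "mt.cgi":
        findings.append("AdminScript: admin script still has the default name mt.cgi")

    # Slide 'AdminCGIPath / CGIPath': the admin screen must be served over https.
    if "cgipath" not in cfg:
        findings.append("CGIPath: not set")
    admin_cgi = cfg.get("admincgipath")
    if admin_cgi is None:
        findings.append("AdminCGIPath: not set; admin screen falls back to CGIPath (%s)"
                        % cfg.get("cgipath", "unset"))
    elif urlsplit(admin_cgi).scheme != "https":
        findings.append("AdminCGIPath: not https (%s)" % admin_cgi)

    # Slide 'StaticWebPath': a relative path avoids mixed http/https content.
    static = cfg.get("staticwebpath")
    if static is None:
        findings.append("StaticWebPath: not set")
    elif static.startswith("//") or urlsplit(static).scheme:
        findings.append("StaticWebPath: absolute URL (%s); use a relative path such as /mt-static"
                        % static)
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_mt_config(text)
        print("%s config: %s" % (label, "OK" if not result else "%d finding(s)" % len(result)))
        for finding in result:
            print("  -", finding)
```

Run it against a real mt-config.cgi by reading the file and passing its text to audit_mt_config(); the checks mirror the slides one for one, so an empty result means the config side of the checklist is done (the Apache side still has to be verified separately).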
1. Show Forbidden for non-SSL access

In .htaccess, or inside <Directory "/home/example/www"> ... </Directory> in httpd.conf, etc.:

    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /path/to/passwords
    <Files mt.cgi>
        Require valid-user
        SSLRequireSSL
    </Files>

SSLRequireSSL (provided by mod_ssl) makes Apache refuse any request for mt.cgi that did not arrive over SSL with 403 Forbidden, so the basic-auth credentials are never sent over plain http.
2. Redirect http access to https

In .htaccess, or inside <Directory "/home/example/www"> ... </Directory> in httpd.conf, etc. (the RewriteRule is one line):

    RewriteEngine On
    RewriteCond %{SERVER_PORT} ^80$
    RewriteRule ^(cgi-bin/mt\.cgi)$ https://%{SERVER_NAME}/$1 [R,L]

The redirect is a convenience, not a control: a client that already attached cookies or credentials to the plain-http request has exposed them before the redirect arrives, so combine this with option 1 rather than relying on it alone.
Restrict file uploads

AssetFileExtensions / DeniedAssetFileExtensions
Introduced in MT 4.291 / 4.361 / 5.051 / 5.11

AssetFileExtensions: specify the file extensions to permit
    "gif,jpe?g,png,bmp,tiff?,mp3,ogg,aiff,wav,wma, aac, flac,m4a,mov, avi,3gp,asf,mp4,qt,wmv, asx,mpg,flv,mkv,ogm"

DeniedAssetFileExtensions: specify the file extensions to prohibit
    "ascx,asis,asp,aspx,bat,cfc,cfm,cgi,cmd,com,cpl,dll,exe,htaccess,htm,html,inc,jhtml,js,jsb,jsp,mht,mhtml,msi,php,php2,php3,php4,php5,phps,phtm,phtml,pif,pl,pwml,py,reg,scr,sh,shtm,shtml,vbs,vxd"

The entries are regular expressions (jpe?g covers jpg and jpeg, tiff? covers tif and tiff). Prefer the permit list: a deny list only blocks the script types you thought of.
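A checker that applies the two extension lists above the way an upload filter has to, as an added example rather than Movable Type's own code. It assumes each comma-separated entry is a case-insensitive regular expression that must match the whole extension (which is what the entries jpe?g and tiff? imply) and that the deny list is consulted before the permit list; it also goes one step beyond the slide with a strict mode that inspects every extension of a multi-dotted name such as shell.php.jpg, which is added hardening and not an MT feature.

```python
"""Upload-extension policy checker modelled on AssetFileExtensions /
DeniedAssetFileExtensions.

Added example, not Movable Type's own code. Assumptions: each entry is a
case-insensitive regex anchored against the whole extension; the deny list
is applied before the permit list. strict=True (checking every dotted
suffix) is extra hardening added here, not an MT feature.
"""
import re

# Values copied from the slide above; whitespace around commas is tolerated.
ASSET_FILE_EXTENSIONS = ("gif,jpe?g,png,bmp,tiff?,mp3,ogg,aiff,wav,wma, aac, flac,"
                         "m4a,mov, avi,3gp,asf,mp4,qt,wmv, asx,mpg,flv,mkv,ogm")
DENIED_ASSET_FILE_EXTENSIONS = (
    "ascx,asis,asp,aspx,bat,cfc,cfm,cgi,cmd,com,cpl,dll,exe,htaccess,htm,html,"
    "inc,jhtml,js,jsb,jsp,mht,mhtml,msi,php,php2,php3,php4,php5,phps,phtm,"
    "phtml,pif,pl,pwml,py,reg,scr,sh,shtm,shtml,vbs,vxd")


def compile_extension_list(value):
    """Turn 'gif,jpe?g,...' into one anchored, case-insensitive regex."""
    entries = [e.strip() for e in value.split(",") if e.strip()]
    return re.compile(r"^(?:%s)$" % "|".join(entries), re.IGNORECASE)


def extensions_of(filename):
    """All dotted suffixes of a name: 'a.php.jpg' -> ['php', 'jpg'].

    A leading dot is not a stem/extension separator, so '.htaccess'
    -> ['htaccess']; a name without a dot yields [].
    """
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base.startswith("."):
        return [p for p in base[1:].split(".") if p]
    return [p for p in base.split(".")[1:] if p]


def is_upload_allowed(filename, allowed=ASSET_FILE_EXTENSIONS,
                      denied=DENIED_ASSET_FILE_EXTENSIONS, strict=False):
    """Return (allowed, reason) for an upload name.

    Deny list first, then permit list, on the last extension. With
    strict=True every extension of a multi-dotted name is tested against
    the deny list, because a web server may act on any of them.
    """
    exts = extensions_of(filename)
    if not exts:
        return False, "no file extension"
    last = exts[-1]
    deny_re = compile_extension_list(denied) if denied else None
    allow_re = compile_extension_list(allowed) if allowed else None

    for ext in (exts if strict else [last]):
        if deny_re and deny_re.match(ext):
            return False, "extension '%s' is denied" % ext
    if allow_re and not allow_re.match(last):
        return False, "extension '%s' is not in the permitted list" % last
    return True, "extension '%s' permitted" % last


if __name__ == "__main__":
    # Constructed upload names exercising the edge cases.
    for name in ("photo.jpeg", "scan.tif", "shell.php", ".htaccess",
                 "README", "upload.php.jpg"):
        print("%-16s default: %-5s strict: %s" % (
            name, is_upload_allowed(name)[0], is_upload_allowed(name, strict=True)[0]))
```

Note what the default (last-extension) check lets through: upload.php.jpg passes because jpg is permitted. Apache's mod_mime considers every extension of a filename, so if published content sits in a directory that can execute scripts, such a file may still run; the strict mode closes that on the upload side, and the earlier slide on prohibiting CGI execution under content directories closes it on the server side.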