By W.M. on
I have posted this question before. Some have said that it makes no difference to restrict IP addresses' access to Admin folder by a htaccess file. Is this true? Is it possible to rename the Admin folder to some really hard to guess name?! Is it possible to disallow access to Admin folder by query?! Is it possible to restrict logging into administration area to SSL connections only?!
How to make my site safe?! The only thing that I have done so far is to have real long password.
Comments
None of that will make much difference
The main things that matter:
* Keep up to date with all Drupal patches
* Don't add any custom code to your site without checking it over (yes this includes modules and themes)
* Don't use shared hosting
* Making sure the server you are running on is kept secure
Protecting logins (or the whole site) with SSL will add some protection from people intercepting the traffic or some types of DNS fiddling, but I get the impression that SSL can sometimes add some headaches. You'll need to try it out.
If you can't get SSL working how you want, one option to protect your own password might be to use OpenID, and only use providers that use SSL or two factor auth etc.
Note that password sniffing attacks are very rare compared to just exploiting vulnerable servers - and if you have vulnerable software on your server none of the minor restrictions you ask about will be any help.
Why shared hosting no good
Why shared hosting no good idea?!
shared hosting
involves a lot of security compromises.
You (ok the host) can use suexec to prevent other users (or the crackers that have compromised the other sites) on the server being able to read your files, but that involves allowing your own site write access to its files. You'd better keep your own site secure.
The alternative is having the web server run with the same account for everyone on the web server. This allows you to protect your code from being written by the web server, but you then have to trust that other users (or the crackers on their sites) won't read your your code and get DB passwords etc. If someone can log into your DB, then it makes no difference what IP restrictions etc you have on your admin urls.
The suexec is probably the preferred approach for shared hosting, but you need to be extra vigilant about keeping your own site up to date. You generally trust yourself more than the other users.
You can't get any real security on a shared host, and it makes all the things you asked about the equivalent of rearranging the deck chairs on the Titanic (ie futile). On a virtual or dedicated server, there are no other users on the server to worry about and the non suexec approach is probably the better one. But you still need to be vigilant in making/keeping the server itself secure.
shared hosting?
Ok, we know that shared hosting is full of compromises and potential mistakes that can be leveraged into security vulnerabilities. But those mistakes are even more likely to be made by someone without extensive experience on the server-side. For those like me whose experience doesn't extend to the server, it is better to put up as many barriers possible and let the staff at the shared hosting site take care of the rest.
All security is a compromise and errors can be made anytime a human is involved or a robot created by a human. The concern isn't to try and eliminate the existence of compromises but to minimize them. You may be very capable of rolling your own server solution without exposing the site to even more flaws, but most of us are not.
Saying that you need to control your own hosting site because of potential errors in a shared site is like saying we must create our own crypto schemes because Debian/Ubuntu had weak keys for years.
Yeah
Shared hosting is "good enough" for a lot of people - especially if a managed server is massive overkill for their site.
My (possibly badly worded) point wasn't that everyone needs dedicated hosting - just that freaking out over the kinds of things in the original question is pointless if far bigger and more common risks haven't been addressed. Someone who was legitimately paranoid enough to worry about those minor risks would freak out at shared hosting, but most people don't (and don't need to) care.
It's all a matter of putting each risk in perspective.
the right perspective
After that (April) fools worm, freaking-out doesn't seem very odd anymore. It almost makes you nostalgic about the days when nobody cared about security.
I use a risk-to-benefit analysis to keep my head straight-- looking at each piece of protection and decide if it will potentially hurt me more than it will potentially benefit me.
security steps
I would start with:
When designing a site:
When programming a module or a theme:
...
There's also http://drupal.org/security, http://drupal.org/security/secure-configuration, and http://drupal.org/writing-secure-code
good pages
I wish more people paid attention to those pages, especially the ones about file permissions and input filtering. But I'm afraid people will use it to justify only doing the 3rd (hiding info) hence, "security through obscurity". STO is dangerous in the wrong places.
Delete CHANGELOG.txt
Delete the CHANGELOG.txt, so people can't figure out what version of Drupal you're running so easily..
-Myke