

Is my site safe??

posts: 63 United Kingdom

Now I know I'm probably just being foolish for asking this, but:

I knocked up a bit of easy-peasy IP tracking software and ran it on my site to get better info about what people are up to, and to give me ammunition for the banning system should it be needed.

Now I notice in my IP logs that someone (based in Portland, Oregon in the USA) has hit on the following pages without logging in:

tiki-webmail.php
tiki-admin.php?page=fgal

Now I'm guessing that this is someone who knows a bit about Tiki and is just "trying their luck", and I'm fairly sure they haven't succeeded in anything they appear to have attempted. My IP tracker doesn't log the error page because the URL is normally unchanged, unless it is a serious error, as you know.

But I was kinda hoping someone would say:
"no no, they will definitely not have gotten through tiki's incredible security"

If there is anyone who can say something along these lines convincingly, I would appreciate it.

posts: 2881 United Kingdom

Hiya

Firstly, do you have a robots.txt to control the search engines? If not, get one!

Try googling for your site too, and check the content Google has for you.

Apart from that, like everyone else, Tiki permissions will keep you safe.

If you're not on CVS then go to http://mods.tikiwiki.org, click Guides and read the "secure your tiki" one. It talks about removing things that could be used against you. Well, they could always download Tiki for themselves, but you're removing all the information from under their nose.

You might also want to use an Apache DirectoryMatch to prevent people from browsing db/, templates/, templates_c/ etc.

For example, try:
http://yourdomain.com/templates/tiki-top_bar.tpl
or
http://yourdomain.com/templates/styles/yourthemename/tiki.tpl

yourthemename can be obtained from the CSS path.

All your hard work creating your site's templates is there for the grabbing!

Damian
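The DirectoryMatch suggestion above, written out as an added httpd.conf fragment (not from the thread or the Tiki project). It assumes Apache 2.4 syntax and a placeholder install path of /var/www/tiki as the DocumentRoot; adjust both to your server.

```apache
# Added example, not part of the original post. Assumes Apache 2.4 and that
# Tiki lives at /var/www/tiki (placeholder path), served as the DocumentRoot.

# Weak starting point: with Indexes enabled and no access rules, a visitor
# can list /templates_c/ or fetch /templates/tiki-top_bar.tpl directly.
# The directives below turn that into explicit 403 responses.

<Directory "/var/www/tiki">
    # Turn off automatic directory listings for the whole Tiki tree.
    Options -Indexes
    Require all granted
</Directory>

# Deny any HTTP request that resolves into db/, templates/ or templates_c/.
# The regex is anchored to the install path and ends with "/", the form the
# Apache docs use, so sub-directories such as templates/styles/ are covered
# and a similarly named directory elsewhere on disk is not affected.
<DirectoryMatch "^/var/www/tiki/(db|templates|templates_c)/">
    Require all denied
</DirectoryMatch>

# Belt and braces: refuse to serve Smarty template sources no matter where
# they sit, since Tiki includes them server-side and never needs to send them.
<FilesMatch "\.tpl$">
    Require all denied
</FilesMatch>
```

After a config test (`apachectl configtest`) and a reload, a request for http://yourdomain.com/templates/tiki-top_bar.tpl should return 403 rather than the template source, while normal tiki-*.php pages keep working.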


posts: 63 United Kingdom

fanks
I've checked my robots.txt, corrected the errors in the PHP redirection scripts in all the sub-directories of Tiki, and disallowed the folder listings of directories through .htaccess.

I'm also entertaining the idea of banning the IP addresses that are "probing" Tiki from the domain, just for peace of mind. Then again, the word "dynamic" is floating around my head.

The rest is up to Tiki.