Protector ver. 3.04a
Release Date: 12 July 2007
Release Status: Final (3.17 Beta)
Author: GIJOE
Home Page: PEAK XOOPS - Support & Experiment
Support: Protector Forums
Download: Protector v3.04a (Protector v3.17 beta)
(unless otherwise specified, all modules released for use with ImpressCMS are released under the GNU General Public License (GPL). For more information about the GPL visit: http://www.gnu.org/copyleft/gpl.html)
This document is distributed under a Creative Commons Attribution - Share Alike - Non Commercial 3.0 License. For a human-readable summary of the full licensing terms visit the following web page: http://creativecommons.org/licenses/by-nc-sa/3.0/
Protector is a very useful module that can help improve the security of your ImpressCMS site, and is widely regarded as a 'must have' module for all ImpressCMS websites. Protector is capable of defending against:
Protector logs the attacking IPs and offers a range of countermeasures, including IP bans, blank screens and automatic sanitisation of attempted injections. Protector also evaluates your site for certain vulnerabilities, warns about them on a 'security advisory' page, and provides instructions on how to fix them.
Installation of the module does not follow the standard procedure, as a few files must be modified. Additional modifications are necessary to fully implement the security improvements recommended by the module. These are covered in the Security Advisory section below, but for the moment, let's just get it installed.
Starting with ImpressCMS version 1.1 it is recommended to install the protector module without hacking mainfile.php.
1 Unzip the compressed archive and you will find two directories inside:
  /XOOPS_TRUST_PATH
  /HTML
2 Upload the contents of HTML into the root folder of your website. Basically you want the folder HTML/modules/protector to end up in your_site_root/modules/protector.
3 Create a new folder outside of your website root to serve as your 'trust path'. You can call the folder anything you like, but I'll use 'my_trust_path' in this example. If your website root is called public_html, the directory structure would probably look something like this:
  /home
    /my_account
      /public_html [this is the website root, your site is in here]
      /my_trust_path [lies outside the website root]
4 Upload the contents of the XOOPS_TRUST_PATH folder into my_trust_path (or whatever you have called it).
5 Change the permissions of my_trust_path/modules/protector/configs to make it writable (777, but on some servers you may be able to write with a more restrictive setting).
6 Copy protector.php to the preload folder. You can find a file named protector.php in the folder Extra's => preload included with the ImpressCMS 1.1 download files. Copy the protector.php from that preload folder to the preload folder in your ImpressCMS root.
7 Go to administration => system => modules and install the module. If you need detailed instructions on installing modules, refer to Adding Modules.
8 The protector module is now installed.
Installation by modifying mainfile.php:
1 Unzip the compressed archive and you will find two directories inside:
  /XOOPS_TRUST_PATH
  /HTML
2 Upload the contents of HTML into the root folder of your website. Basically you want the folder HTML/modules/protector to end up in your_site_root/modules/protector.
3 Create a new folder outside of your website root to serve as your 'trust path'. You can call the folder anything you like, but I'll use 'my_trust_path' in this example. If your website root is called public_html, the directory structure would probably look something like this:
  /home
    /my_account
      /public_html [this is the website root, your site is in here]
      /my_trust_path [lies outside the website root]
4 Upload the contents of the XOOPS_TRUST_PATH folder into my_trust_path (or whatever you have called it).
5 Change the permissions of my_trust_path/modules/protector/configs to make it writable (777, but on some servers you may be able to write with a more restrictive setting).
6 Edit mainfile.php, which is in your website root folder. You need to define ICMS_TRUST_PATH as a new constant here by adding a new line. The value should be the physical path to the trust path folder, e.g.:
  define('ICMS_TRUST_PATH', '/home/my_user_account/my_trust_path');
Add the line near the other constant definitions near the top of the file (for example, under ICMS_ROOT_PATH). If you don't know what the physical path to your trust path folder is, you can see the directory structure in the definition for the ICMS_ROOT_PATH constant.
7 Go to administration => system => modules and install the module. If you need detailed instructions on installing modules, refer to Adding Modules.
8 You need to add two more lines to mainfile.php: the precheck and postcheck include lines (the first and last lines) in the code example below. You will find the place for them close to the bottom of the file. Important: Do not do this until after you have installed the module or it will not work.
  include ICMS_TRUST_PATH.'/modules/protector/include/precheck.inc.php';
  if ( !isset( $xoopsOption['nocommon'] ) && ICMS_ROOT_PATH != '' ) {
      include ICMS_ROOT_PATH."/include/common.php";
  }
  include ICMS_TRUST_PATH.'/modules/protector/include/postcheck.inc.php';
9 Installation should now be complete. Don't forget to change the permissions on mainfile.php back to read only (444), as this file contains the password to your database account!
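One way to verify the outcome of steps 6, 8 and 9 from a shell on the server, as an added example (not part of Protector, ImpressCMS or the original page). The function names and the sample site are constructed for illustration, and the check assumes the constant is written with single quotes as in step 6.

```shell
# Added example: audit installation steps 6, 8 and 9 against mainfile.php.
# first_line FILE REGEX: line number of the first uncommented matching line.
first_line() {
    grep -n "$2" "$1" | grep -Ev '^[0-9]+:[[:space:]]*(//|#)' | head -n 1 | cut -d: -f1
}

check_protector_install() {   # $1 = site root; returns number of failed checks
    root=${1%/}; mf="$root/mainfile.php"; fails=0
    [ -f "$mf" ] || { echo "FAIL mainfile.php not found in $root"; return 1; }
    # Step 6: ICMS_TRUST_PATH must be defined and lie outside the web root.
    trust=$(sed -n "s/^[[:space:]]*define([[:space:]]*'ICMS_TRUST_PATH'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p" "$mf" | head -n 1)
    case "${trust%/}/" in
        /)         echo "FAIL ICMS_TRUST_PATH is not defined"; fails=$((fails+1)) ;;
        "$root"/*) echo "FAIL trust path $trust is inside the web root"; fails=$((fails+1)) ;;
        *)         echo "ok   trust path $trust is outside the web root" ;;
    esac
    # Step 8: precheck must be included before common.php, postcheck after it.
    pre=$(first_line "$mf" 'protector/include/precheck\.inc\.php')
    com=$(first_line "$mf" 'include/common\.php')
    post=$(first_line "$mf" 'protector/include/postcheck\.inc\.php')
    if [ -n "$pre" ] && [ -n "$com" ] && [ -n "$post" ] &&
       [ "$pre" -lt "$com" ] && [ "$com" -lt "$post" ]; then
        echo "ok   precheck ($pre), common.php ($com), postcheck ($post) in order"
    else
        echo "FAIL precheck/postcheck includes missing or out of order"; fails=$((fails+1))
    fi
    # Step 9: mainfile.php holds the database password: no write bits (444).
    case $(ls -ld "$mf" | cut -c1-10) in
        *w*) echo "FAIL mainfile.php is writable"; fails=$((fails+1)) ;;
        *)   echo "ok   mainfile.php has no write bits" ;;
    esac
    return "$fails"
}

# Constructed sample site (not a real installation) to exercise the check.
make_sample_site() {   # $1 = site root to create, $2 = trust path to record
    mkdir -p "$1"
    cat > "$1/mainfile.php" <<EOF
<?php
define('ICMS_TRUST_PATH', '$2');
include ICMS_TRUST_PATH.'/modules/protector/include/precheck.inc.php';
if ( !isset( \$xoopsOption['nocommon'] ) && ICMS_ROOT_PATH != '' ) { include ICMS_ROOT_PATH."/include/common.php"; }
include ICMS_TRUST_PATH.'/modules/protector/include/postcheck.inc.php';
EOF
    chmod 444 "$1/mainfile.php"
}
demo=$(mktemp -d); make_sample_site "$demo/public_html" "$demo/my_trust_path"
check_protector_install "$demo/public_html" || echo "$? check(s) failed"
rm -rf "$demo"
```

The trailing slash added before the comparison keeps a sibling folder such as public_html_trust from being mistaken for a folder inside public_html.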
Setting up the module
Once you have it installed, the suggested procedure for setting up this module is to:
The Protector administration menu
Protect center (default admin page)
The protect center (below) provides a convenient tool to ban the IP numbers of computers (or people!) that are causing you problems. It also provides a list of all IPs that have been banned to date, including those banned (or at least, reacted to) by the Protector module itself in response to incidents.
[Missing image]
Things that you can do here are:
- You can ban the IPs of troublemakers by entering them in the box, each on a separate line. If you leave this line blank, that means all IPs are allowed.
- Enter allowed IPs for group 1 (webmasters) in this box, each on a separate line. You can allow ranges of IPs, for example entering 192.168. will allow 192.168.*
- Protector keeps a log of IPs that have exceeded the limits of its security policies and triggered a response, as defined in the preferences section. Here you can see the offending IPs, and why they were listed. You can remove records by selecting the checkboxes and clicking the 'remove' button.
Security advisory
The Security Advisory page evaluates the vulnerability of your site against several potential security risks and offers advice on how to fix them. In the screenshot below you can see that this site miserably fails most of the security advisories.
[Missing image]
Fixing the security risks
Follow the instructions below to implement security improvements recommended by Protector. Reload the Protect Center page to check your progress as you go - the red warnings should turn a soothing green.
‘register_globals’: on
Fixing this issue is very easy. Create a text file called .htaccess. Place it in the root directory of your site. The file only needs to contain one line, as follows:
  php_flag register_globals off
‘allow_url_fopen’: on
This setting allows attackers to execute arbitrary scripts on remote servers. Unfortunately it may be difficult for you to fix because only an administrator can change this option. If you are renting disk space from a commercial host you need to ask them to make this change for you (and frankly many hosts will refuse to modify a shared system for your convenience).
If you are lucky enough to have access, edit php.ini or httpd.conf and add (or amend) the following line to be:
  php_admin_flag allow_url_fopen off
‘session.use_trans_sid’: on
Add another line to the .htaccess file in your website root directory, as follows:
  php_flag session.use_trans_sid off
‘XOOPS_DB_PREFIX’: xoops
This is covered in the section ‘Prefix manager’, below.
‘mainfile.php’: missing precheck
Edit your mainfile.php according to the steps described in the installation procedure (step 8). You shouldn't be seeing this warning if you followed it properly!
Check if Protector works well
Click on a link to test the module – you should get booted back out to the home page, depending on how you set up your preferences. You should also see entries added to the log in the Protect Center.
Prefix manager
The prefix manager lets you i) change the prefix of your database tables by creating copies with a new prefix of your choice and ii) back up your database. Why would you want to change the prefix? Well, by default the XOOPS installation script sets the prefix as ‘xoops’. The problem with this is that it is predictable, facilitating SQL injection attacks - if an attacker finds a hole in your site it will be easier for them to interfere with your database because they will be able to guess the full table names. Changing the prefix to something other than the default makes things a bit more difficult for them.
Changing the database table prefix
Simply type the new prefix you would like to use in the blank box (don’t use anything obvious, the whole idea of this is to be obscure) and press the ‘copy’ button. A duplicate set of tables will be made with the new prefix. Note that this will double the size of your database.
[Missing image]
However, to actually use the new set of tables you need to edit the file mainfile.php in your root directory, as per the footnote in the image above.
Look for the following lines:
  // Table Prefix
  define('XOOPS_DB_PREFIX', 'xoops');
Change ‘xoops’ to whatever your new prefix is and upload your modified mainfile.php. Don’t forget to CHMOD the file permissions to 444 (read only in Windows)! Once you have done that, your database will be running on the duplicate tables. Please note that any further changes in your database will not be reflected in the old tables.
Backing up your database
Just press the ‘backup’ button and you will be prompted to download an SQL file of your database.
Deleting duplicate tables
Since having duplicate sets of tables increases the size of your database, you might like to get rid of excess copies once you are sure the new set is working well. You can delete the old copies by pressing the ‘delete’ button (it is a good idea to back them up locally first in case you later discover you need them). Note that you cannot delete the prefix/tables that are currently in use.
Preferences
The configuration options and recommended settings for Protector are summarised in the table below. For the most part, you can just leave the settings at the defaults.
Module configuration option Function
- You can turn Protector off temporarily if you are having problems. Don't forget to turn it back on when you have fixed the problem. Default is 'no'.
- ^ matches the head of string, $ matches the tail of string.
- Options (default is 'full') are:
Rescue: Accidental self-banning
If you somehow manage to ban yourself from your own site (most people seem to achieve this at least once :) go to XOOPS_TRUST_PATH/modules/protector/configs and delete the files in there. One of them contains the 'banned IP' data, so getting rid of it (or better, editing it to remove your own IP) will restore your access to the site. Note that deleting it will also restore access of all other banned users, so editing it is a better idea if you aren't in a hurry. In previous versions of Protector there was a facility to set a “rescue password”, but this has been removed in V3.
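The .htaccess and table-prefix fixes from the Security Advisory and Prefix manager sections can also be re-checked from the file system, as in this added example (not part of Protector or the original page). The function names and sample files are constructed for illustration, and the prefix check assumes the single-quoted define shown above.

```shell
# Added example: re-check the Security Advisory fixes from the file system.
# Effective value of "php_flag NAME" in an .htaccess file: the last
# uncommented occurrence wins; mod_php treats "on" or "1" as on.
htaccess_flag() {   # $1 = .htaccess path, $2 = PHP setting name
    [ -f "$1" ] || { echo unset; return 0; }
    awk -v name="$2" '
        { sub(/\r$/, "") }   # tolerate CRLF files uploaded from Windows
        tolower($1) == "php_flag" && $2 == name {
            v = tolower($3); val = (v == "on" || v == "1") ? "on" : "off"
        }
        END { print (val == "" ? "unset" : val) }' "$1"
}

advisory_check() {   # $1 = site root; returns the number of failed checks
    root=${1%/}; fails=0
    for flag in register_globals session.use_trans_sid; do
        v=$(htaccess_flag "$root/.htaccess" "$flag")
        if [ "$v" = off ]; then echo "ok   $flag is off"
        else echo "FAIL $flag is $v in .htaccess"; fails=$((fails+1)); fi
    done
    prefix=$(sed -n "s/^[[:space:]]*define([[:space:]]*'XOOPS_DB_PREFIX'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p" "$root/mainfile.php" | head -n 1)
    case "$prefix" in
        '')    echo "FAIL XOOPS_DB_PREFIX not found"; fails=$((fails+1)) ;;
        xoops) echo "FAIL table prefix is still the default 'xoops'"; fails=$((fails+1)) ;;
        *)     echo "ok   table prefix is not the default" ;;
    esac
    return "$fails"
}

# Constructed sample files (not from a real site).
demo=$(mktemp -d)
cat > "$demo/.htaccess" <<'EOF'
# php_flag register_globals off
php_flag register_globals on
PHP_Flag register_globals off
php_flag session.use_trans_sid off
EOF
printf '%s\n' '<?php' "define('XOOPS_DB_PREFIX', 'xoops');" > "$demo/mainfile.php"
advisory_check "$demo" || echo "$? check(s) failed"
rm -rf "$demo"
```

A flag reported as unset means the server-wide default applies, which this check cannot see; the Security Advisory page remains the authority for the running configuration.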
There is no user-side functionality associated with this module. All interaction is through the administration side. Only site administrators should have access to this module.
There are no blocks associated with this module (there were in earlier versions, but no longer).
There are no notifications for this module.
There is no user content.
- added a filter postcommon_post_deny_by_httpbl for antispam by honeypotproject
- updated language files
-- polish (thx kurak_bu)

- added "compact log"
- added "remove all log"
- added language files
-- fr_utf8 (thx gigamaster)

- imported HTMLPurifier (special thx! Edward Z. Yang) PHP5 only
- added filtering point (spamcheck, crawler, f5attack, bruteforce, purge)
- added filter plugins
-- postcommon_post_htmlpurify4guest (guest's post will be purified) only PHP5
-- spamcheck_overrun_message
-- crawler_overrun_message
-- f5attack_overrun_message
-- bruteforce_overrun_message
-- prepurge_exit_message
3.13 beta (2007/08/22)
- modified the filter structure from function to class
- added filtering point (badip, register)
- added filter plugins
-- postcommon_register_insert_js_check (against registering SPAM)
-- precommon_badip_message (displays a message on rejecting the IP)
-- precommon_badip_redirection (redirects somewhere on rejecting the IP)
Xoops Protector is a module to defend XOOPS2 from various and malicious attacks.
This release Protector 3.13 with anti auto registering bots. (You can search it by petro@dnati7.org , george-walker-bush.info or boss@villa9.org)
If you installed Protector correctly, just copy the plugin filters_disabled/postcommon_register_insert_js_check.php into filters_enabled/. No core hacks needed.
Since I don't like Captcha (it's not friendly with visible handicapped), I make it as JavaScript.
You should check a guest can register after enabling the plugin. You can also check the bots will be rejected by turning JavaScript off.
Note: If you access via "Reliable IPs" in Preferences of Protector, this plugin never stops registering.
This module can protect against various kinds of attacks like:
- DoS
- Bad Crawlers (like bots collecting e-mails...)
- SQL Injection
- XSS (not all though)
- System globals pollution
- Session hi-jacking
- Null-bytes
- Directory Traversal
- Some kind of CSRF (fatal in XOOPS <= 2.0.9.2)
- Brute Force
- Camouflaged Image File Uploading (== IE Content-Type XSS)
- Executable File Uploading Attack
- XMLRPC's eval() and SQL Injection Attacks
- SPAMs for comment, trackback etc.
Xoops Protector defends your XOOPS from these attacks, and it records them in its log. Of course, all vulnerabilities can't be prevented.
Be not overconfident, please.
However, I strongly recommend installing this module to all XOOPS sites with any versions.
3.12 beta (2007/08/16)
- fixed for controllers with $xoopsOption['nocommon']=true
3.11 beta (2007/08/16)
- modified ordering precheck and postcheck
- removed a rbl server from postcommon_post_deny_by_rbl.php
- added language files
-- french (thx Christian)
3.10 beta (2007/07/30)
- modified precheck getting config via local cache
- modified precheck does not connect MySQL as possible
- fixed "reliable IP" does not work well
- modified mainfile patch can be inserted before protector installation
- added a logic to check some folder's permission on installing protector
- modified IP denying pattern. 'full', 'forward match', and 'preg match'
- added denied IP moratorium
- added a warning if the directory for configs is not writable
3.04 (2007/06/13)
- added a check against the phpmailer command-injection vulnerability.
- modified postcommon_post_need_multibyte (3.04a)
3.03 (2007/06/03)
- added a protection against installer attack
- changed language name
-- ja_utf8 (formerly japaneseutf) 3.03a
3.02 (2007/04/08)
- modified compatibility of the option "force_intval"
- fixed wrong link in advisory.php (thx genet)
- added a method module can skip DoS/crawler check (define a constant)
- updated D3 system
- added language files
-- persian (thx voltan)
-- russian (thx West) 3.02a
-- arabic (thx onasure) 3.02b
-- japaneseutf 3.02c
3.01 (2007/02/10)
- modified the rule for sorting IPs
- added language files
-- portuguesebr (thx beduino)
-- spanish (thx PepeMty)
-- polish (thx kurak_bu) 3.01a
-- german (thx wuddel) 3.01b
- modified module_icon.php 3.01c
- fixed typo in module_icon.php 3.01d
3.00 (2007/02/06)
- marked as a stable version
- fixed typo in log level
- fixed multibyte plugin never denies registered users (thx mizukami)
- modified compatibility with 2.2.x from xoops.org 3.00a
3.00beta2 (2007/01/31)
- added plugin system (just postcommon_post_*)
- added filtering-plugins
-- postcommon_post_deny_by_rbl.php (deny SPAM by RBL)
-- postcommon_post_need_multibyte.php (deny SPAM by character type)
3.00beta (2007/01/30)
- moved almost all files under XOOPS_TRUST_PATH
- modified denying IP from DB to a file under configs
- removed rescue feature (just remove a file via FTP)
- added allowed IPs for user of group=1
- modified table structures (compatible MySQL5)
- added BigUmbrella anti-XSS system
- added anti-SPAM feature
- Kikuchi (Traditional Chinese language files)
- Marcelo Yuji Himoro (Brazilian Portuguese and Spanish language files)
- HMN (French language files)
- Defkon1 (Italian language files)
- Dirk Louwers (Dutch language files)
- Rene (German language files)
- kokko (Finnish language files)
- Tomasz (Polski language files)
- Sergey (Russian language files)
- Bezoops (Spanish language files)
These contributions were made for v2.x
Last edited on: 28/11/2010 by Anonymous