A security step every web site owner should take.

Very simply: Put a blank index.html file in every directory that does not have any type of index file.

Many scripts already have this in the distribution package. Doing this simple thing will prevent anyone from viewing your directory listings in a browser... all they'll see is that blank index.html file.

If you'd like an example, just do this Google search and click some of the hits.

http://www.google.com/search?hl=en&q=inurl%3Aray%2Fmodules%2Fmovie%2Ffiles%2F&btnG=Search

This will return a list of Dolphin site links relative to the ray/modules/movie/files/ directory where all the videos your users have uploaded are stored. Maybe this is private info, maybe it's not, but why let someone freely browse through your site's directories? If these site owners had a blank index.html file in those directories, you would not be able to view the file list.

This is a simple thing Boonex should really add to the distribution package.

My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 27 Feb 2009

Instead of a blank index.html file why not send them back to the home page?

You can create an index.html (using notepad etc) file like this:

<head>
<meta http-equiv="refresh" content="0; url=http://www.yoursite/index.php">
</head>

Hope this helps,

Stuart

There are none so blind as those that will not see.
Quote · 27 Feb 2009
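A way to apply both suggestions (the blank file from the first post, or Stuart's redirect page) across a whole document root, as an added example that is not code from the thread or from Boonex: the script walks a directory tree and, in every directory that has no index file, writes either an empty index.html or a copy of a template file. It assumes the server's DirectoryIndex covers index.html/index.php/index.htm (Apache's usual default) and that directory names contain no newline characters; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread or from Boonex.
# Walk a document root and give every directory that has no index file a
# placeholder index.html, so the web server never falls back to an
# auto-generated directory listing for it.
# Assumptions: DirectoryIndex covers index.html/index.php/index.htm (Apache's
# usual default) and directory names contain no newline characters.

# has_index DIR -> exit 0 if DIR already holds any index.* file, 1 otherwise
has_index() {
    for f in "$1"/index.* "$1"/INDEX.*; do
        [ -f "$f" ] && return 0
    done
    return 1
}

# write_placeholder DIR [TEMPLATE]
# Without TEMPLATE this is the blank file from the first post; with TEMPLATE
# (e.g. Stuart's meta-refresh page) a copy of that file is used instead.
write_placeholder() {
    if [ -n "$2" ] && [ -f "$2" ]; then
        cp "$2" "$1/index.html"
    else
        : > "$1/index.html"
    fi
}

# add_index_placeholders DOCROOT [TEMPLATE]
# Prints the path of every directory it protected, one per line, so a second
# run on the same tree prints nothing.
add_index_placeholders() {
    find "$1" -type d | while IFS= read -r d; do
        if ! has_index "$d"; then
            write_placeholder "$d" "$2"
            printf '%s\n' "$d"
        fi
    done
}

# Usage (run as the owner of the web files; paths are placeholders):
#   add_index_placeholders /var/www/html
#   add_index_placeholders /var/www/html/ray/modules/movie/files /path/to/redirect.html
```

Run it once after installing or upgrading, and again after adding a module that creates its own upload folders; because it only touches directories that have no index file, re-running it never overwrites a real index page.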

Yeah, I agree with Stuart038,

Might as well send them somewhere where you'd like for them to be.

On the other hand though, that only works (primarily) for regular folks who might get nosy about a folder on the site. I'd be much more concerned about hackers (mega-problem in Europe). Most hackers would go far enough to enter an actual "guessed" file name like /index.php or /login.php or /member.php or whatever, in order to access a physical file instead of a directory structure. If you're going to do the above, then you should also have custom error 404 and error 500 messages/pages which redirect somewhere else. If you administer your own server or TLD, that would be a snap since most error pages are stored in .html format within their very own folder. Once you find that folder via FTP, you can go to town and create your own custom error pages just like any other .html pages. Works for me anyway ....

Greetings from Germany

Quote · 27 Feb 2009

You can also try adding -Indexes after:

Options -MultiViews

in your htaccess so it reads:

Options -MultiViews -Indexes

this closes all in a sec.

I have video tutorials to help you mrpowless.com
Quote · 27 Feb 2009
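The server-side setting above is the one that still stops listings where a placeholder file is missing, so here is an added example (not code from the thread or from Boonex) that edits an .htaccess file to apply it and also adds the custom 404/500 pages the earlier reply recommends. Assumptions: Apache, AllowOverride permits Options and FileInfo in that directory, and /index.php is a placeholder target for the error pages. The awk handles one caveat a practitioner runs into: an Options line written without +/- signs is an absolute list, and Apache rejects mixing signed and unsigned tokens, so in that case the script removes Indexes instead of appending -Indexes.

```shell
#!/bin/sh
# Added example, not code from the thread or from Boonex.
# Edit an .htaccess file so that Apache never generates directory listings
# (Options ... -Indexes) and serves custom 404/500 pages instead of the
# server defaults. Assumptions: Apache, AllowOverride allows Options and
# FileInfo for the directory, and /index.php is a placeholder error target.

# harden_htaccess FILE  (creates FILE if missing; idempotent)
harden_htaccess() {
    file=$1
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    awk '
        # First Options line: make sure Indexes ends up disabled.
        /^[ \t]*Options([ \t]|$)/ && !seen_options {
            seen_options = 1
            out = $1; signed = 1; has_minus = 0
            for (i = 2; i <= NF; i++) {
                if ($i == "Indexes" || $i == "+Indexes") continue  # drop any enabling token
                if ($i == "-Indexes") has_minus = 1
                if ($i !~ /^[+-]/) signed = 0
                out = out " " $i
            }
            # A list written with +/- is relative, so -Indexes must be added.
            # An unsigned list is absolute; Apache rejects mixing the two styles,
            # and with Indexes removed above that list already disables listings.
            if (signed && !has_minus) out = out " -Indexes"
            $0 = out
        }
        /^[ \t]*ErrorDocument[ \t]+404([ \t]|$)/ { seen_404 = 1 }
        /^[ \t]*ErrorDocument[ \t]+500([ \t]|$)/ { seen_500 = 1 }
        { print }
        END {
            if (!seen_options) print "Options -Indexes"
            if (!seen_404)     print "ErrorDocument 404 /index.php"
            if (!seen_500)     print "ErrorDocument 500 /index.php"
        }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# listings_disabled FILE -> exit 0 if FILE's Options lines leave Indexes off
listings_disabled() {
    awk '
        /^[ \t]*Options([ \t]|$)/ {
            found = 1
            for (i = 2; i <= NF; i++) {
                if ($i == "-Indexes") off = 1
                if ($i == "Indexes" || $i == "+Indexes") on = 1
                if ($i !~ /^[+-]/) absolute = 1
            }
        }
        END { exit !(found && (off || (absolute && !on))) }
    ' "$1"
}

# Usage: harden_htaccess /var/www/html/.htaccess && listings_disabled /var/www/html/.htaccess
```

After editing, confirm the server still starts (a syntax error in .htaccess turns every request into a 500) and that a directory without an index file now returns 403 rather than a listing; if it still lists, the host has AllowOverride set to None and the change has to go into the main server configuration instead.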

I also was surprised to see index.php missing in public folders...like Houston mentioned, it's in the installer for other apps...Joomla is one I can think of.

Thanks for the tip on .htaccess, will give it a try. :)

Been slowly finding and patching the security items mentioned round the forums; sure would be nice to have a security section with the old suggestions and any new ones collected together.

One tip I think is also smart is don't post/advertise your dolphin site link in here...it seems to me it would be an invite to any hackers looking in here for a target.

For example, there's a recent thread explaining all the "howto" of an email security hole allowing people to read and delete user mail. All a would-be trouble maker needs to do is get that info and a link to your site and have some fun at your expense.

Personally I'm also surprised that the forum is in a folder named "Orca". (This project doesn't need the main forum, but I need to leave it running in the groups/orca section)...All a malicious user on your site needs to do is see Orca in the webpage title or URL and google "forum orca" to find out your community is using dolphin. Then they come here to find out what vulnerabilities it has and start messing with your community.

**EDIT**

Here's info on how to change the "orca" URL name to "forum":

http://www.boonex.com/unity/forums/#topic/Changing-the-name-of-the-orca-folder-V6-1-4.htm

Quote · 27 Feb 2009

One tip I think is also smart is don't post/advertise your dolphin site link in here...it seems to me it would be an invite to any hackers looking in here for a target.

The hacking problem is so bad in Germany that not posting links, regardless where, is no solution of any type. The solution is in securing the server, which can mostly be done with crons. You have to keep in mind that most hacking software works on automation & repetition, which is actually something that can be used AGAINST the hackers.

Multiple pings from the same country ... boom, you're out for 60 minutes.

Two failed login attempts to authorized areas ... boom, you're out for 45 minutes.

Countries that we know have nothing whatsoever to do with us ... boom, no access from those regions.

Decent firewall setups ... inserted greylist references ... inserted blacklist references ... and, and, and.

No, nothing is fail-safe I suppose, and you do have to be pretty careful how some of those security features are applied, but then you also have to ask yourself - just how safe does your site need to be? What kind of information is available that could be of interest to any hackers? How long would it take to back up your stuff if it got hacked, and so on. We're working on what we're hoping will ultimately end up being the world's largest and most popular German-speaking community, so security is of major concern to us (we're now entering the final development phase). On the other hand, we have clients with small business domains (less than 50 pages) who simply don't care about security at all because they figure that A. they're not important enough to be hacked and B. a backup takes them all of 5 minutes in order for everything to be back the way it was ........ just some food for thought.

Greetings from Germany

Quote · 27 Feb 2009
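The automated lock-outs in the post above are the kind of rule a cron job can compute from a log. As an added example, not code from the thread or from Boonex, the shell below implements the "two failed login attempts ... out for 45 minutes" rule: it counts failures per client address in a constructed log (assumed format: date, time, LOGIN_OK or LOGIN_FAIL, client IP, user), writes a ban list with expiry times, and drops expired entries on the next run. It stops at producing the list; feeding it to a firewall or deny list is the operator's part and is not shown.

```shell
#!/bin/sh
# Added example, not code from the thread or from Boonex.
# Cron-style lock-out list after the rule "two failed login attempts ... out
# for 45 minutes". Assumed log format, one line per login attempt:
#   <date> <time> <LOGIN_OK|LOGIN_FAIL> <client-ip> user=<name>
# Output: a file of "<ip> <unban-epoch>" pairs that a firewall script could
# read. Nothing here touches the firewall itself.

# write_sample_log FILE -> constructed sample input (documentation addresses)
write_sample_log() {
    cat > "$1" <<'EOF'
2009-02-27 10:00:01 LOGIN_FAIL 203.0.113.7 user=admin
2009-02-27 10:00:05 LOGIN_FAIL 203.0.113.7 user=admin
2009-02-27 10:00:09 LOGIN_FAIL 203.0.113.7 user=root
2009-02-27 10:01:00 LOGIN_FAIL 198.51.100.20 user=alice
2009-02-27 10:01:30 LOGIN_OK 198.51.100.20 user=alice
2009-02-27 10:02:00 LOGIN_FAIL 192.0.2.44 user=bob
2009-02-27 10:02:10 LOGIN_FAIL 192.0.2.44 user=bob
EOF
}

# failed_login_ips LOG THRESHOLD -> "<ip> <count>" for every client with at
# least THRESHOLD failed attempts, most failures first
failed_login_ips() {
    awk -v limit="$2" '
        $3 == "LOGIN_FAIL" { fails[$4]++ }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
    ' "$1" | sort -k2,2nr -k1,1
}

# update_ban_list LOG BANFILE THRESHOLD MINUTES NOW
# Keeps unexpired bans, adds new offenders with expiry NOW+MINUTES*60 (a repeat
# offender's ban is extended), and prints the number of active bans.
update_ban_list() {
    log=$1; banfile=$2; threshold=$3; minutes=$4; now=$5
    [ -f "$banfile" ] || : > "$banfile"
    until_ts=$((now + minutes * 60))
    tmp="$banfile.tmp.$$"
    {
        awk -v now="$now" '$2 > now' "$banfile"
        failed_login_ips "$log" "$threshold" | awk -v t="$until_ts" '{ print $1, t }'
    } | awk '{ expiry[$1] = $2 } END { for (ip in expiry) print ip, expiry[ip] }' | sort > "$tmp"
    mv "$tmp" "$banfile"
    wc -l < "$banfile" | tr -d ' '
}

# is_banned BANFILE IP NOW -> exit 0 if IP has an entry that has not expired
is_banned() {
    awk -v ip="$2" -v now="$3" '$1 == ip && $2 > now { found = 1 } END { exit !found }' "$1"
}

# Usage from cron every few minutes (paths are placeholders):
#   update_ban_list /var/log/site/login.log /var/lib/site/bans 2 45 "$(date +%s)"
```

The log the script reads should be rotated or truncated on the same schedule as the cron job; otherwise an address that failed twice last week stays on the list forever, which is the "be pretty careful how some of those security features are applied" caveat from the post in concrete form.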

The things we are supposed to do to make D6.1 secure are posted all over the place here.  I wish someone would compile them all in one place - better yet, I wish Boonex would publish a patch so we have some confidence that our installs are secure.

Quote · 27 Feb 2009

That is one reason I don't post my site's name here.


One tip I think is also smart is don't post/advertise your dolphin site link in here...it seems to me it would be an invite to any hackers looking in here for a target.

I like the idea by Houston and the extra modification by Stuart.

-

L

Quote · 27 Feb 2009

Yes, this works....Ya just have to upload it to the correct place. (I am stupid!)

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="refresh" content="0; url=http://www.mysite/index.php">
</head>
<body>

</body>
</html>

Very simply: Put a blank index.html file in every directory that does not have any type of index file.

Many scripts already have this in the distribution package. Doing this simple thing will prevent anyone from viewing your directory listings in a browser... all they'll see is that blank index.html file.

If you'd like an example, just do this Google search and click some of the hits.

http://www.google.com/search?hl=en&q=inurl%3Aray%2Fmodules%2Fmovie%2Ffiles%2F&btnG=Search

This will return a list of Dolphin site links relative to the ray/modules/movie/files/ directory where all the videos your users have uploaded are stored. Maybe this is private info, maybe it's not, but why let someone freely browse through your site's directories? If these site owners had a blank index.html file in those directories, you would not be able to view the file list.

This is a simple thing Boonex should really add to the distribution package.

Quote · 27 Feb 2009

Instead of a blank index.html file why not send them back to the home page?

You can create an index.html (using notepad etc) file like this:

<head>
<meta http-equiv="refresh" content="0; url=http://www.yoursite/index.php">
</head>

Hope this helps,

Stuart

Yeah, I was going to mention that you could do whatever you wanted to in the index.html file. The blank index.html file should be included in the distribution and will work for every site.

It's true that people can still view files if they type in the file name, but browsing directories by typing in every file name is a lot more tedious than clicking a mouse.

My opinions expressed on this site, in no way represent those of Boonex or Boonex employees.
Quote · 27 Feb 2009

Designer2 - "invitation only" works with the "invite a friend" link I believe - you don't have to pre-create the profiles. http://www.boonex.com/unity/forums/?action=goto&topic_id=Invitation-only-site

Good suggestion on a special section for security issues - I think this forum could be organized more effectively.

I wish we didn't have to be paranoid here about posting our sites - depends on the sensitivity of the content I suppose. For smaller sites the worst case is probably a backup restore.

-

Rob

Quote · 27 Feb 2009

hmmm, you know I figured that might be how it worked, and gave it a try, but for some reason it didn't function for me.

Just tried it again on different machine and it worked this time...NICE!

Thanks.

Quote · 27 Feb 2009

Should we place this in every single folder that does NOT have an INDEX.html or .php?

Quote · 14 Aug 2009

Should we place this in every single folder that does NOT have an INDEX.html or .php?

I have custom html/php pages in all sensitive areas. Error 404, Error 500 restricted access, new domain/subdomain default index, etc. Yeah, I'd place such a file in any folder where it's important to keep prying eyes out of ... to include image folders if you have highly customized image work or private photos. Be sure not to include any search engine friendly metas either (duh).

Greetings from Germany

Quote · 1 Sep 2009
 
 