Skip to content
Joey edited this page Jan 28, 2014 · 7 revisions

Security is an Onion

There is more to pool security than a 1 page bullet-point list and there is no magical program to keep you from getting hacked, this is just a primer.

Pre-Installation

  • Get onto your production box, setup ssh keys
  • Update and install all the dependencies, mail etc
  • Make sure apache/php/mysql/$mailserver are playing nice together
  • Run phpsecinfo
  • Make sure display_errors is Off in your php.ini
  • Make sure your session.save_path is NOT web accessible in your php.ini
  • And if you're not running it yet and reading along, run phpsecinfo

Apache / MySQL / PHP

  • Make sure your .htaccess works for MPOS + anything else running within its subdir or equiv
  • If you have an SSL cert, make sure you have installed it correctly
  • Enable [cookies][secure] in global config and [strict__https_only] in security config
  • Your MySQL user should not be root, setup a new user with permissions you set

MPOS

  • Turning on [twofactor] will protect your users from themselves
  • Get an SSL cert and take the extra 10 minutes, it's worth it
  • Make sure your [cookie] settings are correct
  • Memcache should be enabled unless you absolutely cannot use it (I don't believe you)
  • Strict mode will stop a few types of attacks, so use it
  • If you're paranoid use strict__verify_server and set the strict__bind_'s to your server info

Finishing Up

  • Remove unnecessary software; Your production box doesn't need phpmyadmin
  • Download and run phpsecinfo
Clone this wiki locally