How to secure my Elgg installation

I think that applying permissions 444 for files and 555 for directories on the hosting is the most secure option; can anybody confirm that? Can anybody propose more security options?

These last few days I've been having problems with the file .htaccess; twice it has been removed from the hosting without any apparent explanation!

Thanks! 

  • If you set permissions to 444 you remove write permissions for yourself (or whoever is the owner of the file). I don't know how this should increase security though. If someone managed to log in using your server account it's equally possible to add the write permissions again. For others the write permissions are not on anyway.

    Regardless of how you set file and directory permissions, it won't help you in any way to stop your hoster from changing/deleting any files if they want to. Root permissions override any of your "security" settings. If they removed the .htaccess file they most likely had a valid reason to do so. Most likely your site produced too much server load and the easiest way for your hoster to stop your site from blocking any other services on the same server was to remove the .htaccess file to bring your site offline.

    If you ask them why they did it, they should be at least open enough to tell you this. Shared server? There surely are some limitations on the server resources you are allowed to use, outlined in the hoster's terms of use. Elgg can easily take a lot of resources (CPU for example) and if a high load spike occurs you could be way above the limitations allowed on the shared server.

  • I asked my hosting and they didn't remove the file, so I don't know what happened; my only explanation is an external attack, so this is the reason for applying these perms.

  • 'attacks' are kinda 'rare' - without any other symptoms - 'they' won't just delete one file.. usually such attackers will have more ""fun"" with your website! ;-P The 444 or 555 does not sound like much real Apache-oriented use for a standard perms configuration. 644 for code and 755 or 777 for data 'usually' works ok.

    I think your issue is "something" else in your site/domain/hosting (security/suexec, suhosin, etc.) characteristics that's not allowing the htaccess file, or some unknown-to-you 'accidents' ;-o( *but it will be rather hard for someone else to figure out without looking over your shoulders ;) find a code-savvy friend, invite him over, buy him a beer, maybe.. you'll get to the real problem cause(s).

  • @all

    I've seen those attacks before; they target .htaccess, but it only happens when an outdated version of WordPress is installed in the same hosting account.

    Do you have any other CMS installed?

     

    Rodolfo Hernandez

    Arvixe/Elgg Community Liaison

  • @rjcalifornia

    I have Joomla (ver 1.7) in my domain, and Elgg in a subdomain of that domain. It is shared server hosting.

    The uploads directory is in the same directory as the Elgg installation; can that be a problem?

    Thanks for all :)

  • "The uploads directory is in the same directory as the Elgg installation; can that be a problem?"

    Yes. Elgg's data directory must not be accessible from the web.
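The two checks that keep coming up in this thread (is the Elgg data directory reachable through the web root, and are there world-writable files or directories on a shared host) can be scripted. The following is an added example, not code from the thread or from the Elgg project. The directory layout it builds is constructed in a temporary directory purely to demonstrate the checks; the real arguments would be your Apache document root (for example the public_html of the subdomain) and the data directory path you gave the Elgg installer, which Elgg requires to be outside the document root and writable by the web server user.

```shell
#!/bin/sh
# Added example: audit an Elgg layout on shared hosting.
# DOCROOT = Apache document root of the (sub)domain, DATADIR = Elgg data
# directory. Both are hypothetical arguments here; no real site is touched.

# Resolve a directory to its physical absolute path (follows symlinks so
# /var and /private/var style aliases compare equal).
canon() {
    (cd "$1" 2>/dev/null && pwd -P)
}

# Returns 0 (true) if DATADIR is DOCROOT itself or lives below it, which
# means uploaded files are served by Apache unless something else blocks them.
# Usage: data_under_docroot DOCROOT DATADIR
data_under_docroot() {
    doc=$(canon "$1") || return 2
    data=$(canon "$2") || return 2
    case "$data" in
        "$doc"|"$doc"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Count files and directories under a tree that are writable by "other".
# On a shared box every other hosting account can write to such paths.
count_world_writable() {
    find "$1" -perm -002 \( -type f -o -type d \) | wc -l | tr -d ' '
}

# Apply the conventional code permissions: 755 for directories, 644 for
# files. Intended for the code tree, not for the data directory.
fix_code_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Build a throwaway tree (constructed, not a real site) that mirrors the
# situation in the thread: Elgg under public_html, its data directory
# inside the install, one directory at 777 and one file at 666.
# Prints the fixture root so callers can clean it up.
make_fixture() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/public_html/elgg/data" "$t/elgg-data"
    chmod 755 "$t/public_html" "$t/public_html/elgg" "$t/elgg-data"
    printf '<?php\n' > "$t/public_html/elgg/index.php"
    chmod 666 "$t/public_html/elgg/index.php"
    chmod 777 "$t/public_html/elgg/data"
    printf '%s\n' "$t"
}

# Demo run on the constructed fixture.
T=$(make_fixture)
if data_under_docroot "$T/public_html" "$T/public_html/elgg/data"; then
    echo "WARNING: Elgg data directory is inside the document root"
fi
if ! data_under_docroot "$T/public_html" "$T/elgg-data"; then
    echo "OK: $T/elgg-data is outside the document root"
fi
echo "world-writable entries before fix: $(count_world_writable "$T/public_html")"
fix_code_perms "$T/public_html"
echo "world-writable entries after fix:  $(count_world_writable "$T/public_html")"
rm -rf "$T"
```

On a real account you would run `data_under_docroot /home/you/public_html /home/you/elgg-data` (paths hypothetical) and `count_world_writable /home/you/public_html`; a non-zero count is worth fixing before blaming an external attacker, since any other tenant on the same server can write into a 777 directory, and the data directory itself only needs to be writable by the account the web server runs your PHP as.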

  • that is *not* correct - Joomla has a (configurable) $temp_path, which usually points to joomla_code_install_dir/tmp/, where Joomla code auto-upgrades are (temporarily) stored. Elgg would *naturally* be in its own elgg_code_install_dir/ - unless one (highly unlikely) goes against 'naturally'. So - if Joomla and Elgg code are installed in the (unthinkable) *same* directory...? The installation situation described does not sound quite right.

  • @Javier

    That's a really old version of Joomla, you should consider upgrading.

    Rodolfo Hernandez

    Arvixe/Elgg Community Liaison