Basic PHPlist Security

Postby eazeegeek » 4:10am, Sat 12 Jun, 2010

I was reading a thread in these forums on someone's account being hacked and a lot of illegal links were included in the installation files.

So I thought I will write a little on how to take a few primary steps for keeping your installation safe.
You will find good security tips in the PHPList documentation at PHPList Security

1. Change your "admin" name to something else: Replace ALL administrator accounts containing "admin" with something else. Hackers commonly try out "admin", "listadmin", "webmaster" for attempts at logging in.

2. Change the default password: Default passwords are generated using a mathematical logic. This can be guessed by hackers using the same logic.

3. DO NOT use simple words in passwords: What we call "dictionary" words. Your password should contain UPPERCASE & lowercase characters, numbers, and some special characters (Shift + number keys on a PC). A "dictionary" attack is making login attempts using words in the dictionary.

4. DO NOT use personal details in passwords: Birthdays (Yours, Girlfriend's, Wife's, Dog's) can be guessed.

5. Changing Passwords often is good, but NOT necessary: I use a strong password ALL the time & I never change my password. But then NEVER share your password with ANYONE (not even with your alter-ego!)

6. BACKUP: Sadly most people are reminded of the importance of backups only AFTER it is too late. Make it a habit to back up frequently. Use one of the several freely available software packages to make it an automated process. In this age of hacker activity, not backing up almost amounts to a cardinal sin!
[Edit - 20100616] Another important thing about Backups, as pointed out by Chris, is to test the backups to make sure they are indeed complete & can be used for restoring successfully. Assuming that a backup is good without testing it & then realizing after a system failure that your backups are not useful is probably a bigger frustration than having no backups!
This also reminds me of an experience that I had with MySQL backups. DO NOT save MySQL backups as "zipped" or "gzipped" files. Produce a backup file without compression as much as possible. When I tried using compressed backups, I realized that the restore process failed (it did a partial restore). This was not observed with an uncompressed file.
But there is a downside to this method! A MySQL installation might not allow an upload greater than a certain size, while an uncompressed MySQL backup file can easily exceed this limit.
As a workaround, you can choose a certain number of tables to be backed up & restored in parts. The process indeed will be painful, but the possibility of you needing to back up is low, so this pain can be taken.

7. Reinstall if you are ever compromised: DO NOT try to "fix" your installation if you are ever successfully hacked by someone. Delete the folder; remove the database & reinstall EVERYTHING from your Backup. Hackers leave a trail of code snippets which can enable them to get back to work if you use the same installation files.

8. Access-level as much as is required: Give access to admins only as much as is required. Even if you are the only Admin, create a new account with far fewer privileges which are sufficient to do your job. Use the administrator account only when you are making changes to your installation. There is no need to use the Admin account for sending newsletters.

Feel free to add this list.
Last edited by eazeegeek on 8:34am, Thu 29 Sep, 2011, edited 3 times in total.
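An added example (not from the post or from phpList itself) that turns the BACKUP point and the "test your backups" edit into a script: each table is dumped uncompressed to its own file so no single file exceeds an upload limit, every file is checked for the "-- Dump completed" trailer that mysqldump writes only when it finished, and a scratch database is used for a trial restore. It assumes mysqldump and mysql are on PATH with credentials in ~/.my.cnf; the database name, table names and output directory are placeholders you pass in.

```shell
#!/bin/sh
# Added example, not the forum author's or phpList's own code.
# Assumes mysqldump/mysql on PATH and credentials in ~/.my.cnf.

# A complete mysqldump file ends with "-- Dump completed on <timestamp>";
# a dump cut short (disk full, dropped connection) never gets that line,
# and restoring it silently yields a partial database.
dump_is_complete() {
    [ -s "$1" ] && tail -n 3 "$1" | grep -q '^-- Dump completed'
}

# Dump each table to its own uncompressed .sql file and verify the trailer.
# Usage: dump_tables <db> <outdir> <table> [<table> ...]
dump_tables() {
    db="$1"; outdir="$2"; shift 2
    mkdir -p "$outdir" || return 1
    for t in "$@"; do
        f="$outdir/${db}_${t}.sql"
        mysqldump --single-transaction "$db" "$t" > "$f" || return 1
        dump_is_complete "$f" || { echo "incomplete dump: $f" >&2; return 1; }
    done
}

# Prove the files restore before you ever need them: load them into a
# scratch database, not the live one.
# Usage: test_restore <scratch_db> <file.sql> [<file.sql> ...]
test_restore() {
    scratch="$1"; shift
    mysql -e "CREATE DATABASE IF NOT EXISTS \`$scratch\`" || return 1
    for f in "$@"; do
        dump_is_complete "$f" || return 1
        mysql "$scratch" < "$f" || return 1
    done
}
```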

Re: Basic PHPlist Security

Postby H2B2 » 12:25pm, Wed 16 Jun, 2010

Good post. You'll find a number of other security related recommendations in the documentation wiki: Securing phpList
H2B2
Moderator
 
Posts: 7188
Joined: 1:51am, Wed 15 Mar, 2006

Re: Basic PHPlist Security

Postby NYChris » 2:46pm, Wed 16 Jun, 2010

Regarding the part labeled "BACKUP"... Test your backups. Don't assume that just because you have them they are good.

Re: Basic PHPlist Security

Postby eazeegeek » 3:02pm, Wed 16 Jun, 2010

Good point Chris.

I have edited my post to include this fact.

This also brings to my mind another fact about Database backups that I have observed. Adding that to the post also.

Re: Basic PHPlist Security

Postby kingofchaos » 3:08pm, Sat 18 Sep, 2010

People should also be aware that they have a secure computer which they use. Very often infected PCs are infecting websites because they get the FTP passwords etc., so make sure you are well protected. There is plenty of free anti-virus software like Avast or AVG; the same goes for firewalls: if you have no firewall in your router you should use a firewall too.

config.php insecure?

Postby reoO » 4:24pm, Tue 30 Nov, 2010

can't someone just type in mydomain/list/config.php and get my password and username?

Re: config.php insecure?

Postby Dragonrider » 11:34am, Wed 01 Dec, 2010

reoO wrote: can't someone just type in mydomain/list/config.php and get my password and username?

No, try it and see :D Mind you, if you also add to your lists/.htaccess file the following line, putting your domain in where I've put domain will triple safe it!

    RewriteEngine On

    ErrorDocument 404 http://domain/lists


If you haven't already got the RewriteEngine On bit, you need to add that above the line.

Re: Basic PHPlist Security

Postby dfranco » 8:03am, Thu 29 Sep, 2011

I think that running phpList in an Apache virtualhost with SSL (https) would be a good idea as well.

Re: Basic PHPlist Security

Postby donosor00 » 7:11am, Wed 09 May, 2012

eazeegeek wrote: 7. Reinstall if you are ever compromised: DO NOT try to "fix" your installation if you are ever successfully hacked by someone. Delete the folder; remove the database & reinstall EVERYTHING from your Backup. Hackers leave a trail of code snippets which can enable them to get back to work if you use the same installation files.

Hi.

My experience as a sysadmin says not to use the backup to recover a compromised system, as you can't be really sure when your system was compromised. So you may reinstall your system with compromised data and ensure access to your system for whoever cracked it.

Regards