
Basic PHPlist Security

PostPosted: 4:10am, Sat 12 Jun, 2010
by eazeegeek
I was reading a thread in these forums on someone's account being hacked and a lot of illegal links were included in the installation files.

So I thought I will write a little on how to take a few primary steps for keeping your installation safe.
You will find good security tips in the PHPList documentation at PHPList Security

1. Change your "admin" name to something else: Replace ALL administrator accounts containing "admin" with something else. Hackers commonly try out "admin", "listadmin", "webmaster" for attempts at logging in.

2. Change the default password: Default passwords are generated using a mathematical logic. This can be guessed by hackers using the same logic.

3. DO NOT use simple words in passwords: What we call "dictionary" words. Your password should contain UPPERCASE & lowercase characters, numbers, and some special characters (Shift + number keys on a PC). A "dictionary" attack is making login attempts using words in the dictionary.

4. DO NOT use personal details in passwords: Birthdays (yours, your girlfriend's, wife's, dog's) can be guessed.

5. Changing Passwords often is good, but NOT necessary: I use a strong password ALL the time & I never change my password. But then NEVER share your password with ANYONE (not even with your alter-ego!)

6. BACKUP: Sadly most people are reminded of the importance of backups only AFTER it is too late. Make it a habit to back up frequently. Use one of the many freely available tools to make it an automated process. In this age of hacker activity, not backing up almost amounts to a cardinal sin!
[Edit - 20100616] Another important thing about Backups, as pointed out by Chris, is to test the backups to make sure they are indeed complete & can be used for restoring successfully. Assuming that a backup is good without testing it & then realizing after a system failure that your backups are not useful is probably a bigger frustration than having no backups!
This also reminds me of an experience that I had with MySQL backups. DO NOT store MySQL backups as "zipped" or "gzipped" files. Produce a backup file without compression as much as possible. When I tried using compressed backups, I realized that the restore process failed (it did a partial restore). This was not observed with an uncompressed file.
But there is a downside to this method! The MySQL installation might not allow an upload greater than a certain size, while an uncompressed MySQL backup file can easily exceed this limit.
As a workaround, you can choose a certain number of tables to be backed up & restore in parts. The process indeed will be painful, but the possibility of you needing to back up is low, so this pain can be taken.

7. Reinstall if you are ever compromised: DO NOT try to "fix" your installation if you are ever successfully hacked by someone. Delete the folder; remove the database & reinstall EVERYTHING from your Backup. Hackers leave a trail of code snippets which can enable them to get back to work if you use the same installation files.

8. Access-level as much as is required: Give access to admins only as much as is required. Even if you are the only Admin, create a new account with far fewer privileges, sufficient to do your job. Use the administrator account only when you are making changes to your installation. There is no need to use the Admin account for sending newsletters.

Feel free to add to this list.
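Item 6 raises two practical problems with MySQL dumps: knowing that a dump is actually complete before you rely on it, and restoring in parts when the uncompressed file is larger than the upload limit. The following is an added example written for this thread; it is not code from the post above or from the phpList project. It assumes a dump produced by mysqldump with its default comment markers ("-- Table structure for table `name`" before each table, "-- Dump completed on ..." as the last line); SAMPLE_DUMP is a constructed miniature, not a real export.

```python
"""Check a mysqldump file for completeness and split it into restorable parts.

Added example; not code from the forum post or from the phpList project.
Assumes mysqldump's default comment markers. SAMPLE_DUMP below is constructed.
"""
import re
from typing import Dict, List

# Each table section opens with a banner: a bare "--" line, then the marker line.
TABLE_MARKER = re.compile(r"(?:^--\n)?^-- Table structure for table `([^`]+)`$", re.M)
# mysqldump writes this as the very last line of a dump that ran to the end.
COMPLETED_MARKER = re.compile(r"^-- Dump completed on ", re.M)

# Constructed sample dump (table names modelled on phpList's, contents invented).
SAMPLE_DUMP = """-- MySQL dump 10.13  Distrib 5.1.47 (constructed sample)
-- Host: localhost    Database: phplist
/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;

--
-- Table structure for table `phplist_admin`
--
DROP TABLE IF EXISTS `phplist_admin`;
CREATE TABLE `phplist_admin` (`id` int(11) NOT NULL, `loginname` varchar(66)) ENGINE=MyISAM;
INSERT INTO `phplist_admin` VALUES (1,'listowner');

--
-- Table structure for table `phplist_user_user`
--
DROP TABLE IF EXISTS `phplist_user_user`;
CREATE TABLE `phplist_user_user` (`id` int(11) NOT NULL, `email` varchar(255)) ENGINE=MyISAM;
INSERT INTO `phplist_user_user` VALUES (1,'alice@example.com'),(2,'bob@example.com');

/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;

-- Dump completed on 2010-06-16 12:00:00
"""


def _size(text: str) -> int:
    """Byte length as the upload limit sees it."""
    return len(text.encode("utf-8"))


def dump_is_complete(sql: str) -> bool:
    """True if the dump carries mysqldump's completion line.

    A dump cut short (full disk, timeout, damaged archive) has no such line;
    without this check a restore silently loads a partial database.
    """
    return COMPLETED_MARKER.search(sql) is not None


def split_dump(sql: str) -> Dict[str, str]:
    """Return {'_header': ..., table_name: ...} in file order.

    The header holds the SET statements emitted before the first table; the
    last table's chunk keeps the trailing SET/footer lines, which are harmless
    to apply more than once. Concatenating all values gives back the input.
    """
    matches = list(TABLE_MARKER.finditer(sql))
    if not matches:
        raise ValueError("no '-- Table structure' markers: not a mysqldump file?")
    chunks = {"_header": sql[: matches[0].start()]}
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(sql)
        chunks[m.group(1)] = sql[m.start() : end]
    return chunks


def pack_parts(chunks: Dict[str, str], max_bytes: int) -> List[str]:
    """Greedily group whole tables into parts of at most max_bytes each.

    Every part is prefixed with the header so it can be imported on its own
    through an upload-size-limited tool.
    """
    header = chunks["_header"]
    parts: List[str] = []
    current, has_tables = header, False
    for name, body in chunks.items():
        if name == "_header":
            continue
        if _size(header) + _size(body) > max_bytes:
            raise ValueError(f"table {name} alone exceeds {max_bytes} bytes")
        if has_tables and _size(current) + _size(body) > max_bytes:
            parts.append(current)
            current, has_tables = header, False
        current += body
        has_tables = True
    if has_tables:
        parts.append(current)
    return parts


if __name__ == "__main__":
    print("complete:", dump_is_complete(SAMPLE_DUMP))
    for n, part in enumerate(pack_parts(split_dump(SAMPLE_DUMP), max_bytes=600), 1):
        print(f"part {n}: {_size(part)} bytes")
```

Run dump_is_complete on the file you are about to keep, not on the one you are about to restore: by then it is too late. The splitter only cuts at table boundaries, so a single table larger than the limit is reported rather than silently truncated.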

Re: Basic PHPlist Security

PostPosted: 12:25pm, Wed 16 Jun, 2010
by H2B2
Good post. You'll find a number of other security related recommendations in the documentation wiki: Securing phpList

Re: Basic PHPlist Security

PostPosted: 2:46pm, Wed 16 Jun, 2010
by NYChris
Regarding the part labeled "BACKUP"... Test your backups. Don't assume that just because you have them they are good.

Re: Basic PHPlist Security

PostPosted: 3:02pm, Wed 16 Jun, 2010
by eazeegeek
Good point Chris.

I have edited my post to include this fact.

This also brings to my mind another fact about Database backups that I have observed. Adding that to the post also.

Re: Basic PHPlist Security

PostPosted: 3:08pm, Sat 18 Sep, 2010
by kingofchaos
People should also make sure that the computer they use is secure. Very often infected PCs are infecting websites because they get the FTP passwords etc., so make sure you are well protected. There is plenty of free anti-virus software like Avast or AVG, and the same goes for firewalls: if you have no firewall in your router you should use a firewall too.

config.php insecure?

PostPosted: 4:24pm, Tue 30 Nov, 2010
by reoO
Can't someone just type in mydomain/list/config.php and get my password and username?

Re: config.php insecure?

PostPosted: 11:34am, Wed 01 Dec, 2010
by Dragonrider
reoO wrote: Can't someone just type in mydomain/list/config.php and get my password and username?

No, try it and see :D Mind you, if you also add the following line to your lists/.htaccess file, putting your domain in where I've put domain, it will triple safe it!

# On a 404, Apache sends the visitor to the lists page (replace "domain" with your own hostname)
RewriteEngine On

ErrorDocument 404 http://domain/lists

If you haven't already got the RewriteEngine On bit, you need to add that above the line.

Re: Basic PHPlist Security

PostPosted: 8:03am, Thu 29 Sep, 2011
by dfranco
I think that running PHPList's Apache virtual host with SSL (https) would be a good idea as well.

Re: Basic PHPlist Security

PostPosted: 7:11am, Wed 09 May, 2012
by donosor00
eazeegeek wrote: 7. Reinstall if you are ever compromised: DO NOT try to "fix" your installation if you are ever successfully hacked by someone. Delete the folder; remove the database & reinstall EVERYTHING from your Backup. Hackers leave a trail of code snippets which can enable them to get back to work if you use the same installation files.


Hi.

My experience as a sysadmin says not to use the backup to recover a compromised system, as you can't be really sure when your system was compromised. So you may reinstall your system with compromised data, ensuring access to your system for whoever cracked it.

Regards
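Both item 7 of the original post and the reply above turn on the same question: are the files you are about to restore actually clean? One way to answer it is to compare the restored tree against a manifest of hashes taken from a freshly unpacked release archive, so that anything added or altered (the injected links the thread opened with, a script dropped into an upload directory) shows up before it goes back online. This is an added example for this thread, not code from any poster or from phpList. It assumes you keep such a manifest and that config.php is the only file legitimately different from the archive; the two directory trees in demo() are constructed in a temporary directory.

```python
"""Diff a restored phpList tree against a manifest of a known-clean release.

Added example; not code from the forum thread or from the phpList project.
Assumes a manifest (relative path -> SHA-256) built from a clean release
archive, with config.php as the only expected site-specific difference.
"""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, FrozenSet, List

IGNORED = frozenset({"config.php"})  # site-specific by design


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Hash every regular file under root, keyed by POSIX-style relative path."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(clean: Dict[str, str], candidate: Dict[str, str],
            ignore: FrozenSet[str] = IGNORED) -> Dict[str, List[str]]:
    """List files added, missing or modified in candidate relative to clean.

    'added' catches files that were never part of the release; 'modified'
    catches release files whose content changed. Either finding means the
    backup is not a clean source to rebuild from.
    """
    clean_keys = set(clean) - ignore
    cand_keys = set(candidate) - ignore
    return {
        "added": sorted(cand_keys - clean_keys),
        "missing": sorted(clean_keys - cand_keys),
        "modified": sorted(p for p in clean_keys & cand_keys if clean[p] != candidate[p]),
    }


def _write_tree(root: Path, files: Dict[str, str]) -> None:
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def demo() -> Dict[str, List[str]]:
    """Constructed clean tree vs. a backup with one altered and one extra file."""
    release = {  # constructed stand-ins for release files
        "index.php": "<?php // constructed release file\n",
        "admin/index.php": "<?php // constructed admin page\n",
        "images/logo.png": "not really a PNG\n",
        "config.php": "<?php $database_password = 'changeme';\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        clean_root, backup_root = Path(tmp, "clean"), Path(tmp, "backup")
        _write_tree(clean_root, release)
        _write_tree(backup_root, release)
        # Legitimate difference: the live config carries its own credentials.
        (backup_root / "config.php").write_text("<?php $database_password = 'site-specific';\n")
        # Constructed tampering: a link appended to a core file, plus a file absent from the release.
        (backup_root / "admin/index.php").write_text(
            release["admin/index.php"] + '<a href="http://example.invalid/">constructed injected link</a>\n')
        (backup_root / "images/extra.php").write_text("<?php // constructed: not in the release\n")
        return compare(build_manifest(clean_root), build_manifest(backup_root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Build the clean manifest from the release archive, never from the live server, and keep it somewhere the web server cannot write. A backup that compares clean against the manifest still says nothing about the database contents, which is the part of the reply above that this check does not cover.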