Hardening, Securing Modx?

Does anyone have any experience or know of any tutes regarding hardening modx?

I’ve read the wiki, which recommends changing everything down from 777 to more appropriate settings.

The problem is, once you do that many files are no longer writable from within the modx admin panel.

EG: If I want to be able to access and write any files under the file manager (templates and CSS for example) then anything other than 777 won’t work.

And of course 777 is the most vulnerable setting you can set.

I’m posing this question as more of a discussion generator, although we should all be concerned with our security.

Thoughts? Experiences? Recommendations etc?

Depends on your server setup. I’ve installed a fair few on suPHP and PHPSuexec with no problems. You could also IP deny the manager folder for bit of extra security.

I agree with Knight.

I wouldnt use modx on a site unless it’s running suPHP (preferred) or PHPSuexec. It makes things easier, more secure, and keeps files from needing to be 777

Everyday there’s something new to learn.

Thanks guys.

How do I find out if my server has suPHP and PHPSuexec ?

Check your phpinfo, if Server API is CGI then suPHP is enabled.

There’s phpsecinfo which is also quite handy.


http://www.phpasks.com/suphp/index.html

http://www.phpasks.com/suphp/phpsuexec.pdf

Just realize that suPHP and similar extensions will likely cost you 5-10x in terms of script performance vs. mod_php. If performance is of concern to you, consider FastCGI (mod_fcgid) in conjunction with suPHP.

I have a constantly updated dedicated box not running PHPsuExec / suPHP and I never have been hacked (I run 12 modx installs on it). When I asked my server admin he told me just what Jason tells you about performance... Didn’t know about mod_fcgid though... might enquire about this and see if I get this installed on my new box (will upgrade soon from Core2Duo 2,66 2Gb/250Gb setup to Xeon Quad 2.83 4Gb/750gb setup)

My understanding is suExec makes things easier when you set permissions but you can have a secure server not running it (at least, it seems so from my experience). I am still debating wether or not going for it, not for security but easier permissions set up...

For tighest security mod_security, but then you can pull your hair out since it brings a lot of issues no matter what script you use...

but you can have a secure server...

, yes, harden your server first, then according to what it is going to be doing , e.g webserver, harden it further, then harden any specific app you are using in the best way possible. As for PHPsuExec / suPHP personally I don’t use these as I have full control of my physical server(s) I’ve found I don’t need them but this must be judged on a case by case basis. I do use mod_security and once I’d set it up so I can use the manager with it(saving chunks etc.) its been OK so far.

If your in the Red Hat world this is a good read http://www.nsa.gov/ia/_files/os/redhat/rhel5-guide-i731.pdf. This seems to be one way governments/large corporates are going, in particular, tweaking/writing SElinux policies is moving away from military/paranoid/niche markets more into mainstream all the time.

Hey shamblett, can you share your mod_security rulesets for 096x?

can you share your mod_security rulesets for 096x?

, yes no probs, I’ll post this as soon, I’ve got a bit of downtime from now for about 36 hrs as I’m physically moving my server but I will get back to you.