Security for admin

Random stuff about serendipity. Discussion, Questions, Paraphernalia.
randulo
Regular
Posts: 141
Joined: Thu Jul 21, 2005 10:28 am

Security for admin

Post by randulo »

I asked this long ago and now I can't find the question or the answer, so forgive me, I'll ask again.

Is it trivial to change the name of the admin file? Almost all blog software is under random attack, and I'm guessing it won't be long before people begin hitting randomly at the well-known file serendipity_admin.php.

Or, can a directory name be safely changed?

I never install phpMyAdmin under that name under the root, although it can be protected with an .htaccess file. I don't think serendipity_admin can?
garvinhicking
Core Developer
Posts: 30022
Joined: Tue Sep 16, 2003 9:45 pm
Location: Cologne, Germany

Re: Security for admin

Post by garvinhicking »

Hi!

No, you cannot change serendipity_admin.php without changing many, many scripts.

Renaming files is security by obscurity; this concept has never really worked and I discourage putting any trust in this being of help. The only way to deal with security issues is to report them and read at least the "Security" section of blog.s9y.org. :)

Best regards,
Garvin
# Garvin Hicking (s9y Developer)
# Did I help you? Consider making me happy: http://wishes.garv.in/
# or use my PayPal account "paypal {at} supergarv (dot) de"
# My "other" hobby: http://flickr.garv.in/
randulo
Regular
Posts: 141
Joined: Thu Jul 21, 2005 10:28 am

Re: Security for admin

Post by randulo »

Hi Garvin,
garvinhicking wrote: Renaming files is security by obscurity; this concept has never really worked and I discourage putting any trust in this being of help.
I agree, it's not a solution in itself, but it would make it easier to buy a little time, because as soon as someone *does* find an exploit, they'll know right where to look for the admin. Bad hits on the serendipity_admin.php file could be dealt with in a different way. If someone has already broken into a server, it doesn't matter what you do though, they just need to use find and ls to find the real names.

Anyway, thanks for answering the question.
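Added example, not code from this thread or from the s9y project: randulo's point that "bad hits" on serendipity_admin.php could be dealt with in a different way, taken literally as a small detector over Apache combined-format access logs. It flags clients that walk through several well-known admin paths, or that keep collecting 4xx responses on them, which is what random scanning looks like regardless of what the file is called. The log lines, IP addresses (documentation ranges), path list and thresholds are all constructed assumptions for the illustration.

```python
"""Spot clients probing for well-known admin entry points in Apache access logs.

Added example for the s9y thread above; not part of Serendipity. Log lines and
thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" format: client identd user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Paths scanners try by name (assumed list). Compared case-insensitively, query string ignored.
ADMIN_PATHS = (
    "/serendipity_admin.php",
    "/phpmyadmin/", "/pma/", "/admin/", "/administrator/", "/wp-login.php",
)

# Constructed sample: one legitimate admin session, then a scanner walking the usual names.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jun/2006:08:12:01 +0200] "GET /serendipity_admin.php HTTP/1.1" 200 5120 "http://blog.example.org/" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2006:08:12:09 +0200] "POST /serendipity_admin.php HTTP/1.1" 200 4870 "http://blog.example.org/serendipity_admin.php" "Mozilla/5.0"',
    '198.51.100.77 - - [10/Jun/2006:08:30:00 +0200] "GET /phpmyadmin/ HTTP/1.0" 404 231 "-" "Mozilla/4.0"',
    '198.51.100.77 - - [10/Jun/2006:08:30:01 +0200] "GET /PMA/ HTTP/1.0" 404 231 "-" "Mozilla/4.0"',
    '198.51.100.77 - - [10/Jun/2006:08:30:01 +0200] "GET /admin/ HTTP/1.0" 404 231 "-" "Mozilla/4.0"',
    '198.51.100.77 - - [10/Jun/2006:08:30:02 +0200] "GET /serendipity_admin.php HTTP/1.0" 401 412 "-" "Mozilla/4.0"',
    '198.51.100.77 - - [10/Jun/2006:08:30:02 +0200] "GET /index.php HTTP/1.0" 200 8000 "-" "Mozilla/4.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["path"] = rec["path"].split("?", 1)[0].lower()
    return rec


def is_admin_path(path):
    """True if the (normalised) path is, or sits under, one of the well-known admin entry points."""
    return any(path == p or path.startswith(p) for p in ADMIN_PATHS)


def probe_report(lines, distinct_threshold=3, error_threshold=3):
    """Return {ip: summary} for clients whose admin-path activity looks like probing.

    A client is flagged when it requested at least distinct_threshold different
    admin paths, or collected at least error_threshold 4xx responses on them.
    Thresholds are assumptions; tune them to the site's real traffic.
    """
    per_ip = defaultdict(lambda: {"paths": set(), "errors": 0, "hits": 0, "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_admin_path(rec["path"]):
            continue
        s = per_ip[rec["ip"]]
        s["hits"] += 1
        s["paths"].add(rec["path"])
        if 400 <= rec["status"] < 500:
            s["errors"] += 1
        s["first"] = rec["time"] if s["first"] is None else min(s["first"], rec["time"])
        s["last"] = rec["time"] if s["last"] is None else max(s["last"], rec["time"])

    flagged = {}
    for ip, s in per_ip.items():
        if len(s["paths"]) >= distinct_threshold or s["errors"] >= error_threshold:
            flagged[ip] = {
                "hits": s["hits"],
                "distinct_paths": sorted(s["paths"]),
                "errors": s["errors"],
                "span_seconds": int((s["last"] - s["first"]).total_seconds()),
            }
    return flagged


if __name__ == "__main__":
    for ip, summary in probe_report(SAMPLE_LOG).items():
        print(ip, summary)
```

On the sample the legitimate admin (one path, all 200s) is left alone and the scanner is reported with four distinct paths and four 4xx responses inside two seconds. Two caveats worth keeping in mind: the distinct-path count is the stronger signal, because if serendipity_admin.php is placed behind HTTP Basic auth (Apache allows a `<Files "serendipity_admin.php">` container with `AuthType Basic` and `Require valid-user` in .htaccess, provided the server's `AllowOverride` permits AuthConfig) then every real first visit also produces a 401; and a report like this only tells you who is knocking, it does nothing for an actual flaw in the application, which is Garvin's point.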
twobee
Regular
Posts: 19
Joined: Thu May 18, 2006 8:02 pm
Location: Berlin

Post by twobee »

Server security and application security are different stories.

Renaming a file is not a good way to 'buy time'; in security you will never get any 'special offers'.
If your server gets exploited, you have lost in any case.
If s9y gets 'exploited' some day, the renaming of _one_ file maybe wouldn't bring you
'more' security, because there are maybe some other files involved.

It's just a suggestion and not meant as an offense: Please stay calm and don't panic.

It's usually better that all users of s9y, as long as their PHP skills are good enough, continue with security auditing of the software. That would save us time; it's not cheap, but it's the better way.
-=( Experienced Apache 2.0.x Administrator )=-