Pool Security

Joey edited this page Jan 28, 2014 · 7 revisions

Security is an Onion

There is more to pool security than a one-page bullet-point list, and there is no magical program to keep you from getting hacked; this is just a primer.

Pre-Installation

  • Get onto your production box and set up SSH keys (log in with keys, not passwords)
  • Update the system and install all the dependencies: web server, PHP, MySQL, mail, etc.
  • Make sure Apache/PHP/MySQL/$mailserver are playing nicely together
  • Run phpsecinfo
  • Make sure display_errors is Off in your php.ini (error output leaks file paths, queries and configuration details to visitors)
  • Make sure your session.save_path is NOT web accessible in your php.ini (session files hold logged-in users' state; if they sit under the document root they can simply be downloaded)
  • And if you're not running it yet and are only reading along, run phpsecinfo
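The two php.ini checks above are easy to get wrong by hand (PHP takes the last uncommented assignment, and session.save_path may carry an "N;" depth prefix). The script below is an added example, not part of the MPOS project: it parses a php.ini the way PHP does and fails if display_errors is on or unset, or if session.save_path is unset or lies under the document root. The sample ini files and the /var/www/html document root are constructed for illustration.

```shell
#!/bin/sh
# Added example (not MPOS code): audit a php.ini for the two settings above.

# php_ini_value FILE DIRECTIVE
# Prints the effective value of DIRECTIVE in FILE: comment lines and
# [sections] are skipped, ';' starts a comment unless the value is quoted,
# and the last assignment wins, as in PHP's own ini parser. Prints an
# empty string when the directive is not set.
php_ini_value() {
    awk -v key="$2" '
        /^[[:space:]]*[;#]/ { next }           # comment line
        /^[[:space:]]*\[/   { next }           # [section] header
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", k)
            sub(/^[[:space:]]+/, "", v)
            if (substr(v, 1, 1) == "\"") {     # quoted: ";" is literal inside
                v = substr(v, 2); sub(/".*$/, "", v)
            } else {                            # bare: ";" begins a comment
                sub(/;.*$/, "", v); sub(/[[:space:]]+$/, "", v)
            }
            if (k == key) val = v               # last assignment wins
        }
        END { print val }' "$1"
}

# audit_php_ini INI DOCROOT
# Returns 0 when display_errors is off and session.save_path is set to a
# directory outside DOCROOT; returns 1 and prints each failed check otherwise.
audit_php_ini() {
    ini=$1; docroot=${2%/}; rc=0

    de=$(php_ini_value "$ini" display_errors)
    case "$(printf '%s' "$de" | tr 'A-Z' 'a-z')" in
        "")            echo "FAIL: display_errors is not set; PHP's compiled-in default is On"; rc=1 ;;
        off|0|false|no) ;;                      # the spellings PHP treats as false
        *)             echo "FAIL: display_errors=$de (must be Off)"; rc=1 ;;
    esac

    sp=$(php_ini_value "$ini" session.save_path)
    sp=${sp##*;}                                # drop an optional "N;" or "N;MODE;" prefix
    case "$sp" in
        "")                        echo "FAIL: session.save_path is not set"; rc=1 ;;
        "$docroot"|"$docroot"/*)   echo "FAIL: session.save_path=$sp is under the document root $docroot"; rc=1 ;;
    esac
    return $rc
}

# write_sample_inis DIR
# Writes two constructed php.ini fragments into DIR: one with both settings
# wrong, one with php.ini-production style values.
write_sample_inis() {
    cat > "$1/bad.ini" <<'EOF'
; constructed sample: both settings wrong
display_errors = On
session.save_path = "/var/www/html/tmp"
EOF
    cat > "$1/good.ini" <<'EOF'
; constructed sample: production-style values
display_errors = Off   ; never show errors to visitors
session.save_path = "1;/var/lib/php/sessions"
EOF
}

# Stand-alone demo: audit both constructed samples against a hypothetical docroot.
demo_dir=$(mktemp -d)
write_sample_inis "$demo_dir"
for f in bad good; do
    printf '%s: ' "$f.ini"
    audit_php_ini "$demo_dir/$f.ini" /var/www/html && echo "PASS"
done
rm -rf "$demo_dir"
```

Run it against the real file with `audit_php_ini /etc/php/*/apache2/php.ini /var/www/html`; remember that Apache's PHP may read a different php.ini than the CLI, so check the path phpinfo() reports as "Loaded Configuration File".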

Apache / MySQL / PHP

  • Make sure your .htaccess works for MPOS and for anything else running within its subdirectory or equivalent (Apache ignores .htaccess unless AllowOverride permits it, so test that a protected path actually returns 403 instead of its contents)
  • If you have an SSL cert, make sure you have installed it correctly (full chain, the matching private key, no mixed content)
  • Enable [cookies][secure] in the global config and [strict__https_only] in the security config
  • Your MySQL user should not be root; set up a new user with only the permissions you choose, limited to the pool's own database

MPOS

  • Turning on [twofactor] will protect your users from themselves (a stolen password alone no longer gets an attacker into an account)
  • Get an SSL cert and take the extra 10 minutes; it's worth it
  • Make sure your [cookie] settings are correct
  • Memcache should be enabled unless you absolutely cannot use it (I don't believe you)
  • Strict mode will stop a few types of attacks, so use it
  • If you're paranoid, use strict__verify_server and set the strict__bind_ settings to your server's own info

Finishing Up

  • Remove unnecessary software; your production box doesn't need phpMyAdmin
  • Download and run phpsecinfo one more time