Sikkerhedskonfiguration

XOOPS Sikkerhedskonfiguration

Omfattende guide til at sikre din XOOPS-installation mod almindelige web-sårbarheder.

Sikkerhedstjekliste

Inden du starter dit websted, skal du implementere disse sikkerhedsforanstaltninger:

• Filtilladelser indstillet korrekt (644/755)
• Installer mappe fjernet eller beskyttet
• mainfile.php beskyttet mod ændringer
• SSL/HTTPS aktiveret på alle sider
• Admin mappe omdøbt eller beskyttet
• Følsomme filer er ikke tilgængelige på nettet
• .htaccess begrænsninger på plads
• Regelmæssige sikkerhedskopier automatiseret
• Sikkerhedsoverskrifter konfigureret
• CSRF-beskyttelse aktiveret
• SQL injektionsbeskyttelse aktiv
• Moduler/udvidelser opdateret

Filsystemsikkerhed

Filtilladelser

Korrekte filtilladelser er afgørende for sikkerheden.

Retningslinjer for tilladelser

Sti	Tilladelser	Ejer	Årsag
hovedfil.php	644	rod	Indeholder DB-legitimationsoplysninger
*.php filer	644	rod	Undgå uautoriseret ændring
Vejviser	755	rod	Tillad læsning, undgå skrivning
cache/	777	www-data	Webserver skal skrive
skabeloner_c/	777	www-data	Kompilerede skabeloner
uploads/	777	www-data	Bruger uploads
var/	777	www-data	Variable data
installer/	Fjern	-	Slet efter installation
configs/	755	rod	Læsbar, ikke skrivbar

Indstilling af tilladelser Script

/usr/local/bin/xoops-secure.sh

#!/bin/bash
XOOPS_PATH="/var/www/html/xoops"
WEB_USER="www-data"

# Set ownership
echo "Setting ownership..."
chown -R $WEB_USER:$WEB_USER $XOOPS_PATH

# Set restrictive default permissions
echo "Setting base permissions..."
find $XOOPS_PATH -type d -exec chmod 755 {} \;
find $XOOPS_PATH -type f -exec chmod 644 {} \;

# Make specific directories writable
echo "Setting writable directories..."
chmod 777 $XOOPS_PATH/cache
chmod 777 $XOOPS_PATH/templates_c
chmod 777 $XOOPS_PATH/uploads
chmod 777 $XOOPS_PATH/var

# Protect sensitive files
echo "Protecting sensitive files..."
chmod 644 $XOOPS_PATH/mainfile.php
chmod 444 $XOOPS_PATH/mainfile.php.dist  # If it exists (read-only)

# Verify permissions
echo "Verifying permissions..."
ls -la $XOOPS_PATH | grep -E "mainfile|cache|uploads|var|templates_c"

echo "Security hardening completed!"

Kør scriptet:

chmod +x /usr/local/bin/xoops-secure.sh
/usr/local/bin/xoops-secure.sh

Fjern installationsmappe

CRITICAL: Installationsmappen skal fjernes efter installationen!

# Option 1: Delete completely
rm -rf /var/www/html/xoops/install/

# Option 2: Rename and keep for reference
mv /var/www/html/xoops/install/ /var/www/html/xoops/install.bak/

# Verify removal
ls -la /var/www/html/xoops/ | grep install

Beskyt følsomme mapper

Opret .htaccess-filer for at blokere webadgang til følsomme mapper:

Fil: /var/www/html/xoops/var/.htaccess

<FilesMatch "\.(php|phtml|php3|php4|php5|php6|php7|phps|pht|phar)$">
    Deny from all
</FilesMatch>

<IfModule mod_autoindex.c>
    Options -Indexes
</IfModule>

Fil: /var/www/html/xoops/templates_c/.htaccess

<FilesMatch "\.(php|phtml|php3|php4|php5|php6|php7|phps|pht|phar)$">
    Deny from all
</FilesMatch>

Options -Indexes

Fil: /var/www/html/xoops/cache/.htaccess

Options -Indexes
<FilesMatch "\.(php|phtml|php3|php4|php5|php6|php7)$">
    Deny from all
</FilesMatch>

Beskyt uploadkatalog

Forhindre udførelse af scripts i uploads:

Fil: /var/www/html/xoops/uploads/.htaccess

# Prevent script execution
<FilesMatch "\.(php|phtml|php3|php4|php5|php6|php7|phps|pht|phar|pl|py|jsp|asp|aspx|cgi|sh|bat|exe)$">
    Deny from all
</FilesMatch>

# Prevent directory listing
Options -Indexes

# Additional protection
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /xoops/uploads/

    # Block suspicious files
    RewriteCond %{REQUEST_URI} \.(php|phtml|php3|php4|php5|php6|php7)$ [NC]
    RewriteRule ^.*$ - [F,L]
</IfModule>

SSL/HTTPS Konfiguration

Krypter al trafik mellem brugere og din server.

Få SSL-certifikat

Mulighed 1: Gratis certifikat fra Let’s Encrypt

# Install Certbot
apt-get install certbot python3-certbot-apache

# Obtain certificate (auto-configures Apache)
certbot certonly --apache -d your-domain.com -d www.your-domain.com

# Verify certificate installed
ls /etc/letsencrypt/live/your-domain.com/

Mulighed 2: Kommercielt SSL-certifikat

Kontakt SSL udbyder eller registrator:

1. Køb SSL-certifikat
2. Bekræft domæneejerskab
3. Installer certifikatfiler på serveren
4. Konfigurer webserveren

Apache SSL Konfiguration

Opret HTTPS virtuel vært:

Fil: /etc/apache2/sites-available/xoops-ssl.conf

<VirtualHost *:443>
    ServerName your-domain.com
    ServerAlias www.your-domain.com
    DocumentRoot /var/www/html/xoops

    # SSL Configuration
    SSLEngine on
    SSLProtocol TLSv1.2 TLSv1.3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLCertificateFile /etc/letsencrypt/live/your-domain.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/your-domain.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/your-domain.com/chain.pem

    # Security Headers
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "no-referrer-when-downgrade"
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"

    <Directory /var/www/html/xoops>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>

    # Restrict install folder
    <Directory /var/www/html/xoops/install>
        Deny from all
    </Directory>

    # Logging
    ErrorLog ${APACHE_LOG_DIR}/xoops_ssl_error.log
    CustomLog ${APACHE_LOG_DIR}/xoops_ssl_access.log combined
</VirtualHost>

# Redirect HTTP to HTTPS
<VirtualHost *:80>
    ServerName your-domain.com
    ServerAlias www.your-domain.com
    Redirect 301 / https://your-domain.com/
</VirtualHost>

Aktiver konfigurationen:

# Enable SSL module
a2enmod ssl

# Enable site
a2ensite xoops-ssl

# Disable non-SSL site if exists
a2dissite 000-default

# Test configuration
apache2ctl configtest
# Should output: Syntax OK

# Restart Apache
systemctl restart apache2

Nginx SSL Konfiguration

Fil: /etc/nginx/sites-available/xoops

# HTTP to HTTPS redirect
server {
    listen 80;
    listen [::]:80;
    server_name your-domain.com www.your-domain.com;

    location / {
        return 301 https://$server_name$request_uri;
    }
}

# HTTPS server
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name your-domain.com www.your-domain.com;
    root /var/www/html/xoops;
    index index.php index.html;

    # SSL Certificate Configuration
    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;

    # Modern SSL Configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    # HSTS Header
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

    # Security Headers
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'" always;

    # Restrict install folder
    location ~ ^/(install|upgrade)/ {
        deny all;
    }

    # Deny access to sensitive files
    location ~ /\. {
        deny all;
    }

    # PHP-FPM backend
    location ~ \.php$ {
        fastcgi_pass unix:/run/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # Static files caching
    location ~* \.(js|css|png|jpg|gif|ico|svg)$ {
        expires 30d;
        add_header Cache-Control "public, immutable";
    }

    # URL rewriting
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    # Logging
    access_log /var/log/nginx/xoops_access.log;
    error_log /var/log/nginx/xoops_error.log;
}

Aktiver konfigurationen:

ln -s /etc/nginx/sites-available/xoops /etc/nginx/sites-enabled/
nginx -t
systemctl restart nginx

Bekræft HTTPS-installationen

# Test SSL configuration
openssl s_client -connect your-domain.com:443 -tls1_2

# Check certificate validity
openssl x509 -in /etc/letsencrypt/live/your-domain.com/cert.pem -noout -text

# SSL/TLS test online
# https://www.ssllabs.com/ssltest/
# https://www.testssl.sh/

Auto-forny Lad os kryptere certifikat

# Enable auto-renewal
systemctl enable certbot.timer
systemctl start certbot.timer

# Test renewal process
certbot renew --dry-run

# Manual renewal if needed
certbot renew --force-renewal

Webapplikationssikkerhed

Beskyt mod SQL injektion

XOOPS bruger parametriserede forespørgsler (sikker som standard), men altid:

// UNSAFE - Never do this!
$query = "SELECT * FROM users WHERE name = '" . $_GET['name'] . "'";

// SAFE - Use prepared statements
$database = XoopsDatabaseFactory::getDatabaseConnection();
$sql = "SELECT * FROM " . $database->prefix('users') . " WHERE name = ?";
$result = $database->query($sql, array($_GET['name']));

Cross-Site Scripting (XSS) Forebyggelse

Rengør altid brugerinput:

// UNSAFE
echo $_GET['user_input'];

// SAFE - Use XOOPS sanitization functions
echo htmlspecialchars($_GET['user_input'], ENT_QUOTES, 'UTF-8');

// Or use XOOPS functions
$text_sanitizer = new xoops_text_sanitizer();
echo $text_sanitizer->stripSlashesGPC($_GET['user_input']);

Forfalskning af anmodninger på tværs af websteder (CSRF) Forebyggelse

XOOPS inkluderer CSRF token-beskyttelse. Inkluder altid tokens:

<!-- In forms -->
<form method="post">
    {xoops_token form=update}
    <input type="text" name="field">
    <input type="submit">
</form>

Deaktiver PHP-udførelse i uploadmappe

Forhindrer angribere i at uploade og udføre PHP:

# Create .htaccess in uploads folder
cat > /var/www/html/xoops/uploads/.htaccess << 'EOF'
<FilesMatch "\.(php|phtml|php3|php4|php5|php6|php7)$">
    Deny from all
</FilesMatch>
php_flag engine off
EOF

# Alternative: Disable execution globally in uploads
chmod 444 /var/www/html/xoops/uploads/  # Read-only

Sikkerhedsoverskrifter

Konfigurer vigtige HTTP sikkerhedsoverskrifter:

# Strict-Transport-Security (HSTS)
# Forces HTTPS for 1 year
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"

# X-Content-Type-Options
# Prevents MIME type sniffing
Header always set X-Content-Type-Options "nosniff"

# X-Frame-Options
# Prevents clickjacking attacks
Header always set X-Frame-Options "SAMEORIGIN"

# X-XSS-Protection
# Browser XSS protection
Header always set X-XSS-Protection "1; mode=block"

# Referrer-Policy
# Controls referrer information
Header always set Referrer-Policy "strict-origin-when-cross-origin"

# Content-Security-Policy
# Controls resource loading
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'"

Admin Panel Sikkerhed

Omdøb Admin-mappe

Beskyt admin mappe ved at omdøbe den:

# Rename admin folder
mv /var/www/html/xoops/admin /var/www/html/xoops/myadmin123

# Update admin access URL
# Old: http://your-domain.com/xoops/admin/
# New: http://your-domain.com/xoops/myadmin123/

Konfigurer XOOPS til at bruge omdøbt mappe:

Rediger hovedfil.php:

// Change this line
define('XOOPS_ADMIN_PATH', '/var/www/html/xoops/myadmin123');

IP Whitelisting for Admin

Begræns administratoradgang til specifikke IP’er:

Fil: /var/www/html/xoops/myadmin123/.htaccess

# Allow only specific IPs
<RequireAll>
    Require ip 192.168.1.100   # Your office IP
    Require ip 203.0.113.50    # Your home IP
    Deny from all
</RequireAll>

Eller med Apache 2.2:

Order Deny,Allow
Deny from all
Allow from 192.168.1.100 203.0.113.50

Stærke administratoroplysninger

Gennemtving stærke adgangskoder for administratorer:1. Brug mindst 16 tegn 2. Bland store bogstaver, små bogstaver, tal, symboler 3. Skift adgangskode regelmæssigt (hver 90. dag) 4. Brug en adgangskodemanager 5. Aktiver to-faktor-godkendelse, hvis tilgængelig

Overvåg administratoraktivitet

Aktiver login for admin login:

Administrationspanel > System > Præferencer > Brugerindstillinger

Log Admin Logins: Yes
Log Failed Login Attempts: Yes
Alert Email on Admin Login: Yes

Gennemgå logfiler regelmæssigt:

# Check database for login attempts
mysql -u xoops_user -p xoops_db << EOF
SELECT uid, uname, DATE_FROM_UNIXTIME(user_lastlogin) as last_login
FROM xoops_users WHERE uid = 1;
EOF

Regelmæssig vedligeholdelse

Opdater XOOPS og moduler

Hold XOOPS og alle moduler opdateret:

# Check for updates in admin panel
# Admin > Modules > Check for Updates

# Or via command line
cd /var/www/html/xoops
# Download and install latest version
# Follow upgrade guide

Automatiseret sikkerhedsscanning

#!/bin/bash
# Security audit script

# Check file permissions
echo "Checking file permissions..."
find /var/www/html/xoops -type f ! -perm 644 ! -name "*.htaccess" | head -10

# Check for suspicious files
echo "Checking for suspicious files..."
find /var/www/html/xoops -type f -name "*.php" -newer /var/www/html/xoops/install/ 2>/dev/null

# Check database for suspicious activity
echo "Checking for failed login attempts..."
mysql -u xoops_user -p xoops_db << EOF
SELECT count(*) as attempts FROM xoops_audittrail WHERE action LIKE '%login%' AND status = 0;
EOF

Regelmæssige sikkerhedskopier

Automatiser daglige backups:

#!/bin/bash
# Daily backup script

BACKUP_DIR="/backups/xoops"
RETENTION=30  # Keep 30 days

# Backup database
mysqldump -u xoops_user -p xoops_db | gzip > $BACKUP_DIR/db_$(date +%Y%m%d).sql.gz

# Backup files
tar -czf $BACKUP_DIR/files_$(date +%Y%m%d).tar.gz /var/www/html/xoops --exclude=cache --exclude=templates_c

# Remove old backups
find $BACKUP_DIR -type f -mtime +$RETENTION -delete

echo "Backup completed at $(date)"

Tidsplan med cron:

# Edit crontab
crontab -e

# Add line (runs daily at 2 AM)
0 2 * * * /usr/local/bin/xoops-backup.sh >> /var/log/xoops_backup.log 2>&1

Skabelon for sikkerhedstjekliste

Brug denne skabelon til regelmæssige sikkerhedsrevisioner:

Weekly Security Checklist
========================

Date: ___________
Checked by: ___________

File System:
[ ] Permissions correct (644/755)
[ ] Install folder removed
[ ] No suspicious files
[ ] mainfile.php protected

Web Security:
[ ] HTTPS/SSL working
[ ] Security headers present
[ ] Admin panel restricted
[ ] File upload restrictions active
[ ] Login attempts logged

Application:
[ ] XOOPS version current
[ ] All modules updated
[ ] No error messages in logs
[ ] Database optimized
[ ] Cache cleared

Backups:
[ ] Database backed up
[ ] Files backed up
[ ] Backup tested
[ ] Offsite copy verified

Issues Found:
1. ___________
2. ___________
3. ___________

Actions Taken:
1. ___________
2. ___________

Sikkerhedsressourcer

• Serverkrav
• Grundlæggende konfiguration
• Ydelsesoptimering
• OWASP Top 10: https://owasp.org/www-project-top-ten/

---

Tags: #sikkerhed #ssl #https #hærdning #best-practices

Relaterede artikler:

• ../Installation/Installation
• ../../06-Publisher-Module/User-Guide/Basic-Configuration
• System-indstillinger
• ../Installation/Upgrading-XOOPS