Pular para o conteúdo
XOOPS 2.7 Docs

Configuração de Segurança

Configuração de Segurança do XOOPS

Seção intitulada “Configuração de Segurança do XOOPS”

Guia abrangente para proteger sua instalação do XOOPS contra vulnerabilidades web comuns.

Checklist de Segurança

Seção intitulada “Checklist de Segurança”

Antes de lançar seu site, implemente estas medidas de segurança:

  • Permissões de arquivo definidas corretamente (644/755)
  • Pasta de instalação removida ou protegida
  • mainfile.php protegido contra modificação
  • SSL/HTTPS habilitado em todas as páginas
  • Pasta de administração renomeada ou protegida
  • Arquivos sensíveis não acessíveis na web
  • Restrições de .htaccess em vigor
  • Backups regulares automatizados
  • Headers de segurança configurados
  • Proteção CSRF habilitada
  • Proteções contra injeção SQL ativas
  • Módulos/extensões atualizados

File System Security

Seção intitulada “File System Security”

File Permissions

Seção intitulada “File Permissions”

Proper file permissions are critical for security.

Permission Guidelines

Seção intitulada “Permission Guidelines”
PathPermissionsOwnerReason
mainfile.php644rootContains DB credentials
*.php files644rootPrevent unauthorized modification
Directories755rootAllow reading, prevent writing
cache/777www-dataWeb server must write
templates_c/777www-dataCompiled templates
uploads/777www-dataUser uploads
var/777www-dataVariable data
install/Remove-Delete after installation
configs/755rootReadable, not writable

Setting Permissions Script

Seção intitulada “Setting Permissions Script”
/usr/local/bin/xoops-secure.sh
#!/bin/bash
XOOPS_PATH="/var/www/html/xoops"
WEB_USER="www-data"


# Set ownership
echo "Setting ownership..."
chown -R $WEB_USER:$WEB_USER $XOOPS_PATH


# Set restrictive default permissions
echo "Setting base permissions..."
find $XOOPS_PATH -type d -exec chmod 755 {} \;
find $XOOPS_PATH -type f -exec chmod 644 {} \;


# Make specific directories writable
echo "Setting writable directories..."
chmod 777 $XOOPS_PATH/cache
chmod 777 $XOOPS_PATH/templates_c
chmod 777 $XOOPS_PATH/uploads
chmod 777 $XOOPS_PATH/var


# Protect sensitive files
echo "Protecting sensitive files..."
chmod 644 $XOOPS_PATH/mainfile.php
chmod 444 $XOOPS_PATH/mainfile.php.dist  # If it exists (read-only)


# Verify permissions
echo "Verifying permissions..."
ls -la $XOOPS_PATH | grep -E "mainfile|cache|uploads|var|templates_c"


echo "Security hardening completed!"

Run the script:

Terminal window
chmod +x /usr/local/bin/xoops-secure.sh
/usr/local/bin/xoops-secure.sh

Remove Installation Folder

Seção intitulada “Remove Installation Folder”

CRITICAL: The install folder must be removed after installation!

Terminal window
# Option 1: Delete completely
rm -rf /var/www/html/xoops/install/


# Option 2: Rename and keep for reference
mv /var/www/html/xoops/install/ /var/www/html/xoops/install.bak/


# Verify removal
ls -la /var/www/html/xoops/ | grep install

Protect Sensitive Directories

Seção intitulada “Protect Sensitive Directories”

Create .htaccess files to block web access to sensitive folders:

File: /var/www/html/xoops/var/.htaccess

<FilesMatch "\.(php|phtml|php3|php4|php5|php6|php7|phps|pht|phar)$">
    Deny from all
</FilesMatch>


<IfModule mod_autoindex.c>
    Options -Indexes
</IfModule>

File: /var/www/html/xoops/templates_c/.htaccess

<FilesMatch "\.(php|phtml|php3|php4|php5|php6|php7|phps|pht|phar)$">
    Deny from all
</FilesMatch>


Options -Indexes

File: /var/www/html/xoops/cache/.htaccess

Options -Indexes
<FilesMatch "\.(php|phtml|php3|php4|php5|php6|php7)$">
    Deny from all
</FilesMatch>

Protect Upload Directory

Seção intitulada “Protect Upload Directory”

Prevent execution of scripts in uploads:

File: /var/www/html/xoops/uploads/.htaccess

# Prevent script execution
<FilesMatch "\.(php|phtml|php3|php4|php5|php6|php7|phps|pht|phar|pl|py|jsp|asp|aspx|cgi|sh|bat|exe)$">
    Deny from all
</FilesMatch>


# Prevent directory listing
Options -Indexes


# Additional protection
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /xoops/uploads/


    # Block suspicious files
    RewriteCond %{REQUEST_URI} \.(php|phtml|php3|php4|php5|php6|php7)$ [NC]
    RewriteRule ^.*$ - [F,L]
</IfModule>

SSL/HTTPS Configuration

Seção intitulada “SSL/HTTPS Configuration”

Encrypt all traffic between users and your server.

Obtain SSL Certificate

Seção intitulada “Obtain SSL Certificate”

Option 1: Free Certificate from Let’s Encrypt

Terminal window
# Install Certbot
apt-get install certbot python3-certbot-apache


# Obtain certificate (auto-configures Apache)
certbot certonly --apache -d your-domain.com -d www.your-domain.com


# Verify certificate installed
ls /etc/letsencrypt/live/your-domain.com/

Option 2: Commercial SSL Certificate

Contact SSL provider or registrar:

  1. Purchase SSL certificate
  2. Verify domain ownership
  3. Install certificate files on server
  4. Configure web server

Apache SSL Configuration

Seção intitulada “Apache SSL Configuration”

Create HTTPS virtual host:

File: /etc/apache2/sites-available/xoops-ssl.conf

<VirtualHost *:443>
    ServerName your-domain.com
    ServerAlias www.your-domain.com
    DocumentRoot /var/www/html/xoops


    # SSL Configuration
    SSLEngine on
    SSLProtocol TLSv1.2 TLSv1.3
    SSLCipherSuite HIGH:!aNULL:!MD5
    SSLCertificateFile /etc/letsencrypt/live/your-domain.com/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/your-domain.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/your-domain.com/chain.pem


    # Security Headers
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set Referrer-Policy "no-referrer-when-downgrade"
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"


    <Directory /var/www/html/xoops>
        Options -Indexes +FollowSymLinks
        AllowOverride All
        Require all granted
    </Directory>


    # Restrict install folder
    <Directory /var/www/html/xoops/install>
        Deny from all
    </Directory>


    # Logging
    ErrorLog ${APACHE_LOG_DIR}/xoops_ssl_error.log
    CustomLog ${APACHE_LOG_DIR}/xoops_ssl_access.log combined
</VirtualHost>


# Redirect HTTP to HTTPS
<VirtualHost *:80>
    ServerName your-domain.com
    ServerAlias www.your-domain.com
    Redirect 301 / https://your-domain.com/
</VirtualHost>

Enable the configuration:

Terminal window
# Enable SSL module
a2enmod ssl


# Enable site
a2ensite xoops-ssl


# Disable non-SSL site if exists
a2dissite 000-default


# Test configuration
apache2ctl configtest
# Should output: Syntax OK


# Restart Apache
systemctl restart apache2

Nginx SSL Configuration

Seção intitulada “Nginx SSL Configuration”

File: /etc/nginx/sites-available/xoops

# HTTP to HTTPS redirect
server {
    listen 80;
    listen [::]:80;
    server_name your-domain.com www.your-domain.com;


    location / {
        return 301 https://$server_name$request_uri;
    }
}


# HTTPS server
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;


    server_name your-domain.com www.your-domain.com;
    root /var/www/html/xoops;
    index index.php index.html;


    # SSL Certificate Configuration
    ssl_certificate /etc/letsencrypt/live/your-domain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/your-domain.com/privkey.pem;


    # Modern SSL Configuration
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;


    # HSTS Header
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;


    # Security Headers
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-XSS-Protection "1; mode=block" always;
    add_header Referrer-Policy "no-referrer-when-downgrade" always;
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'" always;


    # Restrict install folder
    location ~ ^/(install|upgrade)/ {
        deny all;
    }


    # Deny access to sensitive files
    location ~ /\. {
        deny all;
    }


    # PHP-FPM backend
    location ~ \.php$ {
        fastcgi_pass unix:/run/php-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }


    # Static files caching
    location ~* \.(js|css|png|jpg|gif|ico|svg)$ {
        expires 30d;
        add_header Cache-Control "public, immutable";
    }


    # URL rewriting
    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }


    # Logging
    access_log /var/log/nginx/xoops_access.log;
    error_log /var/log/nginx/xoops_error.log;
}

Enable the configuration:

Terminal window
ln -s /etc/nginx/sites-available/xoops /etc/nginx/sites-enabled/
nginx -t
systemctl restart nginx

Verify HTTPS Installation

Seção intitulada “Verify HTTPS Installation”
Terminal window
# Test SSL configuration
openssl s_client -connect your-domain.com:443 -tls1_2


# Check certificate validity
openssl x509 -in /etc/letsencrypt/live/your-domain.com/cert.pem -noout -text


# SSL/TLS test online
# https://www.ssllabs.com/ssltest/
# https://www.testssl.sh/

Auto-Renew Let’s Encrypt Certificate

Seção intitulada “Auto-Renew Let’s Encrypt Certificate”
Terminal window
# Enable auto-renewal
systemctl enable certbot.timer
systemctl start certbot.timer


# Test renewal process
certbot renew --dry-run


# Manual renewal if needed
certbot renew --force-renewal

Web Application Security

Seção intitulada “Web Application Security”

Protect Against SQL Injection

Seção intitulada “Protect Against SQL Injection”

XOOPS uses parameterized queries (safe by default), but always:

// UNSAFE - Never do this!
$query = "SELECT * FROM users WHERE name = '" . $_GET['name'] . "'";


// SAFE - Use prepared statements
$database = XoopsDatabaseFactory::getDatabaseConnection();
$sql = "SELECT * FROM " . $database->prefix('users') . " WHERE name = ?";
$result = $database->query($sql, array($_GET['name']));

Cross-Site Scripting (XSS) Prevention

Seção intitulada “Cross-Site Scripting (XSS) Prevention”

Always sanitize user input:

// UNSAFE
echo $_GET['user_input'];


// SAFE - Use XOOPS sanitization functions
echo htmlspecialchars($_GET['user_input'], ENT_QUOTES, 'UTF-8');


// Or use XOOPS functions
$text_sanitizer = new xoops_text_sanitizer();
echo $text_sanitizer->stripSlashesGPC($_GET['user_input']);

Cross-Site Request Forgery (CSRF) Prevention

Seção intitulada “Cross-Site Request Forgery (CSRF) Prevention”

XOOPS includes CSRF token protection. Always include tokens:

<!-- In forms -->
<form method="post">
    {xoops_token form=update}
    <input type="text" name="field">
    <input type="submit">
</form>

Disable PHP Execution in Upload Folder

Seção intitulada “Disable PHP Execution in Upload Folder”

Prevent attackers from uploading and executing PHP:

Terminal window
# Create .htaccess in uploads folder
cat > /var/www/html/xoops/uploads/.htaccess << 'EOF'
<FilesMatch "\.(php|phtml|php3|php4|php5|php6|php7)$">
    Deny from all
</FilesMatch>
php_flag engine off
EOF


# Alternative: Disable execution globally in uploads
chmod 444 /var/www/html/xoops/uploads/  # Read-only

Security Headers

Seção intitulada “Security Headers”

Configure important HTTP security headers:

# Strict-Transport-Security (HSTS)
# Forces HTTPS for 1 year
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"


# X-Content-Type-Options
# Prevents MIME type sniffing
Header always set X-Content-Type-Options "nosniff"


# X-Frame-Options
# Prevents clickjacking attacks
Header always set X-Frame-Options "SAMEORIGIN"


# X-XSS-Protection
# Browser XSS protection
Header always set X-XSS-Protection "1; mode=block"


# Referrer-Policy
# Controls referrer information
Header always set Referrer-Policy "strict-origin-when-cross-origin"


# Content-Security-Policy
# Controls resource loading
Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'"

Admin Panel Security

Seção intitulada “Admin Panel Security”

Rename Admin Folder

Seção intitulada “Rename Admin Folder”

Protect admin folder by renaming it:

Terminal window
# Rename admin folder
mv /var/www/html/xoops/admin /var/www/html/xoops/myadmin123


# Update admin access URL
# Old: http://your-domain.com/xoops/admin/
# New: http://your-domain.com/xoops/myadmin123/

Configure XOOPS to use renamed folder:

Edit mainfile.php:

// Change this line
define('XOOPS_ADMIN_PATH', '/var/www/html/xoops/myadmin123');

IP Whitelisting for Admin

Seção intitulada “IP Whitelisting for Admin”

Restrict admin access to specific IPs:

File: /var/www/html/xoops/myadmin123/.htaccess

# Allow only specific IPs
<RequireAll>
    Require ip 192.168.1.100   # Your office IP
    Require ip 203.0.113.50    # Your home IP
    Deny from all
</RequireAll>

Or with Apache 2.2:

Order Deny,Allow
Deny from all
Allow from 192.168.1.100 203.0.113.50

Strong Admin Credentials

Seção intitulada “Strong Admin Credentials”

Enforce strong passwords for administrators:

  1. Use at least 16 characters
  2. Mix uppercase, lowercase, numbers, symbols
  3. Change password regularly (every 90 days)
  4. Use a password manager
  5. Enable two-factor authentication if available

Monitor Admin Activity

Seção intitulada “Monitor Admin Activity”

Enable admin login logging:

Admin Panel > System > Preferences > User Settings

Log Admin Logins: Yes
Log Failed Login Attempts: Yes
Alert Email on Admin Login: Yes

Review logs regularly:

Terminal window
# Check database for login attempts
mysql -u xoops_user -p xoops_db << EOF
SELECT uid, uname, DATE_FROM_UNIXTIME(user_lastlogin) as last_login
FROM xoops_users WHERE uid = 1;
EOF

Regular Maintenance

Seção intitulada “Regular Maintenance”

Update XOOPS and Modules

Seção intitulada “Update XOOPS and Modules”

Keep XOOPS and all modules updated:

Terminal window
# Check for updates in admin panel
# Admin > Modules > Check for Updates


# Or via command line
cd /var/www/html/xoops
# Download and install latest version
# Follow upgrade guide

Automated Security Scanning

Seção intitulada “Automated Security Scanning”
#!/bin/bash
# Security audit script


# Check file permissions
echo "Checking file permissions..."
find /var/www/html/xoops -type f ! -perm 644 ! -name "*.htaccess" | head -10


# Check for suspicious files
echo "Checking for suspicious files..."
find /var/www/html/xoops -type f -name "*.php" -newer /var/www/html/xoops/install/ 2>/dev/null


# Check database for suspicious activity
echo "Checking for failed login attempts..."
mysql -u xoops_user -p xoops_db << EOF
SELECT count(*) as attempts FROM xoops_audittrail WHERE action LIKE '%login%' AND status = 0;
EOF

Regular Backups

Seção intitulada “Regular Backups”

Automate daily backups:

#!/bin/bash
# Daily backup script


BACKUP_DIR="/backups/xoops"
RETENTION=30  # Keep 30 days


# Backup database
mysqldump -u xoops_user -p xoops_db | gzip > $BACKUP_DIR/db_$(date +%Y%m%d).sql.gz


# Backup files
tar -czf $BACKUP_DIR/files_$(date +%Y%m%d).tar.gz /var/www/html/xoops --exclude=cache --exclude=templates_c


# Remove old backups
find $BACKUP_DIR -type f -mtime +$RETENTION -delete


echo "Backup completed at $(date)"

Schedule with cron:

Terminal window
# Edit crontab
crontab -e


# Add line (runs daily at 2 AM)
0 2 * * * /usr/local/bin/xoops-backup.sh >> /var/log/xoops_backup.log 2>&1

Security Checklist Template

Seção intitulada “Security Checklist Template”

Use this template for regular security audits:

Weekly Security Checklist
========================


Date: ___________
Checked by: ___________


File System:
[ ] Permissions correct (644/755)
[ ] Install folder removed
[ ] No suspicious files
[ ] mainfile.php protected


Web Security:
[ ] HTTPS/SSL working
[ ] Security headers present
[ ] Admin panel restricted
[ ] File upload restrictions active
[ ] Login attempts logged


Application:
[ ] XOOPS version current
[ ] All modules updated
[ ] No error messages in logs
[ ] Database optimized
[ ] Cache cleared


Backups:
[ ] Database backed up
[ ] Files backed up
[ ] Backup tested
[ ] Offsite copy verified


Issues Found:
1. ___________
2. ___________
3. ___________


Actions Taken:
1. ___________
2. ___________

Recursos de Segurança

Seção intitulada “Recursos de Segurança”

Tags: #security #ssl #https #hardening #best-practices

Artigos Relacionados:

  • ../Installation/Installation
  • ../../06-Publisher-Module/User-Guide/Basic-Configuration
  • System-Settings
  • ../Installation/Upgrading-XOOPS