Securing your Movable Type

Securing your MT in a day

✓ Upgrade to the latest version✓ Secure your admin screen✓ Use SSL✓ Restrict file uploads

How many have you done ?

Admin CGI

Public site

Securingyour admin screen

/cgi-bin/*.cgi /mt-static//*.html

Prohibit CGIExecute all files

http://example.com

Separate directories for CGI and contents

/cgi-bin/*

Restrict accesses

Conceal CGI inside the DMZ, or restrict access by IP addresses

more info on http://httpd.apache.org/docs/2.2/en/mod/mod_authz_host.html

Rename mt.cgi script

https://example.com/cgi-bin/mt/mt.cgi

Prevent a bot access and a random guessing

AdminScript XXXX.cgiSpecify as a configuration directive

in mt-config.cgi

/cgi-bin/mt.cgi

Protect mt.cgi by the basic authentication

Allow access to mt-comments.cgi or mt-cp.cgi, but deny access to mt.cgi

http://httpd.apache.org/docs/2.2/en/howto/auth.html

AuthType BasicAuthName "Restricted Files"AuthUserFile /path/to/.htpasswd<Files mt.cgi> Require valid-user</Files>

.htaccess

<Directory "/home/example/www">

</Directory>

etc....

httpd.conf

You must use a different ID / Password for the basic authentication from your MT account

SSL is mandatory otherwise the ID / Password can be captured during the network transaction

SSL通信

Use SSL for the admin access

SSL

Encrypt the transaction between your browser and MT

StaticWebPath /mt-static

Required configure in mt-config.cgi

Use relative path

Not to mix http and https connections when fetching images and CSS in the admin screen.

AdminCGIPath https://example.com/cgi-bin/mt/

CGIPath http://example.com/cgi-bin/mt/

Configure URL for admin / and non admin CGI

Path for the admin CGI (SSL)

Path for the non-admin CGI

But this is NOT enough to prohibit the non-SSL access to the admin script

AuthType BasicAuthName "Restricted Files"AuthUserFile /path/to/passwords<Files mt.cgi> Require valid-user SSLRequireSSL</Files>

.htaccess

<Directory "/home/example/www">

</Directory>

httpd.conf

1. Show Forbidden for non-SSL access

etc....

RewriteEngine OnRewriteCond %{SERVER_PORT} ^80$RewriteRule ^(cgi-bin/mt\.cgi)$

https://%{SERVER_NAME}/$1 [R,L]

.htaccess

<Directory "/home/example/www">

</Directory>

httpd.conf

2. Redirect http access to https

etc....

in one line

SSL cert is not expensive today

e.g. RapidSSL（GeoTrust, Inc)

Go Daddy SSL are$20 - 40 / a year

Restrict file uploads

AssetFileExtensionsDeniedAssetFileExtensions

Introduced in

MT 4.291 / 4.361 / 5.051 / 5.11

AssetFileExtensions

"gif,jpe?g,png,bmp,tiff?,mp3,ogg,aiff,wav,wma, aac, flac,m4a,mov, avi,3gp,asf,mp4,qt,wmv, asx,mpg,flv,mkv,ogm"

Specify file extensions to permit

DeniedAssetFileExtensions

"ascx,asis,asp,aspx,bat,cfc,cfm,cgi,cmd,com,cpl,dll,exe,htaccess,htm,html,inc,jhtml,js,jsb,jsp,mht,mhtml,msi,php,php2,php3,php4,php5,phps,phtm,phtml,pif,pl,pwml,py,reg,scr,sh,shtm,shtml,vbs,vxd"

Specify file extensions to prohibit

Securing your MT in a day

✓ Upgrade to the latest version✓ Secure your admin screen✓ Use SSL✓ Restrict file uploads

How many have you done ?