
Installing in a secure manner

Started by on Mar 05, 2013 – Contents updated: Apr 20, 2013

Mar 05, 2013 15:26    

Hi

I'm looking for blogging software I can install in an isolated secure manner.
By this I mean it must not connect to any other site for any reason at any time.
I have ruled out WordPress as being a security nightmare on many counts but the
above is my main issue with it.

I downloaded evolution and it does seem to try and connect to something at various times
so I guess the question is - can this be reasonably disabled and can I be certain that
it will never attempt any further connections?

I am happy to do some PHP editing but don't have time to trawl through hundreds
of lines of code just guessing so I'm hoping there is a simple way to isolate the software.

thanks

Warton.

Mar 05, 2013 18:14

Yes, you can pretty easily edit the code to disable pings to the outside. You just won't get notifications when you should upgrade b2evo for security reasons. It happens much less than with we, but it still happens sometimes.

Why is connecting to the outside a security issue?

Mar 06, 2013 14:40

Hi
Thanks for the reply.

It's not just updates - I need to ensure there is no RSS or search engine contact etc.
I need to create a confidential information service and blogging
software seems to be the best way to do it.
To that end I need to ensure nothing goes out and nothing comes in without my
specific approval.
No pings, search engines, crawlers, syncs, update notifications, nothing.

Security 101 - don't advertise you have something to secure.

Maybe any blogging software that was designed with
all such communication as an optional plug-in would have a really good way
to differentiate itself in the market. I know I would have gone straight for it.
And I expect business users would welcome it.

Anyway - that's what I'm doing - any advice on what to change and where
would be welcome.

Warton.

Mar 06, 2013 15:54

Disable updates and protect your b2evolution directory with a password on the server side. That should do it.

Mar 06, 2013 19:09

Note: it is on our todo list to implement "private blogs" which will be impossible to access without logging in (and if wanted: being a member of a blog, which allows different access for different users).

Private blogs will also refuse to serve RSS feeds, sitemaps and will not ping to the outside.

Mar 07, 2013 13:12

Thanks to both for the replies.

I will of course click the disable buttons where they exist but I need to remove any
code entirely to guarantee it can never be accidentally re-enabled. Code that doesn't
do anything shouldn't be there anyway.
The system will be behind an apache .htaccess file for initial logging in.
I don't think just putting a password on it will stop it being capable of initiating
external contact though. (I need to be able to say that)
(Just to be clear: I have a duty of care issue here - I have to demonstrate steps taken
which is why I seem to be pedantic.)

For the future
If external comms was a plug-in that could be added
or simply removed in entirety by just not installing a specific module
that would be a perfect situation for future use from my perspective.

It is really good news to see you are planning a more confidential version.
Most people probably don't need the lengths I have to go to but making things
an option should be easy enough. I would caution about making things too complex
though. PHPBBS3 permissions system is far too complex unnecessarily IMO for example.

I'm now looking forward to exploring b2Evolution in more detail.
I'm always open to further advice.

thanks

Warton.

Mar 08, 2013 03:01

Warton, can you tell us more about your use case and why you need that much confidentiality? I am trying to grasp if that is a wide spread use case or if it is very specific to your situation. Also trying to see how it fits in with other user requests about private blogs.

Have you tried b2evolution's permission system yet? How does it compare to phpBB ?

Mar 08, 2013 15:31

I can understand your interest and yes - without proclaiming the notion to the world I would say you are right to be interested.
There are markets but also pitfalls - and some well established competition. If you want a business manager for such activities I'd be happy to look at it and advise in confidence (there is that word again you see). I hope that's a help.
As to my own case - I'd rather not elucidate just yet except to say I'm not charging for it but membership will be by invitation only
and the content and member list will be confidential for data protection and other purposes.

Yes I looked briefly at the permission system yesterday - it seems to be more manageable and thought out than PHPBBS(V3) and offers similar levels of flexibility. I don't think I would design it quite like that but it works and doesn't need constant attention once set up. (except the flexibility of b2evolution means it could get very complex indeed - a difficult compromise that could be simplified at the expense of a little flexibility maybe)

Right now I've just deleted all the widgets and things I don't need (I haven't worked out how to remove the RSS links etc from the blogs skins yet but have disabled them) and I've deleted all the example stuff and started to build the welcome page and enter some data. I haven't done much more as yet. I'll trawl the php code a little when I get the chance. And I'm still looking through the skins to see the best place and options for me to begin with style wise.
I still have lots to do.
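
An added example, not part of the thread and not b2evolution code: a small scanner that lists the lines in a PHP tree that can initiate an outbound connection, as a starting point for the code review discussed above. The function lists are a heuristic assumption and the sample input is constructed.

```python
import re
import sys
from pathlib import Path

# PHP functions that can open an outbound connection (heuristic list, not exhaustive).
NETWORK_CALLS = ("fsockopen", "pfsockopen", "stream_socket_client",
                 "socket_connect", "curl_init", "curl_exec", "mail")
# Functions that go remote only when handed a URL (PHP allow_url_fopen).
URL_CALLS = ("file_get_contents", "fopen", "readfile", "file", "copy")

CALL_RE = re.compile(r"(?<![\w$])(" + "|".join(NETWORK_CALLS) + r")\s*\(", re.I)
URL_RE = re.compile(r"(?<![\w$])(" + "|".join(URL_CALLS) +
                    r")\s*\(\s*['\"](?:https?|ftp)://", re.I)

# Constructed sample input, not taken from b2evolution.
SAMPLE = '''<?php
// fsockopen() is mentioned in this comment only
function check_updates() {
    $fp = fsockopen("updates.example.invalid", 80, $errno, $errstr, 10);
}
$feed = file_get_contents('http://feeds.example.invalid/rss.xml');
$local = file_get_contents(dirname(__FILE__) . '/conf.php');
$ch = curl_init($ping_url);
function my_mail($to) { return true; }
'''

def scan_source(text):
    """Return (line_no, kind, code) for each line that may reach the network."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        code = line.strip()
        if code.startswith(("//", "#", "*", "/*")):  # skip comment-only lines
            continue
        m = CALL_RE.search(code)
        if m:
            hits.append((no, m.group(1).lower(), code))
        elif (m := URL_RE.search(code)):
            hits.append((no, m.group(1).lower() + "+url", code))
    return hits

def scan_tree(root):
    """Scan every .php file under root; return {path: hits} for files with hits."""
    report = {}
    for path in sorted(Path(root).rglob("*.php")):
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

if __name__ == "__main__":
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"sample": scan_source(SAMPLE)}
    for path, hits in found.items():
        for no, kind, code in hits:
            print(f"{path}:{no}: [{kind}] {code}")
```

A clean scan is not proof that nothing goes out: URLs built at runtime and passed as variables to the `URL_CALLS` functions are not flagged, so treat the hits as a list of places to review rather than a guarantee.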

