-
Panopticon is not a clone of myJoomla
-
Panopticon is site monitoring. It does not do security. That would be Admin Tools Pro, a different product. So, I’ll evaluate your suggestions as Admin Tools features.
Do note that a lot of the features you mention have long been obsolete, or only ever made sense when performing diagnostics. So, I’ll put them in categories.
Needs external context to make sense:
The Debug Mode Should Be Disabled. Unless you’re troubleshooting. Make it part of your troubleshooting checklist. The presence of the debug bar in any version of Joomla released the last decade is a dead giveaway.
Error Reporting Should Be Set To None On A Live Site. See above.
Review "Renamed To Hide" Files (like File.old, File.bak). There is no universal naming pattern. In many cases, you NEED to keep these files, e.g. when applying settings you don’t know if they will work. So, without context of why these files are there, this check is more likely to do harm than good.
Meaningless, or obsolete:
Identify Files With No Content (Zero Bytes In Size). Hard disagree. Several flag files have a legitimate purpose and no content. Remove them and shit will break.
Do Not Use $live_site Configuration. It doesn’t do much harm unless you are really daft about it, e.g. set it to plain HTTP on a site with HSTS enabled. Admin Tools warns you in all common use cases which involve operator daftness. We are keenly aware of the exponential increase in daftness relative to undercaffeination.
Remove Unneeded Joomla Core "fluff". Has not been present in the core distribution for the most part for the better part of a decade. Inconsequential when using Admin Tools Pro and the .htaccess Maker.
Super Admin Should Not Have Username "admin". No longer relevant. This was advice from back when 2FA / MFA wasn’t a core feature, i.e. before J3.2.
Locate And Review Files Over 2Mb Size. Pretty pointless in 2024 when people upload media dozens of times larger than this. It would only make sense if you only checked for certain non-media files. It would still be finding a needle in a haystack on sites like ours which deliver software as ZIP files.
Locate And Review Admintool_breaches.log Files. Only generated when explicitly enabled for troubleshooting purposes, then removed. This check is obsolete. It was only relevant up until around seven or so years ago.
Use Multi-Factor Authentication On All Super User Accounts. I wrote the code in the core which allows you to ENFORCE that. We also do far more serious checks so you don’t get unexpected Super Admin users which is what matters even more.
Check for hidden files. Hidden files are inconsequential, and often needed, e.g. the entire .well-known folder, various .gitkeep types of files, .user.ini for PHP settings, etc. How many sites broke because people blindly deleted hidden files marked by this feature? Sigh.
Needs to be part of your checklists:
Only Enable User Registration If Needed. Part of your site building checklist.
Installation Folders Should Be Deleted. Part of your site building and restoration checklist. If they’re not, Joomla redirects to them. If you are stupid enough to rename them to something like installation.bak, well, stand 30 yards away from a wall, sprint towards it, and hit it with your head at full speed. Repeat until stupidity is fixed one way or another. You know who you are! I’ve seen your sites!
Akeeba Kickstart Should Not Be Left In Webspace. Part of your site restoration checklist. See notes on installation folder.
Already implemented:
Remove "Never Logged In" Accounts. Admin Tools can do that. Very bad idea when you apply it as a blanket policy, especially if you’re selling things tied to a user account! You need to carefully evaluate your use case before doing this.
File permissions. Checking file permissions is dumb because the tool doesn’t know the ownership of the files and the web server. Even if it does, it won’t know any file attributes / Linux ACLs in place. This is why Admin Tools lets you change permissions, not “check” them.
tmp/logs Folders Should Be Writable. Checked by Admin Tools.
PHP Files Should Not Be In These Certain Folders. Irrelevant when using Admin Tools' .htaccess Maker.
Already scheduled:
Identify Core Joomla Files That Are Missing From Your Webspace. I’d say also tell me which are not pristine. This is already in the Issues tracker of Panopticon for future development.
-
Well, that is actually pretty helpful. Thanks for sharing this Nicholas. To summarize: Most 'checks' provided by some other services are not relevant (anymore) or should be part of a site checklist when creating sites. Also Admin Tools (also) provides useful checks that do not need to be done by external services. The tricky thing about all these checks is: It's not always that easy for me to evaluate all those checks like you are able to do. I just want to make sure I do the best I can to keep the sites of our clients as safe as possible, using the right tools and procedures.
-
Panopticon is capable of managing backups, file scans and extension management. All are great tools!
The external service we use at this moment also does some other useful checks on our sites. Most of these checks probably only need to be checked once, to see if a site is using 'sane' security settings. Some other checks might indicate 'bad' user behaviour like uploading huge images of documents.
An example:
Maybe it would be a nice feature to have some kind of library of check rules. And those rules can be applied to the sites so we can audit the sites on those rules.
One set of rules could be set to check manually (for example before publishing a new website). Another set of rules might be set to run periodically to keep an eye on some specific things, like big file sizes.
It would be up to you what 'rules' (checks) would help users to harden the site security. And users of Panopticon would have the flexibility to add check rules to their sites. Or not.
What do you think?
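As an added illustration of the "library of check rules" idea proposed above, and of the split Nicholas draws between checklist items (debug mode, error reporting, installation folder, Kickstart left behind) and checks that only make sense with a filter (large non-media files), here is a small rule runner in Python. It is example code written for this thread, not Panopticon or Admin Tools code. It assumes a Joomla-style configuration.php with `public $debug` and `public $error_reporting` properties, assumes `kickstart.php` as the Kickstart file name, uses the 2 MB threshold from the discussion, and builds a constructed, deliberately misconfigured webroot in a temporary directory so it runs offline.

```python
"""Added example (not Panopticon or Admin Tools code): a tiny rule library.
Each rule takes the site's webroot and returns a list of findings; each rule
is registered with a schedule ('manual' for pre-launch checklist items,
'periodic' for ongoing monitoring) as proposed in the thread. The sample
site and its contents are constructed for this example."""
import re
import tempfile
from pathlib import Path

# Extensions treated as media/archives and therefore exempt from the size rule.
MEDIA_EXT = {".jpg", ".jpeg", ".png", ".gif", ".webp", ".mp4", ".pdf", ".zip"}
SIZE_LIMIT = 2 * 1024 * 1024  # 2 MB, the threshold mentioned in the thread
RULES = []  # (schedule, function) pairs


def rule(schedule):
    """Decorator: register a check function under the given schedule."""
    def register(fn):
        RULES.append((schedule, fn))
        return fn
    return register


def _config_value(root, name):
    """Read `public $name = ...;` from configuration.php; None if absent."""
    cfg = Path(root) / "configuration.php"
    if not cfg.is_file():
        return None
    m = re.search(r"public\s+\$%s\s*=\s*([^;]+);" % re.escape(name), cfg.read_text())
    return m.group(1).strip().strip("'\"") if m else None


@rule("manual")
def debug_mode_enabled(root):
    if _config_value(root, "debug") == "true":
        return ["debug mode is on; leave it on only while troubleshooting"]
    return []


@rule("manual")
def error_reporting_not_none(root):
    val = _config_value(root, "error_reporting")
    if val not in (None, "none"):
        return [f"error_reporting is '{val}', expected 'none' on a live site"]
    return []


@rule("manual")
def installation_folder_present(root):
    if (Path(root) / "installation").is_dir():
        return ["installation/ folder still exists; delete it"]
    return []


@rule("manual")
def kickstart_left_in_webroot(root):
    # Assumption: Akeeba Kickstart is the file kickstart.php in the webroot.
    if (Path(root) / "kickstart.php").is_file():
        return ["kickstart.php found in webroot; remove it after restoring"]
    return []


@rule("periodic")
def large_non_media_files(root):
    """Files over the limit whose extension is not a media/archive type."""
    hits = []
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() not in MEDIA_EXT and p.stat().st_size > SIZE_LIMIT:
            hits.append(f"{p.relative_to(root)} is {p.stat().st_size} bytes")
    return sorted(hits)


def run_rules(root, schedule):
    """Run every rule registered for `schedule`; return {rule_name: findings}."""
    return {fn.__name__: fn(root) for s, fn in RULES if s == schedule}


def build_sample_site(root=None):
    """Constructed fixture: a misconfigured Joomla-like webroot (temp dir by default)."""
    root = Path(root or tempfile.mkdtemp(prefix="sample_site_"))
    (root / "installation").mkdir(parents=True, exist_ok=True)
    (root / "configuration.php").write_text(
        "<?php\nclass JConfig {\n    public $debug = true;\n"
        "    public $error_reporting = 'maximum';\n}\n")
    (root / "kickstart.php").write_text("<?php // constructed placeholder\n")
    (root / "images").mkdir(exist_ok=True)
    (root / "images" / "big.jpg").write_bytes(b"\0" * (SIZE_LIMIT + 1))  # media: ignored
    (root / "cache").mkdir(exist_ok=True)
    (root / "cache" / "dump.sql").write_bytes(b"\0" * (SIZE_LIMIT + 1))  # non-media: flagged
    return str(root)


if __name__ == "__main__":
    site = build_sample_site()
    for schedule in ("manual", "periodic"):
        for name, findings in run_rules(site, schedule).items():
            print(f"[{schedule}] {name}: {findings or 'ok'}")
```

Running the block prints one line per rule; on the constructed site every manual rule fires and the periodic size rule reports only `cache/dump.sql`, not the equally large `images/big.jpg`, which is the filtering the thread says such a check needs to be useful.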