First time upload to 1and1 - Security Concern

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

    First time upload to 1and1 - Security Concern

    Hi - This is my first post and I only obtained a copy of Actinic 7 yesterday but I must say that I'm really impressed with the functionality.

    I have a 1and1 Linux Business Pro package that seems to have everything I require.

    However when viewing the directory tree/structure (before my upload of Actinic) I only appear to have two files/folders by default

    Logs (folder)
    index.html

    I was impressed how easy it was to upload everything however I was prompted for a CGI Folder. I didn't have one so I created 'cgi-bin'. I didn't know where to create this so I just created it at the root where everything else seems to be.

    Actinic then created 'acatalog' at the root.

    So my directory structure now looks like this -

    acatalog
    cgi-bin
    logs

    Everything works like a dream. My only concern is should I be adding any additional folder security to this set up? Or can someone only mess with my directories if they knew the FTP password? I'm a little confused, I'm sorry.

    I asked 1and1 the question but they just sent me a link showing how to protect directories rather than telling me if I should or if I already have the protection I need.

    Thanks in advance for any advice.

    #2
    In your 1and1 control panel you can create a folder for the domain root. You can then configure the domain to use that folder. Then everything online related to that domain is together. Your logs folder would be outside the domain root.
    Also if you wished to add additional domains in the future you would just repeat the above and they would each have their own folder.



      #3
      Thanks very much for the reply. But I'm still a little confused (sorry). Does your reply mean that I should really be creating a folder to put 'cgi-bin' and 'acatalog' in? If so what should I call this folder and do I add some sort of folder protection to it within 1and1?

      When I first uploaded the site, all I needed to create was 'cgi-bin'. So I did this. Everything else worked fine.

      My only concern is if the way I did it is OK and if it's secure. I know with 1and1 you can give folders security but did the way I uploaded everything create enough security?

      Thanks again and sorry for any confusion.



        #4
        A strong password is obviously essential to prevent access.

        Most site hacks are often through known pre-set passwords for databases, admin panels etc. Depending on what items you have installed it is vital you change any "factory default" passwords and usernames straight away.

        The other "easy" way is via a keyboard logging virus to capture your FTP password and username, so up-to-date virus software and a trojan scanner are essential.

        One simple trick is to place an index.html page into all folders to prevent users seeing a file listing (some servers prevent this by default) and spotting any vulnerability.

        *nix servers allow permissions to be set on folders - the cgi-bin should be set to 755
        Last edited by jont; 06-May-2006, 10:13 AM. Reason: cgi-bin


        Bikster
        SellerDeck Designs and Responsive Themes



          #5
          Thanks for that, those are excellent points. My main query though is: Actinic says when uploading using the wizard, little config is needed. Therefore all I did was create a cgi-bin folder and everything uploaded fine. Actinic created the 'acatalog' folder. My webspace works very well.

          So if you look at the root of my webspace I have just three folders -

          acatalog
          cgi-bin
          logs

          I was just concerned if during a default install like this with 1and1 everything is secure enough? Should I have created a folder to put those three items in? Or are they OK at the root of my webspace?

          I'm reluctant to change what I have done as it works so well. I'm just unsure if this is the right way to go about it from a security point of view, although the wizard does say as long as you know the path to your cgi-bin, no other tinkering is needed.

          Regards again for your time and trouble



            #6
            Everything is fine where they are and they need to be in the root to function correctly. Many hosts provide a cgi-bin capability but sometimes leave it to the user to specify its location ... every site I create with CLARA I have to manually create a cgi-bin in the web root and set permissions to 755.

            Actinic does its own thing with the acatalog/ folder.

            If the logs/ folder is pre-configured on the server you may not be able to move it. Have you tried browsing via http to domain.com/logs and seeing what happens? Depending on the server this may be protected and require a username and password. Some of the older log stats packages could be viewed directly if you know the default host address. If you can see a listing of the files in your browser and don't want competitors seeing how much traffic you are getting then simply add an index.html file into the logs/ folder to prevent browser listing.

            Other than that you should be OK from what you have done so far.


            Bikster
            SellerDeck Designs and Responsive Themes

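The two pieces of hands-on advice in this thread (post #4: drop an index.html into every folder so a server with directory listing enabled shows nothing; post #6: make sure logs/ in particular is not browsable, and cgi-bin is 755) can be applied and checked with a small POSIX shell script. The script below is an added example, not something posted in the thread or shipped by Actinic or 1and1; it assumes you have shell access to a copy of the webspace (the path you pass is hypothetical) and uses nothing beyond find, chmod and stat.

```shell
#!/bin/sh
# Added example (not from the thread): audit and harden a web root the way
# posts #4 and #6 describe. Paths are hypothetical; run on a copy first.

# Print every directory under $1 that has no index.html, one per line.
# On a server with automatic directory indexing, these are the folders
# whose contents a visitor could simply browse.
list_unindexed_dirs() {
    find "$1" -type d | while read -r d; do
        [ -e "$d/index.html" ] || printf '%s\n' "$d"
    done
}

# Create an empty index.html in each directory reported above so the
# server serves a blank page instead of a listing.
add_index_files() {
    list_unindexed_dirs "$1" | while read -r d; do
        : > "$d/index.html"
    done
}

# Set cgi-bin to 755 (owner rwx, everyone else r-x), the value post #4
# gives. Returns 1 if there is no cgi-bin under $1.
set_cgi_perms() {
    [ -d "$1/cgi-bin" ] || return 1
    chmod 755 "$1/cgi-bin"
}

# True if the octal mode of path $1 equals $2. Tries GNU stat first and
# falls back to the BSD/macOS form.
mode_is() {
    m=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null)
    [ "$m" = "$2" ]
}

# Stand-alone usage: ./harden.sh /path/to/webspace
if [ -n "$1" ] && [ -d "$1" ]; then
    echo "Directories without index.html:"
    list_unindexed_dirs "$1"
    add_index_files "$1"
    set_cgi_perms "$1" || echo "no cgi-bin found under $1"
fi
```

Note what the index.html trick does and does not do: it only stops the server from generating a listing, so a file whose name is already known (a log file with a predictable name, for instance) is still served as before. Anything that genuinely must not be public, such as the logs/ folder, needs server-side access control (the password protection 1and1 offers) rather than a blank index page.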


              #7
              Jont and Drounding thanks very very much for all your help.



                #8
                Originally posted by Big_Dave
                Thanks very much for the reply. But I'm still a little confused (sorry). Does your reply mean that I should really be creating a folder to put 'cgi-bin' and 'acatalog' in? If so what should I call this folder and do I add some sort of folder protection to it within 1and1?
                From a security aspect what Jonty says is all you have to do. From an organisation point of view it's neater to create a folder per domain in your webspace then configure that domain to use it as its domain root. If you did this you would need to create a cgi-bin folder inside the created folder. You would have to do this anyway if you ever decide to have additional domains in the same webspace. Don't move the logs folder or any other default folder/files created by 1and1.

                Eg this is what I have with 1and1:

                webspace root
                -domain folder 1
                --cgi-bin
                --subfolders as required
                -domain folder 2
                --cgi-bin
                --subfolders as required
                -domain folder 3
                --cgi-bin
                --subfolders as required
                etc...



                  #9
                  Brilliant guys, thanks again for all your quick and informative help.
