-----BEGIN PGP SIGNED MESSAGE-----<br>Hash: SHA1<br><br><br><br>2009/1/12 MacGyveR <<a href="mailto:macgyver@thedumbterminal.co.uk">macgyver@thedumbterminal.co.uk</a>><br>On Monday 12 Jan 2009, MacGyveR wrote:<br>> On Monday 12 Jan 2009, Laurence Southon wrote:<br>
> > Mike Evans wrote:<br>> > > We should, however, take<br>> > > the appropriate steps to ensure that we are not vulnerable to an<br>> > > attack. Doing so would seem to be a matter of controlling certain<br>
> > > global settings for PHP, and checking the provenance of any plug-ins<br>> > > used, and perhaps being conservative in the number used.<br>> ><br>> > It's also important to ensure that Joomla calls php scripts as its own<br>
> > user and not the Apache2 user (www-data on Debian).<br>> ><br>> > This can be achieved either using suphp or installing Apache2 using the<br>> > mpm-itk module rather than the default mpm-worker.<br>
> ><br>> > Both methods have pros and cons, so I'd be interested in anyone's<br>> > experience/comment on this.<br>> ><br>> > Also vital to keep Joomla up to date. A security fix was announced just<br>
> > this weekend.<br>> ><br>> > LS<br>><br>> Agree,<br>><br>> I've been using suphp for years and I don't have any major problems with it,<br>> it is very easy to install and basically works the same as the apache<br>
> suexec. I have had it working with joomla, mambo etc.<br>><br>> Keeping joomla up to date will keep risks to a minimum, I imagine there is a<br>> joomla list you can subscribe to be alerted of new releases. If not then a<br>
> subscription to a security list (bugtraq etc..) could also be used. Don't<br>> forget that 3rd party plugins may have different problems and release<br>> cycles, so that is one thing to bear in mind when installing them.<br>
><br>> Suhosin is another alternative, but I don't have any experience of it, but<br>> it does come from a reputable source:<br>><br>> <a href="http://www.hardened-php.net/suhosin/index.html">http://www.hardened-php.net/suhosin/index.html</a><br>
><br>> Maybe even look into the mod_security apache module to block common<br>> attacks.<br>><br>> I think that joomla will tell you it's up to date from the control panel,<br>> you just have to log in regularly :-)<br>
<br>Sorry to all that I posted an HTML message, I'll get my coat<br><br>- --<br>- --------------------------------<br><a href="http://www.thedumbterminal.co.uk">http://www.thedumbterminal.co.uk</a><br><br>_______________________________________________<br>
Kent mailing list<br><a href="mailto:Kent@mailman.lug.org.uk">Kent@mailman.lug.org.uk</a><br><a href="https://mailman.lug.org.uk/mailman/listinfo/kent">https://mailman.lug.org.uk/mailman/listinfo/kent</a><br><br>Sorry to throw a spanner in the works but if my memory serves me<br>
correctly the old site ran Drupal and we had an excellent talk on what<br>could and could not be done with Drupal (and how to do it) only a few<br>months (maybe 6) in Canterbury.... (Or was I dreaming)<br><br>Peter.<br><br>
-----BEGIN PGP SIGNATURE-----<br>Version: GnuPG v1.4.9 (GNU/Linux)<br>Comment: <a href="http://getfiregpg.org">http://getfiregpg.org</a><br><br>iEYEARECAAYFAklroAQACgkQdCiDiWPK5RyzJACdEYkZRCfpaDNdCMmrWGBjj0HB<br>Nn0AnAzjNsCIdgaUACy20oy7u4RQ+0dn<br>
=jeeF<br>-----END PGP SIGNATURE-----<br><br><br>
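An added example, not part of the thread above and not code from Joomla, suPHP or mpm-itk: a Python audit of a document root against the ownership model discussed in the thread, where PHP runs as the site's own user rather than www-data. The account name `joomla`, the path `/var/www/joomla` and the function names `check` and `audit` are assumptions for illustration.

```python
import os
import pwd
import stat
import sys


def check(path, site_uid, web_uid):
    """Return the reasons one file or directory breaks the per-user model."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return []  # a symlink's own mode bits carry no meaning on Linux
    reasons = []
    if st.st_uid == web_uid:
        # The web server account could rewrite this entry itself.
        reasons.append("owned by web server user")
    elif st.st_uid != site_uid:
        reasons.append("not owned by site user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("writable by group/others")
    return reasons


def audit(docroot, site_uid, web_uid):
    """Walk docroot and return sorted (relative path, reason) findings."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(docroot):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            rel = os.path.relpath(path, docroot)
            findings += [(rel, r) for r in check(path, site_uid, web_uid)]
    return sorted(findings)


if __name__ == "__main__":
    # Assumed invocation: audit.py /var/www/joomla joomla www-data
    docroot, site_user, web_user = sys.argv[1:4]
    results = audit(docroot,
                    pwd.getpwnam(site_user).pw_uid,
                    pwd.getpwnam(web_user).pw_uid)
    for rel, reason in results:
        print(f"{rel}: {reason}")
    sys.exit(1 if results else 0)
```

An empty result means every file and directory under the document root is owned by the site user and is not writable by group or others.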