Securing your Movable Type

Securing your Movable Type installation


Securing your MT in a day

✓ Upgrade to the latest version
✓ Secure your admin screen
✓ Use SSL
✓ Restrict file uploads

How many have you done ?

(Diagram: Admin CGI vs. Public site)

Securing your admin screen

Separate directories for CGI and contents

  /cgi-bin/*.cgi          execute CGI only here
  /mt-static/, /*.html    prohibit CGI execution for all files


Restrict access

Conceal the CGI inside the DMZ, or restrict access by IP address

More info: http://httpd.apache.org/docs/2.2/en/mod/mod_authz_host.html
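The two measures above, written out as an Apache 2.2 httpd.conf fragment. This is an added example, not a slide from the talk: the directory paths, the admin network 192.0.2.0/24 and the jump host 203.0.113.10 are placeholders (TEST-NET addresses), to be replaced with your own.

```apache
# Added example (not from the slides). Apache 2.2 syntax, matching the
# mod_authz_host documentation linked above.

# Content directories: serve static files only, never execute anything here.
<Directory "/home/example/www">
    Options -ExecCGI -Includes
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# CGI directory: the only place scripts are allowed to run.
ScriptAlias /cgi-bin/ "/home/example/cgi-bin/"
<Directory "/home/example/cgi-bin">
    Options +ExecCGI
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# The admin script is reachable only from the admin network and the jump
# host. Public scripts such as mt-comments.cgi are not matched and stay open.
# (If you rename mt.cgi as described later, use the new name here.)
<Files "mt.cgi">
    Order deny,allow
    Deny from all
    Allow from 192.0.2.0/24
    Allow from 203.0.113.10
</Files>
```

On Apache 2.4 the three `Order`/`Deny`/`Allow` lines inside `<Files>` become `Require ip 192.0.2.0/24 203.0.113.10`. Check the result from outside the allowed range: `curl -I http://example.com/cgi-bin/mt.cgi` should return 403 while `mt-comments.cgi` still answers.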

Rename the mt.cgi script

Prevents bot access and random guessing of the admin URL

  AdminScript XXXX.cgi
  Specify the new name as a configuration directive in mt-config.cgi


Protect mt.cgi with Basic authentication

Allow anonymous access to mt-comments.cgi or mt-cp.cgi, but require a login for mt.cgi

<Directory "/home/example/www">
    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /path/to/.htpasswd
    <Files mt.cgi>
        Require valid-user
    </Files>
</Directory>




You must use a different ID / password for Basic authentication than for your MT account

SSL is mandatory; otherwise the ID / password can be captured on the network


Use SSL for the admin access

Encrypt the traffic between your browser and MT

Required configuration in mt-config.cgi:

  StaticWebPath /mt-static
    Use a relative path so that images and CSS in the admin screen are not fetched over a mix of http and https connections

  AdminCGIPath https://example.com/cgi-bin/mt/
    Path for the admin CGI (SSL)

  CGIPath http://example.com/cgi-bin/mt/
    Path for the non-admin CGI

Configure the URL for the admin CGI and the non-admin CGI separately

But this is NOT enough to prohibit non-SSL access to the admin script

1. Show Forbidden for non-SSL access

<Directory "/home/example/www">
    AuthType Basic
    AuthName "Restricted Files"
    AuthUserFile /path/to/passwords
    <Files mt.cgi>
        Require valid-user
        SSLRequireSSL
    </Files>
</Directory>


2. Redirect http access to https (the RewriteRule is written on one line)

<Directory "/home/example/www">
    RewriteEngine On
    RewriteCond %{SERVER_PORT} ^80$
    RewriteRule ^(cgi-bin/mt\.cgi)$ https://%{SERVER_NAME}/$1 [R,L]
</Directory>
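The Basic-auth, SSLRequireSSL and redirect rules above, combined into one two-virtual-host layout. This is an added example rather than a slide from the talk; the host name, directory paths and certificate file names are placeholders. The design point it adds is where each rule lives: the redirect sits alone in the plain-HTTP virtual host, which has no AuthType at all, so a browser is never challenged for the Basic-auth password over an unencrypted connection.

```apache
# Added example (not from the slides). Apache 2.2 with mod_ssl, mod_rewrite
# and mod_auth_basic loaded; example.com and the paths are placeholders.

# Plain HTTP: the only thing done for the admin script is a redirect to HTTPS.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot "/home/example/www"

    RewriteEngine On
    # %{HTTPS} is "off" on this listener; unlike a port check it also holds
    # when the plain-HTTP listener is not on port 80.
    RewriteCond %{HTTPS} off
    # Use the renamed script name here if AdminScript was changed.
    RewriteRule ^/cgi-bin/mt/mt\.cgi https://%{SERVER_NAME}%{REQUEST_URI} [R=301,L]
</VirtualHost>

# HTTPS: authentication and the SSL requirement live here.
<VirtualHost *:443>
    ServerName example.com
    DocumentRoot "/home/example/www"
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    ScriptAlias /cgi-bin/mt/ "/home/example/cgi-bin/mt/"
    <Directory "/home/example/cgi-bin/mt">
        Options +ExecCGI
        AllowOverride None
        AuthType Basic
        AuthName "Restricted Files"
        AuthUserFile /path/to/.htpasswd
        # Only the admin script needs a login; mt-comments.cgi stays public.
        <Files mt.cgi>
            # Redundant inside a :443 vhost, but it keeps the script closed
            # if this block is ever copied into a plain-HTTP context.
            SSLRequireSSL
            Require valid-user
        </Files>
    </Directory>
</VirtualHost>
```

Create the password file with `htpasswd -c /path/to/.htpasswd adminuser`, using a password that differs from the MT account's as the slide requires, and keep the file outside DocumentRoot. Verify with `curl -I http://example.com/cgi-bin/mt/mt.cgi` (expect a 301 to https:// and no `WWW-Authenticate` header) and `curl -I https://example.com/cgi-bin/mt/mt.cgi` (expect 401 with `WWW-Authenticate: Basic`).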

SSL certificates are not expensive today

e.g. RapidSSL (GeoTrust, Inc.)

Go Daddy SSL certificates are $20 - 40 a year

Restrict file uploads


Introduced in MT 4.291 / 4.361 / 5.051 / 5.11

Specify file extensions to permit, e.g.:

  "gif,jpe?g,png,bmp,tiff?,mp3,ogg,aiff,wav,wma,aac,flac,m4a,mov,avi,3gp,asf,mp4,qt,wmv,asx,mpg,flv,mkv,ogm"

Specify file extensions to prohibit
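An mt-config.cgi fragment collecting the directives discussed on this page, added here as an example and not taken from the slides. The host name, paths and renamed script name are placeholders. The slides name the permit/prohibit setting but not its directives; `AssetFileExtensions` and `DeniedAssetFileExtensions` are the directive names from Movable Type's configuration documentation, and the other four directives are the ones shown on the slides.

```conf
# Added example (not from the slides): mt-config.cgi hardening fragment.
# example.com, the paths and admin-7f3a9c.cgi are placeholders.

# Admin CGI over HTTPS, public CGI (comments, search) over plain HTTP.
AdminCGIPath https://example.com/cgi-bin/mt/
CGIPath      http://example.com/cgi-bin/mt/

# Relative path so admin pages never mix http and https when loading
# images and CSS.
StaticWebPath /mt-static

# Renamed admin script. The file itself must be renamed to match
# (mv mt.cgi admin-7f3a9c.cgi), and every <Files mt.cgi> rule in httpd.conf
# must refer to the new name, or the Basic-auth and SSL protection silently
# stops applying to the script that is actually used.
AdminScript admin-7f3a9c.cgi

# Upload restriction: permit only the types this site actually publishes.
# The slide's example list is wider; this is a tightened allow-list in the
# same format (comma-separated, regex-style entries such as jpe?g).
AssetFileExtensions gif,jpe?g,png,pdf,mp4

# Explicitly refuse anything the web server could execute or a browser could
# render as markup or script, so a later widening of the allow-list above
# cannot quietly reopen these.
DeniedAssetFileExtensions cgi,pl,pm,php,phtml,sh,exe,htm,html,js,svg,htaccess
```

The allow-list is the real control: a deny-list only blocks what someone thought to write down. Keeping both is cheap insurance, because MT checks uploads against the deny list as well, so an extension that appears in both lists is still rejected. After editing, upload a file named `test.php` and a `test.jpg` through the admin screen and confirm only the second is accepted.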

Securing your MT in a day

✓ Upgrade to the latest version
✓ Secure your admin screen
✓ Use SSL
✓ Restrict file uploads

How many have you done ?