JvMTECH.NeosHardening Package for Neos CMS

Harden request headers, login interface and passwords to increase backend security.

Installation

composer require jvmtech/neos-hardening

Active by default

• Remove Neos version info from request headers *
• Set min password strength requirements

Optional features

• Change the default login url "/neos" to something like "/neos-random-suffix" *:

  JvMTECH:
  NeosHardening:
    loginUri: 'neos-random-suffix'

• Replace the dynamic login url check with a custom RegEx (not needed if you just replace loginUri):

  JvMTECH:
  NeosHardening:
    loginUriRegex: '/^(neos)?($|\/)/'

• Limit login interface access to specified ip addresses:

  JvMTECH:
  NeosHardening:
  allowedIPs:
    IPv4:
      - '172.20.30.40'
      - '172.20.0.0/24'
    IPv6:
      - '2001:0db8:85a3:0000:0000:8a2e:0370:7334'

• Define password strength requirements, defaults:

  JvMTECH:
  NeosHardening:
    checkPasswordStrengthOnAddUser: true
    checkPasswordStrengthOnSetUserPassword: true
    passwordRequirements:
      minLength: 8
      upperAndLowerCase: true
      numbers: true
      specialChars: false
      maxConsecutiveLetters: 0 # disabled
      maxConsecutiveNumbers: 0 # disabled

• An example for secure passwords (should be your standard because you use a password manager, right? 😉):

  JvMTECH:
  NeosHardening:
    passwordRequirements:
      minLength: 16
      upperAndLowerCase: true
      numbers: true
      specialChars: true
      maxConsecutiveLetters: 3
      maxConsecutiveNumbers: 3
  
  # "djxAHQC0bzc_tjd9nmg" would fail
  # "djx@HQC0bzc_tjd9nmg" would work

*) Why hiding stuff?

Hiding the Neos version in the request headers and moving the login to an new url is nothing else than "security by obsurity".

Yes. But it's another layer to make it a little bit harder to get into your system. Therefore, it's a low-hanging fruit we should take.

by jvmtech.ch