modxcms / docs


[Edit Suggestion] Hardening MODX Revolution #236

Closed ant-tar closed 6 years ago

ant-tar commented 6 years ago

Page Title

Hardening MODX Revolution

URL

https://docs.modx.com/revolution/2.x/administering-your-site/security/hardening-modx-revolution

Issue or Suggestion

I believe we need a couple of words here about the robots.txt file; let me show an example. I often get MODX websites into development where the following is indicated:

User-agent: *
Disallow: /assets/
Disallow: /connectors/
Disallow: /core/
Disallow: /manager/
Disallow: /?
Disallow: /?id=
Sitemap: http://********/sitemap.xml

I must say that I have never seen the internal MODX directories (core, connectors, manager) indexed, but the fact that you voluntarily report where the key directories are located is a big problem. I think these should be removed from robots.txt and never added again.

Omeryl commented 6 years ago

I disagree, security by obscurity in that case is moot. Just protect the folders via htaccess/nginx/etc rules. We’re already advertising that you’re using MODX via a header too.

ant-tar commented 6 years ago

I don't insist :) , it only seems to me a logical continuation of this thought:

Changing Default Paths

Unlike Evolution, MODX Revolution makes it fairly easy to change the names of its various folders and move the core outside the web root. Note that only the core can (and should) be moved outside the web root because the other directories must be accessible via the web. Changing the directory names is critical if you want to avoid your site being fingerprinted and ending up on the speed-dial list of every hacker-bot out there. The Advanced Distribution allows you to specify the names and locations of the various directories during the install, but it won't install successfully on some hosts.

You're right, protection is a must, but if you changed the default paths and then reported them in the robots.txt file, the work is wasted, isn't it?

Omeryl commented 6 years ago

The work isn't to hide the fact you're using MODX, in my opinion. It's to harden against some exploits that used to hit files in /core/ etc. You can just as easily do:

location /core/ {
    return 403;
}

Omeryl commented 6 years ago

Another note: you've never seen /manager/ /core/ etc indexed because they were always included in robots.txt for as long as I can remember :).

ant-tar commented 6 years ago

The work isn't to hide the fact you're using MODX, in my opinion. It's to harden against some exploits that used to hit files in /core/ etc. You can just as easily do:

I wasn't going to do that; the base tag, assets files and some other signs will help to find out that this is MODX. But I really don't want to let the bad guys know where the manager (and as a result the authorization login form), core or connectors folders are. You suggest pouring boiling tar on the heads of those who storm the citadel, but they are already here! I suggest that you hide the gate and build a ditch so that they do not know where the entrance is. :))

Another note: you've never seen /manager/ /core/ etc indexed because they were always included in robots.txt for as long as I can remember :).

Well, this is not quite true. I have had websites that didn't have this file at all. However, these inner folders were not indexed there (as traditionally we don't have links available for the crawler to manager/, connectors/ or core/).

Mark-H commented 6 years ago

I'm confused - where do the docs say you need the robots.txt to ignore core directories? Or where is this being set as default?

ant-tar commented 6 years ago

Hi Mark, honestly - nowhere :) I've just seen dozens of such robots.txt files; maybe someone used Joomla or WP before MODX (where the list of what needs to be closed from indexing is much longer), and there is such a practice now sometimes. This is not a requirement of course, only a wish. If I'm not persuasive, then it's only in my head. So skip it and have a good weekend! Peace for everyone!

Mark-H commented 6 years ago

Interesting, can't say I've seen that before but that's obviously anecdotal. It does seem a little like an anti-pattern to first take the effort to hide directories, and to then point to exactly where they are in the robots.txt...

If it is a common occurrence, adding a note to the doc can't hurt, but for now I'd suggest we leave it as-is as that document is already filled with way too many random tidbits making it harder to understand what is and what isn't needed to keep your site secure.
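A small audit script for the anti-pattern Mark-H describes, added here as an example; it is not part of this thread or of the MODX docs. It parses a robots.txt (the sample below is constructed to mirror the file quoted earlier in the thread, with a placeholder sitemap host) and reports every Disallow rule whose first path segment names a MODX internal directory. The directory list defaults to core, connectors and manager as discussed above; an operator who has renamed those directories passes the new names in, since the point of the check is to catch a renamed path being advertised. The function and class names are my own.

```python
"""Audit a robots.txt for Disallow rules that advertise MODX internal
directories. Added example; not code from the MODX project or this thread."""

from dataclasses import dataclass, field

# Directory names the thread says should not be advertised. Pass your own
# list when the directories have been renamed (see advertised_paths()).
DEFAULT_SENSITIVE = ("core", "connectors", "manager")

# Constructed sample mirroring the robots.txt quoted in the thread; the
# sitemap host is a placeholder, not a real site.
SAMPLE_ROBOTS = """# constructed sample
User-agent: *
Disallow: /assets/
Disallow: /connectors/
Disallow: /core/
Disallow: /manager/
Disallow: /?
Disallow: /?id=
Sitemap: http://example.invalid/sitemap.xml
"""


@dataclass
class RobotsGroup:
    """One User-agent group: the agents it applies to and its rules."""
    agents: list = field(default_factory=list)
    disallow: list = field(default_factory=list)
    allow: list = field(default_factory=list)


def parse_robots(text):
    """Minimal robots.txt parser returning (groups, sitemaps).

    Each line is 'field: value'; '#' starts a comment. Consecutive
    User-agent lines share one group; a User-agent line that follows
    rules starts a new group. Unknown fields are ignored."""
    groups, sitemaps = [], []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        field_name, value = (part.strip() for part in line.split(":", 1))
        field_name = field_name.lower()
        if field_name == "user-agent":
            if current is None or current.disallow or current.allow:
                current = RobotsGroup()
                groups.append(current)
            current.agents.append(value)
        elif field_name == "sitemap":
            sitemaps.append(value)
        elif current is not None and field_name in ("disallow", "allow"):
            getattr(current, field_name).append(value)
    return groups, sitemaps


def advertised_paths(text, sensitive=DEFAULT_SENSITIVE):
    """Return (agents, path) pairs for Disallow rules whose first path
    segment names a sensitive directory, case-insensitively."""
    wanted = {name.lower() for name in sensitive}
    hits = []
    for group, _ in [(g, None) for g in parse_robots(text)[0]]:
        for path in group.disallow:
            first_segment = path.lstrip("/").split("/", 1)[0].lower()
            if first_segment in wanted:
                hits.append((", ".join(group.agents), path))
    return hits


def report(text, sensitive=DEFAULT_SENSITIVE):
    """Human-readable summary of what the file gives away."""
    hits = advertised_paths(text, sensitive)
    if not hits:
        return "robots.txt does not name any sensitive directory"
    lines = ["robots.txt advertises %d sensitive path(s):" % len(hits)]
    lines += ["  [%s] %s" % (agents, path) for agents, path in hits]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_ROBOTS))
    # Renamed install: the stock names are gone, but a renamed manager
    # directory (hypothetical name) is still being advertised.
    renamed = "User-agent: *\nDisallow: /assets/\nDisallow: /backoffice-x7/\n"
    print(report(renamed, sensitive=("backoffice-x7",)))
```

The rules that matter to a crawler (/assets/, /?) are left alone; only entries that point at the directories the thread wants kept quiet are flagged, so the script can run in CI against the deployed robots.txt without producing noise for ordinary crawl rules.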

ant-tar commented 6 years ago

Agree. Thank you! 💯