Secure RosarioSIS
This article aims at giving security hints for RosarioSIS.
Instead of creating the RosarioSIS database as the default `postgres` superuser, first create a dedicated role that can log in and create databases. Then connect as that role and create the RosarioSIS database, so that the RosarioSIS role is its owner. That way, if the RosarioSIS database password is ever discovered, the attacker only holds an ordinary role that owns one database, not a superuser account on the whole PostgreSQL server.
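The steps above, written out as an added example (not taken from the RosarioSIS wiki or the project's own installer). The role name `rosariosis`, the database name `rosariosis` and the password are placeholders to replace with your own values; the last two statements go slightly beyond the text by dropping the `CREATEDB` privilege once the database exists and by checking the resulting role in `pg_roles`:

```sql
-- Step 1: as the postgres superuser (e.g. `psql -U postgres`), create a
-- dedicated role that can log in and create databases. It is NOT a
-- superuser and cannot create other roles.
-- Placeholder names and password; change them.
CREATE ROLE rosariosis WITH LOGIN CREATEDB NOSUPERUSER NOCREATEROLE
    PASSWORD 'change-this-password';

-- Step 2: reconnect as that role (e.g. `psql -U rosariosis -d postgres`)
-- and create the application database, so the RosarioSIS role owns it.
CREATE DATABASE rosariosis OWNER rosariosis ENCODING 'UTF8';

-- Step 3 (hardening beyond the wiki text; run again as postgres):
-- the role only needed CREATEDB once, so take it away again. It still
-- owns the rosariosis database and can create tables inside it.
ALTER ROLE rosariosis NOCREATEDB;

-- Step 4: verify the result. Expect rolsuper, rolcreatedb and
-- rolcreaterole all 'f' (false) and rolcanlogin 't' (true).
SELECT rolname, rolsuper, rolcreatedb, rolcreaterole, rolcanlogin
FROM pg_roles
WHERE rolname = 'rosariosis';

-- And confirm the database owner is the application role, not postgres.
SELECT d.datname, r.rolname AS owner
FROM pg_database d
JOIN pg_roles r ON r.oid = d.datdba
WHERE d.datname = 'rosariosis';
```

Use the `rosariosis` role and its password in the RosarioSIS configuration, and keep the `postgres` superuser password out of the application entirely.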
If you have successfully installed RosarioSIS on your production server:
Here is the list of files which contain the version number of RosarioSIS, in case you would like to hide it:
Be careful when you update RosarioSIS: if you overwrite the files, the files listed above will be accessible again and will expose the version number once more.
Change the default usernames and passwords (admin, teacher, student, parent) and adopt a password policy.
Here are some php.ini directives that can be modified for session security:

```ini
; session.use_strict_mode specifies whether the module will use strict session id mode.
; If this mode is enabled, the module does not accept uninitialized session ID.
; If uninitialized session ID is sent from browser, new session ID is sent to browser.
; Applications are protected from session fixation via session adoption with strict mode.
; Defaults to 0 (disabled).
; http://php.net/manual/en/session.configuration.php#ini.session.use-strict-mode
session.use_strict_mode = 1

; http://php.net/session.hash-function
session.hash_function = sha256
```

Note that `session.hash_function` (together with `session.hash_bits_per_character`) was removed in PHP 7.1; on PHP 7.1 and later, session ID strength is controlled by `session.sid_length` and `session.sid_bits_per_character` instead, and `session.use_strict_mode = 1` remains the important setting against session fixation.
Here is a good set of Apache rules to block attacks: 5G Blacklist 2013
However, you should remove this line for RosarioSIS to work:

```apache
RewriteCond %{QUERY_STRING} (\\|\.\./|`|=\'$|=%27$) [NC,OR]
```

This condition rejects any query string containing a backslash, `../`, a backtick, or a parameter value ending in a single quote (literal or URL-encoded as `%27`); removing it means those patterns in the query string are no longer blocked at the Apache level, so keep the rest of the ruleset in place.
WebSecTools, protect your website.
Mozilla Observatory, test your server security.