
LuxCal Forum

The place for questions, suggestions and news about the LuxCal Event Calendar

How does one secure a luxcal installation
Posted:  07 Feb 2013 11:18
I may have dreamed this but I thought that when my installation completed I was presented with a list of files I should protect. Unfortunately I didn't print the list and now I can't find it anywhere.

Does such a list really exist and if so where can I find it?
__________________
John
Posted:  07 Feb 2013 12:54
Hello John,

I'm not sure what you mean; Roel might. I don't know of any files you need to protect. When you have completed the installation, assuming you are running 2.7.3, you would need to delete the install.php and upgrade273.php files.

You should also keep a backup copy of the lcconfig.php file. It contains the LuxCal version number and the parameters for the MySQL database.

In the / root directory you will find the installation_guide.html file which you might want to refer to.

Dan
__________________
"Little Guy"
Some own motorcycles, others ride them.

Find great LuxCal examples by Schwartz at http://www.calendarforum.dk/index.html
Posted:  07 Feb 2013 17:29   Last Edited By: Roel B.
Hi John,

You haven't been dreaming. This is the text you've seen after successful installation:

Please note that it is good practice to directly . . .
- back up the configuration file lcconfig.php in the root folder of the calendar
- delete the installation file install.php from the root folder of the calendar
Log in to the calendar, go to the administration menu (top right) and:
- on the Settings page set the TimeZone to your local time zone
- on the Settings page choose your preferred settings
- on the Categories page define a number of useful event categories
Protect the 'emlists', 'files' and 'logs' folders
- for instance: add to these folders a .htaccess file with 'Options -Indexes'

The last part is about protecting folders. The 'emlists', 'files' and 'logs' folders can contain (under certain circumstances) text files (e.g. email lists) or .sql files (database backup files). If you don't protect these folders, these files could be read by unauthorized users. This is maybe not directly a disaster, but nevertheless, it's better to prevent problems.
Roel
Posted:  07 Feb 2013 18:56
Hi Roel,

When I was done with the installation, I know I didn't take the time to read the screen. As you can tell from my post, about the only thing I remembered was making a backup of lcconfig.php.

Perhaps in the download you could include a .htaccess file to protect these folders and files since it's most likely that LuxCal is installed in its own directory and there won't be a risk of overwriting a current .htaccess file.

Just a thought.

Sincerely;
Dan
Posted:  08 Feb 2013 00:04   Last Edited By: Roel B.
Hi Dan,
I thought about this too.
The trouble is that each server is configured differently and sometimes there is already a .htaccess file in the calendar's root folder and sometimes users will want to use other ways to protect folders. In the calendar I've taken the basic measure of adding an empty index.html file to each folder, to take care that users can't see directory listings, but a hacker will find a way around this basic protection.
I'm reluctant to add server-related "solutions" which may interfere with already present solutions or which may work on an apache server, but not on an IIS server, etc.
Roel
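
The post-install checklist Roel quotes and his point about index.html only hiding listings, as an added example that is not part of the original thread or of LuxCal: a shell audit of a calendar folder. It assumes an Apache server that honours .htaccess; the function name, labels and demo tree are constructed. 'Options -Indexes' alone is reported as weak because it only turns off the listing, while 'Require all denied' (Apache 2.4) or 'Deny from all' (Apache 2.2) refuses requests for the files themselves.

```shell
#!/bin/sh
# Added example: audit a LuxCal folder against the checklist quoted in this thread.
# audit_luxcal DIR prints one finding per line (labels are this example's own).

audit_luxcal() {
    root=$1
    # Installer/upgrade scripts named in the thread should be gone after setup.
    for f in install.php upgrade273.php; do
        if [ -e "$root/$f" ]; then
            echo "REMOVE $f is still in the calendar root"
        fi
    done
    # Folders that may hold email lists or .sql database backups.
    for d in emlists files logs; do
        [ -d "$root/$d" ] || continue
        ht="$root/$d/.htaccess"
        if [ ! -f "$ht" ]; then
            echo "OPEN   $d/ has no .htaccess"
        elif grep -Eiq '^[[:space:]]*(Require[[:space:]]+all[[:space:]]+denied|Deny[[:space:]]+from[[:space:]]+all)' "$ht"; then
            echo "OK     $d/ denies all web requests"
        elif grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$ht"; then
            echo "WEAK   $d/ hides the listing only; files are still served by name"
        else
            echo "OPEN   $d/.htaccess has no listing or access rule"
        fi
    done
    return 0
}

# Constructed demo tree (not a real installation).
demo=$(mktemp -d)
mkdir "$demo/emlists" "$demo/files" "$demo/logs"
: > "$demo/install.php"
echo 'Options -Indexes' > "$demo/files/.htaccess"
echo 'Require all denied' > "$demo/logs/.htaccess"
audit_luxcal "$demo"
rm -rf "$demo"
```

On the demo tree this reports install.php for removal, emlists/ as open, files/ as weak and logs/ as OK.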
Posted:  08 Feb 2013 18:20
Hi Roel,

Makes sense. At least now it's in the forum for future reference.

Dan