On Thu, Aug 1, 2013 at 11:33 AM, Joel Davidson <jrd@prismnet.com> wrote:
I know Bruce put some
basic levels of security via passwords into mh, but just how secure
does that make it?  I think anyone who puts a misterhouse system on
the internet without additional levels of security is asking for
trouble.  

Completely agree.  In my opinion the security within MH is a joke, it is there to prevent authorized users from accidentally ending up where they shouldn't be, but it does a poor job of securing against hackers.

The easy solution for me was the following:
- Apache2 server
- ProxyForward
- Apache Directory Authorization
- SSL (if you are accessing MH from a public connection)
- Fail2Ban 

I use the proxyforward module in apache to proxy access to the MH port through the regular port 80 of my web server.  Access to the domain that directs to MH is password controlled.  If you enter a bad password three times Fail2Ban blocks access from your IP for 15 minutes, do it again and you are out for 2 hours ... Escalating to a permanent ban.  

I would not want to be the person who tried to secure MH.  Instead, I think we are better served relying on well established programs to maintain this security.