How to maximize data security?
Brought to you by:
canajun2eh,
yalnifj
Menu
▾
▴
Data security is the most important thing on a genealogy website.
How to maximize data security?
I have disabled certain functions of php from running, and the firewall configuration can only be linked to mysql natively, hiding the source station through a reverse proxy.
.
1. Can I restrict the execution of php scripts to certain directories through apache or nginx?
2. If you put the media folder or index folder outside the pgv directory, will it be more secure?
On 15/12/2018 03:36, xiaofo wrote:
--
Lester Caine - G8HFL
Contact - https://lsces.co.uk/wiki/?page=contact
L.S.Caine Electronic Services - https://lsces.co.uk
EnquirySolve - https://enquirysolve.com/
Model Engineers Digital Workshop - https://medw.co.uk
Rainbow Digital Media - https://rainbowdigitalmedia.co.uk
In addition, in order to prevent the genealogy database from being stolen by others, can it be allowed to only allow pgv files to query the database by restricting the prohibition?
Can you share your detailed profile? Let's discuss together. thank you!
Last edit: xiaofo 2018-12-15
On my site, I have the /index and /media directories outside the web-addressable file space, and I use the Media Firewall feature to allow PhpGedView to serve up the media files when required.
You still need the /index and /media directories in the PhpGedView installation, and they still need 777 permissions, but there's no data in there, except for the /media directory where there's an automatically generated .htaccess file. This .htaccess file engages the media firewall to serve files that are missing from the /media directory.
On my server, the "web" directory is where incoming HTTP or HTTPS requests land. Within this directory, there are a "phpGedView" directory as well as other directories, each for a different application (or whatever) that I want browsers to be able to access. Some of these other directories are password protected by means of .htaccess files that specify password protection.
A robots.txt file in the "web" directory stops well-behaved search engines from traversing web-accessible directories that I don't want them to look at. Unfortunately, there are search engines out there (Bing and Bingpreview included!) that don't look at or obey all robots.txt directives. Misbehaving IP addresses get blocked. I block Bingpreview, and my site needed to be registered in Bing's Webmaster Tools before Bing would look at the robots.txt file. I'm still not convinced that Bing is behaving itself now.
In the server's file space, at the same level as "web", there's a "private" directory. This is not accessible by browsers, although FTP can get to it. In that "private" directory, there's a subdirectory "phpGedView", and then in that, there are "index" and "media" directories. These directories have 777 permission.
I checked the wiki and if the media directory is outside the web directory, it is not protected by the media firewall.
https://wiki.phpgedview.net/en/index.php/Configuration_-_Multimedia
Is it ok now?
My directory structure is like this.
Web/pgv
Web/index
Web/media
Set web/pgv in nginx as the root of the website.
The final result should be the same as yours, is it?
I would recommend that web/pgv not be the root of the web site, because if the web site root is the actual installation directory of PhpGedView, you can't easily install other software. There is a strong possibility of file or directory name collision. Each software package should be in its own directory on the server.
The Wiki hasn't been maintained in over 10 years, and it won't be, either.
The Wiki should be telling you that you can have a mix of media file locations. Media files that are in the regular "/media" directory subordinate to the PhpGedView installation are not protected, since they are directly accessible by simply pointing your browser at the file in question. For example: https://abc.com/media/xyz.jpg . Media files that are not in browser-accessible locations can be protected by the media firewall feature, but you should use the Manage Media functions built into PhpGedView to move these files from the unprotected "/media" directory to the protected one.
The only way to test whether your set-up is working is to temporarily disable the media firewall and then point your browser at one of those media files in the supposedly protected directory.
If you choose to point your web root at the "web" directory, with PhpGedView still being in the "pgv" directory, you can redirect any incoming requests that don't use the "pgv" subdirectory. Just have an index.php file in the "web" directory that looks like the one my site has:
I think it should first protect the database information. How to protect the database, prevent hacker attacks, it is very important thing. For media folders, you can use NGIXX or Apache configuration files, through redirect hide the real address. Or use the media firewall.
It is best to save the user upload file to another server to prevent the hack from attacking the file by uploading it.