Pool Security

Security is an Onion

There is more to pool security than a 1 page bullet-point list and there is no magical program to keep you from getting hacked, this is just a primer.

Pre-Installation

• Get onto your production box, setup ssh keys
• Update and install all the dependencies, mail etc
• Make sure apache/php/mysql/$mailserver are playing nice together
• Run phpsecinfo
• Make sure display_errors is Off in your php.ini
• Make sure your session.save_path is NOT web accessible in your php.ini
• And if you're not running it yet and reading along, run phpsecinfo

Apache / MySQL / PHP

• Make sure your .htaccess works for MPOS + anything else running within its subdir or equiv
• If you have an SSL cert, make sure you have installed it correctly
• Enable [cookies][secure] in global config and [strict__https_only] in security config
• Your MySQL user should not be root, setup a new user with permissions you set

MPOS

• Turning on [twofactor] will protect your users from themselves
• Get an SSL cert and take the extra 10 minutes, it's worth it
• Make sure your [cookie] settings are correct
• Memcache should be enabled unless you absolutely cannot use it (I don't believe you)
• Strict mode will stop a few types of attacks, so use it
• If you're paranoid use strict__verify_server and set the strict__bind_'s to your server info

Finishing Up

• Remove unnecessary software; Your production box doesn't need phpmyadmin
• Download and run phpsecinfo