Security checklist
To maximize security, make sure you have taken these steps:
-
Have you set your admin password?
If you haven't, or if you're not sure of what the admin password is, review the "First Time Configuration" section within the FDSE User Guide.
Do *not* install this script without setting the admin password. The first person to visit the admin page will be given full access. You want that person to be you.
In particular, if you attempt to install this script and have a few problems, do not walk away and leave the script files on the server without having set the admin password. It may be that the problems are temporary, such that later on an anonymous user could visit and have full access to the admin area. If you are not able to install, then delete all the files.
-
Is your password a good one? Use 8 characters with a mix of upper- and lowercase letters, numbers, and punctuation.
Use an FDSE password which is different from all of your other passwords for other systems.
-
Are you running the latest stable version of FDSE? Have you signed up for update notification of new versions?
Every few versions, there tends to be a small security fix or two. If you are running an old version of the script, there are probably security vulnerabilities in it that have been published and are thus well known to the hacker community.
If for any reason you are not able to maintain your script by watching for updates and installing them periodically, then you should consider a different search solution. Remotely-hosted solutions from Google.com, Atomz.com, or Freefind.com might be better suited to your needs.
-
Have you customized your system to separate the publicly-accessible scripts from the private data and libraries? Review the help file "Security: Changing the location of the searchdata folder" to see how.
-
If your server requires the *.cgi extension for execution, and if your server does no processing at all on *.pl files (such that requesting them over the web returns their original source code), then you should rename your primary settings file.
To do so, navigate to the folder "search/searchdata" and find the file named "settings.pl". This is a data file, but it uses an active extension to make it more difficult for people to download it over the web. On servers that do not process the *.pl extension, this file should be renamed "settings.cgi". FDSE will check for both "settings.cgi" and "settings.pl" during start-up, and so you do not need to make any other configuration change. Just rename the file and your system will continue to work, and will be more secure.
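A self-check for this item, added here as an example and not part of the FDSE documentation or its code: it requests your own installation's settings file and classifies the response. It assumes the default path searchdata/settings.pl under the script folder, and that a server which executes the data file as Perl returns an error or HTML rather than the file's text (a heuristic, not documented FDSE behaviour).

```python
"""Check whether your own FDSE settings file is served as raw text.

Assumptions (not from the FDSE docs): the file lives at
<base_url>/searchdata/settings.pl; a server that processes *.pl will
return an error or HTML, while one that does not will return the raw file.
"""
import sys
import urllib.error
import urllib.request


def looks_like_perl_source(body: str) -> bool:
    """Heuristic: a raw Perl data file starts with a shebang or contains
    lines such as  $Rules = '...';  that an executed script would not echo."""
    if body.lstrip().startswith("#!"):
        return True
    return any(
        line.lstrip().startswith(("$", "@", "%", "my ")) and line.rstrip().endswith(";")
        for line in body.splitlines()
    )


def classify_response(status: int, content_type: str, body: str) -> str:
    """Return 'exposed', 'protected' or 'unknown' for one HTTP response."""
    if status in (403, 404):
        return "protected"  # access denied, or not served at all
    if status == 200 and content_type.startswith("text/plain"):
        return "exposed"  # served verbatim as a text file
    if status == 200 and looks_like_perl_source(body):
        return "exposed"  # served with another type, but still the raw file
    if status == 500:
        return "protected"  # assumption: Perl tried to run it and it produced no CGI headers
    return "unknown"


def check_url(settings_url: str) -> str:
    """Fetch one URL on your own server and classify the result."""
    req = urllib.request.Request(settings_url, headers={"User-Agent": "fdse-selfcheck"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read(4096).decode("latin-1", "replace")
            return classify_response(resp.status, resp.headers.get("Content-Type", ""), body)
    except urllib.error.HTTPError as err:
        return classify_response(err.code, err.headers.get("Content-Type", ""), "")
    except urllib.error.URLError:
        return "unknown"


if __name__ == "__main__":
    # Usage: python fdse_selfcheck.py http://www.example.com/search  (placeholder host)
    base = sys.argv[1].rstrip("/") if len(sys.argv) > 1 else "http://localhost/search"
    print(check_url(base + "/searchdata/settings.pl"))
```

A result of "exposed" means the rename to "settings.cgi" described above applies to your server; "unknown" means inspect the response by hand.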
-
If you are using the proxy.pl utility, have you read about and understood the security issues involved? They are documented in the help file "Advanced Search: Highlighting search terms in the actual document".
-
If you are using FDSE to index and search password-protected web pages, have you read about and understood the security issues involved? They are documented in the help file "Crawling password-protected web pages that return 401 Auth Required".
-
You may want to customize your file and folder names.
By default, FDSE is installed as "/search/search.pl". FDSE auto-detects its own path with each execution, and so you can safely rename the folder and file names to something like "/mysearch/query.pl". Note of course that if you make this change, you will have to make a similar change in any standalone search forms or links which point back to your FDSE installation.
Customizing this path is helpful in the event that, at some future time, a security vulnerability is discovered in FDSE. Hackers may then add the default FDSE path to their probes. Probes are automated tools that visit hundreds of websites and test thousands of different paths for all the CGI scripts that have known bugs. Changing the path and filename will cause these automated probes to miss your installation.
Note that if you change the base filename to something other than "search.pl" or "search.cgi", then you will need to repeat that change within the "cmd_admin.pl" utility if that utility is used.
http://www.xav.com/scripts/search/help/1157.html