Securing OJS installations after installation-- How to?

oah433 · June 14, 2018, 12:57am

Hi
I have installed OJS successfully and (2.4.8 and 3.1) versions successfully and during setup I gave full permission to couple of files (the ones mentioned in the read-me file) so shall I revoke these full-permissions after the installation is done? What measures should be taken to better secure the site after the installation is done?

Also I checked the “secure your OJS installation” on this page

https://openjournalsystems.com/faq/how-do-you-handle-ojs-site-security/

and it says the following about “restricting the file permission”

4- Restrict File Permissions: Getting OJS file permissions right is one of the most important factors in maintaining the security of OJS installation. We use restrict file permissions for better security while maintaining OJS functionality.

But it doesn’t say what files should be restricted and how, any ideas, tips on that and how to implement it?

Regards.
OAH.

asmecher · June 14, 2018, 1:04am

Hi @oah433,

That site contains misleading information about OJS security. See PKP Position on Online Harassment for a statement about that company.

It’s difficult to give specific instructions for file permissions, as servers will have a number of different configurations. Essentially 777 permissions (on UNIX-like platforms) are never safe to use. There is a more comprehensive description of OJS’s requirements for file permissions in the FAQ area of this forum: How should file permissions be set?

The most important considerations for security are described in docs/README under “Recommended Configuration”. Note in particular the need for your files directory to be kept outside the web root, or protected – this is mentioned on the installation form, in the README, and elsewhere, but does get overlooked.

Regards,
Alec Smecher
Public Knowledge Project Team

oah433 · June 14, 2018, 6:34am

Thank you so much. I will check it out and proceed from there.

Just to double confirm, by the “files” directory: you mean the file to which the submissions are uploaded, right?

Regards.
OAH.

asmecher · June 14, 2018, 7:27am

Hi @oah433,

Yes, that’s right – it’s configured in the files_dir directive in config.inc.php.

Regards,
Alec Smecher
Public Knowledge Project Team

oah433 · June 14, 2018, 11:56pm

Found it. Thx a ton
I have Plesk on the server and by default it is preventing access to any folder which doens’t have an index page. I think that will do the trick.

Thx again.
OAH

asmecher · June 15, 2018, 12:01am

Hi @oah433,

Perhaps – but that isn’t a common setup, I don’t think. Just to be sure, if your files_dir is still inside your web root somewhere, I’d suggest trying out a full URL to a file inside your files_dir in your browser to see if you can download it directly that way. If so, your system isn’t safe and you’ll need to prevent access to the contents of that directory, either by moving outside the web root or by using a mechanism like an .htaccess file.

Regards,
Alec Smecher
Public Knowledge Project Team