Skip to content

Harden request headers, login interface and passwords to increase backend security.

License

Notifications You must be signed in to change notification settings

jvm-tech/JvMTECH.NeosHardening

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

9 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

JvMTECH.NeosHardening Package for Neos CMS

Latest Stable Version License

Harden request headers, login interface and passwords to increase backend security.

Installation

composer require jvmtech/neos-hardening

Active by default

  • Remove Neos version info from request headers *
  • Set min password strength requirements

Optional features

  • Change the default login url "/neos" to something like "/neos-random-suffix" *:
    JvMTECH:
      NeosHardening:
        loginUri: 'neos-random-suffix'
    
  • Replace the dynamic login url check with a custom RegEx (not needed if you just replace loginUri):
    JvMTECH:
      NeosHardening:
        loginUriRegex: '/^(neos)?($|\/)/'
    
  • Limit login interface access to specified ip addresses:
    JvMTECH:
      NeosHardening:
      allowedIPs:
        IPv4:
          - '172.20.30.40'
          - '172.20.0.0/24'
        IPv6:
          - '2001:0db8:85a3:0000:0000:8a2e:0370:7334'
    
  • Define password strength requirements, defaults:
    JvMTECH:
      NeosHardening:
        checkPasswordStrengthOnAddUser: true
        checkPasswordStrengthOnSetUserPassword: true
        passwordRequirements:
          minLength: 8
          upperAndLowerCase: true
          numbers: true
          specialChars: false
          maxConsecutiveLetters: 0 # disabled
          maxConsecutiveNumbers: 0 # disabled
    
  • An example for secure passwords (should be your standard because you use a password manager, right? 😉):
    JvMTECH:
      NeosHardening:
        passwordRequirements:
          minLength: 16
          upperAndLowerCase: true
          numbers: true
          specialChars: true
          maxConsecutiveLetters: 3
          maxConsecutiveNumbers: 3
    
    # "djxAHQC0bzc_tjd9nmg" would fail
    # "djx@HQC0bzc_tjd9nmg" would work
    
  • Disable user on too many failed login attempts:
    JvMTECH:
      NeosHardening:
        checkFailedLogins: true
        blockAfterFailedLogins: 5
    
  • Prevent reuse of old passwords:
    JvMTECH:
      NeosHardening:
        checkPasswordHistory: true
        passwordHistoryLength: 10
    

*) Why hiding stuff?

Hiding the Neos version in the request headers and moving the login to an new url is nothing else than "security by obsurity".

Yes. But it's another layer to make it a little bit harder to get into your system. Therefore, it's a low-hanging fruit we should take.


by jvmtech.ch