I've read this page:
http://meta.wikimedia.org/wiki/Documentation:Security
but I'd like to know how to require editors to log in first, and how to disable account creation.
Also, I'm not sure how to disable running PHP scripts in any directories except the script directories. Can I just copy this to the end of my httpd.conf file and then reboot the server:

<Location "/wiki/images">
    php_admin_flag engine off
    AddType text/plain .html .htm .shtml
</Location>

All related comments on how to secure a wiki are welcome.
TIA
Try these pages:
http://meta.wikimedia.org/wiki/Setting_user_rights_in_MediaWiki#Configuring_...
http://meta.wikimedia.org/wiki/Preventing_Access
-- Zigger
On Sat, 29 Jan 2005 16:39:58 +0000 (UTC), Rusty Shackleford wrote:
I've read this page:
http://meta.wikimedia.org/wiki/Documentation:Security
but I'd like to know how to require editors to log in first, and how to disable account creation.
Also, I'm not sure how to disable running PHP scripts in any directories except the script directories. Can I just copy this to the end of my httpd.conf file and then reboot the server:

<Location "/wiki/images">
    php_admin_flag engine off
    AddType text/plain .html .htm .shtml
</Location>

All related comments on how to secure a wiki are welcome. ...
On Sat, Jan 29, 2005 at 04:39:58PM +0000, Rusty Shackleford wrote:
I've read this page:
http://meta.wikimedia.org/wiki/Documentation:Security
but I'd like to know how to require editors to log in first, and how to disable account creation.
Add the following lines to LocalSettings.php:

# Prevent new user registrations - only users with sysop status can
# create users.
$wgWhitelistAccount = array ( "sysop" => 1 );
# You must be a logged in user to edit pages. Combining this
# restriction with the previous restriction means we control who can
# edit pages.
$wgWhitelistEdit = true;

You should notice that the login page is different - all you'll have now are two boxes for username and password rather than the five seen previously.
Also, I'm not sure how to disable running PHP scripts in any directories except the script directories. Can I just copy this to the end of my httpd.conf file and then reboot the server:

<Location "/wiki/images">
    php_admin_flag engine off
    AddType text/plain .html .htm .shtml
</Location>

I think so. I've used <Directory /some/where/images> instead of location, but it works for me.
All related comments on how to secure a wiki are welcome.
You may want to add an Apache rewrite rule so that requests for the login page are redirected to use HTTPS and passwords are encrypted:

RewriteCond %{QUERY_STRING} ^title=Special:Userlogin
RewriteRule /(.*) https://wiki.example.com/$1 [R,L,QSA]

You'll need to make sure it's either in an HTTP VirtualHost or add a RewriteCond to check it was an HTTP request, possibly using %{SERVER_PROTOCOL}. Once you've redirected to HTTPS your browser should stay using HTTPS, protecting the cookies MediaWiki sets.
I've read this page:
http://meta.wikimedia.org/wiki/Documentation:Security
but I'd like to know how to require editors to log in first, and how to disable account creation.
Add the following lines to LocalSettings.php:

# Prevent new user registrations - only users with sysop status can
# create users.
$wgWhitelistAccount = array ( "sysop" => 1 );
# You must be a logged in user to edit pages. Combining this
# restriction with the previous restriction means we control who can
# edit pages.
$wgWhitelistEdit = true;

I finally got round to doing this (without the messy mail indentation etc) but it doesn't seem to have had any effect. We're running 1.3.1 for various reasons.
Is there a time lag for the changes to be implemented perhaps? Any other clues? :-) Thanks. The spammers have been getting busy...
I've read this page:
http://meta.wikimedia.org/wiki/Documentation:Security
but I'd like to know how to require editors to log in first, and how to disable account creation.
Add the following lines to LocalSettings.php:

# Prevent new user registrations - only users with sysop status can
# create users.
$wgWhitelistAccount = array ( "sysop" => 1 );
# You must be a logged in user to edit pages. Combining this
# restriction with the previous restriction means we control who can
# edit pages.
$wgWhitelistEdit = true;

You should notice that the login page is different - all you'll have now are two boxes for username and password rather than the five seen previously.
I posted the other day that I had done this on MediaWiki 1.3.1 to no effect and the consensus was 'upgrade to 1.3.11!' It turns out that we were running 1.3.11 but the folder was still called 1.3.1. I've added these lines to no avail. So this is actually a repost of the same problem. Our wiki is being crippled by spam now and if I can't get this to work, we have to take it offline soon. As the person who 'sold' them the idea, I'm being asked to resolve it (and said I thought I could). So if anyone has any ideas why these lines don't work, I'd be grateful - otherwise this wiki has to go offline altogether...
Jason Davies wrote:
I posted the other day that I had done this on MediaWiki 1.3.1 to no effect and the consensus was 'upgrade to 1.3.11!' It turns out that we were running 1.3.11 but the folder was still called 1.3.1. I've added these lines to no avail. So this is actually a repost of the same problem. Our wiki is being crippled by spam now and if I can't get this to work, we have to take it offline soon. As the person who 'sold' them the idea, I'm being asked to resolve it (and said I thought I could). So if anyone has any ideas why these lines don't work, I'd be grateful - otherwise this wiki has to go offline altogether...
For starters, make sure these lines are *at the end* of LocalSettings.php, not at the beginning. If they appear before the line that includes DefaultSettings.php, they will be overwritten.
Confirm that the right file's being used.
Confirm that the spam you're seeing is actually forbidden by the settings (eg, is it from logged-in users already existing?)
Try the SpamBlacklist extension.
-- brion vibber (brion @ pobox.com)
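
An added example, not part of the thread or of MediaWiki's own code: a small Python check for the ordering problem described in the reply above, reporting when $wgWhitelistAccount or $wgWhitelistEdit is last assigned before the line that includes DefaultSettings.php. The function name and both sample files are constructed for illustration, and the check only recognises assignments and includes that start a line (block comments are not parsed).

```python
import re

# Constructed LocalSettings.php samples (not taken from a real wiki).
BAD = '''<?php
# overrides placed before the defaults are loaded
$wgWhitelistAccount = array ( "sysop" => 1 );
$wgWhitelistEdit = true;
include_once( "includes/DefaultSettings.php" );
$wgSitename = "Example";
'''
GOOD = '''<?php
include_once( "includes/DefaultSettings.php" );
$wgSitename = "Example";
# $wgWhitelistEdit = false;
$wgWhitelistAccount = array ( "sysop" => 1 );
$wgWhitelistEdit = true;
'''

SETTINGS = ("wgWhitelistAccount", "wgWhitelistEdit")
INCLUDE = re.compile(r'^\s*(?:include|require)(?:_once)?\b.*DefaultSettings\.php')
ASSIGN = re.compile(r'^\s*\$(\w+)\s*=(?!=)')

def check_local_settings(text):
    """Return (setting, line, problem) tuples; an empty list means the order is fine."""
    include_line = None
    last_set = {}
    for no, line in enumerate(text.splitlines(), 1):
        if INCLUDE.match(line):
            include_line = no
        m = ASSIGN.match(line)
        if m and m.group(1) in SETTINGS:
            last_set[m.group(1)] = no  # the last assignment is the one PHP keeps
    findings = []
    if include_line is None:
        findings.append(("DefaultSettings.php", None, "include not found; wrong file?"))
    for name in SETTINGS:
        at = last_set.get(name)
        if at is None:
            findings.append((name, None, "not set"))
        elif include_line is not None and at < include_line:
            findings.append((name, at, "set before the include; overwritten"))
    return findings

if __name__ == "__main__":
    for label, text in (("BAD", BAD), ("GOOD", GOOD)):
        print(label, check_local_settings(text) or "ok")
```

To check the file the web server actually loads, read that file's contents and pass them to check_local_settings().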
Confirm that the right file's being used.
As you will have seen... this incredibly obvious step was one I missed. (The architecture of the directories is a little illogical - I didn't set it up.)
Confirm that the spam you're seeing is actually forbidden by the settings (eg, is it from logged-in users already existing?)
I've deleted all users in php admin that I didn't know.
I notice that Firefox doesn't allow people to type in a log-in though....
I can now create users in php admin? I will have to look into it...(I'll try not to post more daft questions...)
Thanks for getting back so quick.
mediawiki-l@lists.wikimedia.org