imported>ThorstenStaerk |
imported>ThorstenStaerk |
| Line 1: |
Line 1: |
| − | Mediawiki is a wiki software used by wikipedia and this wiki.
| + | All following configuration takes place in /etc/ssh/sshd_config. Be sure to look for existing statements, since in most cases chances are that the configuration option already exists in your default sshd_config. |
| | | | |
| − | = Setup = | + | = Disable Root Login = |
| − | * [[Set up mediawiki with SUSE]]
| |
| | | | |
| − | = Configuration =
| + | You might want to disable root login with: |
| − | For all configuration options in LocalSettings see http://www.mediawiki.org/wiki/Category:MediaWiki_configuration_settings.
| + | <pre>PermitRootLogin no</pre> |
| | | | |
| − | == Disable anonymous editing ==
| + | But in some settings, you still need direct root login without sudo for some purpose (often for remote [[scripting]]). In these situation, permitting root login only for [[public key authentication]] might be a solution: |
| | + | <pre>PermitRootLogin without-password</pre> |
| | | | |
| − | To disable anonymous editing, edit LocalSetting.php. Below the line containing $wgDBpassword, add the following lines:
| + | = Disable X11Forwarding = |
| − | $wgGroupPermissions['*' ]['edit'] = false;
| |
| − | $wgGroupPermissions['*' ]['createpage'] = false;
| |
| − | $wgGroupPermissions['*' ]['createtalk'] = false;
| |
| − | These lines disallow creating and editing pages for all groups (*), it remains allowed only for logged-in users.
| |
| | | | |
| − | == Allowing pictures ==
| + | If you do not want to use X11 forwarding, you should disable it altogether by setting |
| | + | <pre>X11Forwarding No</pre> |
| | + | While X11 is not a real danger for your server, it may cause users to unwillingly reveal private data because a remote client can spoof on the local X server, e.g. capturing passwords as they are typed. |
| | | | |
| − | If you are the only editor of a wiki (otherwise [[security]] flaws!) and want to allow pictures from all over the web, add the following line to the LocalSettings.php
| + | = Restrict the set of allowed users = |
| − | $wgAllowExternalImages = true;
| |
| − | below the line
| |
| − | require_once( "includes/DefaultSettings.php" );
| |
| | | | |
| − | == Allow all html tags ==
| + | The '''AllowUsers''' directory is very useful in limiting SSH access to some of your users. For example, you might have some users, which should be allowed to login on a physical terminal (so they cannot be assigned /bin/false or nologin as a shell), but should not be able to login via SSH. |
| | | | |
| − | If you are the only editor of a wiki (otherwise [[security]] flaws!) and want to allow any html code in your wiki, read and follow http://www.mediawiki.org/wiki/Manual:%24wgRawHtml | + | If you got just one or two active users, use of this setting is also recommended, because one never knows what might create a new user that has a weak password (probably a bogus package's post-install script?). |
| | | | |
| − | == Changing the sidebar ==
| + | <pre>AllowUsers user1 user2</pre> |
| | | | |
| − | This is done on the [[application]] level; just edit [[Mediawiki:Sidebar]].
| + | = AllowGroups / DenyUsers = |
| | | | |
| − | == beautify URL ==
| + | '''AllowGroups''' and '''DenyUsers''' work just as '''AllowUsers'''. |
| | | | |
| − | By default, mediawiki's main page is in http://whatever/index.php/Main_Page. To get rid of "index.php", read and follow http://www.mediawiki.org/wiki/Manual:Short_URL
| + | = Disable password authentification = |
| | | | |
| − | == allow searching for short terms ==
| + | If you know that all of your users will login via public key, you can disable password authentification altogether: |
| − | On a default installation of mediawiki you cannot search for words shorter than 4 characters. So a search for "foo" will not yield results. To change this, read and follow [[allow searching for short terms in mediawiki]].
| + | <pre>PasswordAuthentification no</pre> |
| | | | |
| − | == introduce path-based navigation ==
| + | Setting only this single setting will defy 99,9% of all brute force bots out there that are attacking your server constantly, but the downside is (of course) that you cannot login to your server from a machine that is not in ~/.ssh/authorized_keys. |
| − | Want an article '''foo/bar''' to have a heading that links to '''foo'''?
| |
| − | http://www.mediawiki.org/wiki/Help:Subpages or http://www.mediawiki.org/wiki/Extension:BrettCrumbs
| |
| | | | |
| − | == Namespaces == | + | = Putting sshd on a non-standard port = |
| − | Namespaces in Mediawiki allow you to limit searches within a group of articles, the namespace. For setting them up, see http://www.mediawiki.org/wiki/Manual:Using_custom_namespaces.
| |
| | | | |
| − | == CSS ==
| + | This is security by obfuscation only and is of little value if someone uses port scanner to check, whether a ssh daemon is running on a non-standard port. Anyway, it can be useful if you need to access your server from somewhere, where TCP port 22 outgoing is blocked. Just extend your sshd_config: |
| − | See [[MediaWiki:Common.css]] and [[MediaWiki:Monobook.css]].
| + | <pre>Port port |
| | + | ListenAddress 0.0.0.0:port</pre> |
| | | | |
| − | == Google Analytics ==
| + | '''Note: If you still want the default of 22, you must specify it explicitly now, since you have a differing port already configured.''' |
| − | Google Analytics allows you to track how many visitors from where visited your site when, remained how long and much more. The only thing you have to do is to register your site with http://www.google.com/analytics and put a JavaScript code snippet into your page. This code snipped should be directly above the
| |
| − | </head>
| |
| − | tag in your page's HTML code.
| |
| | | | |
| − | === MediaWiki 1.19.1 === | + | = Block hosts with /etc/hosts.deny = |
| − | To get google analytics included with MediaWiki 1.19.1, paste the code snippet you got from google into includes/OutputPage.php like this:
| |
| | | | |
| − | linuxintro:/includes # diff -rup OutputPage-0.php OutputPage.php
| + | Hosts known to be malicious can be added to the /etc/hosts.deny file. You can also use a script like denyhosts that maintaines this file automatically based on sshd log file analysis. |
| − | --- OutputPage-0.php 2012-09-03 07:50:46.000000000 +0000
| |
| − | +++ OutputPage.php 2012-09-03 07:58:01.000000000 +0000
| |
| − | @@ -2411,6 +2411,19 @@ $templates
| |
| − |
| |
| − | $closeHead = Html::closeElement( 'head' );
| |
| − | if ( $closeHead ) {
| |
| − | +$ret.="<script type=\"text/javascript\">
| |
| − | +
| |
| − | + var _gaq = _gaq || [];
| |
| − | + _gaq.push(['_setAccount', ''''UA-15123456-1'''']);
| |
| − | + _gaq.push(['_trackPageview']);
| |
| − | +
| |
| − | + (function() {
| |
| − | + var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
| |
| − | + ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
| |
| − | + var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
| |
| − | + })();
| |
| − | +
| |
| − | +</script>\
| |
| − | ";
| |
| − | $ret .= "$closeHead\
| |
| − | ";
| |
| − | }
| |
| | | | |
| − | Remember to replace the bold account number above by yours.
| + | = Changing the MOTD (Message Of The Day) = |
| | | | |
| − | === MediaWiki 1.16 ===
| + | To change the MOTD, edit /etc/motd and /etc/issue. In theory issue is printed before the login, while the MOTD is printed after a successful login, but this applies more or less loosely in most modern systems. |
| − | To get this done with mediawiki 1.16, paste the code snippet you got from google into includes/OutputPage.php like this: | |
| − | <pre>
| |
| − | linuxintro:/includes # diff -rup OutputPage-0.php OutputPage.php
| |
| − | --- OutputPage-0.php 2012-08-18 22:13:13.000000000 +0000
| |
| − | +++ OutputPage.php 2012-08-18 22:18:08.000000000 +0000
| |
| − | @@ -2140,6 +2140,19 @@ class OutputPage {
| |
| − | if ($wgUseTrackbacks && $this->isArticleRelated())
| |
| − | $ret .= $this->getTitle()->trackbackRDF();
| |
| − |
| |
| − | +$ret.="<script type=\"text/javascript\">
| |
| − | +
| |
| − | + var _gaq = _gaq || [];
| |
| − | + _gaq.push(['_setAccount', 'UA-15123456-1']);
| |
| − | + _gaq.push(['_trackPageview']);
| |
| − | +
| |
| − | + (function() {
| |
| − | + var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
| |
| − | + ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
| |
| − | + var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
| |
| − | + })();
| |
| − | +
| |
| − | +</script>\
| |
| − | ";
| |
| − | $ret .= "</head>\
| |
| − | ";
| |
| − |
| |
| − | $bodyAttrs = array();
| |
| − | </pre>
| |
| − | | |
| − | Remember to replace the account number (UA-15123456-1 in the above example) by yours.
| |
| − | | |
| − | == FaceBook like buttons ==
| |
| − | To get FaceBook's "like" buttons below your mediawiki pages, find the following line in skins/MonoBook.php:
| |
| − | <div id="footer"<?php $this->html('userlangattributes') ?>>
| |
| − | below it add the line
| |
| − | | |
| − | === MediaWiki 1.19 ===
| |
| − | Same as 1.16, but use $this->html('title')
| |
| − | | |
| − | === MediaWiki 1.16 ===
| |
| − | <pre>
| |
| − | <iframe src="http://www.facebook.com/plugins/like.php?href=<?php echo urlencode($skin->mTitle->getFullURL()); ?>&layout=standard&show_faces=false&width=450" scrolling="no" frameborder="0" allowTransparency="true" style="border:none; overflow:hidden; width:450px; height:40px"></iframe>
| |
| − | </pre>
| |
| − | | |
| − | == Captchas ==
| |
| − | Want to open up your wiki to human beings, but not to bots? Use the [https://www.mediawiki.org/wiki/Extension:ConfirmEdit ConFirmEdIt plugin].
| |
| − | | |
| − | == Review ==
| |
| − | Want to review changes before they are public? Use the [http://www.mediawiki.org/wiki/Extension:FlaggedRevs FlaggedRevs extension].
| |
| − | | |
| − | = Backup =
| |
| − | If you want to do a backup of your mediawiki installation, you need to backup the articles, the programs, the configuration files and the media file (like pictures etc.).
| |
| − | | |
| − | == Articles ==
| |
| − | On the application layer:
| |
| − | php maintenance/dumpBackup.php --full >backup.xml
| |
| − | On the database layer, if your database name is ''wikidb'':
| |
| − | mysqldump ''wikidb'' >wikidbdump.sql
| |
| − | | |
| − | == Media files ==
| |
| − | See http://www.kefk.org/webworking/mediawiki/backup_und_restore.
| |
| − | | |
| − | = Update =
| |
| − | See http://www.mediawiki.org/wiki/Manual:Upgrading
| |
| − | | |
| − | = Migrate =
| |
| − | == between computers ==
| |
| − | This describes how to migrate a wiki from one computer to another. It copies the mediawiki software and the content. Let's assume your mediawiki is running on computer ''earth'' and you want to have it running on ''mars''.
| |
| − | * copy your mediawiki software
| |
| − | * on ''mars'', delete LocalSettings.php
| |
| − | * call your wiki on mars. You get the opportunity to set up your wiki.
| |
| − | [[Image:Snapshot-mediawiki-setup.png]]
| |
| − | * attention! If you use two mediawiki instances on one host, always use the same passwords for the database use
| |
| − | * on earth, do a backup of your content to backup.xml. Copy it to your local computer.
| |
| − | * log on to the wiki on mars as WikiSysop, choose Special Pages -> Import Pages and upload backup.xml.
| |
| − | * all pages are imported! Look for Main_Page's history, you will find an addtional version containing earth's actual main page.
| |
| − | * you may have to adjust upload_max_filesize in /etc/php5/apache2
| |
| − | | |
| − | == between databases ==
| |
| − | * [[migrating mediawiki from MySQL to SQLite]]
| |
| − | | |
| − | = Extensions =
| |
| − | * http://www.mediawiki.org/wiki/Security_issues_with_authorization_extensions
| |
| − | | |
| − | = See also =
| |
| − | * [[how to make dokuwiki a good mediawiki]]
| |
| − | * [[Convert a dokuwiki to mediawiki]]
| |
| − | * http://lifehacker.com/5396832/customize-mediawiki-into-your-ultimate-collaborative-web-site
| |
| − | * http://www.thepetwiki.com/wiki/Dogs -- example for facebook like buttons in mediawiki
| |
| − | * http://renareich.com/2010/04/27/adding-facebook-like-mediawiki/
| |
| − | | |
| − | = Comments =
| |
All following configuration takes place in /etc/ssh/sshd_config. Be sure to look for existing statements, since in most cases chances are that the configuration option already exists in your default sshd_config.
Disable Root Login
You might want to disable root login with:
PermitRootLogin no
But in some settings, you still need direct root login without sudo for some purpose (often for remote scripting). In these situation, permitting root login only for public key authentication might be a solution:
PermitRootLogin without-password
Disable X11Forwarding
If you do not want to use X11 forwarding, you should disable it altogether by setting
X11Forwarding No
While X11 is not a real danger for your server, it may cause users to unwillingly reveal private data because a remote client can spoof on the local X server, e.g. capturing passwords as they are typed.
Restrict the set of allowed users
The AllowUsers directory is very useful in limiting SSH access to some of your users. For example, you might have some users, which should be allowed to login on a physical terminal (so they cannot be assigned /bin/false or nologin as a shell), but should not be able to login via SSH.
If you got just one or two active users, use of this setting is also recommended, because one never knows what might create a new user that has a weak password (probably a bogus package's post-install script?).
AllowUsers user1 user2
AllowGroups / DenyUsers
AllowGroups and DenyUsers work just as AllowUsers.
Disable password authentification
If you know that all of your users will login via public key, you can disable password authentification altogether:
PasswordAuthentification no
Setting only this single setting will defy 99,9% of all brute force bots out there that are attacking your server constantly, but the downside is (of course) that you cannot login to your server from a machine that is not in ~/.ssh/authorized_keys.
Putting sshd on a non-standard port
This is security by obfuscation only and is of little value if someone uses port scanner to check, whether a ssh daemon is running on a non-standard port. Anyway, it can be useful if you need to access your server from somewhere, where TCP port 22 outgoing is blocked. Just extend your sshd_config:
Port port
ListenAddress 0.0.0.0:port
Note: If you still want the default of 22, you must specify it explicitly now, since you have a differing port already configured.
Block hosts with /etc/hosts.deny
Hosts known to be malicious can be added to the /etc/hosts.deny file. You can also use a script like denyhosts that maintaines this file automatically based on sshd log file analysis.
Changing the MOTD (Message Of The Day)
To change the MOTD, edit /etc/motd and /etc/issue. In theory issue is printed before the login, while the MOTD is printed after a successful login, but this applies more or less loosely in most modern systems.
