jvmtech/neos-hardening

Harden request headers, login interface and passwords to increase backend security.

Maintainers

Details

github.com/jvm-tech/JvMTECH.NeosHardening

Source

Issues

Installs: 9 756

Dependents: 0

Suggesters: 0

Security: 0

Stars: 5

Watchers: 2

Forks: 1

Open Issues: 2

Type:neos-package

1.0.4 2023-08-15 12:44 UTC

Requires

MIT b3a8c7fb84e00356a4d44fe49fb5dbc046768fc1

This package is auto-updated.

Last update: 2024-11-06 13:16:15 UTC

README

Latest Stable Version License

Harden request headers, login interface and passwords to increase backend security.

Installation

composer require jvmtech/neos-hardening

Active by default

  • Remove Neos version info from request headers *
  • Set min password strength requirements

Optional features

  • Change the default login url "/neos" to something like "/neos-random-suffix" *: 
    JvMTECH:
  NeosHardening:
    loginUri: 'neos-random-suffix'
  • Replace the dynamic login url check with a custom RegEx (not needed if you just replace loginUri): 
    JvMTECH:
  NeosHardening:
    loginUriRegex: '/^(neos)?($|\/)/'
  • Limit login interface access to specified ip addresses: 
    JvMTECH:
  NeosHardening:
  allowedIPs:
    IPv4:
      - '172.20.30.40'
      - '172.20.0.0/24'
    IPv6:
      - '2001:0db8:85a3:0000:0000:8a2e:0370:7334'
  • Define password strength requirements, defaults: 
    JvMTECH:
  NeosHardening:
    checkPasswordStrengthOnAddUser: true
    checkPasswordStrengthOnSetUserPassword: true
    passwordRequirements:
      minLength: 8
      upperAndLowerCase: true
      numbers: true
      specialChars: false
      maxConsecutiveLetters: 0 # disabled
      maxConsecutiveNumbers: 0 # disabled
  • An example for secure passwords (should be your standard because you use a password manager, right? 😉): 
    JvMTECH:
  NeosHardening:
    passwordRequirements:
      minLength: 16
      upperAndLowerCase: true
      numbers: true
      specialChars: true
      maxConsecutiveLetters: 3
      maxConsecutiveNumbers: 3

# "djxAHQC0bzc_tjd9nmg" would fail
# "djx@HQC0bzc_tjd9nmg" would work
  • Disable user on too many failed login attempts: 
    JvMTECH:
  NeosHardening:
    checkFailedLogins: true
    blockAfterFailedLogins: 5
  • Prevent reuse of old passwords: 
    JvMTECH:
  NeosHardening:
    checkPasswordHistory: true
    passwordHistoryLength: 10

*) Why hiding stuff?

Hiding the Neos version in the request headers and moving the login to an new url is nothing else than "security by obsurity".

Yes. But it's another layer to make it a little bit harder to get into your system. Therefore, it's a low-hanging fruit we should take.

by jvmtech.ch