jvmtech/neos-hardening

Harden request headers, login interface and passwords to increase backend security.

Installs: 9 756

Dependents: 0

Suggesters: 0

Security: 0

Stars: 5

Watchers: 2

Forks: 1

Open Issues: 2

Type:neos-package

1.0.4 2023-08-15 12:44 UTC

This package is auto-updated.

Last update: 2024-11-06 13:16:15 UTC


README

Latest Stable Version License

Harden request headers, login interface and passwords to increase backend security.

Installation

composer require jvmtech/neos-hardening

Active by default

  • Remove Neos version info from request headers *
  • Set min password strength requirements

Optional features

  • Change the default login url "/neos" to something like "/neos-random-suffix" *:
    JvMTECH:
      NeosHardening:
        loginUri: 'neos-random-suffix'
    
  • Replace the dynamic login url check with a custom RegEx (not needed if you just replace loginUri):
    JvMTECH:
      NeosHardening:
        loginUriRegex: '/^(neos)?($|\/)/'
    
  • Limit login interface access to specified ip addresses:
    JvMTECH:
      NeosHardening:
      allowedIPs:
        IPv4:
          - '172.20.30.40'
          - '172.20.0.0/24'
        IPv6:
          - '2001:0db8:85a3:0000:0000:8a2e:0370:7334'
    
  • Define password strength requirements, defaults:
    JvMTECH:
      NeosHardening:
        checkPasswordStrengthOnAddUser: true
        checkPasswordStrengthOnSetUserPassword: true
        passwordRequirements:
          minLength: 8
          upperAndLowerCase: true
          numbers: true
          specialChars: false
          maxConsecutiveLetters: 0 # disabled
          maxConsecutiveNumbers: 0 # disabled
    
  • An example for secure passwords (should be your standard because you use a password manager, right? 😉):
    JvMTECH:
      NeosHardening:
        passwordRequirements:
          minLength: 16
          upperAndLowerCase: true
          numbers: true
          specialChars: true
          maxConsecutiveLetters: 3
          maxConsecutiveNumbers: 3
    
    # "djxAHQC0bzc_tjd9nmg" would fail
    # "djx@HQC0bzc_tjd9nmg" would work
    
  • Disable user on too many failed login attempts:
    JvMTECH:
      NeosHardening:
        checkFailedLogins: true
        blockAfterFailedLogins: 5
    
  • Prevent reuse of old passwords:
    JvMTECH:
      NeosHardening:
        checkPasswordHistory: true
        passwordHistoryLength: 10
    

*) Why hiding stuff?

Hiding the Neos version in the request headers and moving the login to an new url is nothing else than "security by obsurity".

Yes. But it's another layer to make it a little bit harder to get into your system. Therefore, it's a low-hanging fruit we should take.

by jvmtech.ch