4. Separate directories for CGI and contents
http://example.com
  /cgi-bin/*.cgi  : execute all files
  /mt-static/     : prohibit CGI
  /*.html         : prohibit CGI
5. Restrict access
Conceal the CGI directory inside the DMZ, or restrict access to it by IP address
/cgi-bin/*
More info: http://httpd.apache.org/docs/2.2/en/mod/mod_authz_host.html
6. Rename the mt.cgi script
Prevents bot access and random guessing of the admin URL
https://example.com/cgi-bin/mt/mt.cgi
AdminScript XXXX.cgi
Specify the new name with the AdminScript configuration directive in mt-config.cgi
7. Protect mt.cgi with basic authentication
Allow access to mt-comments.cgi and mt-cp.cgi, but require basic authentication for mt.cgi
/cgi-bin/mt.cgi
9. You must use a different ID / password for the basic authentication from your MT account
SSL is mandatory; otherwise the ID / password can be captured on the network during the transaction
10. Use SSL for admin access
Encrypt the traffic between your browser and MT (SSL)
11. Required configuration in mt-config.cgi
Use a relative path:
StaticWebPath /mt-static
so that the admin screen does not mix http and https connections when fetching images and CSS
12. Configure URLs for the admin and non-admin CGI
AdminCGIPath  path for the admin CGI (SSL)
https://example.com/cgi-bin/mt/
CGIPath  path for the non-admin CGI
http://example.com/cgi-bin/mt/
But this alone is NOT enough to prohibit non-SSL access to the admin script: mt.cgi still answers on port 80
14. Redirect http access to https
httpd.conf:
<Directory "/home/example/www">
    etc....
    RewriteEngine On
    RewriteCond %{SERVER_PORT} ^80$
    RewriteRule ^(cgi-bin/mt.cgi)$ https://%{SERVER_NAME}/$1 [R,L]
</Directory>
or the same three Rewrite lines in .htaccess (the RewriteRule must be written on one line)
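The following is an added example, not from the original slides, that puts slides 4, 5, 7, 9 and 14 together in one httpd.conf fragment. It assumes MT is installed under /home/example/www/cgi-bin/mt (the URL form shown on slide 6), static files under /home/example/www/mt-static, the hostname example.com, an htpasswd file at /home/example/mt-admin.htpasswd and an office address range of 203.0.113.0/24; all of these are placeholders. It uses Apache 2.2 syntax, matching the mod_authz_host page linked on slide 5. One caveat on slide 14's approach: a per-directory RewriteRule (in a <Directory> block or .htaccess) runs after Apache's authentication phase, so if the Basic-auth requirement also applies on port 80, the browser is challenged for the password over plain HTTP before the redirect fires. The example therefore does the redirect with mod_alias in the port-80 virtual host, which runs before authentication, and keeps the AuthType block only in the SSL virtual host.

```apache
# Added example (not from the original slides).  Apache 2.2 syntax; on 2.4
# replace the Order/Deny/Allow lines with "Require ip 203.0.113.0/24".
# Assumed paths, hostname, htpasswd file and IP range are placeholders.

# Slide 4: CGI executes only under cgi-bin; content directories may not run it.
<Directory "/home/example/www">
    Options -ExecCGI -Includes
    AllowOverride None
</Directory>
<Directory "/home/example/www/cgi-bin">
    Options +ExecCGI
    AddHandler cgi-script .cgi
</Directory>
<Directory "/home/example/www/mt-static">
    Options -ExecCGI
    AllowOverride None
</Directory>

# Slide 14: on port 80 the only thing mt.cgi does is bounce to https.
# mod_alias Redirect runs before authentication, so no Basic-auth
# challenge is ever sent over plain HTTP.
<VirtualHost *:80>
    ServerName   example.com
    DocumentRoot "/home/example/www"
    Redirect permanent /cgi-bin/mt/mt.cgi https://example.com/cgi-bin/mt/mt.cgi
</VirtualHost>

# Slide 10: admin access only over SSL.
<VirtualHost *:443>
    ServerName   example.com
    DocumentRoot "/home/example/www"
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # Slide 7: Basic auth on mt.cgi only; mt-comments.cgi and mt-cp.cgi
    # stay open for visitors.  Slide 9: create the htpasswd entry with a
    # password that is NOT the MT account password, e.g.
    #   htpasswd -c /home/example/mt-admin.htpasswd editor
    <Location "/cgi-bin/mt/mt.cgi">
        AuthType Basic
        AuthName "Movable Type admin"
        AuthUserFile /home/example/mt-admin.htpasswd
        Require valid-user
        # Slide 5: additionally limit the admin script to one IP range.
        # With the default "Satisfy All" both the IP check and the
        # password must pass.
        Order deny,allow
        Deny from all
        Allow from 203.0.113.0/24
    </Location>
</VirtualHost>
```

Check it with `apachectl configtest` before reloading, then confirm that `curl -I http://example.com/cgi-bin/mt/mt.cgi` returns a 301 to the https URL with no `WWW-Authenticate` header, and that the https URL returns 401 until credentials are supplied from an allowed address. The IP restriction is scoped to mt.cgi rather than to the whole of /cgi-bin/* as slide 5 suggests, because restricting the entire directory would also block public comment posting through mt-comments.cgi.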
15. SSL certificates are not expensive today
e.g. RapidSSL (GeoTrust, Inc.) or Go Daddy SSL: $20 - 40 a year