How does OpenJournalSystems.com handle OJS Security?

By David Green
OpenJournalSystems.com places the utmost emphasis on security, and we are always looking for ways to improve. We use many different layers of security to help protect your OJS site from being hacked. Each layer is capable of stopping an attack on its own; when all of the layers are combined, the overall security level goes up geometrically, creating a stronger OJS security system. We have implemented cutting-edge security policies and protocols that cover OJS itself as well as server security hardening.
- OJS File Upload Validation Plugin: The File Upload Validation Plugin lets the Admin/Journal Manager (JM) choose the approved file types that an author may upload during the submission process. It blocks uploads of OJS malware such as PHTML files, which attackers use to gain entry to an OJS web server and then upload further malicious files.
- OJS Registration Notification Plugin: The Registration Notification Plugin sends an email to a predetermined address whenever a user registers with a journal. The email contains the user name, email address, affiliation, journal and role(s) registered for, and an option to delete the account from OJS. This lets the Admin/JM verify or block the registration of any new user.
- OJS Files Directory Protection: The OJS files directory is placed in a non-web-accessible location, so uploaded files cannot be fetched directly through the web server.
- Restrict File Permissions: Getting OJS file permissions right is one of the most important factors in keeping an OJS installation secure. We apply restrictive file permissions for better security while preserving OJS functionality.
- OJS Encryption: The OJS configuration is changed to hash passwords with SHA1 rather than MD5 for better security.
- Server Security Hardening:
  - ConfigServer Firewall: ConfigServer Firewall, known to most cPanel and WHM users simply as CSF, is one of the most effective firewall configuration scripts available today. It is designed to increase server security considerably and gives you a robust interface for managing firewall features and settings.
  - cPHulk Brute-Force Protection: cPHulk keeps a server from falling victim to brute-force login attempts. A brute-force attack is a password-guessing technique that tries to log in with a user name and password over and over, changing the user name and/or the password after each failure. Given enough time, even a moderately secure random-character password can fall to this, as some attackers will try every combination they can if given the chance. cPHulk detects and blocks these attacks by tracking failed login attempts. Note that this can affect you too if the failed logins originate from your own internet connection.
  - Lynis Security Audit: Lynis is an open source security auditing tool used by system administrators, security professionals and auditors to evaluate the defenses of their Linux and UNIX-based systems. Because it runs on the host itself, it performs more extensive checks than a network vulnerability scanner can.
  - Munin Network Monitoring Tool: Munin is a system, network and infrastructure monitoring application that provides real-time monitoring and alerting for servers and notifies the system administrator when things go wrong.
  - ClamAV Malware Scanner: Clam AntiVirus (ClamAV) is a software toolkit able to detect many types of malicious software, including viruses and trojans. Its main uses here are scanning entire home directories and, on mail servers, acting as a server-side email virus scanner.
  - Server Side Security Scripts: Proprietary security scripts that prevent execution of OJS defacement malware and close any unused ports.
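To make the File Upload Validation item concrete, here is an added example of the kind of allowlist check a submission upload handler can run before accepting a file. It is not the plugin's code and not from the original page; the allowlist, the function name and the sample files are this example's own. It judges only the last extension (so `paper.pdf.phtml` is treated as a PHTML file) and sniffs the bytes with PHP's bundled fileinfo extension instead of trusting the browser-supplied content type.

```php
<?php
// Added example, not the OpenJournalSystems.com plugin's code: an allowlist
// check for submission uploads. The allowlist, names and sample files are
// this example's own; a real handler would call something like this before
// moving the file out of PHP's temporary upload location.

// extension => MIME types libmagic reports for genuine files of that type
const ALLOWED_UPLOADS = [
    'pdf' => ['application/pdf'],
    'txt' => ['text/plain'],
];

/**
 * Decide whether an upload may be accepted.
 * Returns [bool $accepted, string $reason].
 */
function validateUpload(string $clientName, string $tmpPath, array $allowed = ALLOWED_UPLOADS): array
{
    // Judge only the final extension, lower-cased: "paper.pdf.phtml" is a phtml file.
    $ext = strtolower(pathinfo(basename($clientName), PATHINFO_EXTENSION));
    if ($ext === '' || !array_key_exists($ext, $allowed)) {
        return [false, "extension '.$ext' is not on the allowlist"];
    }

    // The browser-supplied Content-Type is attacker-controlled; sniff the bytes instead.
    $finfo = finfo_open(FILEINFO_MIME_TYPE);
    $mime  = finfo_file($finfo, $tmpPath);
    finfo_close($finfo);
    if ($mime === false || !in_array($mime, $allowed[$ext], true)) {
        return [false, "content looks like '" . ($mime ?: 'unknown') . "', which does not match .$ext"];
    }
    return [true, 'accepted'];
}

// Constructed sample uploads (written to the system temp dir, then removed).
$samples = [
    // client-supplied name, file bytes
    ['manuscript.pdf',  "%PDF-1.4\n% constructed minimal header\n"], // accepted
    ['notes.txt',       "plain text cover letter\n"],                // accepted
    ['shell.phtml',     "not a document\n"],                         // rejected: extension
    ['looks-like.pdf',  "plain text, not a PDF\n"],                  // rejected: content sniff
    ['paper.pdf.phtml', "%PDF-1.4\n"],                               // rejected: last extension wins
];

foreach ($samples as [$name, $bytes]) {
    $tmp = tempnam(sys_get_temp_dir(), 'ojs');
    file_put_contents($tmp, $bytes);
    [$ok, $why] = validateUpload($name, $tmp);
    printf("%-18s %s (%s)\n", $name, $ok ? 'ACCEPT' : 'REJECT', $why);
    unlink($tmp);
}
```

The extension allowlist and the content sniff are deliberately two independent checks: the first stops server-executable names outright, the second catches a document-looking name wrapped around non-document bytes. Extend `ALLOWED_UPLOADS` with the types your journals actually accept; libmagic may report more than one MIME type for container formats such as DOCX, which is why each entry is a list.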
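The Files Directory Protection, Restrict File Permissions and OJS Encryption items above all come down to settings in OJS's config.inc.php. The following added audit script (not OpenJournalSystems.com's code and not from the original page) reads such a config and reports the weak states: a files_dir inside the document root, a world-writable files_dir, or password hashing still set to MD5. It assumes the OJS 2.x keys `files_dir` under `[files]` and `encryption` under `[security]`; the permission threshold and the constructed directory layout are this example's own.

```php
<?php
// Added example, not OpenJournalSystems.com's code: audit the config.inc.php
// settings behind the three OJS-level items above. Assumes the OJS 2.x keys
// [files] files_dir and [security] encryption; everything else is this
// example's own choice.

/** Return a list of findings (an empty list means all checks passed). */
function auditOjsConfig(string $iniText, string $documentRoot): array
{
    $findings = [];
    $cfg = @parse_ini_string($iniText, true);
    if ($cfg === false) {
        return ['config.inc.php could not be parsed'];
    }

    // Files directory: must exist, must not sit under the web-served tree,
    // and must not be writable by every local user.
    $filesDir = (string) ($cfg['files']['files_dir'] ?? '');
    $real = $filesDir === '' ? false : realpath($filesDir);
    $rootReal = realpath($documentRoot);
    if ($real === false) {
        $findings[] = "files_dir '$filesDir' does not exist";
    } else {
        if ($rootReal !== false) {
            $root = rtrim($rootReal, '/') . '/';
            if (strncmp($real . '/', $root, strlen($root)) === 0) {
                $findings[] = "files_dir '$real' is inside the document root '$rootReal'";
            }
        }
        if (fileperms($real) & 0002) {
            $findings[] = "files_dir '$real' is world-writable";
        }
    }

    // Password hashing: md5 is the weak legacy value; sha1 is what the list above prescribes.
    $enc = strtolower(trim((string) ($cfg['security']['encryption'] ?? 'md5')));
    if ($enc !== 'sha1') {
        $findings[] = "encryption = $enc; set encryption = sha1";
    }

    return $findings;
}

// Constructed layout: a fake document root with the OJS files directory
// once inside it (weak) and once beside it (hardened).
$base = sys_get_temp_dir() . '/ojs-audit-' . getmypid();
mkdir("$base/htdocs/files", 0777, true);  // weak: web-accessible and world-writable
mkdir("$base/ojs-files", 0750, true);     // hardened: outside htdocs, group-only access

$weakConfig = "[files]\nfiles_dir = $base/htdocs/files\n\n[security]\nencryption = md5\n";
$goodConfig = "[files]\nfiles_dir = $base/ojs-files\n\n[security]\nencryption = sha1\n";

foreach (['weak' => $weakConfig, 'hardened' => $goodConfig] as $label => $ini) {
    $findings = auditOjsConfig($ini, "$base/htdocs");
    echo "$label config: ", $findings ? implode('; ', $findings) : 'no findings', "\n";
}

// Remove the constructed directories.
rmdir("$base/htdocs/files"); rmdir("$base/htdocs"); rmdir("$base/ojs-files"); rmdir($base);
```

Run it on a real installation by passing the contents of config.inc.php and the web server's document root instead of the constructed strings; a clean run prints "no findings". The world-writable check is intentionally narrow: the web server user still needs write access to files_dir, so the goal is to grant that to one user or group rather than to everyone.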