Fantastico
Andrew Cantino
Introduction
Fantastico is an add-on module for cPanel that allows easy, automated installation of open source content management systems, bulletin boards, wikis, and other tools. Some examples include Mambo, phpBB, Drupal, phpWebSite, and Gallery.
Installing Mambo
Today we're going to try installing the 'Mambo Open Source' Fantastico package.
- First, login to your cPanel account and click on the 'Fantastico' panel.
- The left side of the Fantastico panel contains a list of the available packages to install. Click on 'Mambo Open Source'
- The right side of the Fantastico panel should now contain information about the Mambo package. When you're ready, click on the 'New Installation' link.
- Enter the name of a new, non-existent directory in the 'Install in directory' field. Let's use mambo.
- For the administrator username and password, enter admin and a password of your choosing.
- Enter a site name for 'Site name', for example, Test Mambo Install. Enter your name for 'Admin full name', and your e-mail for 'Admin e-mail'
- Click 'Install Mambo Open Source', then 'Finish Installation.' Note the Mambo URL and the Mambo Administration URL that you are given. These should look like http://username.people.haverford.edu/mambo/ and http://username.people.haverford.edu/mambo/administrator/.
- Visit /mambo/ and check out the example site that has been created for you. When you're ready, go to the Administration URL and login with the username and password that you created in Fantastico.
Mambo
Mambo has an excellent online administration system. I'm not going to teach you how to use Mambo, as that's beyond the scope of this lesson, but you should play around in the administrative panels and figure things out. The 'Help' menu is a good place to start. Additionally, here are some useful references:
Another nice thing about Mambo is it's ability to install many modules. See Mambo Portal.Securing Fantastico
Fantastico is an impressive product, but it has some issues. First, some packages don't always correctly install. If a package doesn't install correctly, it's usually a .htaccess or file permission issue. Second, Fantastico has some security issues.
- It takes a while for Fantastico to update, so versions of packages in Fantastico are often a few revisions old, thus opening your site to abuse through recent security holes.
- Fantastico installs packages, but it doesn't make any attempt to secure them.
Securing Mambo as an example
Security is always an issue when installing something, but it's often even more of an issue with open source products because anyone can download the source and comb it for security holes to abuse. (On the other hand, anyone can also fix holes, and this is a strong argument for open source software, as security through obscurity often fails anyways.) How do we secure something that we've installed, either by hand or with Fantastico?
- Start with a Google search. I googled securing mambo and found some useful sites, including 'Securing Mambo', which includes a link to a PDF on securing Mambo.
- Read everything available.
- Use good passwords.
- Apply .htaccess files liberally. You can do this by hand or you can use the cPanel tools. The more PHP and Perl files you can hide behind .htaccess files, the less likely a bug in those files will be abusable on your system. For Mambo, use an .htaccess file to password protect the mambo/administrator directory. Also limit who can access the administrator directory by restricting to certain IP ranges and domains. See the comprehensive guide to .htaccess to learn more.
- Make sure that file permissions make sense. It's important to make configuration files un-editable once you're done setting up your site.
- Keep your software up-to-date! Login to Fantastico regularly to install any needed updates. Also, subscribe to any security announcement mailing lists for packages you uses.
- Be careful how you name things. For example, while the Mambo configuration.php file isn't accessible from the web by default, if you were to copy it to a backup, say called configuration.php.old, that file would be visible from the web, and it would show your MySQL password in it! This also happens when you edit with Emacs, and get backup files ending in tilde.
Assignments
For next Thursday (June 20th), I'd like everyone to try installing and setting up either Mambo, phpWebsite, TikiWiki, or WordPress on their cPanel accounts using Fantastico. Use one of these four packages to create a website on a topic of your choosing. You will demo your creations on the 20th.
(Optionally, you can create your own CGI-driven website instead of using one of the Mambo packages.)
Other Suggested Assignments
Install some Fantastico packages
Try installing a few different Fantastico packages and see what's available to you. Do a Google search and try securing the packages that you install. Remember to remove any packages that you're not using, as any unused code provides a possible avenue for someone to get into your system. You can remove an installed Fantastico package by logging into your cPanel, going to Fantastico, selecting the package type in the left-hand pane, and clicking on 'Remove site' under 'Current installations.'
This document was generated using AFT v5.094