Remember that you first have to configure the parameters of the standard and high levels prior to configuring the highest protection:
Note: if at least one parameter of the highest protection level has an invalid value, the highest level is not in effect; instead, the protection level whose parameters are all configured correctly is the one that takes effect.
The concept of one-time passwords strengthens the standard authorization scheme and significantly reinforces the security of the web project. The one-time password system requires a physical hardware token (device) (e.g., Aladdin eToken PASS) or special OTP software. These passwords are especially recommended for site administrators, since they significantly improve the security of the “Administrators” user group.
Note. You have to enable the one-time password system for the site to be protected at the highest protection level.
You can enable (or disable) one-time passwords on the Settings > Proactive Protection > Two-step authentication form by clicking Enable one-time passwords (or Disable one-time passwords).
For the one-time password scheme, a corresponding tab is shown in the user profile form. The one-time password mechanism is configured for each user individually.
To enable users to authenticate using one-time passwords:
- Check Enable Compound Passwords.
- Enter the Secret key supplied with your OTP software.
- Initialize the device by entering two one-time passwords generated consecutively by the device (for example: 111111 and 222222).
- Save changes.
Now a user can authorize using their login and a compound password, i.e. a combination of the standard password and a six-digit one-time password from the device. The one-time password (item 2 on the figure) must be entered in the Password field immediately after the standard password (item 1 on the figure), without a space.
The OTP authorization system was developed by the Initiative for Open Authentication (OATH). The implementation is based on the HMAC algorithm and the SHA-1 hash function. To calculate the OTP value, the system takes two input parameters: the secret key (the initial value for the generator) and the current counter value (the number of generation cycles performed). When the device is initialized, the initial value is stored both in the device and on the site. The device counter increments each time a new OTP is generated; the server counter increments upon each successful OTP authentication.
Hence, if the device button was pushed more than once (e.g. accidentally) without a successful OTP authentication taking place, and the number of pushes exceeds the Password Check Window Size value, the generator counters become desynchronized and the user is unable to authorize.
In this case, the device and the user must be resynchronized by resetting the server value to the one stored in the device. This procedure requires that a system administrator (or a user with sufficient permissions) generates two consecutive OTP values and enters them in the user parameters form.
To avoid desynchronization, you can increase the Password Check Window Size value to, say, 100 or 1000.
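The counter-based scheme described above (HMAC-SHA1 over a counter, a server-side check window, and resynchronization from two consecutive codes) is the HOTP algorithm of RFC 4226. The following Python is an added illustration and is not Bitrix's own code: it implements HOTP, a server-side user record whose `window` parameter stands in for the Password Check Window Size setting (an assumed mapping), a `resync` routine that takes two consecutive OTPs, and a helper that splits the compound password into the standard password and the trailing six digits. The secret is the RFC 4226 test-vector key, used here as constructed sample data.

```python
import hashlib
import hmac
import struct

# Constructed sample secret: the RFC 4226 test-vector key (ASCII "12345678901234567890").
# A real device secret is supplied with the OTP software or token.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP per RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduction to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class OtpUserRecord:
    """Server-side state for one user: the shared secret and the counter value
    the server expects next. `window` plays the role of the Password Check
    Window Size setting (assumed mapping, not the product's internal name)."""

    def __init__(self, secret: bytes, window: int = 10):
        self.secret = secret
        self.window = window
        self.counter = 0  # both sides start at 0 when the device is initialized

    def verify(self, otp: str) -> bool:
        """Accept `otp` if it matches any counter in [counter, counter + window).
        On success the server counter moves past the matched value, so the same
        OTP cannot be replayed; on failure the counter is left unchanged."""
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c).encode(), otp.encode()):
                self.counter = c + 1
                return True
        return False

    def resync(self, otp1: str, otp2: str, max_search: int = 100_000) -> bool:
        """Resynchronize after the device has run ahead of the window: the
        administrator enters two consecutive OTPs generated by the device, and
        the server searches forward for a counter at which both match in order."""
        for c in range(self.counter, self.counter + max_search):
            if hotp(self.secret, c) == otp1 and hotp(self.secret, c + 1) == otp2:
                self.counter = c + 2
                return True
        return False


def split_compound_password(entered: str, digits: int = 6):
    """Split the compound password typed into the Password field
    ("<standard password><6-digit OTP>", no space) into its two parts.
    Returns None if the tail is not exactly `digits` decimal digits."""
    if len(entered) <= digits or not entered[-digits:].isdigit():
        return None
    return entered[:-digits], entered[-digits:]


if __name__ == "__main__":
    user = OtpUserRecord(SECRET, window=3)
    print("first code accepted:", user.verify(hotp(SECRET, 0)))
    print("replay rejected:", not user.verify(hotp(SECRET, 0)))
    # Five accidental button pushes (counters 1..5); the sixth code is outside the window.
    print("desynchronized:", not user.verify(hotp(SECRET, 6)))
    print("resynced:", user.resync(hotp(SECRET, 6), hotp(SECRET, 7)))
```

Note that `verify` walks the whole window even after a match would have been found early only if you restructure it; as written it returns on the first match, which is fine because the comparison itself is constant-time and the counter position is not secret. A larger `window` (the page suggests 100 or 1000) reduces desynchronization at the cost of more HMAC computations per failed attempt, so pair it with the usual login rate limiting.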
The File integrity control form (Settings > Proactive Protection > Integrity Control) serves to check the integrity of the system kernel, system area and public files.
Check the system integrity on a regular basis (at least weekly) for the site to be protected at the highest level. Perform the integrity control check before updating the system and collect the new file data afterwards.
Note. Some module updates may require the control script to be signed anew.
Running the Integrity Check
- Enter and remember your password. A strong password should have at least 10 characters containing letters and digits.
- Confirm the password in the corresponding field.
- Specify and remember a keyword. It must differ from the password.
- Click Next.
If you made no mistake with the password confirmation, the following message will appear:
Now you can collect the file information in order to check the system integrity.
Gathering the File Information
- Click the Actions tab and check the Collect File Information option:
- Click Next. The following form will open:
- Set the data collection parameters:
  - Data Collection Area – select the system folders you want to process.
  - File Extensions – specify the extensions of the files whose information is to be collected. Separate multiple extensions with commas, without spaces.
  - Encryption Password – type here and remember the password that will be used to encrypt and decrypt the verification file.
  - Step Duration – specify the duration of a single data collection step, in seconds.
- Click Next to start data collection. Upon completion, download the data file to your local computer for better security.
The verification data file is now ready; you can check the system integrity.
Checking the System Integrity
Every time you start the system integrity check (except the first), the verification script itself is checked for unintentional or malicious changes.
- Enter the password that you have used to sign the verification script and click Next.
Ensure the verification script prints the keyword you have specified for signing.
Note: if the keyword differs from the one you previously entered, the integrity control script is compromised, which means it has been modified and cannot be trusted. In this case, you have to replace the control script (for example, roll back to version 8.0.0).
- Click the Actions tab and activate the Check Files option.
- Click Next to open the verification data file selection form:
- Select one of the existing log files or upload the log file from your machine using Browse. The following form will open.
- In the appropriate field, type in the decryption password you specified when creating the verification data file.
- Specify the duration of a single check step (shorter steps put more load on the server).
- Click Next to start checking the system integrity. On completion, the following report will be displayed:
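The two procedures above (Gathering the File Information and Checking the System Integrity) amount to building a manifest of file hashes for selected folders and extensions, protecting that manifest with a password, and later comparing the current tree against it. The following Python is an added example and is not the product's own integrity control script: it hashes files matching a comma-separated extension list, authenticates the manifest with an HMAC keyed from the password (an assumed substitute for the product's encryption, chosen so the example needs only the standard library), rejects a manifest opened with the wrong password or after tampering, and reports modified, added and removed files. The sample file tree and its contents are constructed inside a temporary directory.

```python
import hashlib
import hmac
import json
import os
import tempfile

PBKDF2_ROUNDS = 200_000  # password -> HMAC key; constructed choice for the example


def collect_file_info(root: str, extensions: str, hash_name: str = "sha256") -> dict:
    """Walk `root` and hash every file whose extension is in the comma-separated
    `extensions` list (no spaces, as in the File Extensions field).
    Returns {relative_posix_path: hexdigest}."""
    wanted = {"." + e.strip().lower() for e in extensions.split(",") if e.strip()}
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            if os.path.splitext(name)[1].lower() not in wanted:
                continue
            path = os.path.join(dirpath, name)
            h = hashlib.new(hash_name)
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = h.hexdigest()
    return manifest


def seal_manifest(manifest: dict, password: str) -> bytes:
    """Serialize the manifest and append a password-derived HMAC so that a
    tampered or wrongly decrypted data file is detected before it is trusted."""
    body = json.dumps(manifest, sort_keys=True).encode()
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return salt + tag + body


def open_manifest(blob: bytes, password: str) -> dict:
    """Verify the HMAC with the supplied password and return the manifest.
    Raises ValueError if the password is wrong or the blob was modified."""
    salt, tag, body = blob[:16], blob[16:48], blob[48:]
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("verification data rejected: wrong password or tampered file")
    return json.loads(body)


def check_files(root: str, extensions: str, baseline: dict) -> dict:
    """Compare the current tree against the baseline manifest."""
    current = collect_file_info(root, extensions)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed scenario: collect a baseline, tamper with the tree, then check.
    Returns (report, wrong_password_rejected)."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "bitrix", "modules"))
        sample = {  # constructed sample files; readme.txt is outside the selected extensions
            "bitrix/modules/main.php": b"<?php echo 'ok';",
            "bitrix/modules/helper.js": b"console.log('ok');",
            "bitrix/readme.txt": b"not hashed: extension not selected",
        }
        for rel, data in sample.items():
            with open(os.path.join(root, rel), "wb") as f:
                f.write(data)
        blob = seal_manifest(collect_file_info(root, "php,js"), "correct horse")

        # Tamper: modify one file, add a new one, delete another.
        with open(os.path.join(root, "bitrix/modules/main.php"), "ab") as f:
            f.write(b"\n// injected line")
        with open(os.path.join(root, "bitrix/modules/new.php"), "wb") as f:
            f.write(b"<?php")
        os.remove(os.path.join(root, "bitrix/modules/helper.js"))

        wrong_password_rejected = False
        try:
            open_manifest(blob, "wrong password")
        except ValueError:
            wrong_password_rejected = True
        report = check_files(root, "php,js", open_manifest(blob, "correct horse"))
        return report, wrong_password_rejected


if __name__ == "__main__":
    print(demo())
```

As the page advises, keep the sealed data file off the web server (download it after collection): a manifest that sits next to the files it describes can be regenerated by whoever altered them, and the password-keyed tag only proves the file was not changed by someone without the password.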
Web antivirus is special software that helps prevent malicious actions performed on a website. It detects known or potentially dangerous portions of HTML code and removes them, thus blocking the virus.
Note: web antivirus should not be regarded as a replacement for the conventional antivirus software.
To enable or disable the web antivirus function, just click the button on the Web Antivirus form (Settings > Proactive Protection > Web Antivirus).
To detect viruses injected before buffering starts, add either of the following lines. To php.ini:
auto_prepend_file = /www/bitrix/modules/security/tools/start.php
or to .htaccess:
php_value auto_prepend_file "/www/bitrix/modules/security/tools/start.php"
To select an action the system will undertake when a virus activity is detected, click the Parameters tab:
- Cut object from site code - deletes dangerous code;
- Record in log and notify administrator - this option only logs the virus activity; no dangerous code is removed. The website administrator is notified of the virus event by e-mail, at most once per the time interval set in the Notification Interval field.
If, for some reason, you do not want web antivirus to be applied to specific portions of the web page HTML code, specify such code on the Exceptions tab.