HESK Security check list

[Klemen]

I wrote an article about simple steps that make HESK more secure.

Read the article here: HESK Security check list

Comments and suggestions are welcome!

[mfdfire]

Thanks - good info!

[MOB]

Great work.

About step 4.

Isn't it easy for a hacker to fetch your robots.txt to see what directories you want spiders not to crawl? Same directories you plan on renaming?

For example, I rename the admin folder to: nome

But then on the robots.txt I put the following:

Code: Select all

Disallow: /nome/

[Klemen]

Of course, that's why don't put it in the robots.txt file Unless there is a link to the admin folder somewhere search engines shouldn't find it.

[rachna]

Hello:
I have installed hesk on my server and it is working great. The only issue I See is that it does not maintain threads so I loose the previous conversation with the same customer. Meaning if someone wrote to me from an email id text@yahoo.com and he writes again as text@yahoo.com then it is created as a new ticket so I loose previous conversation, is it possible to set i tup that way, am I missing some settings?

Regards,
Rachna

[Klemen]

Please keep this thread focused on HESK security. For unrelated questions open a new post.

[Tpk]

I think SHA1 is definitely unsafe nowadays, you should consider replace sha something more secure like bcrypt or argon2.
Here may be helpful resources to do this aright.

[Klemen]

Agreed, the SHA1 should and will be upgraded to a more modern password storage algorithm.

Added it to our "to do" list.