Re: I've reached in my pocket again. [Re: Robi] #118407
09/27/07 11:36 PM
Topscan (stranger)
Joined: Sep 2007
Posts: 7
If you need somewhere to house the website let me know.
That is on IIS, FTP or HTTP upload/editing. Behind a Firewall if you want (=less risk of being hacked).
Server located in Australia so it may have some lag for European users...
Cheers Chris

Re: I've reached in my pocket again. [Re: Topscan] #118408
09/27/07 11:54 PM
Robi (Carpal Tunnel)
Joined: Jul 2004
Posts: 2,718
St Petersburg FL
Hosting is not an issue, the issue is content management.

Re: I've reached in my pocket again. [Re: Robi] #118409
09/28/07 12:54 AM
aestela (member)
Joined: Jul 2003
Posts: 121
Valencia - Spain
In case it helps...
At Tacticat we use a not-too-old version of PHP-nuke as CMS.
No hacking so far, after some 18 months. Nuke is not Joomla but it works for us.

No firewalls, the only precaution we've added is to restrict the web site to Russian and another country's IP addresses (can't remember which other country). No Russian sailors at Tacticat.

We're being probed everyday and have had a couple of DoS (Denial of Service attacks) that were solved by our provider.


Maybe we are just lucky (crossing fingers).

Amando.

Last edited by aestela; 09/28/07 01:05 AM.
Re: I've reached in my pocket again. [Re: aestela] #118410
09/28/07 01:15 AM
Rolf_Nilsen (Carpal Tunnel)
Joined: May 2003
Posts: 4,451
West coast of Norway
I know two simple CMS which have not been hacked yet. The two I wrote :D 'Hackers', or more likely the script kiddies, target the large systems which they can get the most "cred" for cracking. I suppose that's why the systems I did have not been cracked to date.

Using HTML is OK for one, two or three skilled operators, but even then it is a bother. There will be problems with consistency, messed up pages and concurrency. When the current operator(s) move on, you need someone skilled at HTML as replacement and this person can be hard to find. A CMS is great for allowing several people to cooperate on running a website, from anywhere in the world. No client software except a browser is needed unlike what you do with pure HTML.

There is no easy solution. The obvious thing to do is to upgrade our Joomla version as soon as new versions are available. Switching CMS will be a lot of work, and we might be off just as badly as with the current CMS (PHP-Nuke used to be cracked a lot earlier, when I looked at it). The safest solution is to SSH to the server and use vi for editing. I would not want to do that, even if it is what I usually have to do when things break down.
Putting the webserver behind a firewall, preferably a proxy firewall, seems to help a lot.

There are no clear answers to this. If possible, I would suggest an upgrade and a firewall. Even the built-in packet filtering in Linux these days does OK for protection.

Re: I've reached in my pocket again. [Re: Rolf_Nilsen] #118411
09/28/07 02:19 AM
Topscan (stranger)
Joined: Sep 2007
Posts: 7
As a suggestion you could set up a virtual web development desktop, let multiple web authors connect to this desktop using the Remote Desktop client from their home computers, map local drives for simple file and picture transfer, and use MS Expression to manage the website. Expression can be coded in HTML, ASP, JS and many other technologies. What to use exactly would depend on how many collaborating web authors there are and what functionality you would like to have: blogs, vlogs, picture gallery, video, RSS, forums etc.
You would achieve a central content store that single or multiple web authors can access and build their part of the web site from, which is also simple to back up remotely.

In a nutshell, the web development tools and library of content should be available online to the authors. That means many authors can work on it and also take turns. I guess you will have many people queued up for this well paid job…

Said all that; the most important thing is to choose a solution/technology that suits the main content creators to make it as easy as possible for them to keep the site up & alive, well organised and good looking a distant 2nd and 3rd

That was my 2 cents.

Cheers Chris

Re: I've reached in my pocket again. [Re: Topscan] #118412
09/28/07 03:07 AM
Rolf_Nilsen (Carpal Tunnel)
Joined: May 2003
Posts: 4,451
West coast of Norway
Chris,

my experience is that you really don't want RDP open to the Internet.
Uploading any kind of file to a server on the internet using the MS filesystem (CIFS) seems to be slow. It's not a fast protocol (CIFS) suitable for anything but work on a LAN, in my opinion. Further, the more advanced technology you put on a website, the harder it becomes both to manage and to secure. Programmers and developers are human and make mistakes. These mistakes are what crackers use to compromise security. More code equals more errors and more paths into your system.

Agree that the tools, libraries etc. should be accessible online. That is what a CMS does, besides taking control of how things are presented. With a CMS, like Joomla, the authors don't break the design of the website, like no doubt would happen with Expression. Expression is a tool for designing sites, while a CMS is a tool for filling the website with content. That is an important difference.

Quote

Said all that; the most important thing is to choose a solution/technology that suits the main content creators to make it as easy as possible for them to keep the site up & alive, well organised and good looking a distant 2nd and 3rd


Spot on!

Re: I've reached in my pocket again. [Re: Rolf_Nilsen] #118413
09/28/07 07:04 AM
Anonymous (Unregistered)

Quote

Quote

Said all that; the most important thing is to choose a solution/technology that suits the main content creators to make it as easy as possible for them to keep the site up & alive, well organised and good looking a distant 2nd and 3rd


Spot on!


The developer is more important than the user? That would defeat the purpose of the site. There are plenty of extremely amateurish sites around, obviously created without a CMS, that drive me crazy. Not to minimize the significance of the security issues, but at least the F16 site looks good - and imo is appealing to people wanting to learn about the class.

One positive with Joomla is that there is an active user/developer community. If there are security problems (and assuming the problem actually lies there and not with mysql or something) at least there is a mechanism for getting these fixed eventually.

Anyhow, to come back to the original point - thanks again Paul for all your work on this.

Re: I've reached in my pocket again. [Re: Topscan] #118414
09/28/07 07:27 AM
pdwarren (addict)
Joined: Jul 2005
Posts: 465
Oxford, UK
Quote
Behind a Firewall if you want (=less risk of being hacked).


Nope. Doesn't make any difference if it's the web application itself that is vulnerable. We've been running this particular web server for 7 years and it hosts hundreds of websites. In this time we've seen a handful of hacking attempts and the vast majority of them are down to poorly written PHP.

Paul

Re: I've reached in my pocket again. [Re: ] #118415
09/28/07 07:27 AM
Rolf_Nilsen (Carpal Tunnel)
Joined: May 2003
Posts: 4,451
West coast of Norway
Mark,

I think both Chris and I agree that the primary goal is to build the best end user experience and put the best content on the website. What we were discussing was the best way for those who fill in the content to do it.

I think the formula16.org website looks very good and has very good content. It is a credit to the work done by Paul and the others who have contributed. I especially like the visualization of the box rule!

Re: I've reached in my pocket again. [Re: Rolf_Nilsen] #118416
09/28/07 07:37 AM
pdwarren (addict)
Joined: Jul 2005
Posts: 465
Oxford, UK
Quote
'Hackers', or more likely the script kiddies, target the large systems which they can get the most "cred" for cracking. I suppose that's why the systems I did have not been cracked to date.


Unfortunately, it's not always exposure they're after. Often they just want access to a box to add to their botnets.

Quote

Using HTML is OK for one, two or three skilled operators, but even then it is a bother. There will be problems with consistency, messed up pages and concurrency. When the current operator(s) move on, you need someone skilled at HTML as replacement and this person can be hard to find.


That's true. For some other websites I do, I've got a very long way using Template Toolkit, which can take care of many of the consistency issues. If done right, it can also provide a good way to run a staging server to preview the site after any changes, an obvious feature which most content "management" systems seem to lack.

Quote
A CMS is great for allowing several people to cooperate on running a website, from anywhere in the world. No client software except a browser is needed unlike what you do with pure HTML.


The downside is that if you know HTML, doing anything in a CMS seems painfully cumbersome, and you get the bonus risk of being hacked because your CMS was written by people who don't have a clue.

Quote

There is no easy solution. The obvious thing to do is to upgrade our Joomla version as soon as new versions are available.


Yep, and that was last done less than two weeks ago...

Quote

Putting the webserver behind a firewall, preferably a proxy firewall, seems to help a lot.


Won't help at all with this type of exploit, but may reduce the damage that they do as a result.

Quote

Even the built-in packet filtering in Linux these days does OK for protection.


Yep - we've been using that for years. Our policy prevents opening up listening ports, which is what the second stage of many exploits relies on.

You're right that there are no easy answers. I intend to stick with Joomla for the moment, and when it gets hacked I'll just rant to the forum and get laughed at by my colleagues :D

The site's still off-line, I'm afraid. I'll probably collapse from jet lag this evening (although I might just get drunk first), but hopefully I'll have some time to fix it tomorrow.

Paul

Re: I've reached in my pocket again. [Re: pdwarren] #118417
09/29/07 08:16 AM
pdwarren (addict)
Joined: Jul 2005
Posts: 465
Oxford, UK
The site is back online. If anyone cares, here's what happened:

PHP comes with one of the worst security risks known to man, "register globals". When this is turned on, any parameters you pass in the URL overwrite global variables with the same name in your PHP. Now, imagine that your CMS relies on a global variable that specifies a directory where it can find its config from, and that this location can also be a URL (i.e. can reference a file on another webserver). Yep, that's right: simply specify a URL parameter and you can execute arbitrary PHP on the webserver.

So, everyone turns off register globals. Unfortunately, this breaks a lot of poorly written Joomla components. So the clever people at Joomla invented register globals emulation, and turned it on by default, because obviously having some components not working is far far worse than leaving a gaping security hole in your CMS.

Paul
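
The register_globals pattern Paul describes, as an added example that is not part of the post or of Joomla's code: the unsafe include beside a hardened one, plus two checks a site owner can run at bootstrap. The variable $config_dir and the file name configuration.php are assumed names.

```php
<?php
// Added illustration, not code from the forum post or from Joomla: the include
// pattern the post describes next to a hardened form, plus two checks a site
// owner can run. $config_dir and configuration.php are hypothetical names.
// Unsafe pattern: the include path is a global that nothing in the application
// has set. With register_globals, or a layer emulating it, a request parameter
// of the same name supplies it; with URL wrappers allowed for include, the file
// can then come from another server.
function load_config_unsafe()
{
    global $config_dir;
    return include $config_dir . '/configuration.php';
}

// Hardened form: the path is anchored to a fixed application root and the
// resolved path must stay under that root before anything is included.
function load_config_safe(string $app_root)
{
    $root = realpath($app_root);
    $path = realpath($app_root . '/configuration.php');
    if ($root === false || $path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('configuration.php missing or outside the application root');
    }
    return include $path;
}

// Check 1: ini settings that turn the unsafe pattern into remote code execution.
function risky_ini_settings(): array
{
    $risky = [];
    foreach (['register_globals', 'allow_url_include', 'allow_url_fopen'] as $opt) {
        if (filter_var(ini_get($opt), FILTER_VALIDATE_BOOLEAN)) {
            $risky[] = $opt;
        }
    }
    return $risky;
}

// Check 2: spot register_globals emulation at runtime. Request keys that appear
// in global scope with identical values were copied there by some layer.
function request_keys_in_globals(array $request, array $globals): array
{
    $leaked = [];
    foreach ($request as $key => $value) {
        if (array_key_exists($key, $globals) && $globals[$key] === $value) {
            $leaked[] = $key;
        }
    }
    return $leaked;
}

// Constructed sample; in production call request_keys_in_globals($_REQUEST, $GLOBALS).
print_r(request_keys_in_globals(['config_dir' => '/tmp/elsewhere', 'page' => '3'],
                                ['config_dir' => '/tmp/elsewhere', 'version' => '1.5']));
```

Any name returned by either check is a finding: the first means the ini should be locked down, the second means an emulation layer is repopulating globals from the request even when register_globals itself is off.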

Re: I've reached in my pocket again. [Re: pdwarren] #118418
09/29/07 09:59 AM
Robi (Carpal Tunnel)
Joined: Jul 2004
Posts: 2,718
St Petersburg FL
Thanks Paul you are the man!

Re: I've reached in my pocket again. [Re: Robi] #118419
09/29/07 11:23 AM
Wouter (Carpal Tunnel)
Joined: Jun 2001
Posts: 9,582
North-West Europe

I agree, Paul you are the man !

Many thanks thanks !

Wouter


Wouter Hijink
Formula 16 NED 243 (one-off; homebuild)
The Netherlands
Re: I've reached in my pocket again. [Re: Wouter] #118420
09/29/07 02:27 PM
Timbo (Carpal Tunnel)
Joined: Jan 2005
Posts: 6,049
Sebring, Florida.
Soo...what's the link?? I can't find it on google.


Blade F16
#777
Re: I've reached in my pocket again. [Re: Timbo] #118421
09/29/07 02:38 PM
scooby_simon (Hull Flying, Snow Sliding....; Carpal Tunnel)
Joined: Feb 2004
Posts: 3,528
Looking for a Job, I got credi...

F16 - GBR 553 - SOLD

I also talk sport here
Re: I've reached in my pocket again. [Re: scooby_simon] #118422
09/29/07 04:26 PM
Timbo (Carpal Tunnel)
Joined: Jan 2005
Posts: 6,049
Sebring, Florida.
Thanks! BTW, they have 3 Blades and 3 Spitfires here in Dubai, along with many other cats, and a great cat club on the beach!


Blade F16
#777
Re: I've reached in my pocket again. [Re: Timbo] #118423
09/29/07 08:53 PM
Robi (Carpal Tunnel)
Joined: Jul 2004
Posts: 2,718
St Petersburg FL
Tim are you coming to GYC next week?

Re: I've reached in my pocket again. [Re: Robi] #118424
09/29/07 10:51 PM
Timbo (Carpal Tunnel)
Joined: Jan 2005
Posts: 6,049
Sebring, Florida.
Yes, I have both the 6th and 20th off so I plan on being there for both of those races. See you there.


Blade F16
#777
Re: I've reached in my pocket again. [Re: Timbo] #118425
09/30/07 12:55 AM
Robi (Carpal Tunnel)
Joined: Jul 2004
Posts: 2,718
St Petersburg FL
Sweetbeans, want to sail both days? I mean like Saturday and Sunday?

Re: I've reached in my pocket again. [Re: Timbo] #118426
09/30/07 02:55 AM
grob (addict)
Joined: Aug 2002
Posts: 545
Brighton, UK
Quote
Thanks! BTW, they have 3 Blades and 3 Spitfires here in Dubai, along with many other cats, and a great cat club on the beach!


I thought the "cat club" in Dubai had shut down or was about to shut down. Which club are you talking about?

Gareth
