Title
KeyExisting Key New Key
Create as
Find in this manual
Case sensitive

Replace with
Online League Security Recommendations
Let's talk a bit about security and your online league. Thousands of websites are hacked every day due to poor server security or application misconfiguration. OOTP online leagues often have web sites as well as FTP services available for its league members. OOTP has configuration options to help increase your site's security, but other applications on your server could also put you at risk. Third party applications such as forums, file trackers, or other web applications that your league uses could put you at potential risk if ignored. Make sure that you apply application security patches and limit the ways that your server could be exposed to threats.

OOTP allows you flexibility in the security of your online league configuration. You can configure your online options similarly to previous versions of OOTP, where one FTP account handles all of the functions. However, OOTP offers additional features that offer less exposure to attack. For the health of your league's site, we recommend that you take a few extra minutes to consider the more secure recommended configuration described below:

Server Directories
For maximum security, we recommend that you create three separate directories on your server for the three types of files that will be uploaded. The three directories that you should create are as follows:

  • Team Uploads Directory - This is where managers in your league will upload their exports for each simulation period.
  • League File Directory - This is where the commissioner will upload the league file after each sim. It is also the directory from which individual managers will download the league file. If you choose to have managers download the league file via HTTP this folder should also allow web access.
  • Reports Directory - This is where the league reports will be uploaded. This directory should allow web access.
Of course, you can name these directories anything you want. The values above are simply the purpose for which we will use them.

Server FTP Accounts
Using two separate FTP accounts for your online league minimizes the number of potential ways in which a hacker could compromise a FTP account with read/write access. The FTP accounts are as follows:

  • Commissioner Account - This account needs to have read/write access to all three directories listed above via FTP.
  • Manager Account - This account only needs write access via FTP to the Team Uploads Directory. It does not need FTP access at all to the Reports Directory. Optionally, this account can have FTP read-only access to the League File Directory if you choose the option for managers to download the league file via FTP.
Note: The security of this recommended configuration relies heavily on what permissions the FTP accounts above are given. Limiting permissions as described above will minimize the ability of a hacker to obtain these accounts and do damage to your server!

All of these settings can be found on the Online Options page. That screen also describes where you should use the recommended settings described on this page.