Security : Protecting Xoops Admin Login
Posted by tl001 on 2004/6/15 22:38:27 (14767 reads)

Some people (count me as one of them) are not comfortable with admin.php sitting in the web root. Its location is the same on every XOOPS site, so anyone can find it and hammer the admin login with guessed passwords. Two .htaccess files, one restricting admin.php and one restricting the system module, limit who can even reach the login page, which protects you against misuse or cracking of your admin login and system module.


Web Server: Apache
Required:
Your hosting company allows .htaccess (AllowOverride must include Limit for the directives below);
You have a static or semi-static IP address

Assumptions (the addresses are placeholders taken from the RFC 5737 documentation ranges; substitute your own. A value such as 123.456.789.012 is not a valid IPv4 address, Apache would not match it as one, and an entry like that silently locks the rule to nothing):
Webmaster A has a static IP 192.0.2.10
Webmaster B has a DSL line and a semi-static IP 198.51.100.42 (the last two octets change every time the DSL reconnects, so only the first two, 198.51, are listed; that admits the whole 198.51.0.0/16 range, i.e. every customer sharing that ISP prefix, which is the price of the semi-static case)


In the root .htaccess file, enter the following


<Files admin.php>
order deny,allow
deny from all
allow from 192.0.2.10
allow from 198.51
</Files>



In the /modules/system/.htaccess file, enter the following

order deny,allow
deny from all
allow from 192.0.2.10
allow from 198.51

Do not wrap these lines in <Limit GET POST>: a <Limit> block restricts only the methods it names (GET also covers HEAD) and leaves every other HTTP method unprotected, so the deny/allow lines belong at the top level of the file. Likewise, AuthName and AuthType lines on their own do nothing; without an AuthUserFile and a Require directive no password is ever asked for, so either leave them out or add the complete Basic-auth set.

On Apache 2.4 the order/deny/allow directives only work if mod_access_compat is loaded; the native 2.4 form is a single line, Require ip 192.0.2.10 198.51, in place of the three.



If you administer XOOPS from several places, add each address to the allow from lists. If you have to do urgent admin from someone else's computer, download the two .htaccess files over FTP, add that computer's address, and upload them again; once you have finished, remove the temporary address from both files. While it is listed, everyone behind that address (a NAT gateway, a shared office or cafe connection) can reach the login page.
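The two files above, generated from an allow-list by a script instead of edited by hand over FTP, as an added example that is not part of the original tip. It is a POSIX shell script, assumed to be run on the web host or locally before uploading, that rejects allow-list entries Apache cannot match (an octet above 255, a prefix length on a partial address), emits the rules in both the Apache 2.2 form used above and the Apache 2.4 Require ip form so one file serves either version, leaves the <Limit> wrapper out, and can require a Basic-auth login in addition to (never instead of) a listed address. The addresses 192.0.2.10 and 198.51 are RFC 5737 documentation placeholders, and HTPASSWD_FILE is a hypothetical path; the password file itself would be created with htpasswd.

```shell
# Added example, not from the original tip: generate both .htaccess files from
# an IP allow-list, reject entries Apache cannot match, and optionally require
# a password on top of the address check. Addresses are RFC 5737 documentation
# addresses standing in for real ones (assumption); HTPASSWD_FILE is hypothetical.

# valid_ip_entry ENTRY -- succeed if ENTRY is a full dotted quad (optionally
# with /prefix-length) or a 1-3 octet prefix such as 198.51. An octet above
# 255 fails here; Apache would silently treat it as a host-name suffix.
valid_ip_entry() {
    entry=$1
    addr=${entry%%/*}
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    n=0
    rest=$addr.
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        n=$((n + 1))
        [ "$octet" -le 255 ] || return 1
    done
    [ "$n" -le 4 ] || return 1
    if [ "$addr" != "$entry" ]; then
        mask=${entry#*/}
        case $mask in ''|*[!0-9]*) return 1 ;; esac
        [ "$n" -eq 4 ] && [ "$mask" -le 32 ] || return 1
    fi
}

# ip_rules ENTRY... -- rules for Apache 2.4 (mod_authz_core, Require ip) and
# 2.2 (mod_authz_host, Order/Deny/Allow); only the block for the running
# version is parsed. With HTPASSWD_FILE set, a Basic-auth login is required in
# addition to a listed address (<RequireAll> on 2.4, "Satisfy all" on 2.2);
# <RequireAny> / "Satisfy any" would let a password alone through.
ip_rules() {
    [ $# -ge 1 ] || return 1
    for entry in "$@"; do
        valid_ip_entry "$entry" || {
            echo "ip_rules: invalid address or prefix: $entry" >&2
            return 1
        }
    done
    auth=''
    [ -z "${HTPASSWD_FILE:-}" ] ||
        auth=$(printf '    AuthType Basic\n    AuthName "XOOPS admin"\n    AuthUserFile %s' "$HTPASSWD_FILE")
    echo "<IfModule mod_authz_core.c>"
    if [ -n "$auth" ]; then
        echo "$auth"
        echo "    <RequireAll>"
        echo "        Require ip $*"
        echo "        Require valid-user"
        echo "    </RequireAll>"
    else
        echo "    Require ip $*"
    fi
    echo "</IfModule>"
    echo "<IfModule !mod_authz_core.c>"
    echo "    Order deny,allow"
    echo "    Deny from all"
    for entry in "$@"; do
        echo "    Allow from $entry"
    done
    if [ -n "$auth" ]; then
        echo "$auth"
        echo "    Require valid-user"
        echo "    Satisfy all"
    fi
    echo "</IfModule>"
}

# root_htaccess ENTRY... -- root .htaccess: only admin.php is restricted.
root_htaccess() {
    rules=$(ip_rules "$@") || return 1
    echo "<Files admin.php>"
    printf '%s\n' "$rules" | sed 's/^/    /'
    echo "</Files>"
}

# system_htaccess ENTRY... -- /modules/system/.htaccess, the whole directory. No
# <Limit GET POST> wrapper: that would leave every other HTTP method unprotected.
system_htaccess() {
    ip_rules "$@"
}

# write_htaccess DOCROOT ENTRY... -- regenerate both files. To admin from another
# computer, re-run with its address added, then again without it, instead of
# hand-editing over FTP. Overwrites DOCROOT/.htaccess; merge if it holds other rules.
write_htaccess() {
    docroot=$1; shift
    ip_rules "$@" >/dev/null || return 1
    mkdir -p "$docroot/modules/system" || return 1
    root_htaccess "$@" >"$docroot/.htaccess" || return 1
    system_htaccess "$@" >"$docroot/modules/system/.htaccess"
}

# Demo: A on a static address, B on DSL (last two octets change, so list two).
root_htaccess 192.0.2.10 198.51
(HTPASSWD_FILE=/home/example/.htpasswd; system_htaccess 192.0.2.10 198.51)
```

Run as-is it prints both files; write_htaccess /path/to/docroot 192.0.2.10 198.51 writes them in place. The host's AllowOverride must include Limit, and AuthConfig as well if a password file is set. The password layer is only worth adding in the combined form shown: a directory that asks for a password but is open to every address can still be guessed at by anyone.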

tl001
Posted: 2005/10/21 17:10  Updated: 2005/10/22 10:33
Webmaster
Joined: 2004/6/10
From:
Posts: 282
Re: Protecting Xoops Admin Login
The recent cracking of the Xoops.org site highlights the importance of protecting your admin module and admin.php file.

Unless the cracker gained access through the shell, a protected admin would stop the cracker from doing any damage to the site.

There is no excuse for not protecting the admin section of your site, even if it makes it cumbersome to admin/manage your site.

Someone once claimed that putting this in place would "limit" the webmaster's ability to manage the site from "anywhere". Well, admin is not supposed to be done in a cafe unless it is urgent.

When it comes to security, between ease and security, I will always choose security and hope you will too. Better safe than sorry.
LionHeart
Posted: 2005/10/24 7:47  Updated: 2005/10/24 7:47
Just popping in
Joined: 2005/10/24
From:
Posts: 1
 Re: Protecting Xoops Admin Login
Does anyone know what is the best way to do this using IIS6?

-LH
bezoops
Posted: 2005/10/28 17:20  Updated: 2005/10/28 17:22
Just popping in
Joined: 2005/10/28
From:
Posts: 1
 Re: Protecting Xoops Admin Login
Another protection for admin is to go to your hosting control panel, open "Password Protect Directories" and protect /html/modules/system/admin/ with a user name and a password.

When you access /html/admin.php nothing happens, but if you click on any admin option it asks you for this user/password in a little window.
If you don't pass, you receive an "Access denied" message. When it is correct and you tick "remember", you can navigate through the admin options without problems.

One more password? Yes, and all those that are necessary...
tl001
Posted: 2005/10/28 17:48  Updated: 2005/10/28 17:49
Webmaster
Joined: 2004/6/10
From:
Posts: 282
 Re: Protecting Xoops Admin Login
Password-protecting the admin directory is fine, but you miss the importance of IP-based authentication.

Anyone can take a hack at the directory if you only password-protect it - the same as if you had not put it there in the first place. If crackers could crack your admin password then they could crack your directory password.

The essence of IP authentication is to limit access to the admin directory to certain IPs only, so nobody else can try it. The cracker could spoof their IP, but they need to know who your ISP is, which is extremely hard to do.