Site Security Keeping Your Community Safe from Hackers and Other Unwelcome Visitors.

#1 | 11-29-2005, 09:11 PM | GoldenSQL - Tom
Protecting IPB
Hey,

I have been hearing a lot about .htaccess and I heard that you can password protect a certain file.

Well, I am using IPB 2.1.3 and I was wondering if I could use .htaccess to put a username/password to protect a file. I would like to add an extra layer of security on my admin.php file by adding yet another username and password just to access the admincp login page.

I would also like to be able to set it up so that only certain IPs can access the admin.php file.

If you could help me set this up that would be great!

Last edited by GoldenSQL - Tom; 11-29-2005 at 09:27 PM..

#2 | 11-30-2005, 12:06 AM | Zachery
I don't think you can protect just a file...

#3 | 11-30-2005, 01:56 PM | simsim
Since you want to add an extra layer of security, just password-protect the whole directory which contains the admin.php file.

I don't know of the structure of the IPB files, but in vBulletin there are three main directories which an admin would like to protect: admincp, modcp & includes directories.

Anyway, I think the following link is useful to you:
http://www.webhostgear.com/63.html

simsim

#4 | 11-30-2005, 03:07 PM | Zachery
The admin file is in the same directory. vB uses files with OOP, IPB uses EXTREME OOP and everything is centered around the index.php and included by a variable after the ?

index.php?act=showthread etc

#5 | 11-30-2005, 03:08 PM | GoldenSQL - Tom
IPB doesn't have the admin.php file in a folder, so I can't protect the directory it's in; that's why I wanted to use .htaccess to protect that file with a password and a username.

#6 | 11-30-2005, 03:45 PM | Zachery
Don't believe it's possible, you might be able to use a HTTP_AUTH method via hacking.

#7 | 11-30-2005, 04:01 PM | KeithMcL
What about adding an additional if statement to the admin file itself?

#8 | 11-30-2005, 04:09 PM | simsim
I googled twice & it came with this:
http://forums.asmallorange.com/index.php?showtopic=3573

I think you should be registered to see the code.

& thanks Zachery for the explanation.

#9 | 12-13-2005, 08:01 AM | lvt
Quote:
Originally Posted by Spirix
IPB doesn't have the admin.php file in a folder, so I can't protect the directory it's in; that's why I wanted to use .htaccess to protect that file with a password and a username.
If you use .htaccess how can your members see the board while the admin.php file is in the IPB root directory?

You should rename this admin.php file to whatever you want, you can even rename the config file to have your board more "securised".

P/S: if you rename these files you will also need to modify some lines of code in the source.

#10 | 12-13-2005, 09:45 AM | Wayne Luke
Try the following in your .htaccess file:

<Files admin.php>
# deny,allow: Deny rules are evaluated first, then Allow overrides them for the listed address
order deny,allow
deny from all
allow from <YOUR IP ADDRESS>
</Files>

It will only work if you access the file directly though. Not sure you can add a query string into .htaccess.

http://www.webdeveloper.com/servers/...ess_magic.html
http://www.hostingmanual.net/other/htfun.shtml

#11 | 12-13-2005, 08:18 PM | PalePhoenix
Is there any value to altering CHMOD (octals)? My FTP client lets me just right-click to alter various file properties, tho I wouldn't be messing with .htaccess. Is there a particular reason you're looking for added security measures?
__________________
chimère
join a GLBTQ forum, or just Relax

#12 | 12-13-2005, 09:55 PM | Wayne Luke
.htaccess and CHMOD serve two very different but still security-related functions.

.htaccess allows you to control who can access files via a web browser and nothing else. It can be used to deny people access to your entire site by IP address, it can prevent hotlinking of images, it can redirect people to other pages on your site or allow for a custom HTTP Error page. It can do a lot of things. Security is one of them but very minor. Basically .htaccess is a specific configuration file for Apache. It isn't a server thing and it won't prevent users on the server from accessing files directly. This is why you can deny access to an includes directory but the PHP scripts can still access them. They run under a different user than what the web browser has access to. .htaccess protects at the HTTP Daemon level.

CHMOD sets permissions on which users on the server can access your files. You can deny access to your admin.php by setting its permissions to 700 but then you won't be able to access it via a web browser either. The webserver wouldn't be able to read them for parsing. To view the page, you would have to login via SFTP or SSH and reset the permissions, use the file and then reset the permissions again. Such a pain that .htaccess allows you to get around. CHMOD is good for denying other users on a shared server from accessing or deleting your files, say a worm looking for a vulnerable script. It is good to prevent hackers gaining access through insecure protocols like telnet or FTP from deleting all your files. It protects at the filesystem level.

To run a secure site, both are needed in varying degrees.

#13 | 12-14-2005, 12:48 AM | PalePhoenix
Thank you, Wayne, that does unfuzz a bit for me. I thought .htaccess was an Apache thing, and/or a Windows thing. We have Linux. I cannot claim to know a whole lot about all this server-side stuff, but I knew enough to go with that particular OS. Anything you suggest I keep in mind as traffic increases?

#14 | 12-14-2005, 11:11 AM | Wayne Luke
.htaccess is strictly an Apache thing. If you do not use it, you have to find out what the equivalent is for your webserver. IIS uses NTAUTH.

#15 | 12-16-2005, 03:09 PM | GoldenSQL - Tom
Quote:
Originally Posted by Wayne Luke
Try the following in your .htaccess file:

<Files admin.php>
# deny,allow: Deny rules are evaluated first, then Allow overrides them for the listed address
order deny,allow
deny from all
allow from <YOUR IP ADDRESS>
</Files>

It will only work if you access the file directly though. Not sure you can add a query string into .htaccess.

http://www.webdeveloper.com/servers/...ess_magic.html
http://www.hostingmanual.net/other/htfun.shtml
Instead of doing it by IPs, can I do it with passwords?
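
Added example, not from any poster in this thread: an .htaccess for the board's root directory that puts both a password prompt and an IP restriction on admin.php alone, leaving the rest of the board public. `<Files>` matches on the file name, so the rule applies whatever query string follows admin.php. The password-file path, the realm name "Admin CP", the user name and the address 203.0.113.10 are placeholders.

```apache
# Placeholder values throughout: path, realm, user name and IP address.
# Create the password file once, outside the web root, with:
#   htpasswd -c /home/example/.htpasswd adminuser
# The server config must permit these directives in .htaccess
# (AllowOverride AuthConfig Limit, or AllowOverride All).
# Basic auth sends the password base64-encoded, not encrypted,
# so serve admin.php over HTTPS.

# Apache 2.2 and earlier (Order/Allow/Deny host access control)
<IfModule !mod_authz_core.c>
    <Files "admin.php">
        AuthType Basic
        AuthName "Admin CP"
        AuthUserFile /home/example/.htpasswd
        Require valid-user

        # Deny is evaluated first, then Allow lets the listed address back in.
        Order deny,allow
        Deny from all
        Allow from 203.0.113.10

        # All = the client must pass BOTH the IP check and the password.
        # "Satisfy Any" would accept either one, which weakens the control.
        Satisfy All
    </Files>
</IfModule>

# Apache 2.4 and later (Require-based access control)
<IfModule mod_authz_core.c>
    <Files "admin.php">
        AuthType Basic
        AuthName "Admin CP"
        AuthUserFile /home/example/.htpasswd
        <RequireAll>
            Require valid-user
            Require ip 203.0.113.10
        </RequireAll>
    </Files>
</IfModule>
```

For password-only protection, drop the host lines (`Order`/`Deny`/`Allow`/`Satisfy` in the first block, `Require ip` in the second) and keep `Require valid-user`.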

All times are GMT -4.