Any problem with these methods of protecting admin.php? (Cloudflare and cookie)

Foynat

Member
Since installing Xenforo 2.1 yesterday I've seen a huge number of attempts to brute force login on both the regular login page and on admin.php. Is there any problem with setting the Security Level: High in Cloudflare for
or are there ordinary forum functions which need access to admin.php?

As a further security step I was thinking of setting a cookie, to be required to access admin.php, but again the same question comes up: will it break some functionality of my forum to restrict access to admin.php in this way?

Thank you for any insight anyone can give on this!
 
That shouldn't be a problem. Some people password protect this file using .htaccess or only allow a specific IP.
This file is not needed for normal forum functions except managing your forum.
 
You can also use fail2ban
I just installed fail2ban, works with ssh out of the box but I am trying to find info about which jail I should use for xenforo..
I am a newbie and I'd need a guide. So far Google didn't give me much satisfaction. Anyone that can point me in the right direction?

I have xenforo 2.1 on Nginx
 
If you don't have a zillion people that legitimately need to get into the admin area, check out Cloudflare Access (it's free if you have 5 or less people that need access).
Yup I just use Cloudflare Access for Xenforo and Wordpress logins https://www.cloudflare.com/teams/access/

Example tutorial at https://community.cloudflare.com/t/...ess-to-protect-an-area-of-your-website/101706

I use Github account for authentication with CF Access :)

1602941172673.png

You can choose other authentication methods too

1602941533075.webp
 
Last edited:
I just installed fail2ban, works with ssh out of the box but I am trying to find info about which jail I should use for xenforo..
I am a newbie and I'd need a guide. So far Google didn't give me much satisfaction. Anyone that can point me in the right direction?

I have xenforo 2.1 on Nginx
Not sure if this is what you want, but you did quote me so i will reply. (im using apache)

I've protected the admin panel like so https://xenforo.com/community/resou...and-the-install-directory-using-htaccess.353/

Created jail

[apache]

enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
action = cloudflare-apiv4
%(action_mwl)s

/etc/fail2ban/action.d

create cloudflare-apiv4

Add something like this: https://technicalramblings.com/blog...ion-with-automated-set_real_ip_from-in-nginx/

After x amount of failed login attempts the IP will be banned in cloudflares Firewall.
 
May be most easy way if you use cloudflare for your forum and have static IP

cloudfl.webp
 
Firewall rules definitely, work... however with the new Access tab, it's more geared for that. For example say you want to block access to the "admin.php" URL to everyone except people who authenticate as someone who is allowed (I created a Reliquary Admins group of users in Cloudflare) or based on IP range. If I'm on a known IP, just let me in... if I'm not, then allow me to authenticate to get in. It's what the Access tab was designed for vs. making firewall rules.

1604978235801.webp
 
Back
Top Bottom