Admin protection


Floris

Guest
Surely you're not telling me people running Lighttpd or nginx run a bad server? :p
If you are on a web server that doesn't offer directory or file protection, yeah .. lighttpd and nginx offer that.
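Floris's point that nginx can protect files and directories without .htaccess, as an added example that is not from the original thread, from Floris, or from XenForo: an nginx server block that gates admin.php behind an IP allow-list plus HTTP Basic Auth (both must pass, since nginx's default is satisfy all) and refuses to serve dotfiles or application-internal directories. The hostname, document root, address range, htpasswd path, PHP-FPM socket and the directory names are assumptions.

```nginx
# Added example, not XenForo's or the thread's own config.
# All names, paths and addresses below are assumptions for illustration.
server {
    listen 80;
    server_name forum.example.com;          # assumed hostname
    root /var/www/forum;                    # assumed document root
    index index.php;

    # Exact-match location wins over the regex .php location below.
    # Layer 1: only the listed source range may reach admin.php at all.
    # Layer 2: a Basic Auth challenge sits in front of the application's
    #          own admin login, so a stolen forum password alone is not enough.
    location = /admin.php {
        allow 203.0.113.0/24;               # assumed office/VPN range
        deny  all;                          # everyone else gets 403
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/htpasswd-admin;   # assumed; create with htpasswd
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;              # assumed PHP-FPM socket
    }

    # Never serve dotfiles (.htaccess, .git, .env) over HTTP.
    location ~ /\. {
        deny all;
    }

    # Application-internal directories that must not be reachable directly
    # (names assumed; adjust to whatever the application actually uses).
    location ^~ /internal_data/ { deny all; }
    location ^~ /library/       { deny all; }

    # Everything else is handed to PHP as normal.
    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm.sock;
    }
}
```

Test it with nginx -t, then confirm the gate from outside the allowed range: a request for /admin.php should return 403, and from inside the range without credentials it should return 401. Renaming admin.php, as discussed later in the thread, is orthogonal to this: the allow/deny and auth_basic lines are the actual control, and they work the same whatever the file is called.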
 

Brandon_R

Guest
I'd assume that the admin.php file can be renamed... (assuming that references to admin.php in the code are done via a PHP variable similar to vBulletin). You could make it as inconspicuous as faq.php with some generic FAQ text for unauthorised users or you could even rename it 404.php then add some extra security like showing a 404 page if the user's usergroup isn't admin...

possibilities are endless!
Security by obfuscation is ineffective IMHO.
 

Been Told

Well-known member
But that wasn't what you said:

;)
People on bad hosting don't have .htaccess != People who don't have .htaccess are on bad hosting

There are hosts out there that, although they run on Apache, don't allow their shared hosting customers to use .htaccess files.

Or to put it another way:

It's always cold when it snows. But that doesn't mean it always snows when it's cold.
 

Erik

Well-known member
People on bad hosting don't have .htaccess != People who don't have .htaccess are on bad hosting

There are hosts out there that, although they run on Apache, don't allow their shared hosting customers to use .htaccess files.

Or to put it another way:

It's always cold when it snows. But that doesn't mean it always snows when it's cold.
I think he was just playing. ;)
 

Forsaken

Well-known member
Security by obfuscation is ineffective IMHO.
Mimicry of other posts is ineffective as well.

Removing version # from footer = ineffective; people will still realize that you're using XenForo and that you're likely within the last few versions, and they'll just use multiple exploits over different version #'s.

Changing the admin.php to a new name/directory will effectively stop people from attempting to gain access through it unless they've already gotten the admin password, effectively making most security measures pointless.

Notice the difference? I do. 
 

Dean

Well-known member
Every time I see this thread I keep thinking it is about indemnification insurance.
 

feldon30

Well-known member
Trying to accomplish security through obscurity?
Yes, and like all black-and-white arguments, this one is getting pretty stale.

Renaming your admincp directory to something else is a meaningful, measurable deterrent. It means you will waste precious minutes or hours of a hacker's time just trying to find the front door before he can even get STARTED trying to break in.

It's no different than changing the listening port for SSH on your server, and making it not pingable, and I see that advice in every article I've ever read about hardening a Linux/RHEL server.

Relying too much on any one type of security is foolish. It's why I don't use absurdly complex passwords with punctuation like ( and ", because it misses the point that your password is more likely to be stolen not because it's not sufficiently complex, but because of other factors.

If you use the same password on multiple websites (as 99% of users do), and one gets compromised, then a hacker will try that password on random websites (including your bank) to see if you used the same info. And we haven't even mentioned your computer being compromised by rootkit, virus, or keylogger. Yes some people use their name, the name of their cat, or 123456 for the password. But most people getting hacked aren't getting hacked because they didn't use enough punctuation in their password.

Putting the biggest meanest padlock on your trailer won't help if they have a flatbed to haul the whole thing away. But if your trailer is also chained to a pole sunk in 3 feet of concrete, and also has Lojack, well you can sleep easy.
 

Jesepi

Well-known member
You should always deploy security in multiple layers, and not depend on one particular end-all solution.
 