Any problem with these methods of protecting admin.php? (Cloudflare and cookie)

Foynat

Member
Since installing Xenforo 2.1 yesterday I've seen a huge number of attempts to brute force login on both the regular login page and on admin.php. Is there any problem with setting the Security Level: High in Cloudflare for
or are there ordinary forum functions which need access to admin.php?

As a further security step I was thinking of setting a cookie, to be required to access admin.php, but again the same question comes up: will it break some functionality of my forum to restrict access to admin.php in this way?

Thank you for any insight anyone can give on this!
 

Mr. Jinx

Well-known member
That shouldn't be a problem. Some people password protect this file using .htaccess or only allow a specific IP.
This file is not needed for normal forum functions except managing your forum.
 

digitalpoint

Well-known member
If you don't have a zillion people that legitimately need to get into the admin area, check out Cloudflare Access (it's free if you have 5 or less people that need access).
 

Mik_27

Member
You can also use fail2ban
I just installed fail2ban, works with ssh out of the box but I am trying to find info about which jail I should use for xenforo..
I am a newbie and I'd need a guide. So far Google didn't give me much satisfaction. Anyone that can point me in the right direction?

I have xenforo 2.1 on Nginx
 

eva2000

Well-known member
If you don't have a zillion people that legitimately need to get into the admin area, check out Cloudflare Access (it's free if you have 5 or less people that need access).
Yup I just use Cloudflare Access for Xenforo and Wordpress logins https://www.cloudflare.com/teams/access/

Example tutorial at https://community.cloudflare.com/t/...ess-to-protect-an-area-of-your-website/101706

I use Github account for authentication with CF Access :)


You can choose other authentication methods too


madness85

Active member
I just installed fail2ban, works with ssh out of the box but I am trying to find info about which jail I should use for xenforo..
I am a newbie and I'd need a guide. So far Google didn't give me much satisfaction. Anyone that can point me in the right direction?

I have xenforo 2.1 on Nginx
Not sure if this is what you want, but you did quote me so I will reply. (I'm using Apache.)

I've protected the admin panel like so https://xenforo.com/community/resou...and-the-install-directory-using-htaccess.353/

Created jail

[apache]
enabled = true
port = http,https
filter = apache-auth
logpath = /var/log/apache*/*error.log
# Continuation lines of a multi-line action value must be indented
action = cloudflare-apiv4
         %(action_mwl)s

/etc/fail2ban/action.d

create cloudflare-apiv4

Add something like this: https://technicalramblings.com/blog...ion-with-automated-set_real_ip_from-in-nginx/

After x amount of failed login attempts the IP will be banned in Cloudflare's firewall.
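
Added example, not part of any post in this thread: a sketch of the counting a jail like the one above performs, matching failed `.htaccess` logins in the Apache error log and flagging an IP once it reaches a retry limit inside a time window. The regex is a simplified stand-in for the shipped `apache-auth` filter, and the thresholds, the function name `ips_to_ban` and the log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds (not from the thread); fail2ban names them maxretry/findtime.
MAXRETRY, FINDTIME = 3, timedelta(minutes=10)

# Simplified stand-in for the apache-auth filter: Apache 2.4 error-log lines that
# mod_auth_basic writes when the .htaccess password check fails.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_basic:error\] \[pid \d+\] "
    r"\[client (?P<ip>[0-9a-fA-F.:]+):\d+\] AH0161[78]: user "
)

# Constructed sample log (documentation-range addresses), in chronological order.
SAMPLE_LOG = """\
[Sat Oct 17 12:00:00.000000 2020] [auth_basic:error] [pid 900] [client 192.0.2.9:40001] AH01617: user admin: authentication failure for "/admin.php": Password Mismatch
[Sat Oct 17 12:20:00.000000 2020] [auth_basic:error] [pid 900] [client 192.0.2.9:40002] AH01617: user admin: authentication failure for "/admin.php": Password Mismatch
[Sat Oct 17 12:40:00.000000 2020] [auth_basic:error] [pid 900] [client 192.0.2.9:40003] AH01617: user admin: authentication failure for "/admin.php": Password Mismatch
[Sat Oct 17 13:00:01.000000 2020] [auth_basic:error] [pid 901] [client 203.0.113.5:51234] AH01618: user root not found: /admin.php
[Sat Oct 17 13:00:04.000000 2020] [auth_basic:error] [pid 901] [client 203.0.113.5:51235] AH01617: user admin: authentication failure for "/admin.php": Password Mismatch
[Sat Oct 17 13:00:05.000000 2020] [auth_basic:error] [pid 902] [client 198.51.100.7:40112] AH01617: user admin: authentication failure for "/admin.php": Password Mismatch
[Sat Oct 17 13:00:06.000000 2020] [authz_core:error] [pid 902] [client 198.51.100.7:40113] AH01630: client denied by server configuration: /var/www/install
[Sat Oct 17 13:00:07.000000 2020] [auth_basic:error] [pid 901] [client 203.0.113.5:51236] AH01617: user admin: authentication failure for "/admin.php": Password Mismatch
""".splitlines()

def ips_to_ban(lines, maxretry=MAXRETRY, findtime=FINDTIME):
    """Return {ip: time of the failure that crossed the threshold}."""
    recent = defaultdict(deque)  # ip -> failure times still inside the window
    banned = {}
    for line in lines:
        m = FAIL_RE.match(line)
        if not m or m["ip"] in banned:
            continue  # not a basic-auth failure, or already flagged
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S.%f %Y")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:  # drop failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            banned[m["ip"]] = ts
    return banned

if __name__ == "__main__":
    for ip, when in ips_to_ban(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached at {when})")
```

Only the address with three failures inside ten minutes is flagged; the one with three failures spread over forty minutes and the one with a single mistyped password are not.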
 