
Secure AdminCP and Installation [Deleted]

Discussion in 'Tips and Guides' started by Adam Howard, Feb 29, 2012.

  1. Adam Howard

    Adam Howard Well-Known Member

    TheVisitors submitted a new resource:

    Secure AdminCP (version 1.0) - Secure your administrator control panel

    Read more about this resource...
     
    R_A, Andrew and 8thos like this.
  2. DRE

    DRE Well-Known Member

    You've been through a lot of stuff man.
     
  3. Adam Howard

    Adam Howard Well-Known Member

    True. But it's all a learning experience and I can pass on my knowledge.
     
  4. Adam Howard

    Adam Howard Well-Known Member

    TheVisitors updated Secure AdminCP with a new update entry:

    TIP: FTP Access

    Read the rest of this update entry...
     
    Andrew likes this.
  5. Adam Howard

    Adam Howard Well-Known Member

    Questions and Answers:
    When I place .htpasswd above public access, why doesn't it work?
    • Remember to include the path in .htaccess
    • You may need to CHMOD the folder & file .htpasswd 755 (it should have its own folder)

    When I rename .htpasswd to something else, why doesn't it work?
    • You must also include the new name in .htaccess
    • The name must also start with a period / dot (example, .something )

    Will this work with LiteSpeed?
    • Yes

    Will this work with Nginx?
    • The basic concept will, but Nginx does not currently support .htaccess

    Will you be updating this or making another guide for Nginx?
    • I personally have never been able to get Nginx to password protect folders or files (don't ask me why). Nginx has however played around with the concept of adding .htaccess support and I personally hope one day that they do.
     
    Last edited: Sep 24, 2013
  6. Luke F

    Luke F Well-Known Member

    Chmod it to world readable? :p
     
    SneakyDave and Mikey like this.
  7. Adam Howard

    Adam Howard Well-Known Member

    Holy cr*p!

    Talk about a bad typing error.

    Should be 640 NOT 644
     
  8. Adam Howard

    Adam Howard Well-Known Member

    TheVisitors updated Secure AdminCP with a new update entry:

    config.php

    Read the rest of this update entry...
     
  9. Luke F

    Luke F Well-Known Member

    Same again :p
     
    SneakyDave likes this.
  10. Adam Howard

    Adam Howard Well-Known Member

    Incorrect.

    644 is standard on .htaccess

    This guide was made to support most Apache / Apache2 setups, including basic shared web hosting. More advanced methods can be used, but they typically require more server access.
     
  11. MattW

    MattW Well-Known Member

    One extra thing I do is limit access to admin.php by IP address. I'm fortunate enough to have a static IP at home and work, and the ability to point my browser through one of my VPS boxes if I'm not at home or work.

    I've got this in my .htaccess file

    Code:
    # Restrict admin.php to a fixed set of source addresses (Apache 2.2 access-control syntax).
    # The pattern is anchored and the dot escaped so only the exact file name admin.php matches.
    <FilesMatch "^admin\.php$">
     Order Deny,Allow
     Deny from all
     # One line per permitted address; XXX.XXX.XXX.XXX is the poster's placeholder.
     Allow from XXX.XXX.XXX.XXX
     Allow from XXX.XXX.XXX.XXX
     Allow from XXX.XXX.XXX.XXX
    </FilesMatch>

     
    TheVisitors likes this.
  12. Adam Howard

    Adam Howard Well-Known Member

    This is good advice. Although I didn't include it because the vast majority of people don't have a static IP. Although I would still recommend you password protect it, as IP's can be spoofed.
     
    MattW likes this.
  13. MattW

    MattW Well-Known Member

    True. I've also got password protection on the file (and it's working with nginx ;)). So that they don't get the error message, I bounce them back to the forum as though they never even hit the admin.php file:
    Code:
    # Send anyone who gets a 403 on admin.php to the forum index instead of the default error page
    # (a full URL here makes Apache answer with a redirect rather than rendering the page in place).
    ErrorDocument 403 http://www.z22se.co.uk/forum/

     
    Adam Howard and SneakyDave like this.
  14. Adam Howard

    Adam Howard Well-Known Member

    I personally could never get Nginx to work for protected directories. I never did understand why. I followed a bunch of guides and other resources, but just never could get it to work. Everything else I could ever want to do with Nginx was not an issue.... Password protection however was.
     
  15. MattW

    MattW Well-Known Member

    To be honest, I didn't actually have to configure anything. There is a plugin which automatically installs and configures it through cPanel, http://nginxcp.com/, which is what I have installed and working.
     
    TheVisitors likes this.
  16. Mutt

    Mutt Well-Known Member

    Does the 640 correction also apply to #3 .htaccess as well?
     
  17. Adam Howard

    Adam Howard Well-Known Member

    No. .htaccess must be 644 (minimum). The correction only applies to config.php.
     
  18. Adam Howard

    Adam Howard Well-Known Member

  19. Adam Howard

    Adam Howard Well-Known Member

    I've received the above from a few people and the answer was the same each time (seriously, people should read and follow many of those tips)

    ....... DO NOT use the same user name and / or password (either or both) for your .htaccess and AdminCP log-in.

    BAD:

    .htaccess user name X
    AdminCP user name X

    OR

    .htaccess password is Y
    AdminCP user name is Y

    OR

    .htaccess user name is Y and password X
    AdminCP user name is Y and password X

    OR

    .htaccess user is Y and password X
    AdminCP user name is X and password Y


    GOOD:

    .htaccess user name is Y and password X
    AdminCP user name is 1 and password 2

    All 4 should be completely different from one another. Having them the same in any combination is not only a security threat, but can also cause either cookie issues or sometimes, depending on server setup, site issues as well.
     
  20. Adam Howard

    Adam Howard Well-Known Member

    Proposed update for version 1.3 (as an optional tip)

    Code:
    # Hide the Apache version string from server-generated pages.
    ServerSignature Off
    # The conditions below are chained with [OR]: any single match sends the request to the final RewriteRule.
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
    RewriteCond %{THE_REQUEST} (\\r|\\n|%0A|%0D) [NC,OR]
     
    # Angle brackets, quotes, encoded line breaks and NUL bytes in the referer or cookie header.
    RewriteCond %{HTTP_REFERER} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{HTTP_COOKIE} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
    RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999} [NC,OR]
     
    # User-Agent checks: empty, common command-line clients, crawler/harvester names, special characters.
    RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
    RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (libwww-perl|curl|wget|python|nikto|scan) [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
     
    # Block SQL keywords in the query string when preceded by a quote, bracket, semicolon or encoded control character.
    RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC,OR]
     
    # Directory traversal sequences in the query string.
    RewriteCond %{QUERY_STRING} \.\./\.\. [OR]
     
    RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
    # Matches any dot followed by a letter or digit anywhere in the query string (this includes ordinary file names such as x.php).
    RewriteCond %{QUERY_STRING} \.[a-z0-9] [NC,OR]
    RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC]
    # Note: The final RewriteCond must NOT use the [OR] flag.
     
    # Return 403 Forbidden error.
    RewriteRule .* index.php [F]

    The above should be added to both the .htaccess in your XenForo root directory (as the last lines of the rewrite block that is already there) and the .htaccess found in /library/.

    Feedback welcomed :)
     
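A test harness for the proposed block list, added here as an example and not taken from the post or from XenForo: it ports the method, User-Agent and query-string conditions to Python regexes (Apache's [NC] becomes re.IGNORECASE; the THE_REQUEST, referer, cookie and REQUEST_URI lines are left out) and runs constructed requests through them, so the rules can be checked for false positives before they go into .htaccess.

```python
import re

# Python port of the method, User-Agent and query-string conditions from the
# proposed rules (ported here for testing; the original lives in .htaccess).
# Smart quotes in the post are replaced by straight ones.
NC = re.IGNORECASE
BLOCK_METHOD = re.compile(r"^(HEAD|TRACE|DELETE|TRACK)", NC)
BLOCK_UA = [
    re.compile(r"^$"),
    re.compile(r"^(java|curl|wget)", NC),
    re.compile(r"(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner)", NC),
    re.compile(r"(libwww-perl|curl|wget|python|nikto|scan)", NC),
    re.compile(r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", NC),
]
BLOCK_QS = [
    re.compile(r"(;|<|>|'|\"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*"
               r"(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark)", NC),
    re.compile(r"\.\./\.\."),
    re.compile(r"(localhost|loopback|127\.0\.0\.1)", NC),
    re.compile(r"\.[a-z0-9]", NC),
    re.compile(r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", NC),
]


def matched_rule(method, user_agent, query_string):
    """Emulate the [OR] chain: return the first pattern that fires, or None if the request passes."""
    if BLOCK_METHOD.search(method):
        return BLOCK_METHOD.pattern
    for pattern in BLOCK_UA + BLOCK_QS:
        subject = user_agent if pattern in BLOCK_UA else query_string
        if pattern.search(subject):
            return pattern.pattern
    return None


# Constructed sample requests (method, User-Agent, query string), not captured
# traffic: three requests an admin expects to be refused and two ordinary forum
# requests that should be served.
SAMPLES = {
    "trace method": ("TRACE", "Mozilla/5.0", ""),
    "sqli probe": ("GET", "Mozilla/5.0", "id=1'%20union%20select%201"),
    "traversal probe": ("GET", "Mozilla/5.0", "file=../../config.php"),
    "pagination": ("GET", "Mozilla/5.0", "page=2"),
    "search for a file name": ("GET", "Mozilla/5.0", "q=config.php"),
}


def report():
    """Map each sample name to the rule it tripped (None means the request would be served)."""
    return {name: matched_rule(*request) for name, request in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in report().items():
        print(f"{name:24} -> {'served' if hit is None else 'blocked by ' + hit}")
```

The `q=config.php` sample shows that `\.[a-z0-9]` fires on any dotted file name in a query string, which is worth weighing before enabling it on a forum with search or redirect parameters.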

Share This Page