Secure AdminCP and Installation [Deleted]

Adam Howard

Well-known member
TheVisitors submitted a new resource:

Secure AdminCP (version 1.0) - Secure your administrator control panel

Both rogue members, guests, and cyber bots desperately want to gain access and take over your site. While nothing is 100% hack or crack proof, it's always a good idea to make things just a little harder.

1) Mask / Hide your Super Administrator

The idea is that the fewer people who know what your user name is, the less chance anyone has to log in as you.

/library/config.php

Code:
$config['superAdmins'] = '1';

  • Change this...

Read more about this resource...
 
TheVisitors updated Secure AdminCP with a new update entry:

TIP: FTP Access

TIP:
  • If you ever give someone FTP access (developer / hired help), be sure to restrict their access to the public directory and do not give them access to anything above it.
  • Remember to remove access once completed
  • You should also backup your database before & after.
  • Remember to change your database user name & password after completed (don't forget about your config.php file).
  • It may also be a good idea to change the name of your Super Administrator after as well (if...

Read the rest of this update entry...
 
Question and Answers:
When I place .htpasswd above public access, why doesn't it work?
  • Remember to include the path in .htaccess
  • You may need to CHMOD the folder & file .htpasswd 755 (it should have its own folder)

When I rename .htpasswd to something else, why doesn't it work?
  • You must also include the new name in .htaccess
  • The name must also start with a period / dot (example, .something )
Will this work with Lite Speed?
  • Yes
Will this work with Nginx ?
  • The basic concept will, but Nginx does not currently support .htaccess
Will you be updating this or making another guide for Nginx?
  • I personally have never been able to get Nginx to password protect folders or files (don't ask me why). Nginx has however played around with the concept of adding .htaccess support and I personally hope one day that they do.
 
TheVisitors updated Secure AdminCP with a new update entry:

config.php

Chmod it to world readable? :p

Holy cr*p ! Talk about a bad typing error. :eek:

Should be 640 NOT 644

Advise anyone who mistakenly used 644 to do the following.
  • Chmod config.php to 640
  • Change your database user name and password
  • Apply changes to your config.php
  • Change your Super Administrator user name and password
Thanks to Darkimmortal...

Read the rest of this update entry...
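The two fixes above (an AuthUserFile the web server cannot find or read, and a config.php accidentally left world-readable) can be checked mechanically. The script below is an added example, not code from the resource or from XenForo: the site layout it builds under a temporary directory, the placeholder password hash, and the audit(), build_sample_site() and demo() names are all constructed for illustration.

```python
"""Audit an Apache/XenForo layout for the two mistakes discussed in the thread:
an AuthUserFile the server cannot find or read, and a world-readable config.php.
Added example; the layout built below is constructed, not a real site."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Matches:  AuthUserFile /path/to/.htpasswd   (path optionally quoted)
AUTHUSERFILE_RE = re.compile(r'^\s*AuthUserFile\s+"?([^"\s]+)"?', re.I | re.M)


def _mode(path: Path) -> int:
    return stat.S_IMODE(path.stat().st_mode)


def audit(docroot) -> list:
    """Return a list of findings; an empty list means nothing to fix."""
    docroot = Path(docroot).resolve()
    findings = []

    # 1. The password file referenced from the .htaccess in the web root
    htaccess = docroot / ".htaccess"
    match = AUTHUSERFILE_RE.search(htaccess.read_text()) if htaccess.is_file() else None
    if match is None:
        findings.append(".htaccess: no AuthUserFile directive, so basic auth is not configured")
    else:
        pwfile = Path(match.group(1))
        if not pwfile.is_absolute():
            # Apache resolves a relative AuthUserFile against ServerRoot,
            # not against the directory holding the .htaccess file.
            findings.append(f"AuthUserFile is relative ({pwfile}); use the full path")
        elif not pwfile.is_file():
            findings.append(f"AuthUserFile does not exist: {pwfile}")
        else:
            resolved = pwfile.resolve()
            if docroot in resolved.parents and not resolved.name.startswith(".ht"):
                # The stock httpd.conf only denies names beginning with .ht;
                # any other file under the web root can be fetched by URL.
                findings.append(f"{resolved.name} sits inside the web root and is downloadable")
            mode = _mode(resolved)
            if (mode & 0o044) == 0:
                findings.append(f"{resolved.name} mode {mode:o}: the web server user cannot read it")
            if mode & 0o022:
                findings.append(f"{resolved.name} mode {mode:o}: group/world writable")

    # 2. library/config.php holds the database credentials and superAdmins list
    config = docroot / "library" / "config.php"
    if config.is_file():
        mode = _mode(config)
        if mode & stat.S_IROTH:
            findings.append(f"config.php mode {mode:o} is world readable; chmod 640 and rotate the DB password")
        if mode & 0o022:
            findings.append(f"config.php mode {mode:o} is group/world writable")
    else:
        findings.append("library/config.php not found")
    return findings


def build_sample_site(root, world_readable_config=False, htpasswd_inside=False):
    """Create a constructed site layout under `root` and return its web root."""
    root = Path(root)
    docroot = root / "public_html"
    (docroot / "library").mkdir(parents=True)
    # Password file either one level above the web root (correct) or inside it (wrong)
    pwdir = docroot / "private" if htpasswd_inside else root / "private"
    pwdir.mkdir(parents=True, exist_ok=True)
    pwfile = pwdir / ("users.txt" if htpasswd_inside else ".htpasswd")
    pwfile.write_text("admin:$apr1$constructed$placeholderhash\n")  # placeholder, not a real hash
    os.chmod(pwdir, 0o755)
    os.chmod(pwfile, 0o644)
    (docroot / ".htaccess").write_text(
        '<FilesMatch "admin.php">\n'
        "  AuthType Basic\n"
        '  AuthName "Restricted"\n'
        f"  AuthUserFile {pwfile}\n"
        "  Require valid-user\n"
        "</FilesMatch>\n")
    config = docroot / "library" / "config.php"
    config.write_text("<?php\n$config['superAdmins'] = '1';\n")
    os.chmod(config, 0o644 if world_readable_config else 0o640)
    return docroot


def demo() -> dict:
    """Build one correct and one misconfigured layout in a temp dir and audit both."""
    with tempfile.TemporaryDirectory() as tmp:
        good = audit(build_sample_site(Path(tmp) / "good"))
        bad = audit(build_sample_site(Path(tmp) / "bad",
                                      world_readable_config=True, htpasswd_inside=True))
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, "->", findings or ["ok"])
```

Point audit() at a real web root to reuse it; the "good" layout produces no findings, while the "bad" one reports both the downloadable password file and the 644 config.php.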
 
One extra thing I do is limit access to admin.php by IP address. I'm fortunate enough to have a static IP at home and work, and the ability to point my browser through one of my VPS boxes if I'm not at home or work.

I've got this in my .htaccess file

Code:
<FilesMatch "admin.php">
 Order Deny,Allow
 Deny from all
 allow from XXX.XXX.XXX.XXX
 allow from XXX.XXX.XXX.XXX
 allow from XXX.XXX.XXX.XXX
</FilesMatch>
 

This is good advice. Although I didn't include it because the vast majority of people don't have a static IP. I would still recommend you password protect it, as IPs can be spoofed.
 
True. I've also got password protection on the file (and it's working with nginx ;)). So they don't get the error message, I bounce them back to the forum as though they never even hit the admin.php file.
Code:
ErrorDocument 403 http://www.z22se.co.uk/forum/
 

I personally could never get Nginx to work for protected directories. I never did understand as to why. I followed a bunch of guides and other resources, but just never could get it to work. Everything else I could ever want to do with Nginx was not an issue.... Password protection however was.
 
To be honest, I didn't actually have to configure anything. There is a plugin which automatically installs and configures it through cPanel http://nginxcp.com/ which is what I have installed and working.
 
I keep being repeatedly asked to sign in through .htaccess every time I click a link within my AdminCP. It seems to accept me and then easily forget me. What could I be doing wrong?

I've received the above from a few people and the answer was the same each time (seriously, people should read and follow many of those tips):

DO NOT use the same user name and / or password (either or both) for your .htaccess and AdminCP log-in.

BAD:

.htaccess user name X
AdminCP user name X

OR

.htaccess password is Y
AdminCP user name is Y

OR

.htaccess user name is Y and password X
AdminCP user name is Y and password X

OR

.htaccess user is Y and password X
AdminCP user name is X and password Y


GOOD:

.htaccess user name is Y and password X
AdminCP user name is 1 and password 2

All 4 should be completely different from one another. Having them the same in any combination is not only a security threat, but can also cause either cookie issues or, sometimes depending on server setup, site issues as well.
 
Proposed update for version 1.3 (as an optional tip)

Code:
ServerSignature Off

# Reject unusual request methods and CR/LF sequences in the request line
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC,OR]
RewriteCond %{THE_REQUEST} (\\r|\\n|%0A|%0D) [NC,OR]

# Reject angle brackets, quotes, NUL and line breaks in Referer / Cookie, and odd URI prefixes
RewriteCond %{HTTP_REFERER} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_COOKIE} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{REQUEST_URI} ^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999} [NC,OR]

# Reject empty or tool-like User-Agent strings
RewriteCond %{HTTP_USER_AGENT} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^(java|curl|wget) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|curl|wget|python|nikto|scan) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]

# Block MySQL injects
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC,OR]

RewriteCond %{QUERY_STRING} \.\./\.\. [OR]

RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} \.[a-z0-9] [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC]
# Note: The final RewriteCond must NOT use the [OR] flag.

# Return 403 Forbidden error.
RewriteRule .* index.php [F]

The above should be added to both the .htaccess in your XenForo root directory (as the last lines of the rewrite block that is already there) and the .htaccess found in /library/.

Feedback welcomed :)
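Before pasting a rule set like this into a production .htaccess it is worth knowing what it rejects. The script below is an added example, not part of the proposed update: it ports each RewriteCond in the post to a Python regex (mod_rewrite, like re.search, matches anywhere in the value unless the pattern is anchored), joins them with OR exactly as the [OR] flags do, and runs a handful of constructed requests through the chain. The Request class, the condition labels and the sample traffic are all my own constructions.

```python
"""Run the proposed .htaccess blacklist over sample requests to see what it blocks.
Added example; the Request type and the traffic below are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Request:
    method: str = "GET"
    uri: str = "/"            # path only, like %{REQUEST_URI}
    query: str = ""           # raw and still URL-encoded, like %{QUERY_STRING}
    user_agent: str = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
    referer: str = ""
    cookie: str = ""

    @property
    def the_request(self) -> str:
        # %{THE_REQUEST} is the full request line, e.g. "GET /x?y HTTP/1.1"
        target = self.uri + ("?" + self.query if self.query else "")
        return f"{self.method} {target} HTTP/1.1"


NC = re.IGNORECASE  # the [NC] flag

# (label, Request attribute, pattern, flags): one entry per RewriteCond in the post.
# Every condition carries [OR], so the RewriteRule fires when ANY of them matches.
CONDITIONS = [
    ("method", "method", r"^(HEAD|TRACE|DELETE|TRACK)", NC),
    ("request line", "the_request", r"(\\r|\\n|%0A|%0D)", NC),
    ("referer", "referer", r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", NC),
    ("cookie", "cookie", r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", NC),
    ("uri", "uri", r'^/(,|;|:|<|>|">|"<|/|\\\.\.\\).{0,9999}', NC),
    ("empty UA", "user_agent", r"^$", 0),
    ("UA prefix", "user_agent", r"^(java|curl|wget)", NC),
    ("UA word", "user_agent",
     r"(winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner)", NC),
    ("UA tool", "user_agent", r"(libwww-perl|curl|wget|python|nikto|scan)", NC),
    ("UA chars", "user_agent", r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", NC),
    ("query sql", "query",
     r'''(;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark)''', NC),
    ("query traversal", "query", r"\.\./\.\.", 0),
    ("query localhost", "query", r"(localhost|loopback|127\.0\.0\.1)", NC),
    ("query dot", "query", r"\.[a-z0-9]", NC),
    ("query chars", "query", r"(<|>|'|%0A|%0D|%27|%3C|%3E|%00)", NC),
]


def evaluate(req: Request) -> list:
    """Return the labels of the conditions that match; non-empty means a 403."""
    return [label for label, attr, pat, flags in CONDITIONS
            if re.search(pat, getattr(req, attr), flags)]


# Constructed traffic: the first four are things real members or monitoring
# systems send; the last two are the kind of request the rules are aimed at.
SAMPLES = {
    "thread view": Request(uri="/forum/threads/secure-admincp.123/"),
    "search for '1.5'": Request(uri="/forum/search/search", query="q=version+1.5"),
    "member named O'Brien": Request(uri="/forum/members/", query="name=O%27Brien"),
    "uptime HEAD probe": Request(method="HEAD", user_agent="UptimeMonitor/1.0"),
    "blank user agent": Request(uri="/forum/admin.php", user_agent=""),
    "redirect to loopback": Request(uri="/forum/login/", query="redirect=http://127.0.0.1/"),
}


def demo() -> dict:
    """Map each sample's name to the list of conditions it trips."""
    return {name: evaluate(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in demo().items():
        print(f"{name:24s} -> {'403 ' + ', '.join(hits) if hits else 'allowed'}")
```

The output shows the trade-off a practitioner should weigh: the blank User-Agent and the loopback redirect are caught as intended, but `\.[a-z0-9]` on the query string rejects any parameter containing a decimal number or a file name, `%27` rejects an apostrophe in a member's name, and blocking HEAD breaks uptime monitors and load-balancer health checks. Since the rule uses [F], the `index.php` substitution is ignored and the client simply receives 403.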
 