Secure AdminCP and Installation [Deleted]

[Gonanda]

Recommended - IMPORTANT - Strongly advised (I'd call this a requirement)

######################################################################
# Protect your .htaccess file
<Files .htaccess>
        order allow,deny
        deny from all
</Files>

And

<Files "(.htaccess\^\.ht|~$|\.bak$|\.BAK$)">
        order allow,deny
        deny from all
</Files>

 

[Adam Howard]

This is need do in httpd.conf. That's much better. Anyway, you are huge paranoiac like me. I like your view on this task! THANK YOU!

The guide was designed with "shared hosting" in mind as well. Adding it to htaccess works on a properly configured shared hosting environment.

If adding that to htaccess doesn't work, its normally a good sign to find a new host.

 

[imlps]

Hi Adam,

You mentioned "Change your Super Administrator's title to Member or to whatever common title is used on your site", but how can I stop this hidden Super Admin from showing under Staff Online Now? I untick the show online status in his option but no help.

 

[Jeremy]

@Shyuan, if you have yourself hidden (ie, invisible) it will not show to guests or members; except those with the permissions to view those who are invisible. You'll show up for yourself and those specific members. 1.2 also has hidden staff, which will help in this matter.

 

[imlps]

@King Kovifor, I think I understand now. Other than myself, others aren't able to see me online as member & staff right?

 

[Jeremy]

Yes. You and anyone who has permission to view invisible users.

 

[imlps]

Yes. You and anyone who has permission to view invisible users.

Thank you for your clarification

 

[Adam Howard]

Hi Adam,

You mentioned "Change your Super Administrator's title to Member or to whatever common title is used on your site", but how can I stop this hidden Super Admin from showing under Staff Online Now? I untick the show online status in his option but no help.

Allow yourself a custom user title and assign yourself that and as @King Kovifor siad, you can also make yourself hidden.

 

[imlps]

Thanks @Adam Howard for this reseource i have done everything you taught.

 

[Adam Howard]

Tested and works on both XenForo 1.1.x and 1.2.x

 

[Adam Howard]

Tip:

• Do not use the same user name and password for your database anywhere.
• Your user name and password for your Super Administrator should also not match your database user name and password

^ Will be posting an update to include that. Can not believe someone was using that (will not name who).

 

[Adam Howard]

Adam Howard updated Secure AdminCP with a new update entry:

user name and password for database

Updated to include a general reminder that you should never use your databases user name and password anywhere else or for anything else.

And it should go without saying that they should not ever be used again on your own site, including your Super Administrator account (they should not match).

Read the rest of this update entry...

 

[Adam Howard]

Question:

How long should I make my password?

Answer:

There is a little bit of debate on this.

Some will argue that length isn't important, because a bot can run down through hundreds and thousands of combinations at once. Indeed this is true and it is why 2 step verification is slowly gaining in popularity.

While others will argue that a good long password is good enough, because they still need your user name.

I fall somewhere in between these two.

Overall, you want to use some common sense and obviously don't want it to be to short. But the overall goal shouldn't be so much about length, but rather how complicated it is.

For example,

john1234567 is going to be easier for someone to crack than it is @qAJh0n^3_-

Both of those are the same length at 11 characters long. The 2nd one is going to be a little better off than the first one, but not by much.

A good password example would be something along the lines of

VpoYKn4UJt3MdGWWOT#UeMd*FZAE9ZXDt#3xNKTT7iJoFBTOXy!Gw20Cwqc*Enwp3Zr1z*N$v$FpjWsE#qUPpk1L8^T4IZUp!JlF

This example is 100 characters in length. And while it is technically better than the first 2 examples, it too is not fool proof (nothing ever is). But if given the choice between the 3, of course I would suggest the 3rd option.

This is where hiding your user name will also add to the level of security. Because as you should know, you need a combination of the two in order to access something. And in theory, the more members you have, the more someone has to weed through.

 

[zooki]

cool advice. thanks

 

[imlps]

• Do not use the same user name and password for your database anywhere.

Hi Adam, generally I understand this simple rule. However, I don't quite understand how a person can use the same username and password for database anywhere. Password is possible to be the same, but in cPanel we usually have different database and user prefix (note: I am not saying table prefix). For example if your username to login cPanel is abcdefgh, then when you create a database or user, it would be abcdefgh_7able or abcdefgh_4dmin. I mean abcdefgh_ would usually different in terms of creating database via cPanel since you have different cPanel login usernames. I assume most of us using cPanel here, unless you are pointing to those who use other control panels where you can freely choose or not to use any database and user's prefix? Sorry if I don't understand you right here.

Pardon me, I knew what you were talking about now, after reading the other post of yours in the updates! Some people would really use the database name and username else where.

• Your user name and password for your Super Administrator should also not match your database user name and password

Hehe, i didn't know someone would actually do that. Not being mean, but this is really intolerable.

 

[Adam Howard]

I get asked this a lot. What do I add to my htaccess file?

I personally recommend if you need to ask that question, it maybe better that you stick with the default one supplied by XenForo. However for those of you who really want to know

Options -Indexes
Options +FollowSymLinks
#
#Password protection
#
AuthName "Who's your daddy?"
AuthType Basic
AuthUserFile /path-to-password-file/
AuthGroupFile /dev/null
<Files admin.php>
require valid-user
</Files>
#
#   Mod_security can interfere with uploading of content such as attachments. If you
#   cannot attach files, remove the "#" from the lines below.
#<IfModule mod_security.c>
#   SecFilterEngine Off
#   SecFilterScanPOST Off
#</IfModule>
Options FollowSymLinks
ErrorDocument 401 http://www.amazon.com/?_encoding=UTF8&camp=213733&creative=393193&linkCode=shr&tag=socialuncens-20
ErrorDocument 403 http://www.amazon.com/?_encoding=UTF8&camp=213733&creative=393193&linkCode=shr&tag=socialuncens-20
ErrorDocument 404 http://www.sociallyuncensored.eu/forums/
ErrorDocument 500 default

<IfModule mod_rewrite.c>
   RewriteEngine On
   
   RedirectMatch 301 401.shtml http://www.amazon.com/?_encoding=UTF8&camp=213733&creative=393193&linkCode=shr&tag=socialuncens-20
   RedirectMatch 301 403.shtml http://www.amazon.com/?_encoding=UTF8&camp=213733&creative=393193&linkCode=shr&tag=socialuncens-20
   RedirectMatch 301 404.shtml http://www.sociallyuncensored.eu/forums/
   RewriteCond %{HTTP_HOST} !^www\.sociallyuncensored\.eu$
   RewriteRule ^(.*)$ http://www.sociallyuncensored.eu/?$1 [R=301,L]
   
   RewriteCond %{HTTP_REFERER} !^$
   RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?sociallyuncensored\. [NC]
   RewriteCond %{HTTP_REFERER} !^http(s)?://(cdn\.)?sociallyuncensored.com [NC]
   RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?google\. [NC]
   RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?bing\. [NC]
   RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?yahoo\. [NC]
   RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?duckduckgo\. [NC]
   RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?xenforo\. [NC]
   RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?twitter\. [NC]
   RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?facebook\. [NC]
   RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?amazon\. [NC]
   RewriteCond %{HTTP_REFERER} !search\?q=cache [NC]
   RewriteRule \.(jpg|jpeg|png|gif|svg|css|js|pdf|zip)$ http://www.sociallyuncensored.eu/hotlink.jpg [NC,R,L]
   
   #   If you are having problems with the rewrite rules, remove the "#" from the
   #   line that begins "RewriteBase" below. You will also have to change the path
   #   of the rewrite to reflect the path to your XenForo installation.
   #RewriteBase /xenforo

   #   This line may be needed to enable WebDAV editing with PHP as a CGI.
   #RewriteRule .* - [E=HTTP_AUTHORIZATION:%{HTTP:Authorization}]

   RewriteCond %{REQUEST_FILENAME} -f [OR]
   RewriteCond %{REQUEST_FILENAME} -l [OR]
   RewriteCond %{REQUEST_FILENAME} -d
   RewriteRule ^.*$ - [NC,L]
   RewriteRule ^(data/|js/|styles/|install/|favicon\.ico|crossdomain\.xml|robots\.txt) - [NC,L]
   RewriteRule ^.*$ index.php [NC,L]

# 5G BLACKLIST/FIREWALL (2013)
# @ http://perishablepress.com/5g-blacklist-2013/

   RewriteCond %{QUERY_STRING} (\"|%22).*(<|>|%3) [NC,OR]
   RewriteCond %{QUERY_STRING} (javascript:).*(\;) [NC,OR]
   RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3) [NC,OR]
   RewriteCond %{QUERY_STRING} (\\|\.\./|`|=\'$|=%27$) [NC,OR]
   RewriteCond %{QUERY_STRING} (\;|\'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|and|if) [NC,OR]
   RewriteCond %{QUERY_STRING} (base64_encode|localhost|mosconfig) [NC,OR]
   RewriteCond %{QUERY_STRING} (boot\.ini|echo.*kae|etc/passwd) [NC,OR]
   RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC]
   RewriteRule .* - [F]

   RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
   RewriteRule .* - [F]
   
   #My Block mySQL injects
   RewriteCond %{QUERY_STRING} (;|<|>|’|”|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|cast|set|declare|drop|update|md5|benchmark) [NC,OR]
   RewriteCond %{QUERY_STRING} \.\./\.\. [OR]
   RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
   RewriteCond %{QUERY_STRING} \.[a-z0-9] [NC,OR]
   RewriteCond %{QUERY_STRING} (<|>|’|%0A|%0D|%27|%3C|%3E|%00) [NC]
   #   Note: The final RewriteCond must NOT use the [OR] flag.
</IfModule>

# 5G:[USER AGENTS]
<IfModule mod_setenvif.c>
   # SetEnvIfNoCase User-Agent ^$ keep_out
   SetEnvIfNoCase User-Agent (\<|\>|\'|\$x0|\%0A|\%0D|\%27|\%3C|\%3E|\%00|\+select|\+union|\&lt) keep_out
   SetEnvIfNoCase User-Agent (binlar|casper|checkprivacy|cmsworldmap|comodo|curious|diavol|doco) keep_out
   SetEnvIfNoCase User-Agent (dotbot|feedfinder|flicky|ia_archiver|jakarta|kmccrew|libwww|nutch) keep_out
   SetEnvIfNoCase User-Agent (planetwork|purebot|pycurl|skygrid|sucker|turnit|vikspid|zmeu|zune) keep_out
   <limit GET POST PUT>
     Order Allow,Deny
     Allow from all
     Deny from env=keep_out
   </limit>
</IfModule>

# 5G:[REQUEST STRINGS]
<IfModule mod_alias.c>
   RedirectMatch 403 (https?|ftp|php)\://
   RedirectMatch 403 /(https?|ima|ucp)/
   RedirectMatch 403 /(Permanent|Better)$
   RedirectMatch 403 (\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$
   RedirectMatch 403 (\,|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\||\\\"\\\")
   RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
   RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php$
   RedirectMatch 403 (base64|crossdomain|localhost|wwwroot|e107\_)
   RedirectMatch 403 (eval\(|\_vti\_|\(null\)|echo.*kae|config\.xml)
   RedirectMatch 403 \.well\-known/host\-meta
   RedirectMatch 403 /function\.array\-rand
   RedirectMatch 403 \)\;\$\(this\)\.html\(
   RedirectMatch 403 proc/self/environ
   RedirectMatch 403 msnbot\.htm\)\.\_
   RedirectMatch 403 /ref\.outcontrol
   RedirectMatch 403 com\_cropimage
   RedirectMatch 403 indonesia\.htm
   RedirectMatch 403 \{\$itemURL\}
   RedirectMatch 403 function\(\)
   RedirectMatch 403 labels\.rdf
   RedirectMatch 403 /playing.php
   RedirectMatch 403 muieblackcat
</IfModule>

#Deny attempts to view the Htaccess file.
<Files "(.htaccess\^\.ht|~$|\.old$|\.OLD$|\.bak$|\.BAK$)">
Order allow,deny
Deny from all
</Files>

<limit GET POST PUT>
deny from 0.
deny from 10.0.0.0/8
deny from 172.16.0.0/12
deny from 192.168.0.0/16
deny from 169.254.0.0/16
#deny from softlayer.com
deny from 5.10.83.0/25
</limit>

 

[Adam Howard]

Adam Howard updated Secure AdminCP with a new update entry:

added new step

Originally this was a 4 step guide, it is now a 5 step guide. The new step talks about your /install/ folder.

Read the rest of this update entry...

 

[Adam Howard]

To password protect for nginx

        location /YOUR-forum-path/admin.php {
        auth_basic "Private";
        auth_basic_user_file /usr/share/nginx/htpasswd;
    include /etc/nginx/php.conf;
        }

        location /YOUR-forum-path/install/ {
    index index.php index.html index.htm;
        auth_basic "Private";
        auth_basic_user_file /usr/share/nginx/htpasswd;
        include /etc/nginx/php.conf;
        }

So if your forum is located at /community/ you'd change "YOUR-forum-path" to community

If you need further help with nginx, I would suggest your hire @MattW

 

[Floyd R Turbo]

This is a very well explained guide and discussion, thank you to all.

I do have one question, @Jeremy you mention that 1.2 has "hidden staff", but is that explicitly different from just unchecking "Show Online Status"? If so, please let me know where this option is located, can't seem to find it.

Also is there currently a way (in core) to completely hide a particular member, even from the members' list? So if I created a new account to serve as the SA, I could hide it, change the username to a random character string, and then change the id in config.php to that account.

 

[Jeremy]

You cannot globally hide an account.

Edit the user and unclick the "Display user as staff" option.