PDA

View Full Version : htpassword admincp


Greek76
03-29-2007, 10:19 AM
Ok Im attempting to create a .htpassword file to protect my admin cp. So I read some of those sites on .htpassword. Reason being Ive had some trolls and some very shady ip addresses viewing my forum so I want to protect my forum. My question is when I create the file how would I go about actually protecting the admin panel. Would it be like this code below? Is that all I need to protect is my admin panel?


AuthName "Admin file"
AuthType Basic
AuthUserFile /home/bla bla/public_html/forum/Admin panel/.htpasswd
Require valid-user=username
Require valid-password=password

Is that correct?

Then upload file to the admin directory?

Thanks

nexialys
03-29-2007, 01:19 PM
there is no absolute reason why you would have to htpassword your admincp... trolls or not, if they don't have an admin account, they can't hit farther than the login page in the admincp...

Greek76
03-29-2007, 05:35 PM
So what do you recomend. Ive read plenty of posts of people creating htpasswords files and uploading them to their forum to password protect files.

TECK
03-30-2007, 06:29 AM
there is no absolute reason why you would have to htpassword your admincp... trolls or not, if they don't have an admin account, they can't hit farther than the login page in the admincp...
Are you sure? vBulletin.com does not think the same way:
http://www.vbulletin.com/forum/admincp/

It's extremly important to protect your /admincp with htpasswd.
DO NOT use an online tool generator (security warning) and update through FTP, just telnet into your server and run the commands there.

Run this:
(pwd will show you the /full/path/to/your/protected/folder path)

su -
cd /your/protected/folder
pwd
pico .htaccess

In pico, paste this:
AuthUserFile /full/path/to/your/protected/folder/.htpasswd
AuthName restricted
AuthType Basic
<Limit GET>
require valid-user
</Limit>
Now, hit CTRL+O (letter) on your keyboard, which executes the Write command.
You will be prompted with the file name .htaccess at the bottom of your screen. Confirm the file is named correctly, and hit enter to save your file. You may now exit pico by hitting CTRL+X.

To create a .htpasswd file and insert it's first user, run this:
cd /your/protected/folder
htpasswd ?c .htpasswd johnsmith

You will be prompted to put in a password for johnsmith and then to confirm it.
If you want to add another user, just run this:
htpasswd .htpasswd newuser

Pretty easy, ehh? I hope you dont run Apache with php-fcgi, because that's another story...

Marco van Herwaarden
03-30-2007, 06:56 AM
there is no absolute reason why you would have to htpassword your admincp... trolls or not, if they don't have an admin account, they can't hit farther than the login page in the admincp...
And what if there is a new vulnerability found (vB or a modification) that makes the ACP vulnerable?

TECK
03-30-2007, 07:07 AM
Thanks Marco. :)

Cap'n Steve
04-02-2007, 02:15 AM
They're just assuming that you'll use bad passwords. I guess it's better to be safe than sorry, though.

Greek76
04-03-2007, 09:16 AM
Thanks for the posts guys!

Are you sure? vBulletin.com does not think the same way:
http://www.vbulletin.com/forum/admincp/

It's extremly important to protect your /admincp with htpasswd.
DO NOT use an online tool generator (security warning) and update through FTP, just telnet into your server and run the commands there.

Run this:
(pwd will show you the /full/path/to/your/protected/folder path)

su -
cd /your/protected/folder
pwd
pico .htaccess

In pico, paste this:
AuthUserFile /full/path/to/your/protected/folder/.htpasswd
AuthName restricted
AuthType Basic
<Limit GET>
require valid-user
</Limit>
Now, hit CTRL+O (letter) on your keyboard, which executes the Write command.
You will be prompted with the file name .htaccess at the bottom of your screen. Confirm the file is named correctly, and hit enter to save your file. You may now exit pico by hitting CTRL+X.

To create a .htpasswd file and insert it's first user, run this:
cd /your/protected/folder
htpasswd ?c .htpasswd johnsmith

You will be prompted to put in a password for johnsmith and then to confirm it.
If you want to add another user, just run this:
htpasswd .htpasswd newuser

Pretty easy, ehh? I hope you dont run Apache with php-fcgi, because that's another story...


I dont know I have my site hosted at hostgator. I have to check to see exactly what server they are using.

subzero06
04-03-2007, 05:04 PM
I think you can do this in your host cpanel called
"Protected Password Directory"
and you just select the admincp folder directory.

TECK
04-04-2007, 03:13 AM
What if you don't want to use software like cPanel?
This is the worst software you can put on your server... they compile PHP into their RPM so you are forced to use their version. Not to mention the bulky code and the 1500$ price tag. Crazy.

Greek76
04-04-2007, 06:02 PM
I attempted to upload htpassword file in the same format I posted in my first post but its not working.

bashy
04-04-2007, 07:25 PM
i spose you could always use folder password from your server control panel, this works very well :)