Dear All,

I am planning to move my admincp pages to a different host. I have a separate machine for monitoring and other supporting tasks and this allows me to do some really draconian IP filtering on such tools. :)

What are the risks of doing this?

Can I just install a second instance of the site on the second machine and delete the admincp pages from the main box?

Kees Jan

What you can do is remove Admin CP files off the primary box, place a set of original vBulletin files onto the other box, and setup config.php to access the database of the primary installation. Do not run install.php! (But remove it.)

Dear Dismounted,

So there is no caching in vbulletin that may make this difficult?

What kind of caches are you talking about?

Dear Dismounted,

Well, that is my question: does vbulletin or Apache cache stuff that would make moving the admincp to a different machine harder?

Kees Jan

What you can do is remove Admin CP files off the primary box, place a set of original vBulletin files onto the other box, and setup config.php to access the database of the primary installation. Do not run install.php! (But remove it.)

I would also suggest making this set of files completely inaccessible to outsiders or else you run into licensing issues with Jelsoft. That would fall under "multiple sites without multiple licenses" if not password protected from others.

Dear j883376,

Yes, I am aware of the licensing issues that such a setup would bring. The whole point of this setup would be to have the admincp inaccessible to anyone but admininstrators.


Well, from what I gather there are no real technical limitations. You guys brought up some valid points (licensing, not running install from both locations) , so I think I'll go ahead and set this up.

Thanks for your input.

Kees Jan

PS. This also ties into my post about limiting database grants (https://vborg.vbsupport.ru/showthread.php?t=211588). Having the admin control panel on a separate machine allows me to instruct MySQL to not give ALTER/DROP/CREATE privileges to the admin machine. This makes SQL injection just that little bit less powerful on my site.

[/URL]. Having the admin control panel on a separate machine allows me to instruct MySQL to not give ALTER/DROP/CREATE privileges to the admin machine. This makes SQL injection just that little bit less powerful on my site.
It will also stop you doing some administration duties, since they may require such privileges.

That would fall under "multiple sites without multiple licenses" if not password protected from others.
Actually, AFAIK, it would not. Both sets of files are pointing to the same set of data, with no domain discrimination. That does not break the license agreement.

Yes, I am aware of the licensing issues that such a setup would bring. The whole point of this setup would be to have the admincp inaccessible to anyone but admininstrators.
Simply password protecting the admincp folder will do that, no need for another server.

Dear Paul M,

I meant to say that the regular forum mysql user should not have CREATE/ALTER/DELETE privileges and the administrative site should. My bad. :)

As for the password protecting, that would not allow me to lock down the database user for vbulletin.

Plus (and you don't know this of course) I have a lot more running on that admin machine than just the vbulletin forum. That machine also runs the monitoring for instance. I hang out of the admin machine more than on for forum. :) For me it is more logical to have all that on one machine, while for most forums it is more logical to use the default setup of having admin tasks on the forum machine as well.

Kees Jan

Im pretty sure you need DELETE for the forum to run properly, not sure about ALTER/CREATE.

Well - conclusion first - this is maybe useless. The problem is that the second (your Admin machine) would need the SQL rights you want to take away in order to do administrative tasks.
To write them in the DB of your first machine, you either have to setup a replica - the replica user would then have the rights you want to take away or some kind of tunnel - then again the problem remains the same.
At least INSERT / SELECT is required to run Vbulletin and that's already enough to dump the passwords or add another admin to your forum - if there's an injection possible.
I just want to say that all this might not give the security enhancements you're looking for because at least one DB user needs to rights at your VB database.
Maybe, rename the AdminCP folder, add a Password Protection and if you want to lookdown IP's do it directly in the Webserver configuration.
Or move your AdminCP - at the same server - inside a SSL environment setting up a redirection, Client Cert Authentication is the key.

Like said, DB access is still required with the rights you care about, doesn't matter where your AdminCP is placed. IP's can be spoofed as well so the time is maybe better spent configuring your primary machine that injections are already as hard as possible. Moving something insecure away doesn't make it more secure anyways if there's a problem because even at the other machine, the security problems, if any, will stay.

Dear Angel-Wings,

Hmm. Excellent points. Certainly food for thought. This is beginning to sound like less and less of a good idea. Thanks for you advise.

Kees Jan