
invisiblea 08-07-2008 10:00 PM

SecureMe V1.0 - Secure Your Admin Panel
 
Hello guys,

It just came to my mind to make something to secure the ACP of my vBulletin. I'd like to share it with you guys too!

Basically what it does is just allow the IPs you provide to access the ACP. You can add as many IPs as you need (for your staff).

Step 1) Create a file named .htaccess
Step 2) Add this to the file:

Code:

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from YOUR HOME IP
# whitelist work IP address
allow from YOUR OFFICE IP
allow from YOUR OFFICE IP 2

Just replace the IP with YOUR HOME IP. Likewise, you can add more.

II AnDo II 08-08-2008 06:50 PM

sounds good thanks

hauli 08-08-2008 08:27 PM

Very good idea! Thanks

dt_truck11 08-08-2008 08:29 PM

This is a great idea, but what about the users who have AOL or something where their IP changes whenever they sign on?

youradhere4222 08-08-2008 09:56 PM

This is a good idea, but it's not for me or for those who often access their ACP from computers other than their own.

I had this implemented but I finally figured that the nuisance of not being able to access your ACP from anything but your own computer outweighs the extra protection this provides.

syrus.xl 08-08-2008 10:09 PM

I wouldn't use this... There are easier ways to protect the admincp directory. I've known people to block their own IPs doing it this way.

1. Rename it, and change the variable in the config.php file.
2. Add user and password protection.
3. Add redirect if admincp is accessed directly (requires FTP to change - not recommended for users that access their admincp often).

Just a few ideas...

youradhere4222 08-09-2008 12:59 AM

Quote:

Originally Posted by syrus.xl (Post 1594351)
3. Add redirect if admincp is accessed directly (requires FTP to change - not recommended for users that access their admincp often).

Do you have instructions on how to do this?

Mephisteus 08-09-2008 11:10 AM

Quote:

Originally Posted by youradhere4222 (Post 1594431)
Do you have instructions on how to do this?

That's fake security, and it's something you shouldn't rely on. A browser can easily fake a referer and thus it just becomes more of a nuisance. It can be faked so easily that if a hacker can get through whatever is next, said hacker will have no problem getting past this particular hurdle.

It'd be better to do it the other way around: if accessed through the main page (through a link that you should remove), show the 404 Not Found error page. Go with the Auth as shown above, but add all known ranges for your provider if you have a changing IP; you'll still block a whole lot more, and if it doesn't match, show the 404 error.

The 404 leads someone just probing to believe there's nothing there and thus move on.

If you really don't want to use the IP you can force an htaccess pop up on all sub-directories that don't exist, and then manually add an identical screen for the acp directory. Of course you don't want any broken referers on your site then since users would get a popup.

But in all seriousness, the regular vBulletin login with a user-specific login, an htaccess with a singular login (and another username and password) and changing the directory to something with uppercase/lowercase/numbers/special characters will increase security to such a point where, if they get past it, you really should be wondering if the server got compromised.

Most of this *should* make sense, but since I wrote it as I was thinking it, it might be a bit messy :p

PS
Sorry to hijack the thread :p
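
Added example (not part of any post in this thread, and not vBulletin or Apache code): a pre-deployment check that evaluates the `order` / `allow from` / `deny from` rules from the first post against a list of staff addresses, so a self-lockout or a missing provider range is caught before the .htaccess is uploaded. It assumes IPv4 clients and Apache 2.2-style Order semantics; hostname arguments are not resolved, and the function names and sample addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# Constructed sample: the post's rules with documentation-range addresses
# in place of the YOUR HOME IP placeholders, plus one provider range.
SAMPLE_HTACCESS = """\
order deny,allow
deny from all
# whitelist home IP address
allow from 203.0.113.7
# provider range for a changing IP
allow from 198.51.100.0/24
"""

def _matches(spec, ip):
    """True if one 'allow/deny from' argument covers the client IP."""
    if spec.lower() == "all":
        return True
    if "/" in spec:                      # CIDR or network/netmask form
        return ip in ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    if len(octets) < 4:                  # partial address such as "10.1"
        return str(ip).split(".")[:len(octets)] == octets
    return ip == ipaddress.ip_address(spec)

def is_allowed(htaccess_text, client_ip):
    """Evaluate Order/Allow/Deny rules for one IPv4 client address."""
    ip = ipaddress.ip_address(client_ip)
    order, allow, deny = "deny,allow", [], []   # Apache's default Order
    for line in htaccess_text.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue                     # blank line or comment line
        key = words[0].lower()
        if key == "order" and len(words) >= 2:
            order = "".join(words[1:]).lower()
        elif key in ("allow", "deny") and len(words) >= 3 and words[1].lower() == "from":
            (allow if key == "allow" else deny).extend(words[2:])
    allowed = any(_matches(s, ip) for s in allow)
    denied = any(_matches(s, ip) for s in deny)
    if order == "deny,allow":            # Allow overrides Deny; default is allow
        return allowed or not denied
    return allowed and not denied        # allow,deny: Deny wins; default is deny

def locked_out(htaccess_text, staff_ips):
    """Return the staff addresses that the rules would block."""
    return [ip for ip in staff_ips if not is_allowed(htaccess_text, ip)]
```

Running `locked_out()` with every admin's current address before uploading the file shows who would be shut out of the ACP.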

Marco van Herwaarden 08-09-2008 12:07 PM

Moved to Articles.

mac-warez 05-10-2009 11:43 PM

Someone should re-write for LightTPD

avsunforum 06-22-2009 08:36 PM

Oww Thanks

