SecureMe V1.0 - Secure Your Admin Panel
#1
invisiblea, 08-07-2008, 10:00 PM
Join Date: Feb 2008
Posts: 65

Hello guys,

It just came to my mind to make something to secure the ACP of my vBulletin. I'd like to share it with you guys too!

Basically, what it does is only allow the IPs you provide to access the ACP. You can add as many IPs as you need (for your staff).

Step 1) Create a file named .htaccess
Step 2) Add this in the file:

Code:
# Put this .htaccess in the admincp directory itself.
# The Auth* lines below are inert: there is no Require directive, so no
# login prompt is ever issued. The IP restriction is done by the
# Order/Deny/Allow lines (Apache 2.2 syntax; Apache 2.4 only accepts
# them through mod_access_compat).
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
Order deny,allow
Deny from all
# whitelist home IP address
Allow from YOUR HOME IP
# whitelist work IP address
Allow from YOUR OFFICE IP
Allow from YOUR OFFICE IP 2
Just replace YOUR HOME IP with your home IP address. Likewise, you can add more.
#2
II AnDo II, 08-08-2008, 06:50 PM
Join Date: Jun 2008
Posts: 19

Sounds good, thanks.
#3
hauli, 08-08-2008, 08:27 PM
Join Date: Aug 2008
Location: Switzerland
Posts: 5

Very good idea! Thanks.
#4
dt_truck11, 08-08-2008, 08:29 PM
Join Date: Apr 2008
Location: Wisconsin, USA
Posts: 88

This is a great idea, but what about the users who have AOL or something where their IP changes whenever they sign on?
#5
youradhere4222, 08-08-2008, 09:56 PM
Join Date: Sep 2007
Location: Houston, TX
Posts: 234

This is a good idea, but it's not for me or for those who often access their ACP from computers other than their own.

I had this implemented, but I finally figured that the nuisance of not being able to access your ACP from anything but your own computer outweighs the extra protection this provides.
#6
syrus.xl, 08-08-2008, 10:09 PM
Join Date: Jun 2005
Location: In a cyber world...
Posts: 999

I wouldn't use this... There are easier ways to protect the admincp directory. I've known people to block their own IPs doing it this way.

1. Rename it, and change the variable in the config.php file.
2. Add user and password protection.
3. Add a redirect if admincp is accessed directly (requires FTP to change; not recommended for users who access their admincp often).

Just a few ideas...
#7
youradhere4222, 08-09-2008, 12:59 AM
Join Date: Sep 2007
Location: Houston, TX
Posts: 234

Quote:
Originally Posted by syrus.xl
3. Add a redirect if admincp is accessed directly (requires FTP to change; not recommended for users who access their admincp often).

Do you have instructions on how to do this?
#8
Mephisteus, 08-09-2008, 11:10 AM
Join Date: Dec 2001
Location: The Netherlands
Posts: 288

Quote:
Originally Posted by youradhere4222
Do you have instructions on how to do this?

That's fake security, and it's something you shouldn't rely on. A browser can easily fake a referer and thus it just becomes more of a nuisance. It can be faked so easily that if a hacker can get through whatever is next, said hacker will have no problem getting past this particular hurdle.

It'd be better to do it the other way around: if accessed through the main page (through a link that you should remove), show the 404 Not Found error page. Go with the Auth as shown above, but add all known ranges for your provider if you have a changing IP; you'll still block a whole lot more, and if it doesn't match, show the 404 error.

The 404 leads someone just probing to believe there's nothing there and thus move on.

If you really don't want to use the IP, you can force an htaccess pop-up on all sub-directories that don't exist, and then manually add an identical screen for the ACP directory. Of course, you don't want any broken referers on your site then, since users would get a pop-up.

But in all seriousness, the regular vBulletin login with a user-specific login, an htaccess with a singular login (and another username and password), and changing the directory to something with uppercase/lowercase/numbers/special characters will increase security to such a point where, if they get past it, you really should be wondering if the server got compromised.

Most of this *should* make sense, but since I wrote it as I was thinking, it might be a bit messy.

PS
Sorry to hijack the thread
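Added example, not taken from any post in this thread: the two layers Mephisteus describes above, an IP allowlist that also admits a whole provider range for staff whose address changes on every connection, plus a separate .htaccess login, written as one .htaccess for the admincp directory in Apache 2.4 syntax (the Order/Deny/Allow lines in the first post are the Apache 2.2 form, which 2.4 only accepts through mod_access_compat). The addresses are documentation ranges standing in for real ones, /etc/apache2/admincp.htpasswd and /404.html are assumed paths, and the directory is assumed to have AllowOverride AuthConfig FileInfo with mod_authz_core, mod_authz_host, mod_auth_basic and mod_authn_file loaded.

```apache
# .htaccess for vBulletin's admincp directory, Apache 2.4 syntax.
# Example config, not vBulletin's or this thread's own file; addresses are
# RFC 5737 / RFC 3849 documentation ranges, paths are assumptions.

# Layer 2: a Basic-auth login separate from the vBulletin admin account.
# Keep the password file outside the web root; create it with
#   htpasswd -c /etc/apache2/admincp.htpasswd <username>
AuthType Basic
AuthName "Restricted"
AuthUserFile /etc/apache2/admincp.htpasswd

# Both layers must pass. Apache evaluates "Require ip" before it asks for
# credentials, so a client outside the allowlist gets a 403 and never sees
# the login prompt; a client inside the allowlist gets the prompt.
<RequireAll>
    <RequireAny>
        # Layer 1: fixed addresses for staff who have one...
        Require ip 203.0.113.10 203.0.113.20
        # ...and the provider's whole range for anyone whose address
        # changes on every reconnect (the "AOL" case raised above).
        Require ip 198.51.100.0/24
        Require ip 2001:db8::/32
    </RequireAny>
    Require valid-user
</RequireAll>

# Show a rejected client the site's normal "not found" page instead of
# Apache's default 403 page, so a scanner sees nothing worth probing.
# Only the body changes: the status code Apache sends is still 403.
ErrorDocument 403 /404.html
```

Test it from an address that is not on the list (a phone on mobile data will do) and from one that is, and keep the SSH or FTP session open while you do, so the file can be reverted if you have locked yourself out, the failure mode syrus.xl mentions. If the site sits behind a reverse proxy or CDN, Require ip sees the proxy's address rather than the visitor's; configure mod_remoteip (RemoteIPHeader together with RemoteIPInternalProxy listing only your own proxies) before relying on the allowlist, because an X-Forwarded-For header arriving from anywhere else is attacker-controlled. If admincp has been renamed through $config['Misc']['admincpdir'] in includes/config.php, as syrus.xl's first idea suggests, the file goes in the renamed directory.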
#9
Marco van Herwaarden, 08-09-2008, 12:07 PM
Join Date: Jul 2004
Posts: 25,415

Moved to Articles.
#10
mac-warez, 05-10-2009, 11:43 PM
Join Date: Oct 2008
Posts: 133

Someone should rewrite this for LightTPD.