Go Back   vb.org Archive > vBulletin Article Depository > Read An Article > vBulletin 3 Articles
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools
Making your Admincp More secure!
iNRoC
Join Date: Jul 2008
Posts: 151

 

Clifton, New Jersey
Show Printable Version Email this Page Subscription
iNRoC iNRoC is offline 11-27-2008, 10:00 PM

Hi guys, over my relatively short time as an administrator of a few forums, I've learned a few "tricks" that will throw off some of the more "Noobish" people who have a desire to hack your forum. I figured I would go ahead and post them

Trick # 1:Rename your admincp folder

This is actually a surprisingly little known feature of vbulletin. Rename the admincp on your hosting space to anything else, the more random, the better. Open up your config.php inside the /includes/ folder, and find the line containing

PHP Code:
$config['Misc']['admincpdir'] = 
and change the variable stored there to the name of your directories new name. Basically, this will make it so anyone who doesn't know the exact location of your admincp, cant find it.

Trick #2: The Dummy Admin Panel

This one goes well with trick #1. Goto your admin panel's login screen,and go to your browsers File-> Save As page, and save the .php file to your HD. Now, open edit out the personal data in that admincp (look around the form data for "hidden" fields), and upload it to a directory on your server. Basically, the idea here is to make a non-functional admincp login page, to fool people into thinking they have the right URL when they really don't.

Trick #3: The IP Deny .htaccess

Now, this trick involve knowing all of your admin's IP addresses. If your administrators do not have "rotating" IP's, then you can use a simple .htaccess file to allow only you and your administrators IP ranges to access the admin panel. Quite an efficient way of safeguarding your admin panel

Trick #4: A Passworded .htaccess

If your admin's do have dynamic IP addresses, there is another .htaccess solution you can use, though this one is a little less secure. Simply create a .htaccess that requires a username and password, this give double password protection on the panel, making it harder to get it. The downside is, if someone gives out the password, its useless :/

Trick #5: The Multi Hash

Now this is one you'll have to figure out on your own, its a little bit tricky to pull off, and PHP/SQL knowledge is required. The current login system for all the users for vbulletin is a MD5 hash, which is encrypted in your sql database itself. Now, to login, the system takes your input, encrypts it, and compares it to the result in the database. When hackers use scripts/exploits to try and pull a password from your database, it comes out as a hash, which they then have to run a dictionary attack against(It takes forever to brute force a MD5 password) Now, a few webmasters have found ways to "multi-hash" the login script, so that it would be something like this user input ->hash ->hash -> hash -Compare result to db. This effectively hinders any hacker from getting your hash and decrypting it, as a dictionary attack would not work on it.

Trick #6 (Though not a trick at all): Picking your staff

Above all, probably the most important thing to ever remember. Don't be generous with giving Moderator/ Admin/ Cpanel/ FTP access. Unless the user is someone you can trust, and has at least a little experience, theres no reason to let anybody in any control panel.

Posted by an administrator by my site. Org post: http://onehitwebdev.com/forum/showthread.php?t=44
Reply With Quote
  #22  
Old 08-27-2013, 04:15 PM
CAG CheechDogg's Avatar
CAG CheechDogg CAG CheechDogg is offline
 
Join Date: Feb 2012
Location: Riverside, California USA
Posts: 1,080
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by Lynne View Post
Nice article! It's so easy to take some steps to make this area of your board more secure, yet many admins don't bother.
Wow! 4 years later and this helped me out tremendously! Lately someone who was a member of our website has been trying to ddos us and gain access to our admin panel, this did the trick!

Simple yet so effective!
Reply With Quote
  #23  
Old 01-29-2016, 12:23 AM
okedisini okedisini is offline
 
Join Date: Dec 2015
Posts: 1
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

step by step please
Reply With Quote
  #24  
Old 01-29-2016, 01:39 AM
Dragonsys's Avatar
Dragonsys Dragonsys is offline
 
Join Date: Jan 2008
Location: DFW, Texas
Posts: 743
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Quote:
Originally Posted by okedisini View Post
step by step please
step by step of which part?
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 03:22 AM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.03969 seconds
  • Memory Usage 2,234KB
  • Queries Executed 18 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (1)bbcode_php
  • (2)bbcode_quote
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_article
  • (1)navbar
  • (4)navbar_link
  • (120)option
  • (1)pagenav
  • (1)pagenav_curpage
  • (2)pagenav_pagelink
  • (4)post_thanks_box
  • (2)post_thanks_box_bit
  • (4)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (1)post_thanks_postbit
  • (4)post_thanks_postbit_info
  • (3)postbit
  • (4)postbit_onlinestatus
  • (4)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • fetch_musername
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • post_thanks_function_fetch_thanks_bit_start
  • post_thanks_function_show_thanks_date_start
  • post_thanks_function_show_thanks_date_end
  • post_thanks_function_fetch_thanks_bit_end
  • post_thanks_function_fetch_post_thanks_template_start
  • post_thanks_function_fetch_post_thanks_template_end
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • pagenav_page
  • pagenav_complete
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete