  #1  
Old 03-29-2007, 10:19 AM
Greek76
Join Date: Aug 2006
Location: Planet Earth
Posts: 440
htpassword admincp

Ok, I'm attempting to create a .htpassword file to protect my admin cp. So I read some of those sites on .htpassword. Reason being, I've had some trolls and some very shady IP addresses viewing my forum, so I want to protect my forum. My question is: when I create the file, how would I go about actually protecting the admin panel? Would it be like this code below? Is my admin panel all I need to protect?


Quote:
AuthName "Admin file"
AuthType Basic
AuthUserFile /home/bla bla/public_html/forum/Admin panel/.htpasswd
Require valid-user=username
Require valid-password=password
Is that correct?

Then upload file to the admin directory?

Thanks
  #2  
Old 03-29-2007, 01:19 PM
nexialys
Guest
 
Posts: n/a

there is no absolute reason why you would have to htpassword your admincp... trolls or not, if they don't have an admin account, they can't hit farther than the login page in the admincp...
  #3  
Old 03-29-2007, 05:35 PM
Greek76
Join Date: Aug 2006
Location: Planet Earth
Posts: 440

So what do you recommend? I've read plenty of posts of people creating htpassword files and uploading them to their forum to password protect files.
  #4  
Old 03-30-2007, 06:29 AM
TECK
Join Date: Nov 2001
Location: Canada
Posts: 4,182

Quote:
Originally Posted by nexialys View Post
there is no absolute reason why you would have to htpassword your admincp... trolls or not, if they don't have an admin account, they can't hit farther than the login page in the admincp...
Are you sure? vBulletin.com does not think the same way:
http://www.vbulletin.com/forum/admincp/

It's extremely important to protect your /admincp with htpasswd.
DO NOT use an online tool generator (security warning) and update through FTP, just telnet into your server and run the commands there.

Run this:
(pwd will show you the /full/path/to/your/protected/folder path)

su -
cd /your/protected/folder
pwd
pico .htaccess


In pico, paste this:
Code:
AuthUserFile /full/path/to/your/protected/folder/.htpasswd
AuthName restricted
AuthType Basic
# Applies to every request method; wrapping this in <Limit GET> would leave POST unauthenticated
require valid-user
Now, hit CTRL+O (letter) on your keyboard, which executes the Write command.
You will be prompted with the file name .htaccess at the bottom of your screen. Confirm the file is named correctly, and hit enter to save your file. You may now exit pico by hitting CTRL+X.

To create a .htpasswd file and insert its first user, run this:
cd /your/protected/folder
htpasswd -c .htpasswd johnsmith


You will be prompted to put in a password for johnsmith and then to confirm it.
If you want to add another user, just run this:
htpasswd .htpasswd newuser

Pretty easy, ehh? I hope you don't run Apache with php-fcgi, because that's another story...
Reply With Quote
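A small audit of the directives discussed in this thread, added here as an example and not part of any post: it flags the `Require` syntax and unquoted path from the first post's draft, and a `require` scoped by `<Limit GET>`, which Apache enforces only for the listed methods. The function name `audit_htaccess` and the sample strings are constructed for illustration, and the check recognises only the `valid-user`, `user` and `group` forms of `Require`.

```python
import re
# Constructed inputs: ATTEMPT mirrors the first post's draft, LIMITED a <Limit GET> wrapper.
ATTEMPT = '''AuthName "Admin file"
AuthType Basic
AuthUserFile /home/bla bla/public_html/forum/Admin panel/.htpasswd
Require valid-user=username
Require valid-password=password
'''
LIMITED = '''AuthUserFile /full/path/to/your/protected/folder/.htpasswd
AuthName restricted
AuthType Basic
<Limit GET>
    require valid-user
</Limit>
'''
REQUIRED = ("authtype", "authname", "authuserfile", "require")

def audit_htaccess(text):
    """Return (line_number, message) findings for a Basic-auth .htaccess."""
    findings, seen, limit = [], set(), None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Limit\s+([^>]+)>", line, re.I)
        if opened:                      # entering a method-scoped section
            limit = opened.group(1).upper()
            continue
        if line.lower().startswith("</limit"):
            limit = None
            continue
        name, _, arg = line.replace("\t", " ").partition(" ")
        name, arg = name.lower(), arg.strip()
        seen.add(name)
        if name == "require":
            if limit:                   # auth enforced for the listed methods only
                findings.append((n, f"Require applies only to {limit}; "
                                    "other methods such as POST are not authenticated"))
            if not re.fullmatch(r"valid-user|(user|group)\s+\S.*", arg, re.I):
                findings.append((n, f"unrecognised Require argument: {arg!r}"))
        elif name == "authuserfile" and " " in arg and not arg.startswith('"'):
            findings.append((n, "AuthUserFile path has unquoted spaces"))
    findings += [(0, f"missing directive: {d}") for d in REQUIRED if d not in seen]
    return findings

if __name__ == "__main__":
    for label, sample in (("attempt", ATTEMPT), ("limited", LIMITED)):
        for n, msg in audit_htaccess(sample):
            print(f"{label}:{n}: {msg}")
```

A file with the four directives at top level and a plain `Require valid-user` returns no findings.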
  #5  
Old 03-30-2007, 06:56 AM
Marco van Herwaarden
Join Date: Jul 2004
Posts: 25,415

Quote:
Originally Posted by nexialys View Post
there is no absolute reason why you would have to htpassword your admincp... trolls or not, if they don't have an admin account, they can't hit farther than the login page in the admincp...
And what if there is a new vulnerability found (vB or a modification) that makes the ACP vulnerable?
  #6  
Old 03-30-2007, 07:07 AM
TECK
Join Date: Nov 2001
Location: Canada
Posts: 4,182

Thanks Marco.
  #7  
Old 04-02-2007, 02:15 AM
Cap'n Steve
Join Date: Feb 2004
Location: Kalamazoo, MI, USA
Posts: 745

They're just assuming that you'll use bad passwords. I guess it's better to be safe than sorry, though.
  #8  
Old 04-03-2007, 09:16 AM
Greek76
Join Date: Aug 2006
Location: Planet Earth
Posts: 440

Thanks for the posts guys!

Quote:
Originally Posted by TECK View Post
Pretty easy, ehh? I hope you don't run Apache with php-fcgi, because that's another story...

I don't know. I have my site hosted at HostGator. I have to check to see exactly what server they are using.
  #9  
Old 04-03-2007, 05:04 PM
subzero06
Join Date: Dec 2006
Posts: 92

I think you can do this in your host cpanel called
"Protected Password Directory"
and you just select the admincp folder directory.
  #10  
Old 04-04-2007, 03:13 AM
TECK
Join Date: Nov 2001
Location: Canada
Posts: 4,182

What if you don't want to use software like cPanel?
This is the worst software you can put on your server... they compile PHP into their RPM so you are forced to use their version. Not to mention the bulky code and the 1500$ price tag. Crazy.
All times are GMT. The time now is 09:43 AM.

