It just came to my mind to make something to secure the ACP of my vBulletin. I'd like to share it with you guys too!
Basically what it does is just allow the IP's you provide to access the ACP. You can add as many IP's you need(For your staff)
Step 1) Create a file named .htaccess
Step2)
Add this in the file..
Code:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName ?Access Control?
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from YOUR HOME IP
# whitelist work IP address
allow from YOUR OFFICE IP
allow from YOUR OFFICE IP 2
Just replace the IP with YOUR HOME IP. Like wise you can add more
This is a good idea, but it's not for me or for those who often access their ACP from computers other than their own.
I had this implemented but I finally figured that the nuisance of not being able to access your ACP from anything but your own computer outweigh the extra protection this provides.
I wouldn't use this... There are easier ways to protect the admincp directory. I've known people to block their own IP's doing it this way.
1. Rename it, and change the variable in the config.php file. 2. Add user and password protection. 3. Add redirect if admincp is accessed directly (requires FTP to change - not recommended for users that access their admincp often.
That's fake security, and it's something you shouldn't rely on. A browser can easily fake a referer and thus it just becomes more of a nuisance. It can be faked so easily that if a hacker can get through whatever is next, said hacker will have no problem getting past this particular hurdle.
It'd be better to do it the other way around, if accessed through the main page (through a link that you should remove) show the 404 not found error page. Go with the Auth as shown above but add all known ranges for your provider if you have a changing IP, you'll still block a whole lot more and if it doesn't match, show the 404 error.
The 404 leads someone just probing to believe there's nothing there and thus move on.
If you really don't want to use the IP you can force an htaccess pop up on all sub-directories that don't exist, and then manually add an identical screen for the acp directory. Of course you don't want any broken referers on your site then since users would get a popup.
But in all seriousness, the regular vBulletin login with a user specific login, an htaccess with a singular login (and another username and password) and changing the directory to something with uppercase/lowercase/numbers/special characters will increase security to such a point where if they get passed it you really should be wondering if the server got compromised.
Most of this *should* make sense, but since I wrote it as I was thinking it it might be a bit messy
08-07-2008, 10:00 PM
08-08-2008, 06:50 PM
