Ravens PHP Scripts: Forums
Forum: Security - PHP Nuke
jakec (Site Admin) - Joined: Feb 06, 2006, Posts: 3048, Location: United Kingdom
Posted: Sat Oct 13, 2007 2:14 am

I see the latest version of Joomla (1.0.13) includes improved password storage using a random salt.
Raven (Site Admin/Owner) - Joined: Aug 27, 2002, Posts: 17077
Posted: Sat Oct 13, 2007 4:46 am

It's too late to try to push anything like this for v2.0. We can add a Mantis issue for future consideration. Dictionary attacks and the other methods that are used w/o a super computer are easily foiled by using a smart password. Anything over 6 long that is not a common word is very safe.
utssace (Worker) - Joined: Feb 18, 2006, Posts: 155, Location: Virginia
Posted: Sat Oct 13, 2007 8:07 am

PHrEEkie wrote:
If you read up on some topics over at Waraxe, you'll see that all Nuke passwords are straight md5 hashes, and that they (the hacking community) have a few different software solutions for cracking md5 hashes. Using injection to add an entry to the authors tables is just one way to gain access. The other is to hijack an admin cookie (which contains the information about the hashed password), then use their brute force software to crack the hash. Then they simply login with your username and pass.

If you educate yourself on the available server-side security options, you can create additional layers that a hacker would need to get through, even if he had a nuke admin login/pass. There is no such thing as 100% authorization until we can do a fingerprint or retina scan over the internet ;) Therefore, all you can do is make it an extreme hassle and waste of time for a hacker to get in.

Understand this... a VAST majority of all Nuke sites just contain content. Most hackers only want to tag your site with their banner or whatever. The TRUE motivated hacker seeks personal information like credit card numbers or what have you... these hackers will spend the time to try and breach additional layers, because there is a real potential monetary goal involved. Hackers who just want to hang graffiti on your site will NOT spend the days or weeks getting through extra layers, and will move on to an easier site. So, the moral to the story is, the use of an extra layer or two tends to discourage about 99% of any attacks, and that's a good number to have in your corner.

PHrEEk


You talk about "server-side security options". Since I, like most people, use hosting and have to rely on the host to be sure the server is secure, what can I read on "site-side" security measures? I have read some about using HTACCESS to further password directories. Is it effective enough to just HTACCESS the root of the site, or does NukeSentinel take care of that? My site is in a subfolder, so my root is still exposed. And what are some other options than htaccess?
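Added example, not code from this thread, from PHP-Nuke or from Joomla: a short Python script that shows why the random salt jakec mentions matters, given the md5-cracking workflow described in the post utssace quotes above. An unsalted md5 of a common password can be recovered by a single lookup in a precomputed table, while a per-user random salt makes every stored hash unique, so a table built in advance is useless against it. The password list, the tiny stand-in "precomputed table", and the choice of PBKDF2-HMAC-SHA256 as the salted scheme are all my own constructions for the demo; the legacy md5 path is kept only to show the failure mode.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed stand-in for the large precomputed md5 tables cracking tools use:
# a handful of weak passwords mapped from their md5 digest back to the plaintext.
COMMON_PASSWORDS = ["password", "letmein", "admin123", "helloimadmin"]
MD5_TABLE = {hashlib.md5(p.encode()).hexdigest(): p for p in COMMON_PASSWORDS}

# Work factor for the salted scheme (assumed value, chosen for the demo).
PBKDF2_ITERATIONS = 100_000


def unsalted_md5(password: str) -> str:
    """Legacy storage: md5(password) with no salt. Identical passwords give
    identical digests, so one precomputed table covers every user and site."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_unsalted(digest: str) -> Optional[str]:
    """Recover a password from an unsalted md5 by table lookup, if it is in the table."""
    return MD5_TABLE.get(digest)


def store_salted(password: str) -> Tuple[str, str]:
    """Salted storage: a fresh 16-byte random salt per password, stretched with
    PBKDF2-HMAC-SHA256. Returns (salt_hex, digest_hex) for the database row."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex(), digest.hex()


def verify_salted(password: str, salt_hex: str, digest_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(salt_hex)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_same_hash(password: str) -> Tuple[bool, bool]:
    """Returns (unsalted digests collide, salted digests collide) for two users
    who picked the same password."""
    unsalted_collide = unsalted_md5(password) == unsalted_md5(password)
    _, d1 = store_salted(password)
    _, d2 = store_salted(password)
    return unsalted_collide, d1 == d2


if __name__ == "__main__":
    weak = "letmein"
    print("unsalted md5:", unsalted_md5(weak), "->", lookup_unsalted(unsalted_md5(weak)))
    salt, digest = store_salted(weak)
    print("salted row:  ", salt, digest)
    print("verify ok:   ", verify_salted(weak, salt, digest))
    print("two users, same password collide (unsalted, salted):", same_password_same_hash(weak))
```

Run it and the unsalted line comes back with the plaintext from the table, while the salted row differs on every run and can only be checked by recomputing with its own salt. The point for a stolen admin cookie that carries the hash is the same: with a salt, the attacker gets one hash to attack from scratch instead of a value that may already sit in a public table.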
PHrEEkie (Subject Matter Expert) - Joined: Feb 23, 2004, Posts: 358
Posted: Sat Oct 13, 2007 2:59 pm

Well, if your site is in a subfolder, then .htaccess'in your root will in effect also cause a login popup for the subfolder. I'm guessing that wouldn't work too well for you. htaccess doesn't only protect folders and subfolders, it also can protect individual files. If you try to load Nuke Admin and get a popup asking for authorization, you are good, and have that extra layer already established. If it doesn't, then you can use .htaccess file limiting to accomplish that. At a minimum, here's what should happen:

1. You load Nuke admin.
2. You are prompted for a login/password from a popup (server-side).
3. You log in.
4. You are presented with the Nuke Admin login page (and captcha if enabled).
5. You log in.
6. You are presented with the Nuke Admin area.

All login names and passwords should be DIFFERENT and passwords should be ROBUST as well! Example passwords:

Bad:
helloimadmin
78goadmin
spiders9letmein

Good:
&gH77_@!!zZz
teLLus-592&_fG

Robust passwords:
A: Do not contain logical dictionary words
B: Alternate upper and lower-case alpha characters
C: Mix in numeric as well as special characters

I avoid using # or * in passwords, as some servers I've run into don't like these characters (it's rare, but exists).

IMPORTANT - Your web control panel and MySQL user should follow the SAME rules above, and again be different than your Nuke logins. Many people use their web panel login as their MySQL user/pass, and so a few years back a hack existed which allowed a config.php to be viewed as a text file, which revealed the MySQL user/pass. If that was the same as your web control panel, the hacker now had access to your entire domain! Keep all logins and passwords separate.

PHrEEk
PHP - Breaking your legacy scripts one build at a time.
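As an added example, not something PHrEEkie posted and not a file PHP-Nuke ships, here is an .htaccess fragment that produces the server-side popup of steps 1 and 2 in front of admin.php only, so a site living in a subfolder keeps its public pages open while the admin script gets the extra layer. The directory, the password-file path and the user name are placeholders.

```apache
# Placed in the directory that holds admin.php (for a subfolder install, that
# subfolder). Only admin.php is covered; index.php and the rest stay public.
<Files "admin.php">
    AuthType Basic
    AuthName "Admin area (server-side layer)"
    # Keep the password file outside the web root; placeholder path.
    AuthUserFile /home/example/private/.htpasswd
    Require valid-user
</Files>
```

Create the password file with Apache's own tool, using a user name and password that differ from the Nuke admin account as the post insists: `htpasswd -c /home/example/private/.htpasswd separate-admin-name` (`-c` creates the file; omit it when adding further users). Then load admin.php in a fresh browser session: the browser's own authentication prompt must appear before the Nuke Admin login page. If it does not, AllowOverride on the host does not permit AuthConfig in .htaccess and the host has to enable it.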
utssace
Posted: Sun Oct 14, 2007 7:18 am

You taught me some good stuff here PHrEEkie.

I didn't know that special characters can be used in passwords. Never tried it. I guess I thought that if usernames in Nuke Admin don't allow them then passwords wouldn't either. Is there a maximum number of characters for a password?

As for the site control panel, my host set up my passwords according to what I wanted, but my panel password and phpMyAdmin user and pass are the same. I wish I could change my own passwords in my control panel for the main account. I will ask my host about this. This was the reason for my problem: my passwords were too old and very weak.
Raven
Posted: Sun Oct 14, 2007 10:01 am

Every host I know of allows users to change their own passwords. Are you sure you don't have a way in your control panel?
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours