Ravens PHP Scripts: Forums
 

 

aespinal
Hangin' Around


Joined: Nov 12, 2006
Posts: 41

Posted: Tue Nov 14, 2006 3:55 pm

I installed sentinel, last version.
I did everything by the book, but when I upload .htaccess with the correct information, it stops me from getting to admin, asking username and password...

Any help will be appreciated.
 
hitwalker
Sells PC To Pay For Divorce


Joined:
Posts: 5661

Posted: Tue Nov 14, 2006 5:32 pm

Well then, you missed a lot.....
First you have to set your admin in the Sentinel configuration page...
 
aespinal
Posted: Tue Nov 14, 2006 5:58 pm

OK, I managed to make it work, but every time I click an admin option I am forced to input the password... What do I have to change in the settings to avoid that?
 
montego
Site Admin


Joined: Aug 29, 2004
Posts: 9449
Location: Arizona

Posted: Wed Nov 15, 2006 11:12 am

That does not make sense. Make sure browser is allowing cookies.

aespinal
Posted: Wed Nov 15, 2006 12:14 pm

Browser allowing cookies is set.
I cannot access the admin if .htaccess is there...
It asks for a password that I don't know...
I could only access admin when I changed the name of .htaccess.
Please help!
 
montego
Posted: Wed Nov 15, 2006 12:31 pm

Quote:

It asks for a password that I don't know...

That is the key right there. Sure wish the NukeSentinel(tm) manual was up-to-date with good setup instructions... the RavenNuke 2.02.02 distro actually has an excellent HowToInstall manual and a good page on this.

Unfortunately, I am having to get to work and will not be back on-line for another 16 hours or so.

Someone else is going to have to walk you through the whole HTTPAuth/CGIAuth setup process.... sorry.
 
hitwalker
Posted: Wed Nov 15, 2006 1:36 pm

this should cover it.....

Make sure that you have completed the Base RavenNuke76(tm) Configuration and the Forum Configuration before you configure NukeSentinel(tm). The Forum configuration can be reached by going into the administration screen, clicking on "modules administration" then selecting "Forums" and then selecting "Configuration" under the general administration section. You need to set a domain name (do not prefix domain name with [link hidden by the board]) as well as a cookie domain (generally the same as your domain name) and do other settings such as timezone etc. After completing the Forum configuration and saving the changes, you may want to set the general preferences for your site under Administration Menu / Preferences. These settings can always be adjusted later but having them correct at the outset will help to prevent initial problems.

Track all IP's
Sentinel will carry out the following Email Admin, Block, and redirect to Default Page upon the following attacks; Union, Admin, Author, CLike, and Filter, exploit attempts.
Script blocker setting is preset to Email Admin only, as NukeSentinel(tm) is very aggressive in keyword matching and there are many false positives, so we leave this up to the Admin to decide.
You will want to review all blocker settings to suit your personal preferences.
You can't yet use the write to .htaccess setting but you soon will.
If you click on Admin Auth List, you should see the NukeSentinel(tm) ADMIN record that you added during Configuration.

Next, go to Blocker Configuration and review the settings for all the Blockers. Most have been preset but you should still review them all.
Save these settings for each blocker type that you modify.

Now, you should be able to SAFELY activate the Admin Access Protection part of NukeSentinel(tm).
Go back to the NukeSentinel(tm) Administration main panel.
In the Administrative Settings section you should see a drop down box beside Admin Auth:. Hopefully you will see "Off", "Admin HTTPAuth", and "Admin CGIAuth".
It's okay if "Admin CGIAuth" is NOT there.
Simply click "Admin HTTPAuth" and save the settings.
If all is working for you, you will now be prompted with the standard Browser HTTP Authentication Pop Up.
Type in your NS id/pass and it should then let you in. Assuming it does, Close all browser sessions that you might have open so we can REALLY test this.
Open up a new, single browser session and type [link hidden by the board] or [link hidden by the board] and select GO or press enter.
You should see your nuke site with the Welcome message. Next, type [link hidden by the board] or [link hidden by the board] and select GO or press enter.
You should be prompted with the HTTP Authorization screen.
Enter your NS id/pass and submit it.
Assuming it works, you should now see the regular nuke Admin login screen.
Enter your nuke admin id/pass and submit it.
You should now see your nuke ACP.

If you do not have HTTP Auth and/or .htaccess, do not panic.
Read on and hopefully it can all be explained.

There are 2 basic ways that PHP can be integrated into Apache. One is as an Apache module and the other is as a CGI program. If your host is running PHP as an Apache module, then you have the capability of using HTTP Authentication as a function of the browser and you do not even need .htaccess/.staccess. If, however, your host is running PHP as a CGI program, then we have to use the same HTTP Authentication but with a .htaccess and .staccess (a password file). As an Apache module you have more flexibility than as a CGI. There are pros and cons to each but I will only address the impact as it relates to NukeSentinel(tm). The reason we introduced this scheme is to protect your admin.php file from being so easily cracked. It provides an extra layer of security to gain access to the standard phpnuke Admin Control Panel (ACP). There are other safeguards built into NukeSentinel(tm) that protect admin.php, but this is a very nice and secure caveat.

Should you find yourself in the smaller group of users that require CGI Auth (as we call it), the following procedure will need to be done to use and activate CGI Auth (HTTP Authentication using .htaccess and .staccess).

* Change your permissions on both .htaccess and .staccess to 777
* Place the paths to .htaccess and .staccess in the NukeSentinel(tm) Admin Control Panel
* Select CGI Auth Access from the drop down box
* From the NukeSentinel Admin Control Panel, select Scan For New Admins
* Now select Admin Auth List and make sure that all admins have been assigned passwords
* Now, you should see a link that says Build CGIAuth file: -- Click it. That will build your .staccess id:pass file.
* Now back in the main NS ACP, in the .staccess box, you will see a link that says CGI Auth Setup -- click it. It should produce a new window with the following information:
Save this in .htaccess :

# -------------------------------------------
# Start of NukeSentinel(tm) admin.php Auth
# -------------------------------------------
<Files .staccess>
deny from all
</Files>

<Files admin.php>

<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted by NukeSentinel(tm)"
AuthType Basic
AuthUserFile /home/USERNAME/public_html/.staccess
</Files>
# -------------------------------------------
# End of NukeSentinel(tm) admin.php Auth
# -------------------------------------------



USERNAME will be your username and the path may be different

* Copy and paste that into your .htaccess file

That is the procedure. It sounds more complicated than what it is and I took the long way around hoping you'd understand it more clearly.
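
As an added example, not part of the original post or of NukeSentinel itself: a small Python check for the CGIAuth block above. It flags an `AuthUserFile` that is missing or has no id:pass entries (the browser prompts, but no login can succeed), a password file left world-writable after the 777 step, and a `require` placed inside `<Limit>`, which Apache applies only to the listed methods. The function name `audit_htaccess`, the finding codes and the temporary `.staccess` file are assumptions made for the illustration.

```python
import os
import re
import tempfile

# The CGIAuth block from the post; {path} is filled with the AuthUserFile path.
PAGE_BLOCK = """<Files .staccess>
deny from all
</Files>
<Files admin.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted by NukeSentinel(tm)"
AuthType Basic
AuthUserFile {path}
</Files>
"""

def audit_htaccess(text):
    """Return sorted finding codes for one .htaccess body (hypothetical helper)."""
    findings, stack, userfile = set(), [], None
    for line in (raw.strip() for raw in text.splitlines()):
        tag = re.match(r"<(/?)(\w+)", line)
        if tag:  # track which <Files>/<Limit> sections are open
            stack = stack[:-1] if tag.group(1) else stack + [tag.group(2).lower()]
            continue
        parts = line.split(None, 1) or [""]
        word = parts[0].lower()
        if word == "require" and "limit" in stack:
            findings.add("require-inside-limit")  # only the listed methods are covered
        elif word == "authuserfile" and len(parts) == 2:
            userfile = parts[1].strip('"')
    if userfile:
        try:
            with open(userfile) as fh:
                if not any(":" in row for row in fh):
                    findings.add("password-file-empty")  # prompt, but no login can succeed
            if os.stat(userfile).st_mode & 0o002:
                findings.add("password-file-world-writable")
        except OSError:
            findings.add("password-file-missing")
    return sorted(findings)

def demo():
    """Audit the block against a constructed, empty, mode-777 .staccess."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".staccess")
        open(path, "w").close()
        os.chmod(path, 0o777)
        return audit_htaccess(PAGE_BLOCK.format(path=path))
```

`demo()` reports all three findings for an empty, mode-777 password file; once the file holds id:pass entries and is no longer world-writable, only `require-inside-limit` remains.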
 
montego
Posted: Thu Nov 16, 2006 5:33 am

Thanks hitwalker!
 
aespinal
Posted: Thu Nov 16, 2006 10:25 am

I greatly appreciate this wonderful explanation.
My problem continues with the .htaccess file: when it is there, the system stops me, so I assume it is related to the lines "require valid-user" in

<Files admin.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted by NukeSentinel(tm)"
AuthType Basic
AuthUserFile /home/USERNAME/public_html/.staccess
</Files>

If the function of those lines is to request a second time to validate the admin, I think I don't need it... Without that request, the .htaccess would go...
 
montego
Posted: Fri Nov 17, 2006 5:58 am

In the NukeSentinel administration setup, what method of "Admin Auth" did you choose?

What happens if you comment out those lines? Do you still get your first pop-up when you asked for admin.php? If so, then you are using HTTPAuth, which is fine, and you do not need those lines.
 
aespinal
Posted: Fri Nov 17, 2006 9:21 am

With the following .htaccess lines and HTTPAuth, everything works fine

<Files .staccess>
deny from all
</Files>

Am I protected?
 
kguske
Site Admin


Joined: Jun 04, 2004
Posts: 6383

Posted: Fri Nov 17, 2006 10:43 am

If you have a separate HTTP authentication login before logging into your admin page, and different user ids and different, difficult-to-guess passwords for both, you should be protected.

_________________
I google, therefore I exist...
montego
Posted: Sat Nov 18, 2006 7:19 am

And with HTTPAuth, you also do not need to have the .staccess file, and you can also remove the statements from your .htaccess:

<Files .staccess>
deny from all
</Files>

If after you do this, you still get the pop-up for your first access within a new browser window to admin.php, you are protected (but kguske's comments should also be taken into consideration - these should just be standard things we do these days with our logins).
 
aespinal
Posted: Sat Nov 18, 2006 8:50 am

Thanks, friends for all your help.
I have a last request:
I know how to change the admin.php file and indicate it in config.php; when I do that, it works OK, but when I log out, the system still looks for admin.php.
Is there another file that I need to change?
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6792
Location: Ha Noi, Viet Nam

Posted: Sat Nov 18, 2006 9:14 am

Leave that at its default setting. It doesn't offer any benefits to change the location of the admin file and can even cause things to stop working, especially any modules you might add.
 
All times are GMT - 6 Hours
 