Ravens PHP Scripts: Forums
 

 

ishadami
New Member


Joined: Aug 05, 2005
Posts: 5

Posted: Sun Aug 28, 2005 1:22 pm

Hi, I am new at Nuke, as can be understood from the topic :)
I am using 7,6 and 3,1 patch
sentinel 2,3,2
protector 1,5b2
floodgate 0,9 for security
and cnbya 4,4,2
coppermine 1,3,1a
I wonder whether there occurs any problem for security if I delete admin.php or redirect to mypage.php when I am not using it.
Thanks
 
ladysilver
Hangin' Around


Joined: May 03, 2004
Posts: 49
Location: Cyberspace

Posted: Sun Aug 28, 2005 2:23 pm

You have some options, such as renaming "admin.php" to something else. The problem with a redirect is that "admin.php" can sometimes still be pulled up. For instance, typing [link hidden] might redirect to index.php, but [link hidden] or [link hidden] may still reveal your admin file. I use 7.6 with added security and in the past have had no problem with just removing the admin file when I wasn't using it.
 
ishadami
Posted: Sun Aug 28, 2005 2:35 pm

Thanks.
And what about deleting? No problem, it seems, I know, but:
will Sentinel go on protecting? It's the real matter.
 
ladysilver
Posted: Sun Aug 28, 2005 2:41 pm

I've not run into any problem with Sentinel continuing to protect the site without admin.php. In fact, I use a dummy "admin.php" which redirects to a restricted page. I've had people try to run attacks on the restricted page without getting past Sentinel. Lol, of course, if they stayed on "admin.php" something would happen anyway... :)
 
VinDSL
Life Cycles Becoming CPU Cycles


Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com

Posted: Sun Aug 28, 2005 3:36 pm

ishadami wrote:
...and what about deleting ?

If you're gonna go this route, you might as well delete 'auth.php' too... ;)

_________________
.:: "The further in you go, the bigger it gets!" ::.
ladysilver
Posted: Sun Aug 28, 2005 6:56 pm

Ouch! Good point! I had forgotten about that. :)

I'd suggest:

1. Rename admin.php to something hard to guess. You will also have to go into the database and change the nuke_blocks Administration entry to whatever your admin file is named (otherwise every time you click on anything in the Administration block it will send you to "admin.php" since that filename is coded in the table).

2. If you're comfortable playing a bit with PHP, create a fake "admin.php" and protect it with redirects, etc... This will give the kiddies something to play with, since you're trying so hard to protect it, it *must* be the real admin file. :)

3. The default robots.txt that comes with PHP-Nuke discloses a bit too much. Instead of:

Code:


User-agent: Mediapartners-Google*
Disallow:
User-agent: *
Disallow: admin.php
Disallow: /admin/
Disallow: /images/
Disallow: /includes/
Disallow: /themes/
Disallow: /blocks/
Disallow: /modules/
Disallow: /language/


Try:
Code:


User-agent: Mediapartners-Google*
Disallow:
User-agent: *
Disallow: /a
Disallow: /ad/
Disallow: /im/
Disallow: /in/
Disallow: /bl/
Disallow: /mo/
Disallow: /la/


It will make it a bit harder for snoopers to determine your renamed admin.php while still allowing search engines to index your site.

4. If you suffer from NP (Nuke Paranoia) like me, you can also add some kind of additional tracking to your pages. I use a php-based tracking program that digs for info like IPs hiding behind proxies and such. I use it wherever I want to monitor who is accessing a page, sort of like a highlighter where I need to flag something quickly instead of searching log files.

Lol, welcome to the world of securing Nuke. :)
 
ishadami
Posted: Mon Aug 29, 2005 3:04 am

Thanks a lot.
Best regards.
I am deleting it. I think I am paranoiac, although I haven't been hacked;
I can't consider what measures I will take :) if I would be hacked.
 
64bitguy
The Mouse Is Extension Of Arm


Joined: Mar 06, 2004
Posts: 1159
Location: Sanbornton, NH USA

Posted: Mon Aug 29, 2005 12:35 pm

ladysilver wrote:
3. The default robots.txt that comes with PHP-Nuke discloses a bit too much. Instead of:

Code:


User-agent: Mediapartners-Google*
Disallow:
User-agent: *
Disallow: admin.php
Disallow: /admin/
Disallow: /images/
Disallow: /includes/
Disallow: /themes/
Disallow: /blocks/
Disallow: /modules/
Disallow: /language/


Try:
Code:


User-agent: Mediapartners-Google*
Disallow:
User-agent: *
Disallow: /a
Disallow: /ad/
Disallow: /im/
Disallow: /in/
Disallow: /bl/
Disallow: /mo/
Disallow: /la/


It will make it a bit harder for snoopers to determine your renamed admin.php while still allowing search engines to index your site.



I wouldn't do that for the primary reason that "articles" begins with the letter "a" and thus it's not a great idea. By doing this you are blocking any file or directory that begins with the letter a.

As for /ad/ and the other abbreviated directories, that coding methodology would simply keep robots out of those specific (improperly defined) directories and thus would do nothing as those directories do not exist in nuke.

While there is a fair amount of paranoia about protecting the administration files, the best thing you can do is enable a second level of authentication for access to those files such as NukeSentinel's CGI Authentication scheme. You can also locate those password files at a level above your public_html making them inaccessible to anyone via the web and thus securing those id/passwords AS WELL AS the files that they protect from the prying eyes of hackers and everyone else for that matter.

Doing this will protect your administrative functions, regardless of who the hacker is. If you can't get to the admin.php, it doesn't matter what that file is named, or how it is called.

You don't need to even have NukeSentinel to do this, you can do it all manually in your .htaccess file.

In this example, let's say you are on a shared host and they have a directory structure that looks like this:

/home/ = Default defined root of the server
/home/account-name/ = Default defined root of the customer
/home/account-name/public_html = Default defined location where you upload your nuke files, etc....

By having something like the below in your .htaccess file (which would be located in the directory /home/customer101/public_html/):
Code:
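<Files admin.php>
   # Prompt for a second ID/password before admin.php is served.
   AuthType Basic
   AuthName "Restricted - Authentication Required!"
   # Password file kept outside public_html so it cannot be fetched over the web.
   AuthUserFile /home/customer101/.htpasswords/.htpasswd
   # Not wrapped in <Limit GET POST PUT>: Require then applies to every HTTP method,
   # not only the ones listed.
   Require valid-user
</Files>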


You would be protecting your admin.php by having separate 'salt encrypted' ID(s) and password(s) located OUTSIDE of the publicly available webspace in the file .htpasswd in the directory /home/customer101/.htpasswords/

This would protect your admin.php file and any other files or directories that you want to restrict to authenticated only users.

The robots.txt is just a tool to keep the bots out of those files looking for data. It is okay to be specific about what you are removing from scanning because if you protect your administration files with authentication, it doesn't matter WHO knows what the names of those files are.

Just a heads-up.
Steph

_________________
Steph Benoit
1CMS, 100% Section 508 and W3C XHTML/CSS Compliant (Truly) 
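
64bitguy's two objections to the abbreviated robots.txt can be checked mechanically. The following is an added example, not part of any post in the thread; it assumes plain prefix matching of Disallow values, and `/article1.html` is a constructed stand-in for content whose name begins with "a".

```python
# Rules copied from the "Try:" robots.txt quoted in the thread.
ABBREVIATED = """\
User-agent: Mediapartners-Google*
Disallow:
User-agent: *
Disallow: /a
Disallow: /ad/
Disallow: /im/
Disallow: /in/
Disallow: /bl/
Disallow: /mo/
Disallow: /la/
"""

# Paths named in the default robots.txt, plus one constructed article URL.
PATHS = ["/admin.php", "/admin/", "/images/", "/includes/", "/themes/",
         "/blocks/", "/modules/", "/language/", "/article1.html"]


def disallows_for(robots_txt, agent="*"):
    """Collect the non-empty Disallow prefixes of the group for `agent`."""
    groups, current, in_rules = {}, [], False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() == "user-agent":
            if in_rules:  # a User-agent line after rules opens a new group
                current, in_rules = [], False
            groups[value] = current
        elif field.lower() == "disallow":
            in_rules = True
            if value:  # an empty Disallow blocks nothing
                current.append(value)
    return groups.get(agent, [])


def audit(robots_txt, paths):
    """Map each path to the first Disallow prefix that blocks it, or None."""
    prefixes = disallows_for(robots_txt)
    return {p: next((x for x in prefixes if p.startswith(x)), None) for p in paths}


if __name__ == "__main__":
    for path, rule in audit(ABBREVIATED, PATHS).items():
        print(f"{path:16} {'blocked by ' + rule if rule else 'crawlable'}")
```

Every hit comes from the single `/a` rule, which also catches the article URL; the two-letter directory rules match none of the listed directories.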
jaceman
New Member


Joined: Oct 02, 2005
Posts: 8

Posted: Sun Oct 02, 2005 11:28 am

ladysilver wrote:
1. Rename admin.php to something hard to guess. You will also have to go into the database and change the nuke_blocks Administration entry to whatever your admin file is named (otherwise every time you click on anything in the Administration block it will send you to "admin.php" since that filename is coded in the table).


Glad I stumbled upon this thread, because I'm a newbie who just installed my first PHP-Nuke system (7.8) and I believe that is exactly what is happening to me.

I renamed admin.php to "MYnewSECRETname.php" (obviously that's not the filename, but you get the idea) and changed config.php to point to "MYnewSECRETname" and I can log into my administration panel if I manually type in [link hidden] but any time I click on a module to modify it, they still point to "mydomain.com/admin.php?whatever...."

Apparently modifying config.php didn't do the trick fully -- what files do I need to modify to get that "security tweak" working?

Thanks in advance.
 
jaceman
Posted: Sun Oct 02, 2005 11:53 am

Turns out that I am a newbie, but not a COMPLETE dummy. I found that some links worked and some didn't (since I installed some modules directly following the 7.8 nuke, it occurred to me it was probably the addons I installed that weren't linked properly).

So I went into my /admin folder and changed the /case /links and /modules files for those modules, removing references to admin.php and pointing them to SECRETname.php, and all is good!

Cheers!
 
Guardian2003
Site Admin


Joined: Aug 28, 2003
Posts: 6793
Location: Ha Noi, Viet Nam

Posted: Sun Oct 02, 2005 7:48 pm

So if you view the source code of those pages it doesn't reveal the link to your renamed admin file?
 
jaceman
Posted: Sun Oct 02, 2005 8:44 pm

It didn't... but it did after I was finished making my repairs.
 
All times are GMT - 6 Hours
 