| Author |
Message |
ishadami
New Member
Joined: Aug 05, 2005
Posts: 5
|
 Posted:
Sun Aug 28, 2005 1:22 pm |
|
hi i am new at nuke as can be understood from topic 
i am using 7,6 and 3,1 patch
sentinel 2,3,2
protector 1,5b2
floodgate 0,9 for security
and cnbya 4,4,2
coppermine 1,3,1a
i wonder whether there occurs any problem for security if i delete admin.php or redirect to mypage.php when i am not using
thanks |
| |
|
 
|
|
ladysilver
Hangin' Around
Joined: May 03, 2004
Posts: 49
Location: Cyberspace
|
| Posted:
Sun Aug 28, 2005 2:23 pm |
|
You have some options, such as renaming "admin.php" something else. The problem with redirect is that "admin.php" can sometimes still be pulled up. For instances, typing [ Only registered users can see links on this board! Get registered or login! ] might redirect to index.php, but [ Only registered users can see links on this board! Get registered or login! ] or [ Only registered users can see links on this board! Get registered or login! ] may still reveal your admin file. I use 7.6 with added security and in the past have had no problem with just removing the admin file when I wasn't using it. |
| |
|
 |
|
ishadami
|
| Posted:
Sun Aug 28, 2005 2:35 pm |
|
thanks
and what about deleting ? no problem seems i know but ;
will sentinel go on protecting ? its the real matter |
| |
|
|
|
|
ladysilver
|
| Posted:
Sun Aug 28, 2005 2:41 pm |
|
I've not run into any problem with Sentinel continuing to protect the site without admin.php. In fact, I use a dummy "admin.php" which redirects to a restricted page. I've had people try to run attacks on the restricted page without getting past Sentinel. Lol, of course, if they stayed on "admin.php" something would happen anyway... |
| |
|
|
|
|
VinDSL
Life Cycles Becoming CPU Cycles
Joined: Jul 11, 2004
Posts: 614
Location: Arizona (USA) Admin: NukeCops.com Admin: Disipal Designs Admin: Lenon.com
|
| Posted:
Sun Aug 28, 2005 3:36 pm |
|
| ishadami wrote: | | ...and what about deleting ? |
If you're gonna go this route, you might as well delete 'auth.php' too...  |
_________________
.:: "The further in you go, the bigger it gets!" ::.
.:: VinDSL's Lenon.com | The Disipal Site ::. |
|
|
|
|
ladysilver
|
| Posted:
Sun Aug 28, 2005 6:56 pm |
|
Ouch! Good point! I had forgotten about that.
I'd suggest:
1. Rename admin.php to something hard to guess. You will also have to go into the database and change the nuke_blocks Administration entry to whatever your admin file is named (otherwise everytime you click on anything in the Administration block it will send you to "admin.php" since that filename is coded in the table).
2. If you're comfortable playing a bit with php, create a fake "admin.php" and protect it with redirects, ect... This will give the kiddies something to play with since you're trying so hard to protect it it *must* be the real admin file.
3. The default robots.txt that comes with PHP-Nuke discloses a bit too much. Instead of:
Code:
User-agent: Mediapartners-Google*
Disallow:
User-agent: *
Disallow: admin.php
Disallow: /admin/
Disallow: /images/
Disallow: /includes/
Disallow: /themes/
Disallow: /blocks/
Disallow: /modules/
Disallow: /language/
|
Try:
Code:
User-agent: Mediapartners-Google*
Disallow:
User-agent: *
Disallow: /a
Disallow: /ad/
Disallow: /im/
Disallow: /in/
Disallow: /bl/
Disallow: /mo/
Disallow: /la/
|
It will make it a bit harder for snoopers to determine your renamed admin.php while still allowing search engines to index your site.
4. If you suffer from NP (Nuke Paranoia) like me, you can also add some kind of additional tracking to your pages. I use a php-based tracking program that digs for info like IPs hiding behind proxies and such. I use it wherever I want to monitor who is accessing a page, sort of like a highlighter where I need to flag something quickly instead of searching log files.
Lol, welcome to the world of securiing Nuke. |
| |
|
|
|
|
ishadami
|
| Posted:
Mon Aug 29, 2005 3:04 am |
|
thanks a lot
best regards
i am deleting it , i think i am paranoiac although i havent been hacked ;
i cant consider what measusers i will take if i would be hacked |
| |
|
|
|
|
64bitguy
The Mouse Is Extension Of Arm
Joined: Mar 06, 2004
Posts: 1164
|
| Posted:
Mon Aug 29, 2005 12:35 pm |
|
| ladysilver wrote: | 3. The default robots.txt that comes with PHP-Nuke discloses a bit too much. Instead of:
Code:
User-agent: Mediapartners-Google*
Disallow:
User-agent: *
Disallow: admin.php
Disallow: /admin/
Disallow: /images/
Disallow: /includes/
Disallow: /themes/
Disallow: /blocks/
Disallow: /modules/
Disallow: /language/
|
Try:
Code:
User-agent: Mediapartners-Google*
Disallow:
User-agent: *
Disallow: /a
Disallow: /ad/
Disallow: /im/
Disallow: /in/
Disallow: /bl/
Disallow: /mo/
Disallow: /la/
|
It will make it a bit harder for snoopers to determine your renamed admin.php while still allowing search engines to index your site.
|
I wouldn't do that for the primary reason that "articles" begins with the letter "a" and thus it's not a great idea. By doing this you are blocking any file or directory that begins with the letter a.
As for /ad/ and the other abbreviated directories, that coding methodology would simply keep robots out of those specific (improperly defined) directories and thus would do nothing as those directories do not exist in nuke.
While there is a fair amount of paranoia about protecting the administration files, the best thing you can do is enable a second level of authentication for access to those files such as NukeSentinel's CGI Authentication scheme. You can also locate those password files at a level above your public_html making them inaccessible to anyone via the web and thus securing those id/passwords AS WELL AS the files that they protect from the prying eyes of hackers and everyone else for that matter.
Doing this will protect your administrative functions, regardless of who the hacker is. If you can't get to the admin.php, it doesn't matter what that file is named, or how it is called.
You don't need to even have NukeSentinel to do this, you can do it all manually in your .htaccess file.
In this example, lets say you are on a shared host and they have a directory structure that looks like this:
/home/ = Default defined root of the server
/home/account-name/ = Default defined root of the customer
/home/account-name/public_html = Default defined location where you upload your nuke files, etc....
By having something like the below in your .htaccess file (which would be located in the directory /home/customer101/public_html/):
Code:<Files admin.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted - Authentication Required!"
AuthType Basic
AuthUserFile /home/customer101/.htpasswords/.htpasswd
</Files>
|
You would be protecting your admin.php by having seperate 'salt encrypted' ID(s) and password(s) located OUTSIDE of the publicly available webspace in the file .htpasswd in the directory /home/customer101/.htpasswords/
This would protect your admin.php file and any other files or directories that you want to restrict to authenticated only users.
The robots.txt is just a tool to keep the bots out of those files looking for data. It is okay to be specific about what you are removing from scanning because if you protect your administration files with authentication, it doens't matter WHO knows what the names of those files are.
Just a heads-up.
Steph |
_________________
Steph Benoit
100% Section 508 and W3C HTML5 and CSS Compliant (Truly) Code, because I love compliance. |
|
|
|
|
jaceman
New Member
Joined: Oct 02, 2005
Posts: 8
|
| Posted:
Sun Oct 02, 2005 11:28 am |
|
| ladysilver wrote: | | 1. Rename admin.php to something hard to guess. You will also have to go into the database and change the nuke_blocks Administration entry to whatever your admin file is named (otherwise everytime you click on anything in the Administration block it will send you to "admin.php" since that filename is coded in the table). |
Glad I stumbeld upon this thread, because I'm a newbie who just installed my first PHP-Nuke system (7. and I believe that is exactly what is happening to me.
I renamed admin.php to "MYnewSECRETname.php" (obviously that's not the filename, but you get the idea) and changed config.php to point to 'MYnewSECRETname" and I can log into my administration panel if I manually type in [ Only registered users can see links on this board! Get registered or login! ] but any time I click on a module to modify it; they still point to "mydomain.com/admin.php?whatever...."
Apparently modifying config.php didn't do the trick fully -- what files do I need to modify to get that "security tweak" working?
Thanks in advance. |
| |
|
|
|
jaceman
|
| Posted:
Sun Oct 02, 2005 11:53 am |
|
Turns out the I am a newbie, but not a COMPLETE dummy. I found that some links worked and some didn't (since I installed some modules directly following the 7.8 nuke it occurred to me it was probably the addons I installed that weren't linked properly.
So I went into my /admin folder and changed the /case /links and /modules files for those modules remving references to admin.php and pointing them to SECRETname.php and all is good!
Cheers! |
| |
|
|
|
|
Guardian2003
Site Admin
Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
|
| Posted:
Sun Oct 02, 2005 7:48 pm |
|
So if you view the source code of those pages it doesnt reveal the link to your renamed admin file? |
| |
|
|
|
jaceman
|
| Posted:
Sun Oct 02, 2005 8:44 pm |
|
It didn't... but it did after I was finished making my repairs. |
| |
|
|
|
|
|
|
![[Valid RSS]](https://www.ravenphpscripts.com/images/valid-rss.png "Validate my RSS feed"){kind=small}
