Protecting IPB

Discussion in 'Site Security & Legal Issues' started by GoldenSQL - Tom, Nov 29, 2005.

  1. GoldenSQL - Tom

    GoldenSQL - Tom Enthusiast

    Protecting IPB

    Hey,

    I have been hearing a lot about .htaccess and I heard that you can password protect a certain file.

    Well, I am using IPB 2.1.3 and I was wondering if I could use .htaccess to put a username/password to protect a file. I would like to add an extra layer of security on my admin.php file by adding yet another username and password just to access the admincp login page.

    I would also like to be able to set it up so that only certain IPs can access the admin.php file.

    If you could help me set this up that would be great!
     
    Last edited: Nov 29, 2005
  2. Zachery

    Zachery Moo

    I don't think you can protect just a file...
     
  3. simsim

    simsim means seasme

    Since you want to add an extra layer of security, just password-protect the whole directory which contains the admin.php file.

    I don't know of the structure of the IPB files, but in vBulletin there are three main directories which an admin would like to protect: admincp, modcp & includes directories.

    Anyway, I think the following link is useful to you:
    http://www.webhostgear.com/63.html

    simsim
     
  4. Zachery

    Zachery Moo

    The admin file is in the same directory. vB uses files with OOP, IPB uses EXTREME OOP and everything is centered around the index.php and included by a variable after the ?

    index.php?act=showthread etc
     
  5. GoldenSQL - Tom

    GoldenSQL - Tom Enthusiast

    IPB doesn't have the admin.php file in a folder, so I can't protect the directory it's in. That's why I wanted to use .htaccess to protect that file with a password and a username.
     
  6. Zachery

    Zachery Moo

    Don't believe it's possible, you might be able to use a HTTP_AUTH method via hacking.
     
  7. KeithMcL

    KeithMcL Freelance Web Designer

    What about adding an additional if statement to the admin file itself?
     
  8. simsim

    simsim means seasme

  9. lvt

    lvt Enthusiast

    If you use .htaccess, how can your members see the board while the admin.php file is in the IPB root directory?

    You should rename this admin.php file to whatever you want, you can even rename the config file to have your board more "securised".

    P/S: if you rename these files you will also need to modify some lines of code in the source.
     
  10. Wayne Luke

    Wayne Luke Tazmanian

  11. PalePhoenix

    PalePhoenix Prince of Dorkness

    Is there any value to altering CHMOD (octals)? My FTP client lets me just right-click to alter various file properties, though I wouldn't be messing with .htaccess. Is there a particular reason you're looking for added security measures?
     
  12. Wayne Luke

    Wayne Luke Tazmanian

    .htaccess and CHMOD serve two very different but still security-related functions.

    .htaccess allows you to control who can access files via a web browser and nothing else. It can be used to deny people access to your entire site by IP address, it can prevent hotlinking of images, it can redirect people to other pages on your site or allow for a custom HTTP Error page. It can do a lot of things. Security is one of them but very minor. Basically .htaccess is a specific configuration file for Apache. It isn't a server thing and it won't prevent users on the server from accessing files directly. This is why you can deny access to an includes directory but the PHP scripts can still access them. They run under a different user than what the web browser has access to. .htaccess protects at the HTTP Daemon level.

    CHMOD sets permissions on which users on the server can access your files. You can deny access to your admin.php by setting its permissions to 700 but then you won't be able to access it via a web browser either. The webserver wouldn't be able to read them for parsing. To view the page, you would have to log in via SFTP or SSH and reset the permissions, use the file and then reset the permissions again. Such a pain that .htaccess allows you to get around. CHMOD is good for denying other users on a shared server from accessing or deleting your files, say a worm looking for a vulnerable script. It is good to prevent hackers gaining access through insecure protocols like telnet or FTP from deleting all your files. It protects at the filesystem level.

    To run a secure site, both are needed in varying degrees.
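
Added example (not part of any post in this thread): a sketch of the per-file setup asked about in the opening post, using Apache's `<Files>` section so that only admin.php gets the extra password and IP check while the rest of the board stays reachable. The password-file path, user name and IP addresses are constructed placeholders, and the directives assume Apache 2.4 with `AllowOverride AuthConfig` enabled for the directory.

```apache
# .htaccess in the board's root directory (the directory holding admin.php).
# Only the file named in <Files> is affected; index.php and everything
# else in this directory is served as before.

<Files "admin.php">
    AuthType Basic
    AuthName "Admin CP"

    # Constructed path: keep the password file outside the web root so it
    # can never be downloaded. Create it once from a shell with:
    #   htpasswd -c /home/example/private/.htpasswd adminuser
    AuthUserFile /home/example/private/.htpasswd

    # Both conditions must hold: a valid login AND an allowed source IP.
    # (Addresses below are documentation ranges, replace with your own.)
    <RequireAll>
        Require valid-user
        Require ip 203.0.113.10 198.51.100.0/24
    </RequireAll>
</Files>

# Apache 2.2 and earlier use the older access-control directives instead
# of the <RequireAll> block above:
#
#   <Files "admin.php">
#       AuthType Basic
#       AuthName "Admin CP"
#       AuthUserFile /home/example/private/.htpasswd
#       Require valid-user
#       Order deny,allow
#       Deny from all
#       Allow from 203.0.113.10
#       Satisfy All
#   </Files>
#
# Basic authentication sends the credentials base64-encoded, not
# encrypted, so serve admin.php over HTTPS.
```

A request for admin.php from an address outside the list is refused with 403 regardless of credentials, and one from an allowed address gets a 401 prompt before the board's own admin login is reached.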
     
  13. PalePhoenix

    PalePhoenix Prince of Dorkness

    Thank you, Wayne, that does unfuzz a bit for me. I thought .htaccess was an Apache thing, and/or a Windows thing. We have Linux. I cannot claim to know a whole lot about all this server-side stuff, but I knew enough to go with that particular OS. Anything you suggest I keep in mind as traffic increases?
     
  14. Wayne Luke

    Wayne Luke Tazmanian

    .htaccess is strictly an Apache thing. If you do not use it, you have to find out what the equivalent is for your webserver. IIS uses NTAUTH.
     
  15. GoldenSQL - Tom

    GoldenSQL - Tom Enthusiast
