freakingme (posted July 8, 2005):

Hi, I'd like to secure the admin panel using a password. Can anybody tell me how? Regards, Peter Clarck
freakingme (author, posted July 8, 2005):

Since not so long ago I've had a webhostingbuzz account with cPanel support. I just thought of the fact that cPanel easily creates .htaccess password files, so I used that function. It works great AND SECURE here! Peter
georgew (posted July 8, 2005):

But how secure is it? Aren't .htaccess-protected directories only weakly protected? Isn't it possible to do a brute-force crack against .htaccess-protected systems? This is an e-commerce system; it needs better security than this. So what is the /real/ way to secure the admin directory and still have it be accessible? Is there an Apache mod to shut down brute-force password hacking?
swolsten (posted July 8, 2005):

The first thing you should do (and not may do) is rename the admin folder to something else; if people do not know what it is called, then they will not be able to brute-force it. You should still password-protect it even though it's renamed. I use .htpasswd on my system; I change the username/password every X (not telling how many :P) days to make it a bit harder to hack. You can always create admin and password-protect it just to make hackers think it still exists and waste their time :D

Don't forget to Search. Your problem has already been fixed before. Please visit Manchester-Fireworks.com.
freakingme (author, posted July 8, 2005):

How should you do that? Not so hard: write your own login system. Make one PHP file which checks if the user is logged in. Put in that file something like:

    <?php
    // check_loggedin.php: stop the request unless the session says we are logged in
    if ($session->loggedin != true) {
        die("Login first plz");
    }
    ?>

And in every backend file, you put:

    session_start();
    require("check_loggedin.php");

Of course brute force is also possible against that login system, but what you could do is add a hard-to-read validation image on the login screen, whose text visitors have to copy after they have entered a wrong username+password combination 3 times. And after 10 tries, you ban their IP for 24 hours. It's quite a lot of work, but it'll work. I'm going to make this in the coming few days; if you're interested, please contact me. Peter

p.s. I knew this beforehand already, but because it's a hell of a job, I hoped someone knew an easier way.
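A fuller version of the "check if the user is logged in" file Peter describes, written here as an added example (it is not code from the post or from osCommerce). It assumes PHP 5.5 or later for password_hash()/password_verify()/session_status(), keeps an illustrative credential store in the file itself, and every name in it (admin_login, admin_current_user, the "manager" account) is made up for the example.

```php
<?php
// Added example, not from the original thread or from osCommerce.
// Assumptions: PHP 5.5+, illustrative in-file credential store, made-up names.

// Constructed sample credential store: username => bcrypt hash.
// In a real deployment this row comes from the database, never from source.
function admin_credentials() {
    static $creds = null;
    if ($creds === null) {
        $creds = array('manager' => password_hash('correct horse', PASSWORD_DEFAULT));
    }
    return $creds;
}

// Verify a username/password pair. The unknown-user case still runs
// password_verify() against a throwaway hash, so the response time does not
// tell an attacker which usernames exist.
function admin_login($username, $password) {
    static $dummy = null;
    if ($dummy === null) {
        $dummy = password_hash('no-such-user', PASSWORD_DEFAULT);
    }
    $creds = admin_credentials();
    $known = isset($creds[$username]);
    $hash  = $known ? $creds[$username] : $dummy;
    if (!password_verify($password, $hash) || !$known) {
        return false;
    }
    // New identity, new session id: an attacker who planted a session id before
    // the login (session fixation) must not inherit the authenticated session.
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
    $_SESSION['admin_user']      = $username;
    $_SESSION['admin_last_seen'] = time();
    return true;
}

function admin_logout() {
    unset($_SESSION['admin_user'], $_SESSION['admin_last_seen']);
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);
    }
}

// Returns the logged-in admin username, or null. The idle timeout keeps a
// forgotten browser tab from staying an open door into the back office.
function admin_current_user($max_idle = 1800) {
    if (empty($_SESSION['admin_user'])) {
        return null;
    }
    if (time() - $_SESSION['admin_last_seen'] > $max_idle) {
        admin_logout();
        return null;
    }
    $_SESSION['admin_last_seen'] = time(); // sliding window
    return $_SESSION['admin_user'];
}

// check_loggedin.php then becomes the lines every backend file starts with:
//   session_start();
//   require('admin_auth.php');   // this file
//   if (admin_current_user() === null) { header('Location: login.php'); exit; }
```

On the login form itself, call admin_login() with the posted fields and redirect on success; the die("Login first plz") from the post is replaced by the redirect at the bottom, which is what a browser user expects.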
georgew (posted July 8, 2005):

Of course swolsten is right; the /best/ security against the .htaccess issue is to hide it well. I like to move the directory out of the web space, and only move it back when I'm using it. I use an obscure name, and I password-protect it... But that is a hack... There should be a better way...

"How should you do that? Not so hard: write your own login system."

Good idea! I only have one problem with it... why are you doing it? Shouldn't that be built into osCommerce? It's like they built a complete store, but left the manager's desk in the back alley, with an unsecured hallway leading into the store... with a little sign "build brick wall here, put lock on door when done". In my opinion, every PHP application that leaves an insecure manager page in place is simply unfinished software... just like a building missing a wall. I have seen plenty of backend login systems in PHP apps to show as examples, like Mambo for instance, so it can be done. The system has a login module for returning customers; surely the admin area is even more deserving of a login module... and it should have multiple layers of security. It should have limited access for shipping clerks, and full access for the manager, etc...

Stopping brute force is easy. Use an exponential backoff timer. Eventually you will run out of PHP execution time, and the attack will be stopped until the timer resets. Each login has a delay, with the delay increasing exponentially. Within 5 to 10 attempts the delay is too long for PHP to execute, stopping the attack dead. If there are no login attempts for a period of time (like 5 minutes) you reset the timer. Another security method is the lock-out... After x failed login attempts, lock down the system until it is stopped and restarted, or until an admin deletes a .lockout file, or something. Those are two ideas easily integrated into a PHP login module. The multiple layers of security is another issue... But again, great idea... it should be built in...
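The two ideas in that post, exponential backoff and an admin-cleared .lockout file, as an added example (not code from the thread or from osCommerce). It keeps its state in a small JSON file in the temp directory so it runs stand-alone; a database row works the same way. The key is whatever you throttle on (the typed username, the client IP, or both), and the constants, file names and function names are all made up for the example. One change from the post: instead of sleeping inside the request until PHP's execution time runs out, which pins a PHP worker per stalled attempt and lets the attacker exhaust workers, the check rejects the request immediately and tells the caller how long to wait.

```php
<?php
// Added example, not from the original thread or from osCommerce.
// Assumptions: JSON state file in sys_get_temp_dir(), illustrative thresholds.

define('BACKOFF_RESET_AFTER', 300);  // quiet period (s) after which failures are forgotten
define('BACKOFF_MAX_DELAY',   3600); // cap on the computed delay (s)
define('LOCKOUT_AFTER',       10);   // consecutive failures before the whole panel locks

function throttle_state_file() { return sys_get_temp_dir() . '/admin_throttle.json'; }
function lockout_file()        { return sys_get_temp_dir() . '/admin.lockout'; }

function throttle_load() {
    $f = throttle_state_file();
    $data = is_file($f) ? json_decode(file_get_contents($f), true) : null;
    return is_array($data) ? $data : array();
}

function throttle_save(array $state) {
    file_put_contents(throttle_state_file(), json_encode($state), LOCK_EX);
}

// Delay that must elapse after the n-th consecutive failure: 1, 2, 4, 8, ... seconds.
function backoff_delay($failures) {
    if ($failures <= 0) return 0;
    return (int) min(pow(2, $failures - 1), BACKOFF_MAX_DELAY);
}

// 0 if the login may proceed now, otherwise the seconds the caller must wait.
// A present .lockout file blocks everyone until an admin deletes it.
function throttle_check($key, $now = null) {
    $now = ($now === null) ? time() : $now;
    if (is_file(lockout_file())) return PHP_INT_MAX;
    $state = throttle_load();
    if (!isset($state[$key])) return 0;
    $rec = $state[$key];
    if ($now - $rec['last'] >= BACKOFF_RESET_AFTER) return 0; // quiet period: forgiven
    $ready_at = $rec['last'] + backoff_delay($rec['failures']);
    return ($ready_at > $now) ? $ready_at - $now : 0;
}

// Count a failed attempt; returns the new consecutive-failure count.
function throttle_record_failure($key, $now = null) {
    $now = ($now === null) ? time() : $now;
    $state = throttle_load();
    $rec = isset($state[$key]) ? $state[$key] : array('failures' => 0, 'last' => 0);
    if ($now - $rec['last'] >= BACKOFF_RESET_AFTER) $rec['failures'] = 0;
    $rec['failures']++;
    $rec['last'] = $now;
    $state[$key] = $rec;
    throttle_save($state);
    if ($rec['failures'] >= LOCKOUT_AFTER) {
        // the lock-out from the post: stays until an admin removes the file
        file_put_contents(lockout_file(), date('c', $now) . " locked by $key\n");
    }
    return $rec['failures'];
}

// A correct password clears the counter for that key.
function throttle_record_success($key) {
    $state = throttle_load();
    unset($state[$key]);
    throttle_save($state);
}

// Usage in login.php, before the password is checked:
//   if (($wait = throttle_check($key)) > 0) { http_response_code(429); exit("Try again in $wait s"); }
//   if (!password_ok) { throttle_record_failure($key); exit('Login failed'); }
//   throttle_record_success($key);

// Demo when run from the command line: five rapid failures from one client,
// then a sixth attempt one second later has to wait for the 16 s backoff.
if (PHP_SAPI === 'cli') {
    @unlink(throttle_state_file());
    @unlink(lockout_file());
    $t = 1000000;
    for ($i = 1; $i <= 5; $i++) throttle_record_failure('10.0.0.9', $t + $i);
    echo 'wait: ' . throttle_check('10.0.0.9', $t + 6) . " s\n";
}
```

Which key to throttle on matters: keyed only by username, an attacker can lock the real admin out by typing the admin's name with junk passwords; keyed only by IP, a distributed guesser walks straight past it. Keeping one counter per username and one per IP, and applying whichever delay is longer, covers both.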
georgew (posted July 8, 2005):

Here is what I'm going to do.... I have to install Webmin to manage something else for the customer, so I'm putting up a custom command that will temporarily expose the admin page. The command will ask for a new secret name, explaining that it is only good for 8 hours. The script moves the directory into place, naming it with the secret name. The script then creates an "at" job for 8 hours into the future, and that job moves the secret-named directory back into the properly named holding location outside of the web path. A cron job comes along that scans for an admin directory, and if it sees one twice with the same name for more than 8 hours, it cleans it up and sends a warning email to the admin that security is failing somehow. The same security cron job also scans for unexpected changes in the system, using Tripwire.
Guest (posted July 9, 2005):

Hi all, I'm new here. I got osCommerce installed on my site, and was surprised to see no security for the admin directory. If I rename it to something like "office", then the pages don't integrate well. Each time I navigate to a new page it's looking for "admin" in the URL, so I have to change it manually with every new page. That's a drag. So my temporary answer is to just give it a goofy name until I want to actually "admin" the thing again and rename it to "admin". But what's the best answer for a guy who's only got a limited knowledge of server-side mechanics and PHP? Will the catalog function without the admin directory in place? Thanks, Ron
AlanR (posted July 9, 2005):

You need to edit the admin/includes/configure.php file with your new folder name. But as others have pointed out, it's a good idea to move it out of the catalog folder altogether. It's only in catalog in the first place to make the auto-installer simpler.

Local: Mac OS X 10.5.8 - Apache 2.2/PHP 5.3.0/MySQL 5.4.10 • Web servers: Linux. Tools: BBEdit, Coda, Versions (Subversion), Sequel Pro (db management)
Guest (posted July 9, 2005):

Thanks, that worked. Do I edit the same file if I want to change the name of the general catalog? I intend to use a different name in the logo, so I'd like the URL to match. Just changing the "catalog" directory name doesn't work by itself; there are other files I need to edit as well. I'd like it to read something like www.mydomain.net/store. Thanks, Ron

PS, also, how do I disable other language options? I just want the site to display in English.
homewetbar (posted September 6, 2005):

How would you write code to stop a brute-force attack? You said it is easy but did not explain how... If you could give some sample code that would be great!

Most Valuable OsCommerce Contributions: Also Purchased (AP) Preselection (cuts this resource-hogging query down to nothing) -- Contribution 3294; FedEx Automated Labels -- Contribution 2244; RMA Returns system -- Contribution 1136; Sort Products By Dropdown -- Contribution 4312; Ultimate SEO URLs -- Contribution 2823; Credit Class & Gift Voucher -- Contribution 282; Cross-Sell -- Contribution 5347
homewetbar (posted September 7, 2005):

It's taking me a while, but I think I've come up with a pretty good solution. FIRST install the admin access levels contrib if you haven't already: http://www.oscommerce.com/community/contributions,1359 And here's the mod to this contrib I have been working on, borrowing some code here and there and then writing the rest myself. As always, BACKUP! BACKUP! BACKUP!

WHAT IT DOES: It disables an email address after 5 login tries for 5 minutes and emails the administrator the offender's IP address. After 5 minutes you can log right back in automagically!

WHY: To stop brute-force attacks. It's not perfect, but it's the next step after basic password protection. It helps keep a hacker from using 100s or 1000s of requests to guess your password....

HOW TO DO IT? Here is the SQL to create the necessary table:

    DROP TABLE IF EXISTS admin_lock;
    CREATE TABLE `admin_lock` (
      `attempt_id` int(11) NOT NULL auto_increment,
      `attempt_email` varchar(50) default '' UNIQUE,
      `attempts` int(1) default '0',
      `last_attempt` int(20) default '0',
      `first_offense` int(1) default '0',
      PRIMARY KEY (`attempt_id`)
    );

Then insert in your admin/login.php AFTER

    $password = tep_db_prepare_input($HTTP_POST_VARS['password']);

the following:

    // Check whether this address has more than 4 login attempts; if so, time it out
    // for 5 minutes, then reset the counter.
    //----------------Configuration----------------
    $mail_report = '[email protected]'; // address to mail the report to
    $show_msg = 'Your IP Address was logged and the administrator has been notified. Your IP Address is: ';
    //---------------------------------------------
    // The counter is keyed by the e-mail address typed into the form, so it is the
    // account that gets locked, not the attacker's IP. tep_db_input() escapes the
    // value before it goes into SQL; tep_db_prepare_input() alone does not.
    // Every submission is counted here, so reset attempts to 0 at the point in
    // login.php where a correct password is accepted.
    $lock_email = tep_db_input(strtolower($email_address));
    $check_lockout_query = tep_db_query("select attempt_id, first_offense, attempt_email, attempts, last_attempt from admin_lock where attempt_email = '" . $lock_email . "'");
    $check_lockout = tep_db_fetch_array($check_lockout_query);
    $attempts = $check_lockout['attempts'] + 1;

    if ($check_lockout['attempt_id'] == '') {
      // first attempt seen for this address: start the counter at 1
      $last_attempt = time();
      tep_db_query("insert into admin_lock (attempt_email, attempts, last_attempt) values ('" . $lock_email . "', '1', '" . $last_attempt . "')");
    } else if ($attempts < 5) {
      // still under the limit: count this attempt and arm the one-time report
      $last_attempt = time();
      tep_db_query("update admin_lock set attempts = '" . $attempts . "', last_attempt = '" . $last_attempt . "', first_offense = 1 where attempt_id = '" . $check_lockout['attempt_id'] . "'");
    } else {
      $locked_time = (time() - $check_lockout['last_attempt']);
      if ($locked_time < 300) {
        echo '<center><font color=red>Your login attempt has timed out, try again in 5 minutes</font> Time since lockout: ' . $locked_time . ' seconds</center>';
        $password = ''; // make the password check below fail
        if ($check_lockout['first_offense'] == 1) {
          // get their IP address; X-Forwarded-For is client-supplied, so it is only reported, not trusted
          $ip = getenv('REMOTE_ADDR');
          $fwd = '';
          if (getenv('HTTP_X_FORWARDED_FOR')) {
            $fwd = ' (' . getenv('HTTP_X_FORWARDED_FOR') . ')';
          }
          // create nice report
          $msg = "\n" . 'FAILED LOGIN ATTEMPT REPORT' . "\n" . '---------------------------------------' . "\n";
          $msg .= 'Remote Address: ' . $ip . $fwd . "\n";
          $msg .= 'Referer : ' . (isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '') . "\n";
          $msg .= 'Requested : ' . $_SERVER['REQUEST_URI'] . "\n";
          $msg .= 'Used user name: ' . $email_address . "\n";
          mail($mail_report, 'FAILED ADMIN LOGIN ATTEMPT', $msg);
          echo '<center><b>' . $show_msg . $ip . '</b></center>';
          // report only once per lockout
          tep_db_query("update admin_lock set first_offense = 0 where attempt_id = '" . $check_lockout['attempt_id'] . "'");
        }
      } else {
        // lockout has expired: start counting again, with this attempt as the first
        $last_attempt = time();
        tep_db_query("update admin_lock set attempts = 1, last_attempt = '" . $last_attempt . "' where attempt_id = '" . $check_lockout['attempt_id'] . "'");
      }
    }

Then just configure your email address and you're done! :thumbsup: