Guest Posted September 28, 2002

What is the best way to secure the admin area? Anyone can get into it.

tonyk Posted September 28, 2002

.htaccess is probably the most common way to secure a directory, check out this link: http://faq.clever.net/htaccess.htm

Guest Posted September 28, 2002

Thank you.

GD Posted October 15, 2002

This wouldn't hurt either, if you have your own SSL Certificate: 8)

Location: admin/includes/configure.php

// I like to work within my admin sections in full SSL protection. (Notice: DIR_FS_DOCUMENT_ROOT)

--------------------------
/*
  $Id: configure.php,v 1.13 2002/07/20 09:08:31 project3000 Exp $

  osCommerce, Open Source E-Commerce Solutions
  http://www.oscommerce.com

  Copyright © 2002 osCommerce

  Released under the GNU General Public License
*/

// define our webserver variables
// FS = Filesystem (physical)
// WS = Webserver (virtual)
define('HTTP_SERVER', 'https://www.yourdomain.com'); // eg, http://localhost or - https://localhost should not be NULL for productive servers
define('HTTPS_SERVER', 'https://www.yourdomain.com');
define('HTTP_CATALOG_SERVER', 'https://www.yourdomain.com');
define('HTTPS_CATALOG_SERVER', 'https://www.yourdomain.com');
define('ENABLE_SSL_CATALOG', 'true'); // secure webserver for catalog module
define('ENABLE_SSL', 'true'); // secure webserver for catalog
define('DIR_FS_DOCUMENT_ROOT', 'https://www.yourdomain.com'); // where your pages are located on the server. if $DOCUMENT_ROOT doesn't suit you, replace with your local path. (eg, /usr/local/apache/htdocs)
---------------------------

REMEMBER: change www.yourdomain.com to YOUR domain address!

Good luck, and remember: back up first, then try the code above.

Part of another post here: http://www.oscommerce.com/forums/viewtopic.php...er=asc&start=10

GD :D

----------------------------
"If you're going to own a VW, then you're going to have to become a VW mechanic."
----------------------------
Running osC - 2.2MS2. P.S. Please don't ask for a link to my site, it is on a production server and not available for the general public, yet!

DailyLunatic Posted October 15, 2002

OK, I guess I'm dumber than I thought. This tutorial lists a few 'basic' skills I am unfamiliar with.

> .htaccess is probably the most common way to secure a directory, check out this link: http://faq.clever.net/htaccess.htm

1. What is telnet?
2. What is a 'virtual' domain, as opposed to just a plain ordinary domain?
3. I assume notepad would work as a text editor, but am confused why it was not listed when others (ie. joe, pico) I have never heard of are. I assumed you created the file and then FTP'd it to the dir.

Sorry to be so dense, but there seems to be a communication gap somewhere and I'd rather ask a bunch of really dumb questions than miss a seemingly trivial, but vital point.

Sterling

92.5% Pure Sterling (a.k.a. DailyLunatic)
Useful Threads: Basics for Design.
Useful URL's: Knowledge Base, SQL Tutorial.
My Setup: Master Products v1.2, Need help installing Bundled Products v1.4.

xnoodleboyx Posted October 15, 2002

> .htaccess is probably the most common way to secure a directory, check out this link: http://faq.clever.net/htaccess.htm

I followed that tutorial; I get a 500 error when I try to go to the directory I secured.

Guest Posted October 15, 2002

Create a file called .htaccess with Notepad.

Do what they said in the FAQ about what to include in the file.

Upload it to the directory you want protected. Done.

pico is just a Unix text editor for when you have shell access to the server.

Guest Posted October 15, 2002

To expand, create three files...

.htaccess (This is the one that goes in your protected directory)

    AuthUserFile /absolute/path/to/.htpasswd
    AuthGroupFile /absolute/path/to/.htgroup
    AuthName "Protected"
    AuthType Basic
    <Limit GET>
    require group admin
    </Limit>

Next, upload two files to somewhere preferably *below* your web root.

.htgroup

    admin: admin_user

.htpasswd

    admin_user: your_password

That way you can create different groups and different users with different passwords.

DailyLunatic Posted October 15, 2002

> create a file called .htaccess with notepad

Easy enough.

> Do what they said in the faq about what to include in the file.

Not a prob.

> upload it to the directory you want protected. Done.

...er... Easier said than done. How?

I tried to FTP .htaccess files in the past using WS FTP LE. It does not see the .htaccess file. I asked on another forum how to configure WSFTPLE to see the file and was told:

> enter -la or -a in the remote file mask box on the startup tab. files that start with a period are hidden on most unix systems. (i just ran into this the other day

I tried using that information to configure WS FTP LE, but found no 'File Mask Box', and no 'Startup Tab'. Anybody out there have any help on this issue?

Thanks a lot for the help, btw. I'm not frustrated with you, just the steep learning curve. PHP, Unix, Linux, SQL, OSC, New Store, etc., all in one swallow gives you indigestion. Hope you understand. Two weeks and I still don't even have .htaccess defined yet. (hair pulling)

Sterling

DailyLunatic Posted October 15, 2002

Not sure what you are meaning here:

> Next, upload two files to somewhere preferably *below* your web root.

How do you get below the root?

Sterling

DailyLunatic Posted October 15, 2002

Never mind, I now see what you mean by below the web root. Thanks.

Sterling

Guest Posted October 15, 2002

Your web server is what is hiding your .ht*** files. After you upload them, you won't see them in your files list unless you log in as root (only if you have shell access).

However, most FTP clients have an option called "manual get". Go over to where your server files are located. Click, then right-click and it brings up your options (I use cuteftp, but ws_ftp is similar). Click on "manual get" and type in the file name you think is there. It will then download .htaccess or whatever you typed in down to your PC to view it.

Guest Posted October 16, 2002

I am new to this as well, but could you not go to your admin page and choose file manager under tools and upload it from there?

Guest Posted October 16, 2002

Shouldn't this pop up a user login box or something?

.htaccess

    AuthUserFile /www/.htpasswd
    AuthGroupFile /www/.htgroup
    AuthName "Sazzy Partie's Admin Auth!"
    AuthType Basic
    <Limit GET>
    require group admin
    </Limit>

.htgroup

    admin: root

.htpasswd

    root: my.password

D:/www/htdocs is web root, so I put the .htgroup & .htpasswd just outside of it.

This is what I'm getting:

    Forbidden
    You don't have permission to access /admin/ on this server.

Thank you!

Guest Posted October 17, 2002

yay!! I figured it out!!!

I'm on Apache 1.3.27, Win2k Server.

My WORKING .htaccess code:

Edit in your httpd.conf file:

    <Directory />
    Options FollowSymLinks
    AllowOverride All
    </Directory>

    AllowOverride All

    #
    #.htaccess - For admin dir
    <Directory "D:/www/htdocs/admin/">
    AllowOverride FileInfo AuthConfig Limit
    Options MultiViews Indexes SymLinksIfOwnerMatch
    <limit GET POST OPTIONS PROPFIND>
    Order allow,deny
    Allow from all
    </limit>
    <limitexcept GET POST OPTIONS PROPFIND>
    Order deny,allow
    Deny from all
    </limitexcept>
    </Directory>

.htaccess file:

    AuthType basic
    AuthName "Access only for Developers"
    AuthUserFile D:/www/.htpasswd
    AuthGroupFile D:/www/.htgroup
    <Limit GET>
    Require group my-users
    </Limit>

.htgroup file:

    my-users: admin

.htpasswd file:

    admin:your_password

Jscheffler Posted October 17, 2002

The best way is this:

Download this little PHP program at
http://thewebsite.de/internet/downloads/schutz.zip

Load the PHP program to the folder you want to protect.

Start the PHP program.

That's all.

TEP CVS 2.2, snapshot of 5.10.2002
________________________________
With kind regards,
Juergen Scheffler

somethingelse Posted October 29, 2002

I have been known to be completely dense when it comes to this sort of thing... however... I have now tried all the suggested methods and none will work... I get the nice little popup box asking for my username & password, and that's as far as I get... enter the required info 3 times til I get the forbidden page, and nuthin'.

I apparently don't have shell access... do I need to make changes to the httpd.conf? argh.

ActiveTuning Posted October 29, 2002

Here's a contribution which creates an administration system for the admin area. It allows you to create users and give them limited access and what not.

http://www.oscommerce.com/downloads.php/co...ions,124/type,3

I just installed it yesterday, it works very well, and puts an encrypted password into the database.

Guest Posted October 29, 2002

somethingelse; Did you encrypt the password using the Apache tool, if that's your webserver?

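Added example (not written by any poster in this thread): a Python check for the two points the thread turns on, namely whether .htpasswd entries are stored in a hash format that Apache's htpasswd tool writes, and whether Require sits inside a <Limit> block, which Apache applies only to the methods listed. The function names are hypothetical and the sample file contents are constructed from the files posted above.

```python
import re

# Prefixes of the hash formats Apache's htpasswd tool writes (MD5, bcrypt, SHA-1).
HASH_PREFIXES = ("$apr1$", "$2y$", "{SHA}")
# crypt(3) DES output is 13 characters from this alphabet; a 13-character
# plain-text password using only these characters would be misread as a hash.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

# Constructed samples modelled on the files posted in this thread.
SAMPLE_HTACCESS = "<Limit GET>\nrequire group admin\n</Limit>\n"
SAMPLE_HTPASSWD = "admin_user: your_password\n"


def check_htpasswd(text):
    """Return (user, problem) pairs for entries not stored as a hash."""
    findings = []
    for line in text.splitlines():
        user, sep, secret = line.strip().partition(":")
        secret = secret.strip()
        if not user or user.startswith("#"):
            continue
        if not sep or not secret:
            findings.append((user, "malformed entry"))
        elif not (secret.startswith(HASH_PREFIXES) or DES_CRYPT.match(secret)):
            findings.append((user, "password is not in a known hash format"))
    return findings


def check_htaccess(text):
    """Flag Require lines inside <Limit>, which covers only the listed methods."""
    findings, methods = [], None
    for line in text.splitlines():
        line = line.strip()
        opened = re.match(r"<Limit\s+([^>]*)>", line, re.I)  # not <LimitExcept>
        if opened:
            methods = opened.group(1).split()
        elif re.match(r"</Limit>", line, re.I):
            methods = None
        elif methods is not None and re.match(r"require\b", line, re.I):
            findings.append("Require limited to %s; other methods are not "
                            "authenticated" % ", ".join(methods))
    return findings


if __name__ == "__main__":
    for finding in check_htaccess(SAMPLE_HTACCESS) + check_htpasswd(SAMPLE_HTPASSWD):
        print(finding)
```

Run against the constructed samples, it reports that authentication is limited to GET and that the admin_user entry is not a hash.
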
methodprobiz Posted September 14, 2005

> Here's a contribution which creates an administration system for the admin area. It allows you to create users and give them limited access and what not. http://www.oscommerce.com/downloads.php/co...ions,124/type,3
> I just installed it yesterday, it works very good, and puts an encrypted password into the database.

That link seems broken to me (404 error) :unsure:

I would love to get my hands on a Contribution like that. Search of Contrib's yielding no results. Does anyone have a copy for this or maybe it wouldn't work with current version?

hmm.. any info regarding this (multi-users having limited access w/encrypted pw) would be most appreciated.

Archived
This topic is now archived and is closed to further replies.