
Here's a little trick to protect your admin folder


php_Guy


Posted

Here is something I came up with to protect my admin folder. I thought I'd share it here.

Create an .htaccess file in your admin directory with the following:

# Deny access to everyone except for my IP
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx

where xx.xx.xx.xx is your IP address.

If you work from various IPs or if other people need access, just add more Allow from lines.

If anyone knows of a vulnerability to this script, please post it here.

Enjoy!

Posted

This is a good method, but some (if not most) have dynamic IP addresses, so this won't be that helpful for them as they would have to change the .htaccess each time they get a new IP address.

Posted
> This is a good method, but some (if not most) have dynamic IP addresses, so this won't be that helpful for them as they would have to change the .htaccess each time they get a new IP address.

The website will be on a dynamic IP (unless they paid for a dedicated one) but the IP in question would be the one they are using to "dial in" from. The cable modem I'm attached to at home (or is it my router?) has a static IP so allowing that IP will always allow me to get in from home. If I wanted to connect from work, I would have to allow that IP as well.

Posted
> The website will be on a dynamic IP (unless they paid for a dedicated one) but the IP in question would be the one they are using to "dial in" from. The cable modem I'm attached to at home (or is it my router?) has a static IP so allowing that IP will always allow me to get in from home. If I wanted to connect from work, I would have to allow that IP as well.

Yes, however most people have a dynamic IP (the one they "dial in" from) that changes daily if not more often.

Posted
> Yes, however most people have a dynamic IP (the one they "dial in" from) that changes daily if not more often.

Oh, I did not realize that. Bummer :(

I'm so glad mine is static.

Posted

If you're on a dynamic IP like me then you may notice that the first 5 or 6 numbers will often be the same. The other numbers will change.

Then you may get a completely different IP, but again the first 5 or 6 numbers will always be the same. This is how mine works anyway and I have 2 base addresses; it may be different for you.

If you regularly check your IP you will be able to clarify this yourself. It may be different for you, but this is how it is for me.

Then just use the above .htaccess code, but use the first 5 or 6 numbers of your IPs.

OK, it's not as secure as if you had a static IP, but some of us don't have that option and this way should exclude 99% of the world's population.

Works for me anyway.

If you end up blocking yourself, simply check your IP and upload a new .htaccess
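
Added example, not part of any post in this thread: a small audit of an `Allow from` list in the syntax used above, showing how many addresses each entry admits once a partial address is used. It assumes Apache's documented behaviour that a partial address is matched on its first 1 to 3 whole octets; the sample addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the thread's syntax; addresses are RFC 5737 documentation ranges.
SAMPLE_HTACCESS = """\
# Deny access to everyone except for my IP
Order Deny,Allow
Deny from all
Allow from 203.0.113.7
Allow from 198.51
Allow from 192.0.2.0/24
"""

def spec_to_network(spec):
    """Map one 'Allow from' spec to an IPv4 network: 'all', a full address,
    a partial address (first 1-3 octets), or CIDR/netmask notation.
    Hostnames and env= specs are rejected with ValueError."""
    if spec.lower() == "all":
        return ipaddress.ip_network("0.0.0.0/0")
    if "/" in spec:
        return ipaddress.ip_network(spec, strict=False)
    octets = spec.rstrip(".").split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        raise ValueError(f"unsupported Allow spec: {spec!r}")
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(f"{padded}/{8 * len(octets)}")

def parse_allow_list(text):
    """Return the networks named on every 'Allow from' line of an .htaccess body."""
    nets = []
    for line in text.splitlines():
        words = line.split()  # comment lines start with '#', so they never match
        if len(words) >= 3 and [w.lower() for w in words[:2]] == ["allow", "from"]:
            nets.extend(spec_to_network(s) for s in words[2:])
    return nets

def is_allowed(client_ip, nets):
    """True if client_ip falls inside any allowed network."""
    return any(ipaddress.ip_address(client_ip) in n for n in nets)

def exposure(nets):
    """Count the distinct addresses the whole allow list admits."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))

if __name__ == "__main__":
    nets = parse_allow_list(SAMPLE_HTACCESS)
    for n in nets:
        print(f"{str(n):<18} admits {n.num_addresses} addresses")
    print("total admitted:", exposure(nets))
```

Because matching is per octet, an entry cut in the middle of an octet such as `198.5` means `198.5.0.0/16`, not every address beginning `198.5x`.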

Posted
> Here is something I came up with to protect my admin folder. I thought I'd share it here.
>
> Create an .htaccess file in your admin directory with the following:
>
> # Deny access to everyone except for my IP
> Order Deny,Allow
> Deny from all
> Allow from xx.xx.xx.xx
>
> where xx.xx.xx.xx is your IP address.
>
> If you work from various IPs or if other people need access, just add more Allow from lines.
>
> If anyone knows of a vulnerability to this script, please post it here.
>
> Enjoy!

You might want to add a username and password after reading this:

http://www.sans.org/reading_room/whitepapers/threats/959.php

Posted

Yeah, it's a good safety measure, but should be used in addition to, not instead of, a htaccess or RC1+ admin login.

Rob

Rob Bell - Inspired Graphix

Customising osCommerce in Australia, and the world!

View my profile for web and email links.

I'm sorry, but I cannot offer free support via PM etc., and osCommerce forums prohibit me from putting any reference to paid support in my signature.

However, viewing my profile may provide links to my website or something like that which you may find useful.

Posted

Best admin folder protection method you can do is:

- rename the folder from "admin" to something else
- password protect the directory from your web hosting control panel/.htpasswd

Posted
> Best admin folder protection method you can do is:
>
> - rename the folder from "admin" to something else
> - password protect the directory from your web hosting control panel/.htpasswd

If you change the name of the admin folder, do you have to change anything in configuration files?

Posted
> If you change the name of the admin folder, do you have to change anything in configuration files?

You will need to change the admin/includes/configure.php file so that the new admin folder name is replaced where it mentions the path to admin.

Hope this helps

It's a Zoo in Here, Literally...

  • 1 month later...
Posted
> You will need to change the admin/includes/configure.php file so that the new admin folder name is replaced where it mentions the path to admin.
>
> Hope this helps

Hi. I am not very good at this, but I have searched for the place where the path is mentioned, but I can't find it in root/admin/includes/configuration.php

and neither in the

root/includes/configure.php

Can you help me find it?

Thank you very much

Posted

You can't find the files???

Sam

Remember, what you think I meant may not be what I thought I meant when I said it.

Contributions:

Auto Backup your Database, Easy way

Multi Images with Fancy Pop-ups, Easy way

Products in columns with multi buy etc etc

Disable any Category or Product, Easy way

Secure & Improve your account pages et al.

Posted
> You can't find the files???

I am not sure which file it is, but I have tried these ones:

root/includes/configure.php

root/admin/includes/configuration.php

I guess I should be in admin since it's the admin option we are editing, but I can't find the place in the file where I should edit the path to the admin folder.

Thank you

Posted
> Hi. I am not very good at this, but I have searched for the place where the path is mentioned, but I can't find it in root/admin/includes/configuration.php
>
> and neither in the
>
> root/includes/configure.php
>
> Can you help me find it?
>
> Thank you very much

root/admin/includes/configure.php

Posted
> root/admin/includes/configure.php

OK. Thank you very much.

Now where in this file do I change the path?

:D

If you can help me with this, you will be the greatest. Thank you

Posted
> OK. Thank you very much.
>
> Now where in this file do I change the path?
>
> :D
>
> If you can help me with this, you will be the greatest. Thank you

OK, I got it now.

Thank you very much, all

Posted

I don't know how to protect admin?

In /public_html/admin/includes/configure.php, I see

define('DIR_WS_ADMIN', '/admin/');
define('DIR_FS_ADMIN', '/home/xxx/public_html/admin/');

Which one do I change and how?

After that, do I need to change /public_html/admin/ to /public_html/newdirectory/ ?

Well, if so, will I need to change all my add-ons?

  • 2 weeks later...
Posted
> Here is something I came up with to protect my admin folder. I thought I'd share it here.
>
> Create an .htaccess file in your admin directory with the following:
>
> # Deny access to everyone except for my IP
> Order Deny,Allow
> Deny from all
> Allow from xx.xx.xx.xx
>
> where xx.xx.xx.xx is your IP address.
>
> If you work from various IPs or if other people need access, just add more Allow from lines.
>
> If anyone knows of a vulnerability to this script, please post it here.
>
> Enjoy!

This is good. Thanks

  • 4 weeks later...
Posted
> This is good. Thanks

This has lost me. Can someone tell me in detail what you have to do, as when I went in admin/includes/configure.php there were about 6 things saying admin

Posted
> This has lost me. Can someone tell me in detail what you have to do, as when I went in admin/includes/configure.php there were about 6 things saying admin

.htaccess file, not configure.php

Archived

This topic is now archived and is closed to further replies.
