mattice Posted March 21, 2003

Improving / Reporting Admin Login

Currently there are some discussions going on here on the subject of securing osCommerce against hackers. One of the things I replied is that it is always a good idea to have a delay on your logins (to discourage people trying over and over / stress brute force attacks). Elmo asked how this was done so I decided to post it in the TIPS forum, combined with some reporting on failed logins.

1.) How it works - The Basics

The first thing you should immediately do after an install is secure the Admin directory with a .htaccess file / password. .htaccess is a technique where the webserver reads the .htaccess BEFORE doing anything else. That .htaccess file can contain lots of what Apache (the most commonly used webserver) calls 'Directives', i.e. settings. The most commonly used one is password protection, the second one is probably custom ErrorDocuments. We will use both for this tip.

I am not going to re-write info that is widely available on the net here, so read this guide (please let me know if the link is no longer current):

Step 1: For securing directories: http://www.cgiextremes.com/extras/Tips_Tut...htaccess.html#2
Step 2: For creating custom error pages: http://www.cgiextremes.com/extras/Tips_Tut...htaccess.html#4

2.) The 401 Error Page

So you have set up your Admin .htaccess and password. And you have set up your custom error pages in the .htaccess too? Replace whatever 401 page you have with this code:

```php
<?php
/*
   401 HTTP HEADER (Auth Req) custom error page
   specifically created for osCommerce but will be
   used for your complete site once installed.
   (c) 2003 osCommerce - mattice
   http://www.oscommerce.com/about/team
*/

//---------------------------------
// C O N F I G U R A T I O N
//---------------------------------
$lb = "\n";                                 // linebreak, either "\n" (double quote!) or '<br>'
$secs = '5';                                // time to delay, keep this between 5 and 20 I'd say
$email_address = '[email protected]';       // address to mail report to
$show_msg = 'Go away. This aint working.';  // message to show to person trying
//---------------------------end of config

// get the bastards IP
$fwd = '';
if (getenv('HTTP_X_FORWARDED_FOR')) {
  $fwd = ' (' . getenv('HTTP_X_FORWARDED_FOR') . ')';
  $ip = getenv('REMOTE_ADDR');
} else {
  $ip = getenv('REMOTE_ADDR');
}
$name = $_SERVER['PHP_AUTH_USER'];
$pass = $_SERVER['PHP_AUTH_PW'];

// create nice report
$msg  = $lb . 'FAILED LOGIN ATTEMPT REPORT' . $lb . '---------------------------------------' . $lb;
$msg .= 'Remote Address: ' . $ip . $fwd . $lb;
$msg .= 'Referer       : ' . $_SERVER["HTTP_REFERER"] . $lb;
$msg .= 'Requested     : ' . $_SERVER["REQUEST_URI"] . "$lb;
$msg .= 'Used user name: ' . $_SERVER['PHP_AUTH_USER'] . $lb;
$msg .= 'Used password : ' . $_SERVER['PHP_AUTH_PW'] . $lb;
mail($email_address, '[Failed Login Attempt]', $msg);

// delay a bit to stress brute force attacks
sleep($secs);
?>
<html>
<body>
<center><p>
<p>
<font face="verdana,tahoma,arial" size="5" color="red"><b><?php echo $show_msg; ?></b></font>
</center>
</body>
</html>
```

3.) Testing Your Setup

Make sure you have corrected the config to match your settings. To test your setup simply type the wrong credentials in the login box that pops up whenever you visit a secured directory. By default you have 3 tries and then it will fail, e-mailing you the report and showing your message to the person trying to access the secured dir.

Please note the delay will ALSO be there if you have provided the CORRECT credentials. There's only one cure for that.. live with it.

Regards, Mattice
"Politics is the art of preventing people from taking part in affairs which properly concern them"
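A hardened variant of the 401 handler above, added here as an example; it is not mattice's code and not part of osCommerce. It keeps the idea (record the attempt, then delay) but writes one escaped line to a log file instead of mailing a report, never records the guessed password, and only counts a hit as an attempt when credentials were actually submitted. That last check matters because Apache runs the 401 ErrorDocument for every unauthenticated request, including the very first one before the browser has shown a password prompt, which is why the original delays (and mails) on a correct login as well. The log path, delay and message are assumed settings; the script is assumed to be wired in with `ErrorDocument 401 /401.php` as networkdad shows later in this thread, and to sit outside the protected directory.

```php
<?php
/*
 * Hardened 401 handler (added example, not from the thread or osCommerce).
 * Assumes: ErrorDocument 401 /401.php in .htaccess, file stored outside the
 * password-protected directory. All three settings below are hypothetical.
 */
$log_file = '/var/log/oscommerce/failed-logins.log'; // assumed path: outside the web root, writable by the web server user
$secs     = 5;                                        // tarpit delay in seconds, same idea as the original tip
$show_msg = 'Authorization required.';

// Apache serves this page for EVERY 401, including the initial challenge
// before any password was typed. Only a request that carried credentials
// is a failed login attempt worth recording.
function is_failed_attempt(array $server): bool
{
    return isset($server['PHP_AUTH_USER']) && $server['PHP_AUTH_USER'] !== '';
}

// Collapse CR/LF and other control characters so a crafted user name or
// Referer header cannot forge extra lines in the log (log injection).
function clean_field(string $value, int $max = 200): string
{
    $value = preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value);
    return substr($value, 0, $max);
}

// One line per attempt, key=value, easy to grep or feed to a log-based blocker.
// The guessed password is deliberately NOT recorded: near-miss guesses reveal
// the real one, and this file is plain text.
function build_report(array $server): string
{
    $fields = [
        'time'    => gmdate('Y-m-d\TH:i:s\Z'),
        'addr'    => $server['REMOTE_ADDR'] ?? '-',
        // X-Forwarded-For is client-supplied; record it for context, but only
        // trust it for blocking decisions when a proxy you control sets it.
        'xff'     => $server['HTTP_X_FORWARDED_FOR'] ?? '-',
        'uri'     => $server['REQUEST_URI'] ?? '-',
        'referer' => $server['HTTP_REFERER'] ?? '-',
        'user'    => $server['PHP_AUTH_USER'] ?? '-',
    ];
    $parts = [];
    foreach ($fields as $key => $value) {
        $parts[] = $key . '=' . clean_field((string) $value);
    }
    return 'FAILED_LOGIN ' . implode(' ', $parts) . "\n";
}

if (is_failed_attempt($_SERVER)) {
    // LOCK_EX keeps lines from concurrent attempts from interleaving.
    file_put_contents($log_file, build_report($_SERVER), FILE_APPEND | LOCK_EX);
    // Tarpit. Caveat: sleep() holds an Apache worker for the whole delay, so
    // many parallel bad logins can exhaust workers. Keep it short.
    sleep(min($secs, 20));
}

header('Content-Type: text/html; charset=utf-8');
?>
<html>
<body>
<p><b><?php echo htmlspecialchars($show_msg, ENT_QUOTES, 'UTF-8'); ?></b></p>
</body>
</html>
```

The delay only slows the one connection that is sleeping; attempts made in parallel are not slowed at all, and each sleeping request occupies a server process. Real rate limiting comes from acting on the log, for example with a log-driven blocker such as fail2ban, rather than from the sleep itself.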
Farrukh Posted March 22, 2003

Hiya mattice, thanks for this great tip. It would really be helpful. I want to ask something: I have used FrontPage to secure my admin section. Will this work with it? Coz .htaccess will interfere with it.
mattice Posted March 22, 2003

I don't use FrontPage (ask yourself why... :D) and I have no idea on how to implement this with FrontPage. Try to secure the Admin with .htaccess (like described in the guides) and that should work... if it does, add the 401 trick, if not, go back to the FrontPage method.

Regards, Mattice
"Politics is the art of preventing people from taking part in affairs which properly concern them"
Farrukh Posted March 22, 2003

Hiya mattice, you're right about that, I should ask myself :D It's just that my host says that I should bug with .htaccess as it can create some problems with their servers. So whenever I want to do something I will have to ask them for access to .htaccess, so it wastes some time. With FrontPage, I can change, update, password protect my site myself.
mattice Posted March 22, 2003

If you have FTP / Telnet / SSH access to your site and your provider has their webserver set up to parse .htaccess files you can do it yourself, you don't need to ask them. If they have NOT set up their webserver to parse .htaccess I doubt if this trick is for you. You should ask them how to set up custom ErrorDocuments (like 404 errors) and use my code for 401 errors.

HTH
Mattice
"Politics is the art of preventing people from taking part in affairs which properly concern them"
networkdad Posted April 26, 2003

Hmm.. got this error on 401.php - what's going on here?

error:
Parse error: parse error, expecting `T_STRING' or `T_VARIABLE' or `T_NUM_STRING' in /home/healthyh/public_html/401.php on line 42

Line 42:
$msg .= 'Used user name: ' . $_SERVER['PHP_AUTH_USER'] . $lb;
Waza04 Posted April 26, 2003

There is an error with the code that mattice posted. It should be:

```php
<?php
/*
   401 HTTP HEADER (Auth Req) custom error page
   specifically created for osCommerce but will be
   used for your complete site once installed.
   (c) 2003 osCommerce - mattice
   http://www.oscommerce.com/about/team
*/

//---------------------------------
// C O N F I G U R A T I O N
//---------------------------------
$lb = "\n";                                 // linebreak, either "\n" (double quote!) or '<br>'
$secs = '5';                                // time to delay, keep this between 5 and 20 I'd say
$email_address = '[email protected]';       // address to mail report to
$show_msg = 'Go away. This aint working.';  // message to show to person trying
//---------------------------end of config

// get the bastards IP
$fwd = '';
if (getenv('HTTP_X_FORWARDED_FOR')) {
  $fwd = ' (' . getenv('HTTP_X_FORWARDED_FOR') . ')';
  $ip = getenv('REMOTE_ADDR');
} else {
  $ip = getenv('REMOTE_ADDR');
}
$name = $_SERVER['PHP_AUTH_USER'];
$pass = $_SERVER['PHP_AUTH_PW'];

// create nice report
$msg  = $lb . 'FAILED LOGIN ATTEMPT REPORT' . $lb . '---------------------------------------' . $lb;
$msg .= 'Remote Address: ' . $ip . $fwd . $lb;
$msg .= 'Referer       : ' . $_SERVER["HTTP_REFERER"] . $lb;
$msg .= 'Requested     : ' . $_SERVER["REQUEST_URI"] . $lb;   // stray double quote removed here
$msg .= 'Used user name: ' . $_SERVER['PHP_AUTH_USER'] . $lb;
$msg .= 'Used password : ' . $_SERVER['PHP_AUTH_PW'] . $lb;
mail($email_address, '[Failed Login Attempt]', $msg);

// delay a bit to stress brute force attacks
sleep($secs);
?>
<html>
<body>
<center><p>
<p>
<font face="verdana,tahoma,arial" size="5" color="red"><b><?php echo $show_msg; ?></b></font>
</center>
</body>
</html>
```

Warren
networkdad Posted April 26, 2003

Thanks Warren! Works perfect now..
Waza04 Posted April 26, 2003

No problem!!
Warren
Waza04 Posted April 26, 2003

HELP!! I have a problem too now! I have checked and checked the config over and over, however, no matter what I do - it doesn't redirect to my page! I get:

Authorization Required
This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.

Can anybody tell me why?

Thanks,
Warren
networkdad Posted April 26, 2003

> HELP!! I have a problem too now! I have checked and checked the config over and over, however, no matter what I do - it doesn't redirect to my page! I get:
>
> Authorization Required
> This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
>
> Can anybody tell me why?
>
> Thanks,
> Warren

Are you using .htaccess for your 401 file? I named my file 401.php and put in .htaccess:

ErrorDocument 401 /401.php

401.php is in my root, hence /401.php..
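The two .htaccess pieces that Steps 1 and 2 of the tip point to, written out as an added example; this is not taken from the linked guide or from any post in the thread. The paths are assumptions: the password file is created with Apache's `htpasswd` tool and should live outside the document root so it can never be downloaded. The 401 page is referenced from the root .htaccess and must itself be outside the protected directory, otherwise Apache cannot serve it to a client that has not yet authenticated; networkdad's layout above (401.php in the root) is exactly that arrangement.

```apache
# --- /.htaccess (document root) ---------------------------------------
# Step 2: custom error pages. The path is a URL path below the document
# root, and 401.php must NOT sit inside the password-protected directory.
ErrorDocument 401 /401.php
ErrorDocument 404 /404.php

# --- /catalog/admin/.htaccess (the directory to protect) --------------
# Step 1: HTTP Basic authentication for the admin directory only.
# Assumed path; create the file with:  htpasswd -c /home/example/.htpasswd admin
AuthType Basic
AuthName "osCommerce Admin"
AuthUserFile /home/example/.htpasswd
Require valid-user
```

Basic authentication sends the user name and password with every request in a reversible encoding, so the admin directory should only be reached over HTTPS; the `ErrorDocument` line is what makes Apache hand the failed attempt to the PHP page instead of showing its built-in "Authorization Required" text.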
Waza04 Posted April 26, 2003

Never mind - fixed it!! I HATE HTACCESS!! Right - I'm no longer suffering from stress!!

Warren
M@rcel Posted April 26, 2003

> Never mind - fixed it!!

I'm having the same problem. What did you do to solve it?

Greetings from Marcel
|Current version|Documentation|Contributions|
Waza04 Posted April 26, 2003

I had to put the htaccess in the root and not in a /shop or /catalog sub directory.

Also - I have this problem.... If I go to http://www.server.com/madeupfile.htm - I get my custom 404. If I go to http://www.server.com/madeupfile.php - I get a blank screen!! Why?

Warren
M@rcel Posted April 26, 2003

When I click either link in your previous post, I get the "custom error page". No problem!

I have set the 401-page in all .htaccess files from the root up to the admin directory to no avail. Perhaps the server only reloads the .htaccess files at certain intervals??

Greetings from Marcel
|Current version|Documentation|Contributions|
Waza04 Posted April 26, 2003

www.server.com is not my domain - I used that as an example!!

Warren
Waza04 Posted April 29, 2003

OK - all HTACCESS is working now! However, I still get a blank page on a page that doesn't exist...

Warren
Druide Posted April 29, 2003

> HELP!! I have a problem too now! I have checked and checked the config over and over, however, no matter what I do - it doesn't redirect to my page! I get:
>
> Authorization Required
> This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.
>
> Can anybody tell me why?
>
> Thanks,
> Warren

Read this: http://www.oscommerce.com/forums/viewtopic.php?t=30722

Robert
We all need to learn it once, how hard it may seem when you look at it, also you will master it someday ;)
This topic is now archived and is closed to further replies.