
osCommerce


admin security


Guest


Ok, right now to get to the admin portion of my site, you have to go to www.mysite.com/catalog/admin. Then you have to enter a username and password.

 

Is this enough? I've seen posts saying to move the admin folder to the root. If I do that, what other files do I need to change and how? I can't find any documentation on what php files or others I need to change.

 

Of course, if the password protect is enough, I won't worry about moving...

 

Thanks!


If you have a tough username and a tough password of minimum 8 characters, with $^, 12, AD, ad characters involved, that is pretty much sufficient.


John,

 

In addition to a tough user name/password, go ahead and change the name of the admin directory to something bizarre (helps deter script kiddies from dictionary attacks and wasting your site's bandwidth). Also, in case you have not done it yet, force your admin tool to only talk via https (this assumes you have https) and be sure to only connect to it via https.

 

If you decide to make either of the above changes, you will need to update the admin/includes/configure.php [obviously if you change the name of the directory from 'admin' to something like 'jd902ajr3ofaHF', then the file will reside in jd902ajr3ofaHF/includes/configure.php.]

 

-Bill


I think there is a simple mod for adding password protection to the admin portion of your site. But I wouldn't rely on this for your security control. The best way is to follow the suggestion above: change the admin directory to another obscure name, then make sure you have your configure.php file updated for this.

 

 

If you are using the Apache web server (like many here I'm sure) then read the docs from Apache about utilizing the htpasswd command and inserting the correct attributes into a .htaccess file. You can also do some wonderful things in your Apache configuration file, typically called httpd.conf. In that file you can set your .htaccess settings and place the Deny All rule for accessing a specific directory (your admin directory perhaps) to everyone by default EXCEPT your administrator. The administrator can then be required to have a specific IP address and/or MAC address depending on how you would like to handle it and how paranoid you are about your site's integrity.

 

Again, follow the recommendations listed above for using strong passwords and user IDs.
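One way to put the Apache controls described in this post and the one above into practice, as an added example that is not from the thread: a .htaccess file for the renamed admin directory that forces https, requires an htpasswd login on top of the osCommerce login, and limits access to the administrator's IP address. The directory name, the htpasswd file path and the IP address are assumed placeholders.

```apache
# Added example, not from the thread: .htaccess placed in the renamed
# osCommerce admin directory, e.g. catalog/jd902ajr3ofaHF/.htaccess
# (directory name taken from the thread). Apache 2.4 syntax; on Apache 2.2
# the IP rules are instead "Order Deny,Allow", "Deny from all",
# "Allow from 203.0.113.10".

# 1. Refuse plain http: redirect any non-https request to the https URL
#    (mod_rewrite). Without this the Basic-auth credentials and the
#    osCommerce admin password cross the wire in the clear.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# 2. Extra login in front of the admin tool: HTTP Basic auth against a file
#    kept OUTSIDE the web root (hypothetical path), created with
#    htpasswd -c /etc/apache2/osc-admin.htpasswd alice
AuthType Basic
AuthName "Shop administration"
AuthUserFile /etc/apache2/osc-admin.htpasswd

# 3. Deny everyone by default; allow only requests that come from the
#    administrator's address AND present a valid htpasswd user (both must
#    hold). 203.0.113.10 is a placeholder from the RFC 5737 test range.
<RequireAll>
    Require ip 203.0.113.10
    Require valid-user
</RequireAll>
```

For the .htaccess to take effect the directory needs AllowOverride AuthConfig Limit FileInfo in httpd.conf, or the same directives can go directly into a <Directory> block there as the post suggests.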


In addition to a tough user name/password, go ahead and change the name of the admin directory to something bizarre (helps deter script kiddies from dictionary attacks and wasting your site's bandwidth). Also, in case you have not done it yet, force your admin tool to only talk via https (this assumes you have https) and be sure to only connect to it via https.

 

I haven't got https set up yet but I'm going to get that set up obviously before I go public with the site.

 

If you decide to make either of the above changes, you will need to update the admin/includes/configure.php [obviously if you change the name of the directory from 'admin' to something like 'jd902ajr3ofaHF', then the file will reside in jd902ajr3ofaHF/includes/configure.php.]

 

I'm not sure I understand what to do as far as updating this... what changes do I have to make to the configure.php file?


Your Question:

what changes do I have to make to the configure.php file?

 

My Answer:

(Assumptions: using scenario detailed in this thread)

Look for the lines in the admin configure.php file that have define('DIR_WS_ADMIN') and define('DIR_FS_ADMIN'). Change them to match your new directory like so:

define('DIR_WS_ADMIN', '/jd902ajr3ofaHF/'); // absolute path required

define('DIR_FS_ADMIN', '/[your file server directory path]/jd902ajr3ofaHF/'); // absolute path required

where [your file server directory path] is the path you would use to navigate to the admin directory if you were at the command prompt. That value, if we are sticking with the assumption that you are just changing the directory name and not moving it, is the same value that you have defined in the configure.php for the DIR_FS_CATALOG variable. So, if your admin configure.php had define('DIR_FS_CATALOG', '/var/www/html') then you would make your DIR_FS_ADMIN read like define('DIR_FS_ADMIN', '/var/www/html/jd902ajr3ofaHF/').

