11
Herko
Re: french host banned admin.php
  • 2003/11/28 13:51

  • Herko

  • XOOPS is my life!

  • Posts: 4238

  • Since: 2002/2/4


If I understand correctly, by submitting admin.php to a brute force attack the password can be found. This isn't a XOOPS issue then, because passwords aren't stored in the database verbatim, but encrypted. What's in the db is an MD5 hash value of the user's password. This is why an admin can never retrieve a user password, only reset it.
The solution isn't hiding admin.php (and user.php, because the same goes for the regular login page), but for administrators to choose a difficult password that is less likely to be 'discovered' using a brute force attack.

So IMO the ISP's actions are a bit rash, but understandable. Maybe we can build in some extra security (something like 3 password entries per minute, or similar), making it less vulnerable to a brute force attack.

Herko
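The "3 password entries per minute" idea from the post above, worked through as an added example. This is not XOOPS code; it is a stand-alone throttle I wrote for this page. Everything in it is an assumption for the demonstration: a sliding 60-second window, a limit of 3 failures per account and per client IP, a fake clock so the scenario is repeatable, and a constructed admin account. Passwords are compared against unsalted MD5 hashes only because that is what the thread says XOOPS stored; a slow salted hash is the right choice in new code.

```python
"""Added example (not XOOPS code): throttle failed logins per account and per
client IP. Assumptions: a sliding WINDOW_SECONDS window, MAX_FAILURES failures
in that window blocks further attempts for the same account or IP until old
failures age out. The account, hashes and IPs below are constructed."""
import hashlib
import hmac
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 60
MAX_FAILURES = 3


class LoginThrottle:
    def __init__(self, clock=time.monotonic, window=WINDOW_SECONDS, limit=MAX_FAILURES):
        self.clock = clock
        self.window = window
        self.limit = limit
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures

    def _prune(self, key, now):
        """Drop failures older than the window; return the live deque."""
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_blocked(self, key):
        return len(self._prune(key, self.clock())) >= self.limit

    def record_failure(self, key):
        now = self.clock()
        self._prune(key, now).append(now)

    def record_success(self, key):
        self._failures.pop(key, None)


def md5_hex(password):
    # Unsalted MD5, as the thread says XOOPS stored passwords in 2003.
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def attempt_login(throttle, users, username, password, client_ip):
    """Return 'ok', 'bad_credentials' or 'throttled'.

    The throttle is checked BEFORE the hash comparison, so a locked-out
    attacker learns nothing about the password from a throttled request.
    Both the account key and the IP key are charged for every failure:
    the account key stops a distributed guess against one admin, the IP
    key stops one host spraying many accounts.
    """
    acct_key = "user:" + username
    ip_key = "ip:" + client_ip
    if throttle.is_blocked(acct_key) or throttle.is_blocked(ip_key):
        return "throttled"
    stored = users.get(username)
    if stored is not None and hmac.compare_digest(stored, md5_hex(password)):
        throttle.record_success(acct_key)
        return "ok"
    throttle.record_failure(acct_key)
    throttle.record_failure(ip_key)
    return "bad_credentials"


class FakeClock:
    """Injectable clock so the scenario below is deterministic."""
    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def demo():
    """Constructed scenario: three wrong guesses lock the account; the real
    admin is locked out too (from another IP) until the window drains."""
    clock = FakeClock()
    throttle = LoginThrottle(clock=clock)
    users = {"admin": md5_hex("Tr0ub4dor&3!xyz")}  # constructed account
    results = []
    for guess in ("password", "admin", "123456", "letmein"):
        results.append(attempt_login(throttle, users, "admin", guess, "198.51.100.7"))
    # Correct password, same minute, different IP: still blocked by the account key.
    results.append(attempt_login(throttle, users, "admin", "Tr0ub4dor&3!xyz", "203.0.113.9"))
    clock.advance(WINDOW_SECONDS + 1)
    results.append(attempt_login(throttle, users, "admin", "Tr0ub4dor&3!xyz", "203.0.113.9"))
    return results


if __name__ == "__main__":
    print(demo())
```

The scenario shows the trade-off Herko raises later in the thread: a per-account lock stops the guessing, but it also lets an attacker lock the real admin out at will, which is why the IP key and a short window matter more than a long hard lockout.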

12
tl
Re: french host banned admin.php
  • 2003/11/28 14:47

  • tl

  • Friend of XOOPS

  • Posts: 999

  • Since: 2002/6/23


Herko Coomans wrote:
Quote:

So IMO the ISP's actions are a bit rash, but understandable. Maybe we can build in an extra security (something like 3 password entries per minute, or something similar, making it less vulnerable to a brute force attack).


IMO, XOOPS could implement the following two solutions to better secure the system:

1. As Herko mentioned, the ability to disable user accounts after a certain number of failed logins should be seriously considered.

2. Move admin.php into a separate directory and password-protect it.


Meanwhile, anyone that has problems with admin.php could do two things:

1. Use a better admin password so it cannot be easily cracked. Mind you, any password can be cracked; it's just a matter of time.

2. Add extra protection to your system module directory: password-protect it. A better solution is to deny anyone other than yourself based on IP address. So even if someone were to crack your admin password, he/she could not do much harm to your system. This only applies to Apache.
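The two Apache measures tl describes, written out as an added example. This is not configuration shipped with XOOPS; it is my own fragment for an Apache 2.2 server (the version current when the thread was written). The file paths, the allowed address and the htpasswd location are placeholders.

```apache
# Added example: protect XOOPS admin.php with HTTP Basic auth and/or a
# source-address restriction (Apache 2.2 syntax). Place in the .htaccess of
# the XOOPS web root, or in a <Directory> block in httpd.conf. The server's
# AllowOverride for this directory must include AuthConfig and Limit.
#
# Create the credential file OUTSIDE the document root first:
#   htpasswd -c /etc/apache2/xoops-admin.htpasswd yourname

<Files "admin.php">
    # 1) Password prompt in front of the admin entry point. Basic auth sends
    #    the credentials base64-encoded, not encrypted, so pair it with SSL.
    AuthType Basic
    AuthName "XOOPS administration"
    AuthUserFile /etc/apache2/xoops-admin.htpasswd
    Require valid-user

    # 2) Only the administrator's own address may reach the file at all.
    #    203.0.113.5 is a placeholder; list several "Allow from" lines if
    #    you administer from more than one place.
    Order deny,allow
    Deny from all
    Allow from 203.0.113.5

    # "Satisfy All": a request must pass BOTH the password and the IP check.
    # "Satisfy Any": either one is enough (no prompt from the office IP,
    # password required from everywhere else).
    Satisfy All
</Files>
```

The same directives, without the `<Files>` wrapper, can go in a `.htaccess` inside the system module directory tl mentions, but check first that nothing served to ordinary visitors lives there, or those requests will be challenged too. On Apache 2.4 the access-control half is `Require ip 203.0.113.5` combined with `Require valid-user` inside a `<RequireAll>` (for "both") or `<RequireAny>` (for "either") block, and `Order`/`Deny`/`Allow`/`Satisfy` are no longer used.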




13
Herko
Re: french host banned admin.php
  • 2003/11/28 15:08

  • Herko

  • XOOPS is my life!

  • Posts: 4238

  • Since: 2002/2/4


I'm not sure if we want to add several extra layers of protection to the XOOPS system. I agree that we can add one, but .htaccess password-protected files and folders are a bit too much: every time you access an admin file, you need to enter the password. Restricting access to a single IP address is even worse IMO; it defeats the purpose of having a web-enabled CMS. The whole point is that you can admin your site from anywhere, anytime.

Passwords aren't the safest protection solutions possible, but adding a biometric or certificate protection layer to XOOPS only makes it harder to administrate your site. XOOPS already has the ability to use SSL logins, that should add another layer of security alone.

Let's not overrate this. XOOPS has no security leak; the password system in itself has this by default. Any password-protected site can be attacked by brute force. I do agree that login attempts could be restricted, and we're going to look into this. But I made that point earlier.

Herko

14
DonXoop
Re: french host banned admin.php

If it hasn't been mentioned, wouldn't the PHP directive 'register_globals Off' keep much of the attacks down? You could still get a DoS.

15
Per4orm
Re: french host banned admin.php
  • 2003/11/28 17:59

  • Per4orm

  • Documentation Writer

  • Posts: 145

  • Since: 2003/11/14


I have to agree with Herko that any password protected site will be the subject of brute force attacks, and that is not unique to XOOPS by a long way.

There are a number of things the individual site admin can do to ensure increased security:

1) Change your password on a regular basis.

2) Use passwords which are harder to crack. By this I mean ideally over 12 characters, with a combination of letters in different cases and numbers. Definitely avoid names, dates and dictionary words in any language.

3) Keep the number of users with admin privileges as low as practically possible.

On that note however, there are some things IMHO that may be possible to incorporate into the XOOPS system:

1) After say, 3 consecutive failed login attempts, the admin account is suspended, the password reset and a new password automatically generated and sent to the admin by email.

2) Incorporate the option of site admins having two identities. One is the public username, or pseudonym, that is displayed when the admin is online or makes posts etc. The other is the admin login name that is NEVER displayed on public areas of the site. This way, brute force attacks would have to match a username and password, neither of which they know. With the current system, everyone knows the login of the site admin, so it's only the password that has to be cracked.

Again, just an opinion or two...

Regards,
Gareth

16
Panos
Re: french host banned admin.php
  • 2003/11/28 18:24

  • Panos

  • Friend of XOOPS

  • Posts: 87

  • Since: 2003/3/20


Very well said guys. I fully agree with Herko, that XOOPS is pretty secure on its own, meaning that (as has already been written) it stores the admin passwords in the database as an MD5 hash. Now, it is really difficult for someone to break into a well-secured server, so I will again agree that in most cases (if not all), it is the ISP's fault. After all, we all know how many hosting providers out there do not have the slightest clue about security.

Anyway, 'admin.php' could go into a different directory which, depending on the user of course, could be password-protected. Of course that would make administering one's site a royal PITA, but for some people that would suffice.

17
Angie
Re: french host banned admin.php
  • 2003/11/28 21:30

  • Angie

  • Just popping in

  • Posts: 5

  • Since: 2003/11/27


Hi there :o)

Yes, everything you say is good.
But I want to show you something:

Fine, you put a very fast login on your admin.php; that's not the problem. The problem is: everyone can find out or already knows that the admin of a site uses admin.php to log in. So everyone goes and attacks admin.php.

The problem is, we have many users on one server: 60 users using XOOPS = 60 admin.php = 60 attacks against admin.php.

The problem is not the password; the problem is the attack against admin.php x 60, which brings the server down.

100 Mbps against a server for around 10 hours: I said ouch...


That is the problem.

(So sorry, my English is very bad.)


Kisses from France

18
Panos
Re: french host banned admin.php
  • 2003/11/28 23:29

  • Panos

  • Friend of XOOPS

  • Posts: 87

  • Since: 2003/3/20


Angie, I agree with you but I have some questions to ask as well.

1. Do you really have that many users on a single webserver that are being attacked simultaneously? That is crazy! What is this? An orchestrated attack against XOOPS users on a particular server?!

2. What kind of OS do you use on your webservers? If it is a *NIX flavor OS, then I may be able to look at the issue deeper.

3. Doesn't the same apply to other Nuke scripts as well? Doesn't PostNuke for example use an admin.php file in the root folder as well?

4. What is your connection and what kind of network are you "sitting on"? Can you give me more details on that?

I don't mean to put you off or anything, but your answer has triggered a lot of questions on my part. For example, the remote hosting server that hosts my site also hosts 2145 other websites. I would say that a great deal of them also use a PHP CMS, don't you?

Cheers,
Panos

19
Angie
Re: french host banned admin.php
  • 2003/11/28 23:54

  • Angie

  • Just popping in

  • Posts: 5

  • Since: 2003/11/27


:o)

I'm sitting on a fucking BACKBONE; all servers run Linux.
I do not know all the details of the attack, but I can tell you, if my boss shut down all the admin.php files, it was not for fun.

You know, there are a lot of crazy people on the internet, and I have seen many things that stay in my head.

So my boss has restored all the admin.php files, but he said it's very important to call on your users: security is important.
He tells me that whenever you want you can contact him at his private email (I have it, ask me if you want) and he will give all the information to make things better and all the information that can help you with your development.

(Oh my god, my English is very bad!!!)

Kisses from France

20
Panos
Re: french host banned admin.php
  • 2003/11/29 0:09

  • Panos

  • Friend of XOOPS

  • Posts: 87

  • Since: 2003/3/20


Quote:

Angie wrote:
:o)

I'm sitting on a fucking BACKBONE; all servers run Linux.
I do not know all the details of the attack, but I can tell you, if my boss shut down all the admin.php files, it was not for fun.

You know, there are a lot of crazy people on the internet, and I have seen many things that stay in my head.

So my boss has restored all the admin.php files, but he said it's very important to call on your users: security is important.
He tells me that whenever you want you can contact him at his private email (I have it, ask me if you want) and he will give all the information to make things better and all the information that can help you with your development.

(Oh my god, my English is very bad!!!)

Kisses from France


Ok ok, I didn't mean to get you upset or anything. Now, since you're "sitting" on a backbone, there shouldn't really be a problem. The attack was probably a futile attempt to either gain the admin password (not possible), or erase it and probably gain access to an account so that they could change/delete/modify users, or if they were 'kind' enough, they would only put in an 'index.html' file just to deface the front page.

I know, Angie. I have seen many crazy things myself as well. If your boss could contact us at http://promote-opensource.org my members and I would be happy to offer all the help we possibly can based on our experience with Linux and other *NIX-like OSes.

Oh, and don't worry about your English. English is not my native language either, as isn't for a lot of us here. We both live in Europe so I know exactly what you mean.

Many greets and kisses from Italy too!
