1
PJoshi
Security?
  • 2004/5/31 9:14

  • PJoshi

  • Just popping in

  • Posts: 4

  • Since: 2004/5/27


Hi,

I have run a nuke php site before and it got hacked twice before I implemented an IP access block to my admin module by using the .htaccess file as below:

-----
Limiting access to admin.php or other files to single/multiple ip addresses:

Chmod 000 admin.php etc.. this is nasty though and requires a lot of maintenance.
Add the following directive to the httpd.conf file (where x.x.x.x is your trusted ip address)

Options FollowSymLinks
AllowOverride Limit Authconfig

order deny,allow
deny from all
allow from x.x.x.x x.x.x.n
------

Can I use a similar block in xoops? (eg block access to admin.php to a limited set of ip addresses) and if so which modules / pages should I block?

What other security measures would you suggest?

2
talunceford
Re: Security?

Have you checked out the banning of IP addresses to your site from the admin menu->system admin->preferences->general settings?

Enter IP addresses that should be banned from the site.
Separate each with a |, case insensitive, regex enabled.

^aaa.bbb.ccc will disallow visitors with an IP that starts with aaa.bbb.ccc
aaa.bbb.ccc$ will disallow visitors with an IP that ends with aaa.bbb.ccc
aaa.bbb.ccc will disallow visitors with an IP that contains aaa.bbb.ccc


This approach seems to accomplish the same thing as what you were wanting to do, with less maintenance. Just a thought....


Hope that this helps,

3
tl
Re: Security?
  • 2004/5/31 12:19

  • tl

  • Friend of XOOPS

  • Posts: 999

  • Since: 2002/6/23


Never tried Chmod 000 admin.php

I think .htaccess in modules/system will do the trick. Use a difficult password. Even if the password got cracked, .htaccess [allowed by IP(s)] would prevent the cracker from doing anything to your system. The cracker would have to spoof your IP addresses to get into the system admin.





4
Mithrandir
Re: Security?

Not sure, widowmaker.

Instead of blocking individual IPs, the aim is to only allow admin access to certain IPs.

The main problem in this approach is that XOOPS does not have a single file controlling all aspects of admin access, so it would mean that there should be a .htaccess file in each module's admin folder - OR that a check should be hacked into the cp_header() function in order to check the IP up against a list of allowed IPs.

5
tl
Re: Security?
  • 2004/5/31 12:41

  • tl

  • Friend of XOOPS

  • Posts: 999

  • Since: 2002/6/23


Quote:
The main problem in this approach is that XOOPS does not have a single file controlling all aspects of admin access, so it would mean that there should be a .htaccess file in each module's admin folder - OR that a check should be hacked into the cp_header() function in order to check the IP up against a list of allowed IPs.


It would be nice to use cp_header to check against a whitelist.

I think a single .htaccess in modules/system will block all access to the sub-directory (correct me if I am wrong)

I agree that banning IP is not really useful to protect system directory. It is reactive - it would be too late to ban the hacker's IP once he had already got in. Also, the hacker will use different IPs by hacking into other people's computers. It will be like catching a moving target.
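The whitelist check that posts 4 and 5 talk about hooking into cp_header(), written out as an added example (this is not XOOPS code, and the function name, the list format and the `$_SERVER['REMOTE_ADDR']` wiring are assumptions for illustration). It compares addresses numerically, so a prefix entry such as "12.34.56." cannot accidentally match 112.34.56.7 the way an unanchored substring or regex ban would, and it fails closed on anything that is not a well-formed IPv4 address. It assumes 64-bit PHP 7 or later so that ip2long() and the masks are non-negative integers.

```php
<?php
// Added example, not part of XOOPS: an admin IP allowlist of the kind
// posts 4 and 5 propose putting into cp_header(). Assumes 64-bit PHP >= 7.

/**
 * Return true when $ip (dotted IPv4) matches at least one allowlist entry.
 * Entry forms: exact      "192.0.2.10"
 *              prefix     "198.51.100."   (trailing dot, whole octets only)
 *              CIDR       "203.0.113.0/24"
 * Comparison is numeric, so "12.34.56." never matches 112.34.56.7.
 */
function admin_ip_allowed(string $ip, array $allowlist): bool
{
    $addr = ip2long($ip);
    if ($addr === false) {
        return false;                       // malformed or non-IPv4: fail closed
    }
    foreach ($allowlist as $entry) {
        $entry = trim($entry);
        if (strpos($entry, '/') !== false) {                 // CIDR form
            list($net, $bits) = explode('/', $entry, 2);
            $netAddr = ip2long($net);
            if ($netAddr === false || !ctype_digit($bits) || (int) $bits > 32) {
                continue;                                    // skip a malformed entry
            }
            $bits = (int) $bits;
        } elseif (substr($entry, -1) === '.') {              // octet prefix form
            $octets = explode('.', rtrim($entry, '.'));
            $n = count($octets);
            if ($n < 1 || $n > 3) {
                continue;
            }
            $netAddr = ip2long(implode('.', array_pad($octets, 4, '0')));
            if ($netAddr === false) {
                continue;
            }
            $bits = 8 * $n;
        } else {                                             // exact address
            $netAddr = ip2long($entry);
            if ($netAddr === false) {
                continue;
            }
            $bits = 32;
        }
        // Build a 32-bit network mask from the prefix length and compare the network parts.
        $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
        if (($addr & $mask) === ($netAddr & $mask)) {
            return true;
        }
    }
    return false;
}

/**
 * Illustrative hook: refuse the request outright when the client is not on
 * the allowlist. REMOTE_ADDR is the address the web server itself saw; do not
 * substitute a client-supplied header such as X-Forwarded-For unless your own
 * reverse proxy sets it, because anyone can send that header.
 */
function enforce_admin_ip_allowlist(array $allowlist): void
{
    $client = $_SERVER['REMOTE_ADDR'] ?? '';
    if (!admin_ip_allowed($client, $allowlist)) {
        header('HTTP/1.0 403 Forbidden');
        exit('Administration is not available from this address.');
    }
}

// Constructed sample list using documentation ranges; the real list would come
// from a config file or the XOOPS preferences table, not a literal.
$allowed = ['192.0.2.10', '198.51.100.', '203.0.113.0/24'];
// admin_ip_allowed('198.51.100.77', $allowed) is true, admin_ip_allowed('1198.51.100.77', $allowed) is false
```

A call to enforce_admin_ip_allowlist($allowed) placed at the start of the admin bootstrap would cover every module's admin pages at once, which is the single-point check post 4 says XOOPS lacks; keep the list entries short (exact addresses or octet-aligned prefixes) so the mistake post 5 worries about, banning the wrong range after the fact, cannot turn into allowing the wrong range up front.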




6
Mithrandir
Re: Security?

Quote:
I think a single .htaccess in modules/system will block all access to the sub-directory (correct me if I am wrong)

Yes, but there is admin functionality in modules/news/admin and modules/newbb/admin etc.

7
tl
Re: Security?
  • 2004/5/31 13:53

  • tl

  • Friend of XOOPS

  • Posts: 999

  • Since: 2002/6/23


I hope the admins for news and newbb will not try to hack the system, so they could be added into the allowed IP list.

An integrated whitelist would be great. Do you think it will be coming into XOOPS in the near future?


8
Mithrandir
Re: Security?

Submit it to the Feature Request Tracker and we'll see

9
Dave_L
Re: Security?
  • 2004/5/31 14:20

  • Dave_L

  • XOOPS is my life!

  • Posts: 2277

  • Since: 2003/11/7


Whitelisting by IP address might not be useful unless all the admins have static IP addresses. For example, I have DSL, but don't have a static IP address.

Currently I use an .htaccess file to password-protect access to admin.php. I plan on adding that protection to all the module admin directories. I wonder if there's a way of using a wildcard specification, so that I don't need a separate directive for each module ...

10
tl
Re: Security?
  • 2004/5/31 14:41

  • tl

  • Friend of XOOPS

  • Posts: 999

  • Since: 2002/6/23


Quote:

Currently I use an .htaccess file to password-protect access to admin.php. I plan on adding that protection to all the module admin directories. I wonder if there's a way of using a wildcard specification, so that I don't need a separate directive for each module ...


How did you protect your admin.php using .htaccess?

Since you don't have a static IP, you might want to open up a bit to include a whole sub-set of IPs.

something like
allowed from 12.34.56

With a DSL line, your IP should stay in a range of subset.
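Pulling posts 1, 9 and 10 together, this is what the server-side configuration looks like when written out in one place (an added example, not configuration taken from this thread or from XOOPS). It assumes an Apache 2.2-era server with the site installed under /var/www/xoops and the documentation addresses 192.0.2.10 and 198.51.100.0/24 standing in for the real trusted addresses. `DirectoryMatch` is the wildcard post 9 asks for, one rule covering modules/news/admin, modules/newbb/admin and every other module admin directory; the partial-address form of `Allow from` is the subnet approach post 10 suggests for a DSL line without a static IP; and `Satisfy all` means the password protection Dave_L already uses and the IP restriction must both pass.

```apache
# Added example (not from the thread or XOOPS): httpd.conf fragment for an
# Apache 2.2-era install of XOOPS at /var/www/xoops (assumed path).

<Directory "/var/www/xoops">
    Options FollowSymLinks
    # Only needed if you keep per-directory .htaccess files; with everything
    # in httpd.conf, "AllowOverride None" is the safer choice.
    AllowOverride Limit AuthConfig

    # The front-door admin script: deny everyone, then allow the trusted sources.
    <Files "admin.php">
        Order deny,allow
        Deny from all
        Allow from 192.0.2.10          # one static address (placeholder)
        Allow from 198.51.100          # partial address = the 198.51.100.0/24 pool
    </Files>
</Directory>

# One rule for every module admin directory instead of a .htaccess per module.
# Apache matches the regular expression against the directory's filesystem path.
<DirectoryMatch "^/var/www/xoops/modules/[^/]+/admin">
    Order deny,allow
    Deny from all
    Allow from 192.0.2.10
    Allow from 198.51.100.0/24         # same pool, written in CIDR form

    # Keep the password layer as well, so a stranger inside the allowed range
    # still needs credentials. The password file lives outside the web root
    # and is created with: htpasswd -c /var/www/xoops-htpasswd <username>
    AuthType Basic
    AuthName "XOOPS module administration"
    AuthUserFile /var/www/xoops-htpasswd
    Require valid-user

    # "all" = IP restriction AND password must both pass ("any" would accept either).
    Satisfy all
</DirectoryMatch>
```

DirectoryMatch is a server-config directive, so it goes in httpd.conf rather than in a .htaccess file. On Apache 2.4 the same intent is written with `Require ip 192.0.2.10 198.51.100.0/24` in place of the Order/Deny/Allow lines and a `<RequireAll>` block in place of `Satisfy all`. Be aware that allowing a whole provider pool, as post 10 proposes, means every other customer in that pool is also inside the first barrier, which is exactly why the password layer stays on.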

