xoops forums

Angie

Just popping in
Posted on: 2003/11/27 19:05
Posts: 5
Since: 2003/11/27
#1

Security feat XOOPS

Hi,

I'm a French girl who works for a French hosting service.
I have a problem: we always have brute force attacks against the admin.php pages in your XOOPS.

I have an idea or a question: is it possible, or can you not make modifications to the name of the administration page??

I think: can I not let the administrator choose the name of this page?
I install XOOPS and the system asks me the question: Name for your admin.php??
or
I install XOOPS and the system generates a name and gives me this name on first login when I am admin???

Can you do this?
We have been obliged to ban all admin.php :o( and now all our users cannot administer their XOOPS site ...

Thanks for helping

( sorry for my bad english )


Kisses and greetings from France

Angie

skalpa

Quite a regular
Posted on: 2003/11/27 19:11
Posts: 300
Since: 2003/4/16
#2

Re: Security feat XOOPS

Actually it wouldn't be easy.
But I'll consider this and will check that with you more deeply (check your inbox soon).

Skalpa.

Angie

Just popping in
Posted on: 2003/11/27 19:26
Posts: 5
Since: 2003/11/27
#3

Re: Security feat XOOPS

:o)

Fine!
Thank you very much!!

(I don't know, but after your message I have an irresistible desire to say: I have never said it's been easy ... I am always offering the truth (dixit Morpheus @ Matrix) :op

Quote:

skalpa wrote:
Actually it wouldn't be easy.
But I'll consider this and will check that with you more deeply (check your inbox soon).

Skalpa.

Posted on: 2003/11/27 20:28
DonXoop
Posts: 1171
Since: 2003/11/27
#4

Re: Security feat XOOPS

Bonjour,

Just curious, are these attacks specifically after XoopS itself or just admin.php in general and all virtual servers?

I just got started in XoopS and found a module designed to guard against DoS attacks. Maybe this will help?

An idea for dev, maybe additional ACLs for admin.php like IP? Oh wait, you can do that in Apache confs. You can allow/deny at the server level, virtual server, directory level etc. You'll then only have to deal with valid users that need admin but there is a way. Say that admin.php is blocked at the server as tight as practical (at the server level) and then only allowed to even request critical files if already authenticated and ACL allowed (XoopS level).

Per4orm

Documentation Writer
Posted on: 2003/11/27 20:47
Posts: 145
Since: 2003/11/14
#5

Re: Security feat XOOPS

There is another option, if I may be so bold, that could be considered for the next major release:

Have all the admin files, including admin.php, within a subdirectory of the main installation. Then to access the administrator's area you have to access admindirectory/index.php

This has the added advantage that the admin directory could then also be protected by a .htaccess file if required, doubling the security level.

Regards,
Gareth
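
The server-level restrictions suggested in posts #4 and #5, written out as an added example that is not part of the original thread and is not XOOPS code. It uses Apache 2.4 syntax; the install path, the 203.0.113.0/24 admin network and the password file location are assumptions, and `admindirectory` is the placeholder name used in post #5.

```apache
# Assumed layout: XOOPS installed under /var/www/xoops (constructed path).
<Directory "/var/www/xoops">
    # Post #4: ACL on the admin entry point, enforced by the web server.
    # Requests for admin.php from any other address get 403 before
    # PHP runs, so password guessing never reaches the XOOPS login code.
    <Files "admin.php">
        # Assumed admin network (documentation range); use the
        # addresses your administrators really connect from.
        Require ip 203.0.113.0/24
    </Files>
</Directory>

# Post #5: admin files moved into their own subdirectory, so one
# block (or one .htaccess file) covers the whole admin area.
<Directory "/var/www/xoops/admindirectory">
    AuthType Basic
    AuthName "Site administration"
    # Assumed location; keep the password file outside the
    # document root so it can never be downloaded.
    AuthUserFile "/etc/apache2/xoops-admin.htpasswd"

    # Both conditions must hold: an allowed source address AND a
    # valid HTTP password, in front of the normal XOOPS login.
    <RequireAll>
        Require ip 203.0.113.0/24
        Require valid-user
    </RequireAll>
</Directory>

# On shared hosting, a customer can put the Auth* and Require lines
# of the second block in admindirectory/.htaccess instead, provided
# the host sets "AllowOverride AuthConfig" for that directory.
```

Basic authentication sends the password with every request, so the second block belongs on an HTTPS virtual host.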