TechnoBum
Nuke Soldier
Joined: Feb 18, 2003
Posts: 14
Posted: Tue May 27, 2003 8:18 pm
This is the second time I have come across a forum discussion about renaming the "admin.php" file so that only the admin can get to the login page.
Personally I think this is an excellent idea, but unfortunately it's quite a job to do it right.
In one of the posts I read, the fella went through just about every .php file, short of the lang files, in order to change every instance where the admin.php file is called. Now that's an awful lot of files!
I am writing this post for two reasons:
1 - does anyone here know if there is an EASIER way to hide the admin login page? and,
2 - what would be the possibilities of having an admin option in the config panel, similar to "Edit admin" or "Edit users", that would be "Edit admin.php", where the admin would have the option to rename that file to any other name s/he wishes?
Maybe a coder genius could create an add-on module that could do that.
Maybe such a module already exists?
ArtificialIntel
Joined: Jan 31, 2004
Posts: -88
Posted: Wed May 28, 2003 1:25 am
What's the point? Unless you have an admin username and password, you can't access the admin section even if the login screen is there, so where's the advantage?
If somebody wanted to hack your site, they'd be using a file sniffer and would find it anyway.
AI
el_flynn
Nuke Soldier
Joined: Apr 23, 2003
Posts: 17
Location: Third rock from the sun
Posted: Wed May 28, 2003 1:25 am
What about hiding the admin branch of the code in a separate web directory, and securing that directory through various means (.htaccess, IP/hostname restrictions via the web server itself, etc.)?
That other directory could contain only the admin-specific directories, and the publicly accessible directory could have its admin-related directories removed. The admin-only directory could be made to point to the same DB, etc.
Even better solution: if you're hosting your own site, make the admin directory only internally accessible.
Has anyone tried this approach?
ArtificialIntel
Joined: Jan 31, 2004
Posts: -88
Posted: Wed May 28, 2003 1:39 am
Moving admin.php out of the root directory is a bad move because it still requires re-coding a lot, just as much as renaming it would. You'd have to change all the mainfile calls, all the config calls, all the theme calls, etc.
Putting in an access "deny all" and "allow from ***.***.***.***" is a good idea though (replacing the ***s with the IPs of anybody who should have access). It doesn't work if admins have dynamic IPs, like I seem to have now, though.
AI
TechnoBum
Nuke Soldier
Joined: Feb 18, 2003
Posts: 14
Posted: Wed May 28, 2003 7:27 am
These are great ideas being tossed around here.
I'm gonna do a little experimenting here and see what gives.
Keep the great ideas coming, guys.
el_flynn
Nuke Soldier
Joined: Apr 23, 2003
Posts: 17
Location: Third rock from the sun
Posted: Wed May 28, 2003 12:52 pm
AI, I tried it out and duplicated the code tree into another virtual directory on my local machine. Things seem to be working OK; so far I can do the following on the admin "branch":
- post new stories
- edit existing ones
- post comments
- create new forums
- optimize the DB
I'm assuming that since I can do all these, most of the functions would be working.
On the "public" branch, I renamed the "admin" folder and the admin.php file to admin2 and admin2.php respectively (forgot to mention this in the original post). Things also appeared normal: I can view the changes made and the new stories I posted via the admin branch.
So, taking that one step further, I can now lock down the admin branch with whatever IP restrictions, access files, etc. the web server has.
Maybe you could even kick it up a notch by:
- putting the admin branch somewhere accessible only via your intranet
- putting the admin branch on a totally separate machine on the network (which still needs to have access to the Nuke DB, of course)
- and many other network security tactics that I don't even know about
Anyone out there willing to try this on their production box?
Last edited by el_flynn on Wed May 28, 2003 12:56 pm; edited 1 time in total
ArtificialIntel
Joined: Jan 31, 2004
Posts: -88
Posted: Wed May 28, 2003 12:56 pm
No, the admin branch should be in the same directory tree as the site (as in somewhere off the site root dir) for web server reasons.
You can lock down just admin.php by using a <file ^admin.php> tag in the .htaccess file.
AI
el_flynn
Nuke Soldier
Joined: Apr 23, 2003
Posts: 17
Location: Third rock from the sun
Posted: Wed May 28, 2003 12:59 pm
I replied to AI's post, but then realized I had just put my foot in my mouth. Haha.
Hey, maybe that quote can be another option in the bbcode for people who type faster than they can think...
Tank863
Lieutenant
Joined: Feb 21, 2003
Posts: 195
Location: Philadelphia
Posted: Thu May 29, 2003 11:14 am
I use the .htaccess file to block all other IP addresses from accessing admin.php.
It works: when I try to access the admin from work, I'm blocked out, so I know that anyone else who attempts it will be blocked out...
I hope that my assumption is correct....
Tank863
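The web-server lockdown that el_flynn, ArtificialIntel and Tank863 describe above, written out as an added example; this is not from the thread and not part of PHP-Nuke. Two corrections to the thread's wording: Apache's per-file container is <Files> (exact filename) or <FilesMatch> (regular expression), so a literal <file ^admin.php> would not work, and the second is that an IP allow-list alone fails for the dynamic-IP admin AI mentions, so the example layers HTTP basic auth on top of the IP check rather than replacing it. Apache 2.4 syntax is used (the 2.2-era Order/Deny/Allow form is in a comment); the IP addresses are RFC 5737 documentation ranges and the htpasswd path is my own choice, both to be replaced.

```apache
# Added example (not from the thread, not PHP-Nuke code): an .htaccess in the
# PHP-Nuke web root, i.e. the directory that holds admin.php. Only listed
# source addresses may request admin.php, and they must additionally pass
# HTTP basic auth, so the Nuke admin login form is never reachable from the
# open internet. Apache 2.4 syntax.
# Assumptions: the IPs below are RFC 5737 documentation ranges and the
# htpasswd path is illustrative; replace both.
#
# Apache 2.2 equivalent of the IP part, inside the same <Files> block:
#   Order deny,allow
#   Deny from all
#   Allow from 203.0.113.10 198.51.100.0/24

<Files "admin.php">
    # Both conditions must hold. Two bare Require lines at the same level
    # would be treated as <RequireAny>, where either one alone suffices.
    <RequireAll>
        # Source-address allow-list: one fixed host plus an office /24.
        Require ip 203.0.113.10 198.51.100.0/24

        # Basic auth on top of the IP check, so an admin on a dynamic
        # address still has a control in front of the Nuke login.
        Require valid-user
    </RequireAll>

    AuthType Basic
    AuthName "Site administration"
    # Keep the password file outside the document root so it is never served.
    AuthUserFile /var/www/private/.htpasswd-admin
</Files>

# If every admin is on a dynamic address, drop the 'Require ip' line and keep
# the auth block. If you rename admin.php as the thread discusses, rename it
# in <Files> too, or the restriction silently stops applying. Basic auth only
# base64-encodes the password, so serve admin.php over HTTPS only.
```

Create the password file with `htpasswd -c /var/www/private/.htpasswd-admin <adminname>` and make sure the web root's <Directory> has `AllowOverride AuthConfig Limit`; without that the .htaccess is ignored and nothing is restricted. Then verify the way Tank863 did, but from more than one outside address: a request from an address not on the list must be refused (403, or a 401 challenge if authentication is evaluated first), and a request from an allowed address without credentials must get a 401. In neither case should the Nuke admin login form appear.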