Ravens PHP Scripts: Forums
Ravens PHP Scripts And Web Hosting Forum Index -> Security - PHP Nuke

PunchDrunk
New Member
Joined: Nov 23, 2004
Posts: 1

PostPosted: Tue Nov 23, 2004 9:46 pm

I have a small family site with pictures and news of the family. I get about 3 hits a day. I don't worry too much about security, because I manually back everything up once a week, and a loss of one week would probably be insignificant.

I host this site myself out of my house, but my ISP blocks port 80, so it's on a different port. With all the potential security issues, I am asking if the following approach would be effective in my case.

If I simply delete the admin.php file from the active site, will this effectively block most, if not all, hack attempts? Actually, what I would probably do is create two sites, which contain the same files and access the same database. These would run off different ports, with the one everyone is directed to lacking the admin file. Thus, only by guessing the correct port could you actually access the site with the admin file. This would let me administer the site from work, etc. Sort of a backdoor access point. Perhaps a port scanner could figure that out, but at least it's one extra step.

Alternatively, I could just as easily put the admin in a domain on port 80, and thus you could only get to it via my LAN. That wouldn't be too bad.

So, in summary, does removing the admin.php file, or alternatively the entire admin directory, effectively block hack attempts?

Thanks,

sixonetonoffun
Joined: Jan 02, 2003
Posts: 2496

PostPosted: Tue Nov 23, 2004 10:29 pm

Really, Nuke-Sentinel does a pretty good job when the HTTP auth is enabled. All of the recent admin exploits that I know of have been trapped by it. The worst have been exploits of third-party modules that had allowed either file uploads or write access to local files.

But yes, removing the entire admin directory would eliminate a lot of potential issues. If you haven't checked out the latest of chatserv's patches, you should; there is some alternative code in the admin.php that would enable you to limit access to your own IP, which greatly reduces the risk of intrusion. Again, if you're using Apache you could use .htaccess, something like
<Files admin.php>
order deny,allow
deny from all
allow from localhost
</Files>
or fancier
# regex form: anchor the name and escape the dot so only "admin.php" matches
<Files ~ "^admin\.php$">
order deny,allow
deny from all
allow from localhost
</Files>
Something like that should be as effective as removing the file and a lot more convenient. This would go in the .htaccess of the web root where admin.php normally lives. And then in the /admin/ directory there should already be one with "deny from all" in it.

_________________
openSUSE 11.4-x86 | Linux 2.6.37.1-1.2desktop i686 | KDE: 4.6.41>=4.7 | XFCE 4.8 | AMD Athlon(tm) XP 3000+ | MSI K7N2 Delta-L | 3GB Black Diamond DDR | GeForce 6200@433Mhz 512MB | Xorg 1.9.3 | NVIDIA 270.30
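An added example, not from either poster and not PHP-Nuke's, Nuke-Sentinel's or chatserv's own code: a web-root .htaccess that applies both controls the reply mentions to admin.php at once, an IP restriction and HTTP Basic auth, so that neither a guessed port nor a leaked password is enough on its own. It is written for Apache 2.4 (mod_authz_core) with a fallback in the 2.2 Order/Deny/Allow form used above. The trusted addresses (127.0.0.1 and 192.168.1.0/24), the .htpasswd path and the AllowOverride setting are assumptions.

```apache
# Added example, not from the original thread.
# Assumptions: admin.php sits in the web root, the administrator connects from
# the server itself or from the LAN 192.168.1.0/24, an htpasswd file exists at
# /var/www/.htpasswd (create it with: htpasswd -c /var/www/.htpasswd admin),
# and the web root has "AllowOverride AuthConfig Limit" (or All).

<Files "admin.php">
    # Password prompt for admin.php only; the rest of the site stays public.
    AuthType Basic
    AuthName "PHP-Nuke administration"
    AuthUserFile /var/www/.htpasswd

    # Apache 2.4: RequireAll is a logical AND, so the client must come from a
    # trusted address AND present valid credentials.
    <IfModule mod_authz_core.c>
        <RequireAll>
            Require ip 127.0.0.1 ::1 192.168.1.0/24
            Require valid-user
        </RequireAll>
    </IfModule>

    # Apache 2.2 (current when this thread was written): Order/Deny/Allow does
    # the address check, "Satisfy All" makes the login mandatory on top of it
    # (the default "Satisfy Any" would let a trusted address skip the password).
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
        Allow from 127.0.0.1 192.168.1.0/24
        Require valid-user
        Satisfy All
    </IfModule>
</Files>
```

Two things worth checking after dropping this in: a request for admin.php from an untrusted address should get a 403 before any password prompt appears, and a request from a trusted address should get a 401 until the right credentials are sent. The admin/ subdirectory keeps its own .htaccess with "Deny from all" (2.2) or "Require all denied" (2.4); do not paste the block above into that file, because it only matches requests whose filename is admin.php. For the same reason the rule only gates that one script: if a second copy of the tree is served on another port from a different document root, it needs its own .htaccess, and any other script that performs administrative actions is not covered by a <Files> rule on admin.php.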
Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours