delete admin.php ?? :D

New Member Joined: Aug 05, 2005 Posts: 5

hi i am new at nuke as can be understood from topic Smile

i am using 7,6 and 3,1 patch
sentinel 2,3,2
protector 1,5b2
floodgate 0,9 for security
and cnbya 4,4,2
coppermine 1,3,1a
i wonder whether there occurs any problem for security if i delete admin.php or redirect to mypage.php when i am not using
thanks

Posted: Sun Aug 28, 2005 2:23 pm

You have some options, such as renaming "admin.php" something else. The problem with redirect is that "admin.php" can sometimes still be pulled up. For instances, typing http://www.yourdomain.com/admin.php might redirect to index.php, but http://www.yourdomain.com//admin.php or http://www.yourdomain.com/admin.php/search may still reveal your admin file. I use 7.6 with added security and in the past have had no problem with just removing the admin file when I wasn't using it.

Posted: Sun Aug 28, 2005 2:35 pm

thanks
and what about deleting ? no problem seems i know but ;
will sentinel go on protecting ? its the real matter

Posted: Sun Aug 28, 2005 2:41 pm

I've not run into any problem with Sentinel continuing to protect the site without admin.php. In fact, I use a dummy "admin.php" which redirects to a restricted page. I've had people try to run attacks on the restricted page without getting past Sentinel. Lol, of course, if they stayed on "admin.php" something would happen anyway... Smile

registered · Posted: Sun Aug 28, 2005 3:36 pm

ishadami wrote:

...and what about deleting ?

If you're gonna go this route, you might as well delete 'auth.php' too... Wink

Posted: Sun Aug 28, 2005 6:56 pm

Ouch! Good point! I had forgotten about that. Smile

I'd suggest:

1. Rename admin.php to something hard to guess. You will also have to go into the database and change the nuke_blocks Administration entry to whatever your admin file is named (otherwise everytime you click on anything in the Administration block it will send you to "admin.php" since that filename is coded in the table).

2. If you're comfortable playing a bit with php, create a fake "admin.php" and protect it with redirects, ect... This will give the kiddies something to play with since you're trying so hard to protect it it *must* be the real admin file. Smile

3. The default robots.txt that comes with PHP-Nuke discloses a bit too much. Instead of:

Code:




User-agent: Mediapartners-Google*


Disallow: 


User-agent: *


Disallow: admin.php


Disallow: /admin/


Disallow: /images/


Disallow: /includes/


Disallow: /themes/


Disallow: /blocks/


Disallow: /modules/


Disallow: /language/

Try:

Code:




User-agent: Mediapartners-Google*


Disallow: 


User-agent: *


Disallow: /a 


Disallow: /ad/


Disallow: /im/


Disallow: /in/


Disallow: /bl/


Disallow: /mo/


Disallow: /la/

It will make it a bit harder for snoopers to determine your renamed admin.php while still allowing search engines to index your site.

4. If you suffer from NP (Nuke Paranoia) like me, you can also add some kind of additional tracking to your pages. I use a php-based tracking program that digs for info like IPs hiding behind proxies and such. I use it wherever I want to monitor who is accessing a page, sort of like a highlighter where I need to flag something quickly instead of searching log files.

Lol, welcome to the world of securiing Nuke. Smile

Posted: Mon Aug 29, 2005 3:04 am

thanks a lot
best regards
i am deleting it , i think i am paranoiac although i havent been hacked ;
i cant consider what measusers i will take Smile

if i would be hacked

Posted: Mon Aug 29, 2005 12:35 pm

ladysilver wrote:

3. The default robots.txt that comes with PHP-Nuke discloses a bit too much. Instead of:

Code:




User-agent: Mediapartners-Google*


Disallow: 


User-agent: *


Disallow: admin.php


Disallow: /admin/


Disallow: /images/


Disallow: /includes/


Disallow: /themes/


Disallow: /blocks/


Disallow: /modules/


Disallow: /language/

Try:

Code:




User-agent: Mediapartners-Google*


Disallow: 


User-agent: *


Disallow: /a 


Disallow: /ad/


Disallow: /im/


Disallow: /in/


Disallow: /bl/


Disallow: /mo/


Disallow: /la/

It will make it a bit harder for snoopers to determine your renamed admin.php while still allowing search engines to index your site.

I wouldn't do that for the primary reason that "articles" begins with the letter "a" and thus it's not a great idea. By doing this you are blocking any file or directory that begins with the letter a.

As for /ad/ and the other abbreviated directories, that coding methodology would simply keep robots out of those specific (improperly defined) directories and thus would do nothing as those directories do not exist in nuke.

While there is a fair amount of paranoia about protecting the administration files, the best thing you can do is enable a second level of authentication for access to those files such as NukeSentinel's CGI Authentication scheme. You can also locate those password files at a level above your public_html making them inaccessible to anyone via the web and thus securing those id/passwords AS WELL AS the files that they protect from the prying eyes of hackers and everyone else for that matter.

Doing this will protect your administrative functions, regardless of who the hacker is. If you can't get to the admin.php, it doesn't matter what that file is named, or how it is called.

You don't need to even have NukeSentinel to do this, you can do it all manually in your .htaccess file.

In this example, lets say you are on a shared host and they have a directory structure that looks like this:

/home/ = Default defined root of the server
/home/account-name/ = Default defined root of the customer
/home/account-name/public_html = Default defined location where you upload your nuke files, etc....

By having something like the below in your .htaccess file (which would be located in the directory /home/customer101/public_html/):

Code:

<Files admin.php> 


   <Limit GET POST PUT> 


      require valid-user 


   </Limit> 


   AuthName "Restricted - Authentication Required!" 


   AuthType Basic 


   AuthUserFile /home/customer101/.htpasswords/.htpasswd


</Files>

You would be protecting your admin.php by having seperate 'salt encrypted' ID(s) and password(s) located OUTSIDE of the publicly available webspace in the file .htpasswd in the directory /home/customer101/.htpasswords/

This would protect your admin.php file and any other files or directories that you want to restrict to authenticated only users.

The robots.txt is just a tool to keep the bots out of those files looking for data. It is okay to be specific about what you are removing from scanning because if you protect your administration files with authentication, it doens't matter WHO knows what the names of those files are.

Just a heads-up.
Steph

New Member Joined: Oct 02, 2005 Posts: 8

ladysilver wrote:

1. Rename admin.php to something hard to guess. You will also have to go into the database and change the nuke_blocks Administration entry to whatever your admin file is named (otherwise everytime you click on anything in the Administration block it will send you to "admin.php" since that filename is coded in the table).

Glad I stumbeld upon this thread, because I'm a newbie who just installed my first PHP-Nuke system (7. Cool

and I believe that is exactly what is happening to me.

I renamed admin.php to "MYnewSECRETname.php" (obviously that's not the filename, but you get the idea) and changed config.php to point to 'MYnewSECRETname" and I can log into my administration panel if I manually type in www.MYdomain.com/MYnewSECRETname.php but any time I click on a module to modify it; they still point to "mydomain.com/admin.php?whatever...."

Apparently modifying config.php didn't do the trick fully -- what files do I need to modify to get that "security tweak" working?

Thanks in advance.

Posted: Sun Oct 02, 2005 11:53 am

Turns out the I am a newbie, but not a COMPLETE dummy. I found that some links worked and some didn't (since I installed some modules directly following the 7.8 nuke it occurred to me it was probably the addons I installed that weren't linked properly.

So I went into my /admin folder and changed the /case /links and /modules files for those modules remving references to admin.php and pointing them to SECRETname.php and all is good!

Cheers!

Posted: Sun Oct 02, 2005 7:48 pm

So if you view the source code of those pages it doesnt reveal the link to your renamed admin file?

Posted: Sun Oct 02, 2005 8:44 pm

It didn't... but it did after I was finished making my repairs.