#1
30 Jul 2016, 12:39
kerrghann
Join Date: Jul 2012
Real name: Markis

Better AdminCP/ModCP Security Scripts

So, to start, I'm not exactly sure where to put this. It's something I've worked out for me and my assistant. I'm obsessed with security, to a degree, and I utilize .htaccess and .htpasswd to a high degree on my site.

Generally speaking, I use it to lock down the admincp and modcp (things that an attacker who managed to hijack an account could do serious damage with).

So, this set of PHP files is essentially a dual/redundant password system. I've requested from my staff that they use a password that is DIFFERENT from their forum password to access the admin and moderator control panels.

So basically here we create a custom vbulletin page. I used Lynne's guide that I found here

transcendence.php (forum root)


You'll then want to create your own template for it. I'm including mine as I've done quite a bit of work with it (including the form that you submit with, and allowing only certain usergroups to access it). Dave answered a question I had regarding vBulletin syntax and linked me to this great list that I also feel like sharing!

The easiest way to edit all your templates is to go into debug mode (I have a password set for mine in my vbulletin config file). This allows you to edit the master style and add it to all of your styles at the same time. I'm sure there is an easier way as well and I also must warn you to not mess around with it too much. I accidentally deleted my postbit_legacy and have yet to find a way to get it back...haha... Good thing I don't use legacy...

Anyways, now the template!

transcendence (template)


I made it so only my staff could actually see and use the form on this page by adding in this piece of code:


Just an added precaution.

The form has an action="hash.php"

This is the script I made to hash the password submitted by this form into the APR1 MD5 format. It then automagically appends this hashed password to your .htpasswd file (which should be outside your public_html folder; I keep mine one directory up from it, at ../.htpasswd).

This sounds dangerous right? If someone managed to get an admin/mod account...they could find this page and then simply give themselves a new admincp login, correct? That's why this form ALSO adds a # in front of the line, making it a comment meaning it can't be used until a server administrator opens up the .htpasswd file and removes the comment at the beginning!

This sounds like a bit of work; however, I promise you it's a lot less work than requesting that a staff member hash their password and give you the hashed password, then going into your .htaccess file and adding it, and doing this for all your staff members. It's easier to give them a link to the transcendence.php page and uncomment it once they finish.

The hash.php file goes a step further and also sends you an email whenever someone submits the form. It includes their username, their password, their email, and their IP address.

Now here is the hash.php script, it should be in your forum root with transcendence.php

hash.php (forum root)


Rather than set all the variables in the hash.php file, I've made it so that it parses a config.ini.php file. You can edit most of the variables through it.

Here is the config.ini.php file; it should be in your includes folder. Make sure you call it config.ini.php: the .php at the end is important, as .ini files can be opened and read as plaintext.

config.ini.php (./forumRoot/includes)


Now any directory you want to password protect with .htaccess will require this in the directory:

.htaccess (per directory you want to protect)


You'll also want to decide where you wish to store your .htpasswd file, as stated, I keep mine 1 directory up from my forum. However, my forum is located at www.mywebsitehere.com, if your forum is located at something along the lines of www.mywebsitehere.com/forum/ you'll want to place your .htpasswd file at least 2 directories up (../../.htpasswd). It's important to keep it outside of your public_html/www folders.

That's pretty much it.


Things I'd like to do in the future


Form Verification
I'd like to add form validation in the template, however my javascript seems like it doesn't want to execute. I had this in the head section of my transcendence template:



Check against current vBulletin password Hash
I'd like to write a script that compares the password they requested to their current vBulletin hash. This would, essentially, require me to hash the password they submit twice. First it would hash it in the format that vBulletin 4 uses, then compare it to the one in the database. If it matches, it throws an error and refuses to let them use that password. If it doesn't match, it continues and rehashes their submitted password in the APR1 format. If anyone would like to help me with this, I'd really appreciate it!
Completed!

Well, I do hope this helped someone and I also really hope I put this in the correct place. I felt like contributing something that I found useful and helpful for managing my forum. Please let me know if I committed any sins against grammar/punctuation or if anything in my code is seriously flawed or dangerous.

Much appreciated!
__________________
A Place to create; a place to innovate~

Last edited by kerrghann; 01 Aug 2016 at 09:07.
#2
01 Aug 2016, 09:00
kerrghann
Join Date: Jul 2012
Real name: Markis
Alright, so I've updated this. Basically I looked up the vBulletin 4 hashing algorithm:



And I have my script hash the password that is entered in the vBulletin format. Then it compares it against the database to see if the hashes match. If they match, it returns an error, telling them they can't have the same password. If they don't match, it then hashes their password in the APR1 format and saves it to the .htpasswd file.

The changes I've made are for hash.php and config.ini.php
__________________
A Place to create; a place to innovate~
#3
03 Aug 2016, 16:32
webmastersun
Join Date: Oct 2013
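An added example, not code from the thread (the thread's own hash.php and config.ini.php are not visible here): a self-contained Python version of the mechanism posts #1 and #2 describe. apr1_md5 implements Apache's $apr1$ MD5-crypt variant, the format `htpasswd -m` writes; vb4_hash assumes the md5(md5(password) . salt) scheme vBulletin 3/4 stored and is used only to refuse a panel password equal to the forum password; staged_htpasswd_line builds the commented-out "#user:hash" line that stays inert until an admin removes the "#"; active_users shows which lines Basic auth would actually honour. The user name, the salt and the sample user row are constructed for illustration.

```python
"""Added example (not the thread's hash.php): the mechanism the posts describe.
 apr1_md5 / apr1_verify - Apache's $apr1$ MD5-crypt, the format htpasswd -m writes
 vb4_hash               - assumed vBulletin 3/4 scheme md5(md5(password) . salt)
 staged_htpasswd_line   - the '#user:hash' line that is inert until uncommented
 active_users           - which lines mod_authn_file would actually honour
Names, the sample salt and the sample user row are constructed for illustration."""
import hashlib
import secrets
from typing import Optional

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> str:
    """apr's to64(): `count` digits, least significant 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_md5(password: str, salt: Optional[str] = None) -> str:
    """Return '$apr1$<salt>$<22 chars>' as apr_md5_encode() computes it."""
    if salt is None:
        salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    salt = salt[:8].split("$")[0]            # apr uses at most 8 chars, stops at '$'
    pw, sb = password.encode(), salt.encode()

    ctx = hashlib.md5(pw + b"$apr1$" + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    for left in range(len(pw), 0, -16):      # feed len(pw) bytes of alt
        ctx.update(alt[: min(left, 16)])
    i = len(pw)
    while i:                                 # the odd/even walk from apr_md5.c
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()

    for i in range(1000):                    # 1000 stretching rounds
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sb)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()

    out = ""
    for x, y, z in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[x] << 16) | (final[y] << 8) | final[z], 4)
    out += _to64(final[11], 2)
    return "$apr1$" + salt + "$" + out


def apr1_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt; constant-time compare."""
    if not stored.startswith("$apr1$"):
        return False
    salt = stored[6:].split("$", 1)[0]
    return secrets.compare_digest(apr1_md5(password, salt), stored)


def vb4_hash(password: str, salt: str) -> str:
    """Assumed vBulletin 3/4 scheme: md5(md5(password) . salt), lowercase hex."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def staged_htpasswd_line(user: str, password: str, vb_row: dict) -> str:
    """The line hash.php appends: commented out, so it does nothing until reviewed.

    vb_row stands in for the (password, salt) columns of vBulletin's user table.
    Raises ValueError if the panel password is the forum password (post #2's check).
    """
    if ":" in user or "\n" in user or "\n" in password:
        raise ValueError("user/password would corrupt the htpasswd file")
    if secrets.compare_digest(vb4_hash(password, vb_row["salt"]), vb_row["password"]):
        raise ValueError("panel password must differ from the forum password")
    return "#" + user + ":" + apr1_md5(password)


def active_users(htpasswd_text: str) -> dict:
    """Users Basic auth would accept: blank and '#' lines are ignored."""
    users = {}
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, h = line.partition(":")
            users[user] = h
    return users


if __name__ == "__main__":
    # Constructed sample: a forum user whose vBulletin password is "forum-pass".
    row = {"salt": "Xy9qL2", "password": vb4_hash("forum-pass", "Xy9qL2")}
    line = staged_htpasswd_line("markis", "panel-pass", row)
    print(line)              # "#markis:$apr1$<salt>$<hash>", inert as written
    print(active_users(line), active_users(line[1:]))  # {} then {'markis': ...}
```

Two design choices differ from what post #1 describes: the example never handles or emails the cleartext password beyond hashing it, and it rejects user names containing ":" or newlines, since either would let a submitter write an extra, uncommented line into the .htpasswd file.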
I think it is not a good idea to make the AdminCP/ModCP more secure like this. Let the vB team handle security on their vB CMS rather than doing it with edited code.
__________________
The best webmaster forum & internet marketing forum for webmasters and internet marketers.
#4
03 Aug 2016, 16:35
Dave
Join Date: Jun 2010
Real name: Dave
I would personally just stick to an IP restriction or implement phone two factor authentication.
__________________
https://technidev.com - security, development, exploits, vBulletin
dave[at]technidev[dot]com

Contact me for custom vBulletin 3/4 work & server/website management.
#5
03 Aug 2016, 18:22
kerrghann
Join Date: Jul 2012
Real name: Markis
Originally Posted by webmastersun View Post
I think it is not a good idea to make the AdminCP/ModCP more secure like this. Let the vB team handle security on their vB CMS rather than doing it with edited code.
None of the code is essentially edited. This is an addition to the security that already exists. It essentially uses .htaccess and .htpasswd restrictions (which can be added in addition to the current security measures). It's essentially its own two-factor authentication. It requires your staff to come up with a completely separate password to access the admin panel.

I added this because I think the hashing method that vBulletin uses is a bit too weak and this method allows you to add a bit more security to your admincp and modcp without actually going in and changing the hashing algorithm.

Originally Posted by Dave View Post
I would personally just stick to an IP restriction or implement phone two factor authentication.
I personally restrict access to my staff's accounts by the country they reside in. My Canadian staff can only log into their accounts with a Canadian IP address, my English staff can only connect with an English-based IP address, etc. It's a bit of a hassle when they go out of the country for a bit, but it's workable.

As far as IP restriction goes, however, unless you have a static IP address, yours is bound to change. In addition, IP addresses are fairly easy to spoof. I do like the two factor phone authentication, though.

Thank you both for the input.
__________________
A Place to create; a place to innovate~
Tags
htaccess, htpasswd, kerrghann, php, security