Making your Admincp More secure!
iNRoC (Join Date: Jul 2008, Posts: 151, Clifton, New Jersey)
by iNRoC, 28 Nov 2008

Hi guys, over my relatively short time as an administrator of a few forums, I've learned a few "tricks" that will throw off some of the more "noobish" people who have a desire to hack your forum. I figured I would go ahead and post them.

Trick #1: Rename your admincp folder

This is actually a surprisingly little-known feature of vBulletin. Rename the admincp on your hosting space to anything else; the more random, the better. Open up your config.php inside the /includes/ folder, and find the line containing


and change the variable stored there to your directory's new name. Basically, this will make it so anyone who doesn't know the exact location of your admincp can't find it.

Trick #2: The Dummy Admin Panel

This one goes well with trick #1. Go to your admin panel's login screen, and go to your browser's File -> Save As page, and save the .php file to your HD. Now, open it, edit out the personal data in that admincp (look around the form data for "hidden" fields), and upload it to a directory on your server. Basically, the idea here is to make a non-functional admincp login page, to fool people into thinking they have the right URL when they really don't.

Trick #3: The IP Deny .htaccess

Now, this trick involves knowing all of your admins' IP addresses. If your administrators do not have "rotating" IPs, then you can use a simple .htaccess file to allow only you and your administrators' IP ranges to access the admin panel. Quite an efficient way of safeguarding your admin panel.

Trick #4: A Passworded .htaccess

If your admins do have dynamic IP addresses, there is another .htaccess solution you can use, though this one is a little less secure. Simply create a .htaccess that requires a username and password; this gives double password protection on the panel, making it harder to get in. The downside is, if someone gives out the password, it's useless :/

Trick #5: The Multi Hash

Now this is one you'll have to figure out on your own; it's a little bit tricky to pull off, and PHP/SQL knowledge is required. The current login system for all the users for vBulletin is an MD5 hash, which is encrypted in your SQL database itself. Now, to log in, the system takes your input, encrypts it, and compares it to the result in the database. When hackers use scripts/exploits to try and pull a password from your database, it comes out as a hash, which they then have to run a dictionary attack against (it takes forever to brute force an MD5 password). Now, a few webmasters have found ways to "multi-hash" the login script, so that it would be something like this: user input -> hash -> hash -> hash -> compare result to DB. This effectively hinders any hacker from getting your hash and decrypting it, as a dictionary attack would not work on it.

Trick #6 (Though not a trick at all): Picking your staff

Above all, probably the most important thing to ever remember. Don't be generous with giving Moderator/Admin/cPanel/FTP access. Unless the user is someone you can trust, and has at least a little experience, there's no reason to let anybody in any control panel.

Posted by an administrator of my site. Original post: http://onehitwebdev.com/forum/showthread.php?t=44
Views: 18088
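Tricks #3 and #4 above can be combined in a single .htaccess file in the renamed admin directory. The following is an added example, not from the original post: the directory name, the IP ranges and the password-file path are constructed placeholders, and the syntax is Apache 2.4 (mod_auth_basic, mod_authn_file, mod_authz_host, mod_authz_user), which requires AllowOverride AuthConfig for the directory.

```apache
# Added example: .htaccess for a renamed admincp directory (e.g. /cp_x8k2/).
# Comments must be on their own lines; Apache does not allow trailing comments.

AuthType Basic
AuthName "Staff area"
# Keep the password file OUTSIDE the document root so it can never be served.
# Create it with: htpasswd -B -c /home/example/private/.htpasswd alice
AuthUserFile /home/example/private/.htpasswd

# RequireAll: the client must come from an allowed address AND present valid
# credentials. This is Trick #3 and Trick #4 layered, so a leaked password
# alone (the downside noted in Trick #4) is still not enough.
# If your admins have dynamic IPs, replace <RequireAll> with <RequireAny> to
# accept either check, or drop the "Require ip" line and keep only the password.
<RequireAll>
    Require ip 203.0.113.0/24 198.51.100.7
    Require valid-user
</RequireAll>

# Apache 2.2 equivalent of the IP part, for older hosts:
#   Order deny,allow
#   Deny from all
#   Allow from 203.0.113.0/24 198.51.100.7
#   Satisfy all
```

Basic auth sends the password base64-encoded on every request, so this only adds real protection when the admin panel is served over HTTPS.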
Comments
  #2  
Old 30 Nov 2008, 20:16
Triky
 
Join Date: Mar 2007
Location: [Italy]
Trick #5: The Multi Hash
Can you please post some links to let us understand how we do this?
__________________
I'm italian, I am learning english.. so, please, if you see any errors in my grammar or spelling, let me know via PM. Danke!
  #3  
Old 01 Dec 2008, 04:15
codershark
 
Join Date: Feb 2008
Yes, can you write more about "Multi Hash"? How can I do that?
  #4  
Old 06 Dec 2008, 15:39
iNRoC
 
Join Date: Jul 2008
Real name: Kyle DeMattia
Originally Posted by codershark View Post
Yes, can you write more about "Multi Hash"? How can I do that?
Multi-Hash is not easy at all. It involves knowledge and training in SQL.
  #5  
Old 06 Dec 2008, 16:52
Lynne
 
Join Date: Sep 2004
Real name: Lynne
Nice article! It's so easy to take some steps to make this area of your board more secure, yet many admins don't bother.
__________________
Former vBulletin.org Staff Member

Try a search before posting for help. Many users won't, and don't, help if the question has been answered several times before.
W3Schools -
Online vBulletin Manual
If I post some CSS and don't say where it goes, put it in the additional.css template.
I will NOT help via PM (you will be directed to post in the forums for help.)
  #6  
Old 06 Dec 2008, 21:51
iNRoC
 
Join Date: Jul 2008
Real name: Kyle DeMattia
Originally Posted by Lynne View Post
Nice article! It's so easy to take some steps to make this area of your board more secure, yet many admins don't bother.
It's actually an important step in security. If you do edit the config.php file, it makes it even more secure, because then if someone hacks an admin account, they'll have a harder time finding the admincp.
  #7  
Old 07 Dec 2008, 16:25
jca2112
 
Join Date: Sep 2007
Fake Admin Login page?

Originally Posted by iNRoC View Post
Trick #2: The Dummy Admin Panel
The Dummy Admin Panel seems like a really good idea.

Has anyone made a mod/hack/script along these lines?

For example, a Fake Admin Login page that writes the IP addresses of login attempts to a file and/or email sent to the admin? That would make it easy to be alerted to login attempts and make it easy to ban users/IPs/etc. that go snooping for the Admin Panel.

Unfortunately, that very same idea is essentially an exploit: it could be used to do harm to the real vBulletin admin, by redirecting legitimate login attempts to the Fake Admin Login page in order to capture REAL usernames and passwords.

Is there something like this available that also couldn't be used to do evil things?
  #8  
Old 09 Dec 2008, 17:51
iNRoC
 
Join Date: Jul 2008
Real name: Kyle DeMattia
I'll make you a page for it soon.
  #9  
Old 09 Dec 2008, 21:56
CarlitoBrigante
 
Join Date: Nov 2002
All good ideas, even though the multi-hash thing is the least important of the bunch, in my opinion, especially if you use a password that is very difficult to guess, containing numbers and special chars.

Also, in our experience (we have been PHP coders for nearly 10 years and we often work in the vbulletin.org Paid forums), 95% of the hacked vBulletin sites were hacked through other means completely unrelated to vBulletin. You need to go through all the following; believe me, it is very likely a hacker is using one of the methods below, so any changes to vB would prove worthless.

- Make sure that ALL your server's passwords are VERY difficult to find out. A safe password would be something like "djhdd832gd92@". Check carefully for FTP accounts you have forgotten about; sometimes clients gave out FTP accounts to techs and forgot to remove them.
- Yeah, FTP is also not very secure, so if you can switch to another system like SCP or SFTP, or simply to using an encrypted channel with FTP, do it. Anyhow, in a lot of cases this is difficult or impossible to do (especially on shared servers).
- Change MySQL passwords to something very difficult to guess (this is fundamental on shared servers; I have seen too many 'mickeymouse' and 'test' passwords for MySQL databases!)
- Make 200% sure that direct root login to your server is disabled. Create a wheel account used to log in to the server via SSH (possibly not called admin). Never use telnet (is there still somebody using it these days?).
- Obvious, but remember to always install a firewall (important!) on your server.
- Make sure your server's software is updated. There are gazillions of security holes left open if you do not do so.
- Install a Brute Force Detection system for FTP or shell logins.
- Change periodically all your admin passwords in vBulletin.
- Put the /tmp folder on your server on a separate partition, and make it non-executable (not that useful, but it can stop a bunch of attacks).
- Make sure that you are not using old add-ons with security holes. Check the add-on page on vbulletin.org to see if there are updates. vBulletin.org will also send you notifications via e-mail when a product is updated. Enter a valid and often used e-mail in your vBulletin.org account!
- Check all your files in vBulletin for suspicious versions. There is an option in vBulletin to do this in the ACP. And if you have been hacked, re-upload your vBulletin files, always!
- Make sure that there are no weird scripts in your writable directories.
- If possible at all, avoid writable directories in paths accessible via a web browser. This is often not supported by some hacks or add-ons, even though some popular products (like photoplog) also work perfectly if you specify a path outside the public web directory (using ../ in your path, in the case of photoplog).
- This will be invaluable but is often not implemented, because it takes some server resources and because it can be a pain to admin. But if you have a regular administrator, on Linux, use products like SELinux, grsecurity or AppArmor to protect your server from bad guys. Hardened kernels are also good to have!

There are loads of other things to check, and server security is the first thing to take care of. All the tips above are great and should be followed, but consider them the final part of your security improvements. Security is always a multi-layered thing; each layer alone is completely worthless. Anything in this world, not only computers, is as secure and strong as its weakest part.
__________________
Yes, that's only a nickname! - MagnetiCat.com - Professional development and administration, disaster recovery (also in desperate situations), PHP and Mobile App development.

Last edited by CarlitoBrigante; 09 Dec 2008 at 22:03.
  #10  
Old 09 Dec 2008, 22:39
Milad
 
Join Date: May 2005
Real name: Milad
vBulletin hashes the password twice: md5(salt + md5(password)).
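Milad's post gives the double-MD5 scheme that Trick #5 in the original post calls "multi-hash". The added example below (not from the thread or from vBulletin's code) implements that scheme, shows why stacking fast hashes adds no guessing resistance once the salt is known, and demonstrates the practical fix a defender would apply: verify legacy rows in constant time and transparently re-hash them with a slow, salted KDF on the next successful login. The concatenation order (inner digest then salt) follows vBulletin 3's login code as I recall it; the thread states it the other way round, and nothing here depends on the order. The iteration count and the sample user row are assumptions.

```python
import hashlib
import hmac
import os

# Legacy vBulletin-style scheme from the thread: md5(md5(password) + salt).
# Both MD5 steps are fast and unkeyed, so once the salt is read from the same
# database row, each candidate password costs two MD5 calls: nesting more
# fast hashes only multiplies that small constant, it does not stop guessing.
def legacy_hash(password: str, salt: str) -> str:
    inner = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hashlib.md5((inner + salt).encode("utf-8")).hexdigest()

# Assumption: tune the iteration count so one hash takes ~100 ms on your hardware.
PBKDF2_ITERATIONS = 200_000

def modern_hash(password: str, salt: bytes) -> str:
    """Slow, salted KDF: the cost per guess is what actually hinders dictionary attacks."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return dk.hex()

def verify(record: dict, password: str) -> bool:
    """Check a password against a stored row of either scheme using a constant-time compare."""
    if record["scheme"] == "legacy_md5":
        expected = legacy_hash(password, record["salt"])
    elif record["scheme"] == "pbkdf2_sha256":
        expected = modern_hash(password, bytes.fromhex(record["salt"]))
    else:
        raise ValueError("unknown password scheme: %r" % record["scheme"])
    return hmac.compare_digest(expected, record["hash"])

def login_and_upgrade(record: dict, password: str) -> tuple:
    """Authenticate; on success, migrate a legacy row to the slow scheme.
    Returns (ok, record). The record is returned unchanged on failure, and the
    plaintext is only available here, at login, which is why migration happens now."""
    if not verify(record, password):
        return False, record
    if record["scheme"] == "legacy_md5":
        salt = os.urandom(16)
        record = {"scheme": "pbkdf2_sha256", "salt": salt.hex(),
                  "hash": modern_hash(password, salt)}
    return True, record

if __name__ == "__main__":
    # Constructed sample row: a user still stored with the legacy double-MD5.
    row = {"scheme": "legacy_md5", "salt": "k7Lq3",
           "hash": legacy_hash("correct horse", "k7Lq3")}
    ok, row = login_and_upgrade(row, "correct horse")
    print(ok, row["scheme"])  # True pbkdf2_sha256
```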
  #11  
Old 09 Dec 2008, 23:50
iNRoC
 
Join Date: Jul 2008
Real name: Kyle DeMattia
Thanks, Carlito, for adding to this thread. I should have included all of that.
  #12  
Old 21 Dec 2008, 22:19
haxcommunity
 
Join Date: Jun 2008
Thanks for posting a guide I made everywhere >_<
Real Professional Man
  #13  
Old 24 Dec 2008, 00:04
iNRoC
 
Join Date: Jul 2008
Real name: Kyle DeMattia
I credited you though lol
  #14  
Old 24 Dec 2008, 16:15
TheLastSuperman
 
Join Date: Sep 2008
Real name: Michael Miller Jr
Originally Posted by haxcommunity View Post
Thanks for posting a guide I made everywhere >_<
Real Professional Man
Originally Posted by iNRoC View Post
I credited you though lol
The point is, both of you helped me so thanks!

S-MAN
__________________
Daddy Does Dios and Figs!
https://www.linkedin.com/in/thelastsuperman

Search - Use the search feature to find similar issues/answers.
Information - Include screenshots, copy/pasted error codes, url etc.
Fixed - Please return to your thread/post and let us know how it was fixed!
Thanks - For participating! Click the "Like" on a post if someone helped you!
  #15  
Old 09 Feb 2009, 07:46
ehabfouad22
 
Join Date: Oct 2007
Originally Posted by iNRoC View Post
Trick #2: The Dummy Admin Panel

This one goes well with trick #1. Go to your admin panel's login screen, and go to your browser's File -> Save As page, and save the .php file to your HD. Now, open it, edit out the personal data in that admincp (look around the form data for "hidden" fields), and upload it to a directory on your server. Basically, the idea here is to make a non-functional admincp login page, to fool people into thinking they have the right URL when they really don't.
Hi guys,
Any further details on how to perform that trick? (#2)
After saving the php file as a complete webpage, what should be edited and uploaded?
Many thanks!