Advertisement:

Author Topic: Secure your oc-admin  (Read 7102 times)

aprendiz

  • Newbie
  • *
  • Posts: 7
Secure your oc-admin
« on: November 18, 2012, 02:03:50 am »
Hi! I was triying to secure a little the oc-admin directory.

My idea are some how this:
Code: [Select]
if(!isset($_GET["word"])){
    header("Location: ../");
}

If you enter to domain.com/oc-admin/index.php?word=sometext you can enter, else, you back to root directory

I hope that I am explain this well :)

PD: Sorry my english :S
« Last Edit: November 18, 2012, 02:06:39 am by aprendiz »

_CONEJO

  • Administrator
  • Hero Member
  • *****
  • Posts: 4689
Re: Secure your oc-admin
« Reply #1 on: November 19, 2012, 11:20:11 am »
Hi aprendiz,

That's not a good idea. Since you will need to modify ALL of the links and options in the admin panel to have this new param.

For example, all the links in the admin menu lack of it, also, the login form,.. so you will be able to get the login page, but not to be able to perform login.

I think the admin is secure enough, of course, if some security flaw or improvement appear will fix/add it, but we're using the standard method for it.


Thanks

mytilene

  • Newbie
  • *
  • Posts: 4
Re: Secure your oc-admin
« Reply #2 on: November 19, 2012, 11:27:35 am »
hi,
You can secure by configuring .htaccess, .htpassword in your admin folder.
It'll implement extra layer of security

aprendiz

  • Newbie
  • *
  • Posts: 7
Re: Secure your oc-admin
« Reply #3 on: November 19, 2012, 11:56:00 am »
Thanks for the answers :)

I dont think that osclass isn't secure. But my idea is than nobody can view the admin loguin, and avoid, brute force attacks, etc.. For sure I can edit the .htaccess and add my IP but we are more than 1 admin, and all have dinamyc ips.

I try found some for this, if I found some, I will wrote here :)

Legion

  • Hero Member
  • *****
  • Posts: 622
  • I am founder of top20remedies.com buyeradvise.com
Re: Secure your oc-admin
« Reply #4 on: November 19, 2012, 01:30:35 pm »
guys tell me easiest method to secure i am the only admin for mysite i dont have dynamic ip

_CONEJO

  • Administrator
  • Hero Member
  • *****
  • Posts: 4689
Re: Secure your oc-admin
« Reply #5 on: November 19, 2012, 01:33:43 pm »
guys tell me easiest method to secure i am the only admin for mysite i dont have dynamic ip

Osclass admin is already pretty secure, no need to secure it more, but if you want to do it anyway, go for the .htaccess / .htpasswd method, that will allow you to required a directory password at server level (so two password for entering the admin) and also block or whitelist some  IP's (only your IP could connect to it). Be careful with the last option (ip block/allow), since due to the shortage of IPv4, some ISP will assing the same "public IP" to several of their customers.

Thanks

aprendiz

  • Newbie
  • *
  • Posts: 7
Re: Secure your oc-admin
« Reply #6 on: November 19, 2012, 01:54:46 pm »
Another valid option for me, is activate captcha on login form. With Captcha I am sleep good hahaha

_CONEJO

  • Administrator
  • Hero Member
  • *****
  • Posts: 4689
Re: Secure your oc-admin
« Reply #7 on: November 19, 2012, 02:05:00 pm »
Hi aprendiz,

Captcha will only works on brute force attacks, but again, given that a bot will take 1 second to load the page and try login, and given a password of length 8 (not too long, not too short) it will take 6923519 years (yeah, almost 7 MILLIONS years) to break into your admin panel. So... the attacker should be very dumb to try brute force on that.

Of course, you could add captcha there, but it will only annoy you and not any attacker. Captcha is used to avoid bots and spammer to register/comment/publish/... but not bruteforce.

aprendiz

  • Newbie
  • *
  • Posts: 7
Re: Secure your oc-admin
« Reply #8 on: November 19, 2012, 08:58:48 pm »
Hi aprendiz,

Captcha will only works on brute force attacks, but again, given that a bot will take 1 second to load the page and try login, and given a password of length 8 (not too long, not too short) it will take 6923519 years (yeah, almost 7 MILLIONS years) to break into your admin panel. So... the attacker should be very dumb to try brute force on that.

Of course, you could add captcha there, but it will only annoy you and not any attacker. Captcha is used to avoid bots and spammer to register/comment/publish/... but not bruteforce.

It's true  :D Well.. I am a little worried, but I'm more trusted now :) Thanks for all replys guys ando sorry for my bad english

krishields3

  • Newbie
  • *
  • Posts: 37
Re: Secure your oc-admin
« Reply #9 on: November 20, 2012, 05:31:05 am »
There is this strange thing that happens though... and aprendiz has a valid point.

If a non-logged in user accidentally finds the oc-admin login page, then clicks on the "back to mysite.com" link at the top and tries to login from the main site, if user exists and password is correct, osclass takes that user back to the oc-admin login page rather than the main page. A user has to clear their browser history/cache to fix it. So, it would actually be a good idea for an average user to not be able to accidentally see the oc-admin login page in the first place.
« Last Edit: November 20, 2012, 05:44:56 am by krishields3 »

_CONEJO

  • Administrator
  • Hero Member
  • *****
  • Posts: 4689
Re: Secure your oc-admin
« Reply #10 on: November 20, 2012, 10:47:46 am »
There is this strange thing that happens though... and aprendiz has a valid point.

If a non-logged in user accidentally finds the oc-admin login page, then clicks on the "back to mysite.com" link at the top and tries to login from the main site, if user exists and password is correct, osclass takes that user back to the oc-admin login page rather than the main page. A user has to clear their browser history/cache to fix it. So, it would actually be a good idea for an average user to not be able to accidentally see the oc-admin login page in the first place.

Again, in that case, stick to .htaccess and .htpasswd solution

krishields3

  • Newbie
  • *
  • Posts: 37
Re: Secure your oc-admin
« Reply #11 on: November 20, 2012, 12:54:32 pm »
Some ISP's, such as mine, issue dynamic public IP's and users from different locations can be issued my public IP from yesterday.  It's currently not really a problem for me... but, it could be something that I will be looking into in the future as the number of users grows and thus the probability of that happening also grows...

xinony

  • Newbie
  • *
  • Posts: 17
Re: Secure your oc-admin
« Reply #12 on: January 15, 2013, 03:36:45 pm »
add this code to \oc-admin\login.php line 156 (default: ....)

Quote

 default:
            if(!isset($_GET['word']) || $_GET['word'] != 'sometext')
            {
                 $this->redirectTo( osc_base_url() );
            }

                              
             osc_run_hook( 'init_admin' ) ;
             Session::newInstance()->_setReferer(osc_get_http_referer());
             $this->doView( 'gui/login.php' );


use this: 
Quote
http://domain.com/oc-admin/index.php?page=login&word=sometext
 
for login.

shamim_biplob

  • Full Member
  • ***
  • Posts: 169
Re: Secure your oc-admin
« Reply #13 on: September 09, 2013, 11:25:29 am »
goto oc-includes/osclass/helpers/hDefines.php
change following code
line 61
Code: [Select]
        $path .= "oc-admin/";to
Code: [Select]
        $path .= "ANYTHING/";
And line 81
Code: [Select]
        return(osc_base_path() . "oc-admin/");to
Code: [Select]
        return(osc_base_path() . "ANYTHING/");
And change oc-admin folder name to ANYTHING

All three ANYTHING should be same.

then login to admin http://domain.tld/ANYTHING

nobody will know what is ANYTHING except you. and every url will be correct. Nothing more need to be changed.

Pigeon

  • Sr. Member
  • ****
  • Posts: 498
Re: Secure your oc-admin
« Reply #14 on: April 03, 2014, 02:48:54 pm »
guys tell me easiest method to secure i am the only admin for mysite i dont have dynamic ip

Osclass admin is already pretty secure, no need to secure it more, but if you want to do it anyway, go for the .htaccess / .htpasswd method, that will allow you to required a directory password at server level (so two password for entering the admin) and also block or whitelist some  IP's (only your IP could connect to it). Be careful with the last option (ip block/allow), since due to the shortage of IPv4, some ISP will assing the same "public IP" to several of their customers.

Thanks
my friend, is it possible not to edit (.htaccess) for password, and instead in Cpanel, right-click on (oc-admin) Folder and set password for it???