Secure your oc-admin

[aprendiz]

Hi! I was triying to secure a little the oc-admin directory.

My idea are some how this:

Code: [Select]

if(!isset($_GET["word"])){
    header("Location: ../");
}

If you enter to domain.com/oc-admin/index.php?word=sometext you can enter, else, you back to root directory

I hope that I am explain this well

PD: Sorry my english :S

[_CONEJO]

Hi aprendiz,

That's not a good idea. Since you will need to modify ALL of the links and options in the admin panel to have this new param.

For example, all the links in the admin menu lack of it, also, the login form,.. so you will be able to get the login page, but not to be able to perform login.

I think the admin is secure enough, of course, if some security flaw or improvement appear will fix/add it, but we're using the standard method for it.


Thanks

[mytilene]

hi,
You can secure by configuring .htaccess, .htpassword in your admin folder.
It'll implement extra layer of security

[aprendiz]

Thanks for the answers

I dont think that osclass isn't secure. But my idea is than nobody can view the admin loguin, and avoid, brute force attacks, etc.. For sure I can edit the .htaccess and add my IP but we are more than 1 admin, and all have dinamyc ips.

I try found some for this, if I found some, I will wrote here

[Legion]

guys tell me easiest method to secure i am the only admin for mysite i dont have dynamic ip

[_CONEJO]

guys tell me easiest method to secure i am the only admin for mysite i dont have dynamic ip

Osclass admin is already pretty secure, no need to secure it more, but if you want to do it anyway, go for the .htaccess / .htpasswd method, that will allow you to required a directory password at server level (so two password for entering the admin) and also block or whitelist some  IP's (only your IP could connect to it). Be careful with the last option (ip block/allow), since due to the shortage of IPv4, some ISP will assing the same "public IP" to several of their customers.

Thanks

[aprendiz]

Another valid option for me, is activate captcha on login form. With Captcha I am sleep good hahaha

[_CONEJO]

Hi aprendiz,

Captcha will only works on brute force attacks, but again, given that a bot will take 1 second to load the page and try login, and given a password of length 8 (not too long, not too short) it will take 6923519 years (yeah, almost 7 MILLIONS years) to break into your admin panel. So... the attacker should be very dumb to try brute force on that.

Of course, you could add captcha there, but it will only annoy you and not any attacker. Captcha is used to avoid bots and spammer to register/comment/publish/... but not bruteforce.

[aprendiz]

Hi aprendiz,

Captcha will only works on brute force attacks, but again, given that a bot will take 1 second to load the page and try login, and given a password of length 8 (not too long, not too short) it will take 6923519 years (yeah, almost 7 MILLIONS years) to break into your admin panel. So... the attacker should be very dumb to try brute force on that.

Of course, you could add captcha there, but it will only annoy you and not any attacker. Captcha is used to avoid bots and spammer to register/comment/publish/... but not bruteforce.

It's true  Well.. I am a little worried, but I'm more trusted now Thanks for all replys guys ando sorry for my bad english

[krishields3]

There is this strange thing that happens though... and aprendiz has a valid point.

If a non-logged in user accidentally finds the oc-admin login page, then clicks on the "back to mysite.com" link at the top and tries to login from the main site, if user exists and password is correct, osclass takes that user back to the oc-admin login page rather than the main page. A user has to clear their browser history/cache to fix it. So, it would actually be a good idea for an average user to not be able to accidentally see the oc-admin login page in the first place.

[_CONEJO]

There is this strange thing that happens though... and aprendiz has a valid point.

If a non-logged in user accidentally finds the oc-admin login page, then clicks on the "back to mysite.com" link at the top and tries to login from the main site, if user exists and password is correct, osclass takes that user back to the oc-admin login page rather than the main page. A user has to clear their browser history/cache to fix it. So, it would actually be a good idea for an average user to not be able to accidentally see the oc-admin login page in the first place.

Again, in that case, stick to .htaccess and .htpasswd solution

[krishields3]

Some ISP's, such as mine, issue dynamic public IP's and users from different locations can be issued my public IP from yesterday.  It's currently not really a problem for me... but, it could be something that I will be looking into in the future as the number of users grows and thus the probability of that happening also grows...

[xinony]

add this code to \oc-admin\login.php line 156 (default: ....)

 default:
            if(!isset($_GET['word']) || $_GET['word'] != 'sometext')
            {
                 $this->redirectTo( osc_base_url() );
            }
                              
             osc_run_hook( 'init_admin' ) ;
             Session::newInstance()->_setReferer(osc_get_http_referer());
             $this->doView( 'gui/login.php' );

use this: 

http://domain.com/oc-admin/index.php?page=login&word=sometext

 
for login.

[shamim_biplob]

goto oc-includes/osclass/helpers/hDefines.php
change following code
line 61

Code: [Select]

        $path .= "oc-admin/";to

Code: [Select]

        $path .= "ANYTHING/";
And line 81

Code: [Select]

        return(osc_base_path() . "oc-admin/");to

Code: [Select]

        return(osc_base_path() . "ANYTHING/");
And change oc-admin folder name to ANYTHING

All three ANYTHING should be same.

then login to admin http://domain.tld/ANYTHING

nobody will know what is ANYTHING except you. and every url will be correct. Nothing more need to be changed.

[Pigeon]

guys tell me easiest method to secure i am the only admin for mysite i dont have dynamic ip

Osclass admin is already pretty secure, no need to secure it more, but if you want to do it anyway, go for the .htaccess / .htpasswd method, that will allow you to required a directory password at server level (so two password for entering the admin) and also block or whitelist some  IP's (only your IP could connect to it). Be careful with the last option (ip block/allow), since due to the shortage of IPv4, some ISP will assing the same "public IP" to several of their customers.

Thanks

my friend, is it possible not to edit (.htaccess) for password, and instead in Cpanel, right-click on (oc-admin) Folder and set password for it???