
Adm Control Panel log in


Guest kissybissy


Someone tried to hack my forum from Hong Kong, guessing the password to the control panel. They tried 15 times in a period of three days.

It would be interesting to include in the new version some kind of protection to prevent hackers from accessing the login page of a forum and trying to guess the password?

It would improve the security of many forums, because even though it's difficult to hack a forum just by guessing the password, it's not impossible.


IP.Board does have a good level of protection for the Admin directory currently. You have the ability to change the name of the admin directory (making it very hard for people to find) and you are also able to add htaccess protection to the directory. This means you must enter a totally separate username and password before you even see the regular login page!

That's enough security in my opinion!


If you go into your ACP, click on the Admin tab, and then look for "Rename the 'admin' directory" in one of the colored boxes and click on the Learn More button, they've included a walkthrough of how to change your ACP directory.

Additionally, if you want to add further security, look for "IPB ACP .htaccess Protection" and again click the Learn More button, they have a form that you can use to fill out and set up the .htaccess protection automatically.


Protection against someone putting in the password and logging in is a bit pointless, as that would defeat the purpose of the entire thing. However, there is a blocking feature where, if someone persistently puts in the wrong pass, the account is banned for however long you specify.


Someone tried to hack my forum from Hong Kong, guessing the password to the control panel. They tried 15 times in a period of three days.

It would be interesting to include in the new version some kind of protection to prevent hackers from accessing the login page of a forum and trying to guess the password?

It would improve the security of many forums, because even though it's difficult to hack a forum just by guessing the password, it's not impossible.



I'm afraid what you are suggesting is impossible. The software can't stop people from attempting to login - else no one would be able to. You already have a multitude of options:

--Rename ACP
--Remove link to ACP (only worthwhile if you rename the folder to begin with)
--Brute force locking
--Use a stronger password. If someone is even able to guess your password, it's too weak, period, and there's nothing the software can do to fix that
--Use the .htaccess protection feature built in

I'm sorry, but I honestly can't think of any way to accomplish what you are asking. ;)

I do not believe this to be true for the ACP.



You would be incorrect then. :) Brute-force locking works for both public and backend.

How about making it like wrong password X tries gets banned for X min or X days, and then a script will send some info to the admin email with some IP etc...
In that way the admin can choose to ban the IP for all time or not; if it's the admin himself, he or she may go into MySQL and make a new password :D

I know that PHPNuke Evolution has a mod where you can add your admin and moderator IPs so that you don't get banned yourself...

That's just an idea.


I'm afraid what you are suggesting is impossible. The software can't stop people from attempting to login - else no one would be able to. You already have a multitude of options:



--Rename ACP


--Remove link to ACP (only worthwhile if you rename the folder to begin with)


--Brute force locking


--Use the .htaccess protection feature built in



I'm sorry, but I honestly can't think of any way to accomplish what you are asking. ;)



I didn't think of preventing someone from trying to log in. I thought about enhancing the protection to make it harder for the hackers to be successful, when trying to log in.

Yes, I was told about these features, but they are not default. How about making possible a different username and password for the ACP, by default? We use the same username and password for the forum and for the ACP.

I thought about something easy, cause at first the username and password for the forum and ACP would be the same. But if there was a way to change the username and password for the ACP in the ACP it would be very useful. Something like changing your username and password the way it is now. I don't know if I'm clear enough. Sometimes it's difficult to express what I have in mind.


That seems a bit unnecessary in my opinion, although you could just make another (admin) account for management purposes and just use a normal user account if that's your intention.

Really though, just renaming the directory (and making the one small change in init.php) is more than enough to prevent such attempts from occurring (and is easier to deal with than forcing a completely different username/password login for ACP). Having the installer randomly generating a directory name for the ACP directory could be a useful feature though (although that could possibly create its own issues with updates and such).


I had the same problem today, and yesterday. 18 failed attempts so far, and it actually locked me out of my ACP. Besides waiting, is there any way to avoid this problem? I had to ask someone else with ACP access to unlock my account, not exactly funny.


Thanks, I took a look, but that's far from my knowledge to perform the task. Maybe I should ask for help.




well.. are you sure you have the right job - administering a web forum...?

to be honest, this is just crazy, if you don't even know how to rename a directory or to do some point'n'click configuration inside IP.B. :huh:

How about making it like wrong password X tries gets banned for X min or X days, and then a script will send some info to the admin email with some IP etc...
In that way the admin can choose to ban the IP for all time or not; if it's the admin himself, he or she may go into MySQL and make a new password :D

I know that PHPNuke Evolution has a mod where you can add your admin and moderator IPs so that you don't get banned yourself...

That's just an idea.



That is the brute-force locking which is already available by default in IPB. The only difference is it doesn't email anyone, it simply blocks your account.

I thought about something easy, cause at first the username and password for the forum and ACP would be the same. But if there was a way to change the username and password for the ACP in the ACP it would be very useful. Something like changing your username and password the way it is now. I don't know if I'm clear enough. Sometimes it's difficult to express what I have in mind.




That seems a bit unnecessary in my opinion, although you could just make another (admin) account for management purposes and just use a normal user account if that's your intention.



Really though, just renaming the directory (and making the one small change in init.php) is more than enough to prevent such attempts from occurring (and is easier to deal with than forcing a completely different username/password login for ACP). Having the installer randomly generating a directory name for the ACP directory could be a useful feature though (although that could possibly create its own issues with updates and such).



Exactly - no one is actually forcing you to use the same front end and admin account. You can create a new account for the ACP, only grant it ACP access and no one else, and you have the same result.

The software can't know who is a hacker and who isn't...it's just not possible. We can guess, but guessing never turns out well..

I had the same problem today, and yesterday. 18 failed attempts so far, and it actually locked me out of my ACP. Besides waiting, is there any way to avoid this problem? I had to ask someone else with ACP access to unlock my account, not exactly funny.



You can turn the feature off if you wish. However, the brute-locking is tied to IP Address, so if it locked you out, and you didn't make the 18 attempts, that would indicate those 18 attempts were from your IP address (or IPB saw your IP address when those attempts were made)
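
The per-IP brute-force lockout discussed in this thread, together with the suggested admin alert and trusted-IP list, as an added example that is not IP.Board's code and not part of any post. The class name, thresholds and addresses are assumptions chosen for illustration.

```python
import time
from collections import defaultdict

class LoginThrottle:
    """Per-IP failed-login lockout (hypothetical helper, not IP.Board code)."""
    def __init__(self, max_failures=5, lock_seconds=900, allowlist=(),
                 notify=None, clock=time.time):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.allowlist = set(allowlist)          # trusted IPs are never locked
        self.notify = notify or (lambda ip, count: None)
        self.clock = clock                       # injectable so the demo is deterministic
        self.failures = defaultdict(int)
        self.locked_until = {}

    def is_locked(self, ip):
        until = self.locked_until.get(ip)
        if until is not None and self.clock() >= until:   # lock expired
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            until = None
        return until is not None

    def record_failure(self, ip):
        # Count one bad password; return True if the IP is (now) locked.
        if ip in self.allowlist:
            return False
        if self.is_locked(ip):
            return True                          # no recount, no repeat alert
        self.failures[ip] += 1
        if self.failures[ip] >= self.max_failures:
            self.locked_until[ip] = self.clock() + self.lock_seconds
            self.notify(ip, self.failures[ip])   # one alert per lock
            return True
        return False

def demo():
    # Constructed scenario: 15 bad logins, 10 s apart, from two addresses.
    now, alerts = [0.0], []
    t = LoginThrottle(allowlist={"192.0.2.10"}, clock=lambda: now[0],
                      notify=lambda ip, n: alerts.append((ip, n)))
    for _ in range(15):
        t.record_failure("203.0.113.7")          # unknown address
        t.record_failure("192.0.2.10")           # allowlisted admin address
        now[0] += 10
    locked = {ip: t.is_locked(ip)
              for ip in ("203.0.113.7", "192.0.2.10", "198.51.100.20")}
    now[0] += 900                                # let the 15-minute lock run out
    return locked, alerts, t.is_locked("203.0.113.7")
```

Because the lock is keyed on the address rather than the account, an administrator who shares the address the failed attempts came from is locked out as well, while one connecting from any other address is not.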

I thought about something easy, cause at first the username and password for the forum and ACP would be the same. But if there was a way to change the username and password for the ACP in the ACP it would be very useful. Something like changing your username and password the way it is now. I don't know if I'm clear enough. Sometimes it's difficult to express what I have in mind.


You have two options here, aside from a separate account altogether:
1 - the .htaccess protection. It does the exact same thing, and you have to log in with your forum username/password too!
2 - Display names. Make your display name whatever you want, and your login name different, almost like a secondary password.

Really, as Brandon has said, there's no way a php script can tell who's executing it. Sure you can grab an IP address, but that doesn't say anything about the person sitting at the computer.

well.. are you sure you have the right job - administering a web forum...?



to be honest, this is just crazy, if you don't even know how to rename a directory or to do some point'n'click configuration inside IP.B. :huh:


You don't need to be a genius to run a forum. It helps, but it's not required.

Archived

This topic is now archived and is closed to further replies.
