Rheddy Posted August 5, 2013
One of the things that has always bothered me about the IPS software is the admin login feature. For administrators, when you log into your forum account, to post messages or whatnot on your forums, you use a password to log into your forum account. If someone were to gain access to your password, theoretically, they could use that same password to access your admin control panel and cause unwanted destruction on your forum installation. I'm wondering if IPS has any plans for IPS 4.0 to offer a separate password login method for the ACP, because I think it's short-sighted that the IPS software still uses the same account password for the forum login and the admin control panel login. There should be a different password for the ACP, and the two shouldn't use the same password.
Christian M. Posted August 5, 2013
I think they're doing like a double secure password or something... like salt and md5.
Rheddy (Author) Posted August 5, 2013
I wasn't referring to a double password, but having it set up where the password that you need for the ACP is a different password. While I have my admin account set up with a username that is different from my login username, it's a small piece of security that I'm comfortable with. I've just been uneasy over the fact that the ACP uses the same password as your forum password. I just think that the ACP password login should be different from the forum password. Hopefully, we can see greater security from IPS where it concerns the ACP login method.
Saiga Posted August 5, 2013
> There should be a different password for the ACP, and the two shouldn't use the same password.
Please don't.
opentype Posted August 5, 2013
> I've just been uneasy over the fact that the ACP uses the same password as your forum password.
Then use .htaccess protection for the admin folder. I saved this password in my browser so I am not bothered by it, but should anyone get my regular admin forum login data, they would still not be able to access the ACP.
Axel Wers Posted August 5, 2013
1. Your login password should be strong, like f8D-q1M@oA9!
2. Rename your admin directory (how to, you find in the ACP).
3. Protect your renamed admin directory with a .htaccess file (how to, you find in the ACP).
4. To improve security you can edit the .htaccess file in this way:
order deny,allow
allow from xx.xx
deny from all
Instead of xx.xx you write your IP range. That means only users with those IPs can get the .htaccess login form. If they're outside it, the user gets a 403 server error message.
5. In IP Suite there could be the possibility to use a special admin password. I agree.
unknownax Posted August 5, 2013
> 1. Your login password should be strong, like f8D-q1M@oA9!
> 2. Rename your admin directory (how to, you find in the ACP).
> 3. Protect your renamed admin directory with a .htaccess file (how to, you find in the ACP).
> 4. To improve security you can edit the .htaccess file in this way:
> order deny,allow
> allow from xx.xx
> deny from all
> Instead of xx.xx you write your IP range. That means only users with those IPs can get the .htaccess login form. If they're outside it, the user gets a 403 server error message.
> 5. In IP Suite there could be the possibility to use a special admin password. I agree.
Smart guy, and if you really want to protect yourself you should carry out these steps.
Saiga Posted August 5, 2013
> 1. Your login password should be strong, like f8D-q1M@oA9!
Not necessarily. Take that as you will.
Makoto Posted August 5, 2013
It's best to prevent unauthorized users from accessing your ACP login page to begin with. Start by renaming your admin directory if you haven't already. Seriously, if you're concerned about security, you shouldn't be using a publicly accessible /admin page. Rename it to something unique and something common vulnerability scanners won't be able to find. You can also only allow connections to your admin directory from your IP address or IP subnet through your web server, as described above. But if you really want two different passwords, you should just use web authentication/htpasswd protection. Your next best alternative would be to have a separate Administrator account that you only use for logging into the ACP.
bfarber Posted August 5, 2013
Forcing you to use a different password for the ACP has minimal security benefits in my mind. You achieve the same thing by using .htaccess authorization realistically, and this is handled already. We have expressed interest in exploring two-factor authentication in the future, which I would expect security-conscious admins would make use of, at least for the ACP.
Makoto Posted August 5, 2013
> We have expressed interest in exploring two-factor authentication in the future, which I would expect security-conscious admins would make use of, at least for the ACP.
I wouldn't. My ACP is already far more secure using the above steps. Two-factor authentication isn't needed or even wanted for me when it involves integrating into a third party. Properly securing your server yourself is preferable to relying on a third party two-factor authentication service to keep you safe. You could opt for both if you wanted, but... really. I don't think it's necessary. It could be a useful addition for the front-end though, I'm not denying that.
Ali Majrashi Posted August 5, 2013
You can always use an admin user that can access the admin page and hide him from the public, and create another general admin that can access all of the public side except admin.
Makoto Posted August 5, 2013
> You can always use an admin user that can access the admin page and hide him from the public, and create another general admin that can access all of the public side except admin.
That was one of my above suggestions :tongue:
> Your next best alternative would be to have a separate Administrator account that you only use for logging into the ACP.
I've seen a few people who do actually do that.
Axel Wers Posted August 5, 2013
> Not necessarily.
It's recommended. You are free to use whatever password you want. For example 111 or 123.
Charles (Management) Posted August 5, 2013
Forcing a separate password for the AdminCP accomplishes only one thing: giving you a false sense of security. Your argument is that someone could get an admin's password. If that's true, why couldn't they get both passwords? Also let's not forget that even without AdminCP access someone logged in with an admin/moderator account can do a lot on the front end too, because they have permission to do so. A better approach is via the suggestions given in this topic or using the two factor authentication mods available in the Marketplace.
Rheddy (Author) Posted August 6, 2013
Brandon, anything that improved the security for the admin control panel login would be much appreciated. :thumbsup:
Mark Posted August 6, 2013
> I wouldn't. My ACP is already far more secure using the above steps. Two-factor authentication isn't needed or even wanted for me when it involves integrating into a third party. Properly securing your server yourself is preferable to relying on a third party two-factor authentication service to keep you safe. You could opt for both if you wanted, but... really. I don't think it's necessary. It could be a useful addition for the front-end though, I'm not denying that.
Enkidu Posted August 6, 2013
> Then use .htaccess protection for the admin folder. I saved this password in my browser so I am not bothered by it, but should anyone get my regular admin forum login data, they would still not be able to access the ACP.
Wrong! .htaccess can be bypassed very easily. You should also hide your ACP folder location. But once again a hacker can generate a PHP error and get the path to your ACP.
opentype Posted August 6, 2013
> Wrong! .htaccess can be bypassed very easily.
Not in general. It depends on how the .htaccess protection is specified.
Kyle F Posted August 6, 2013
http://community.invisionpower.com/files/file/3530-sos32-admin-cp-security-password/
Makoto Posted August 6, 2013
I understand that, but I also recommended doing more than just renaming the admin folder :tongue: That's what I was trying to highlight. When only your local IP address can make connections to the ACP, there's no way anyone else should ever be able to make an authentication attempt to start with. Renaming your admin directory is security through obscurity I guess, but configuring your web server to only accept connections from within your network isn't. This isn't a feasible option for everyone though (highly dynamic IPs, needing to access your ACP from public networks when traveling, etc.), and in those situations two-factor authentication can shine. (Though you could also simply only allow connections from localhost and tunnel your connections over SSH.) But you're right, I'm not trying to discredit two-factor authentication.
bfarber Posted August 6, 2013
> Wrong! .htaccess can be bypassed very easily. You should also hide your ACP folder location. But once again a hacker can generate a PHP error and get the path to your ACP.
I'm not sure how .htaccess can be "bypassed", but setting that aside (perhaps it can, I wouldn't call myself an Apache expert)... PHP strongly recommends that you disable display_errors on a production server and instead log errors to an error log file. If you do that, generating a PHP error does not "get the path to your ACP". If this is a concern in your environment, I would start with the basics. http://www.php.net/manual/en/errorfunc.configuration.php#ini.display-errors
> Note: This is a feature to support your development and should never be used on production systems (e.g. systems connected to the internet).
Makoto Posted August 6, 2013
I'm not sure how .htaccess can be "bypassed" either if your server is properly configured. I have seen exploits posted that are designed to intentionally generate errors for IP.Board for this purpose, but as bfarber said, you shouldn't have this enabled on production servers to start with. open_basedir and disable_functions are also worth looking into.
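The pieces recommended across this thread (Axel's IP-restricted .htaccess, Makoto's htpasswd second password, bfarber's display_errors advice) combined into one .htaccess for the renamed admin directory, as an added example that is not from any post here. It uses Apache 2.4 syntax (the order/allow/deny lines quoted above are Apache 2.2), and the htpasswd path, the IP range and the mod_php assumption are placeholders/assumptions you substitute for your own setup.

```apache
# Added example, not from the thread: .htaccess placed inside the renamed ACP
# directory. Assumes Apache 2.4 and that AllowOverride permits AuthConfig and
# Limit here. Placeholders: /path/to/.htpasswd (keep it outside the web root)
# and 203.0.113.0/24 (a documentation range; use your own admin IP range).

# 1. Second password layer, independent of the forum account password.
#    Create the file with: htpasswd -c /path/to/.htpasswd acpuser
AuthType Basic
AuthName "Admin area"
AuthUserFile /path/to/.htpasswd

# 2. Source-IP allow list combined with the password check. Apache 2.4 form of
#    "order deny,allow / allow from xx.xx / deny from all": clients outside the
#    range get a 403 before they ever see the Basic auth prompt, and clients
#    inside it still need valid credentials (both Requires must pass).
<RequireAll>
    Require ip 203.0.113.0/24
    Require valid-user
</RequireAll>

# 3. Do not leak paths in PHP error output; log instead. These php_flag lines
#    only take effect under mod_php (assumption); with PHP-FPM set
#    display_errors=Off and log_errors=On in php.ini or the pool config.
php_flag display_errors Off
php_flag log_errors On
```

Caveat for the bypass discussed below: a per-directory .htaccess applies only to requests whose filesystem path resolves inside that directory, so a route that reaches admin code through another script (for example via PATH_INFO on a front controller) is not covered by it; such routes have to be restricted in the application or in the server configuration at the front-controller level.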
Enkidu Posted August 6, 2013
During the times of 3.2, we used to do website/index.php/admin to bypass the .htaccess password on the admin folder, but haven't tried it since.