Posted January 10, 2021
I've noticed that the same password you use on your account is used on the AdminCP, which means someone can get full admin access to the site just by finding out your user password. I was wondering if anyone has any ideas for some extra good security measures when it comes to that (extra auth or something). Thanks.
January 10, 2021
Enable 2FA. Use different accounts - one with no Admin privileges for the front-end, one for the ACP - with different passwords.
Edited January 10, 2021 by Nathan Explosion
January 10, 2021 (Author)
Nathan Explosion said: Enable 2FA. Use different accounts - one with no Admin privileges for the front-end, one for the ACP - with different passwords.
Are there any extra authentication settings? Like authenticating to your account/admin panel using Google Auth or something like that?
January 10, 2021
Nathan Explosion said: Enable 2FA.
6ichem said: Like authenticating to your account/admin panel using Google Auth or something like that
Log in to your ACP, type "2fa" into the search bar, and click the result.
Edited January 10, 2021 by Nathan Explosion
January 10, 2021 (Author)
Nathan Explosion said:
I mean extra authentication here instead of just username/pwd:
January 10, 2021
No. "I've noticed that the same password you use on your account is used on the AdminCP, which means someone can get full admin access to the site just by finding out your user password." So don't use the same account for front-end and back-end. Or protect your account by ADDING A SECOND FACTOR OF AUTHENTICATION, as mentioned.
January 10, 2021 (Author)
Nathan Explosion said: No. "I've noticed that the same password you use on your account is used on the AdminCP, which means someone can get full admin access to the site just by finding out your user password." So don't use the same account for front-end and back-end. Or protect your account by ADDING A SECOND FACTOR OF AUTHENTICATION, as mentioned.
Yup, I've done those steps already. Gonna change the admin login directory as well, instead of domain.com/admin.
January 10, 2021
Some additional steps could be limiting access via your web server to certain known IP addresses or ranges and implementing HTTP authentication. 2FA for certain as a minimum.
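An added example of the two web-server measures suggested above (an IP allowlist plus HTTP authentication in front of the ACP directory), written for Apache 2.4. This is not code from the thread or from Invision Community; the directory name, the htpasswd path and the address ranges are assumptions.

```apache
# Assumed location: <docroot>/admin/.htaccess on Apache 2.4 (the IPS ACP sits
# in /admin by default; adjust if the directory has been renamed).
# Needs mod_auth_basic and mod_authz_core, and the vhost must allow
# "AllowOverride AuthConfig Limit" for this directory.
# Addresses below are RFC 5737 documentation ranges, i.e. placeholders.

# Weak form: the Apache 2.4 default for a vhost, anyone on the internet can
# reach the ACP login page and start guessing.
#   Require all granted

# Hardened form: the client must come from a known range AND present valid
# HTTP Basic credentials before the ACP's own login (and 2FA) is even shown.
AuthType Basic
AuthName "Restricted area"
# Create the file outside the document root, bcrypt-hashed:
#   htpasswd -B -c /etc/apache2/acp.htpasswd <username>
AuthUserFile /etc/apache2/acp.htpasswd

<RequireAll>
    Require valid-user
    <RequireAny>
        Require ip 203.0.113.0/24
        Require ip 198.51.100.7
    </RequireAny>
</RequireAll>
```

Two caveats before relying on this. Basic auth only base64-encodes the credentials, so the ACP must be served over HTTPS only, or the extra password leaks on every request. And if the site sits behind a reverse proxy or CDN, `Require ip` sees the proxy's address, not the visitor's; without mod_remoteip configured (RemoteIPHeader plus RemoteIPTrustedProxy for the proxy ranges) you will either lock yourself out or allow everyone coming through the proxy. Test the rule from a second browser or a phone before closing the session you used to write it.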
January 11, 2021
Also, another good measure would be to hide the ACP link from your theme and name the ACP folder a random string.
January 11, 2021
Moving your admin directory, htaccess and removing the link from your theme are archaic and proven to be meh in this day and age. Google Auth 2FA is enough to secure your account. The person would actually need access to your Google Auth account, password and backup password to even begin to log in to your ACP. Hiding an ACP is at best a "deterrent" and never a real solution. Additionally, the ACP link is ONLY given to those that have an administrative-level account (so they have an account that can access the ACP). I'll be honest, if 2FA isn't enough for you, then you are really going outside of the box. Who is in your personal data far enough that you are worried that 2FA isn't enough? It sounds like you're going through extreme measures to solve an already solved problem.
January 11, 2021
I'd totally recommend moving the default ACP directory. Security through obscurity is not a wonderful thing to rely on, but in concert with two-factor authentication, separate administrative logins, limiting IP ranges, setting HTTP authentication in addition, etc., you have multiple layers across multiple products to help protect things. Security is all about layering protections, and it's a good question to raise and discuss. Some other solutions, like Magento as an example, randomize the path to the administrative area. What you don't want to happen is for an exploit for IPB to be identified, and then some automated script hits the known URL for the administrative login (or to leave a path that makes trying to guess your login over time by automated tools an easy task). You can do things like mark connections that try to access the default path to your ACP as suspect and block further access through your firewall solution, as another example. Nothing should be trying to log in there except for those people that you've provisioned, so anything that hits it can be safely blocked from accessing anything further.
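The last idea in the post above, treating any request for the retired default ACP path as a probe and blocking the source at the firewall, as an added example in Python. This is not Invision Community code or anything from the thread. It assumes the ACP directory has already been renamed away from /admin (so no provisioned admin will ever request it again), that the web server writes Apache/nginx combined-format access logs, and that blocking is done with ipset and iptables; the set name, the allowlisted operator range and the sample log lines are all made up.

```python
"""Flag clients that request the retired default ACP path and emit firewall
commands to drop their further traffic. Added example, not Invision Community
code. Assumes the ACP now lives somewhere other than /admin/, combined-format
access logs, and ipset + iptables for enforcement (set names are assumptions).
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Retired default ACP location. After the rename nothing legitimate asks for it.
DECOY_PREFIX = "/admin"

# Operator networks that must never be blocked, whatever they request
# (a safety net against locking yourself out). Placeholder range from RFC 5737.
ALLOWLIST = [ip_network("203.0.113.0/24")]

# Combined log format:
# host ident user [time] "METHOD path proto" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def is_decoy_hit(path):
    """True for /admin itself or anything below it; the query string is ignored.
    An exact or "/admin/" prefix test is used so /administrator/ does not match."""
    path = path.split("?", 1)[0]
    return path == DECOY_PREFIX or path.startswith(DECOY_PREFIX + "/")


def is_allowlisted(addr):
    """True if the parsed address falls inside an operator network."""
    return any(addr in net for net in ALLOWLIST)


def suspect_ips(log_lines):
    """Return {ip: hit_count} for non-allowlisted clients touching the decoy path."""
    hits = defaultdict(int)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:                # malformed or truncated line: skip, never crash
            continue
        try:
            addr = ip_address(m.group("ip"))
        except ValueError:           # hostname logged instead of an address: cannot firewall it
            continue
        if is_decoy_hit(m.group("path")) and not is_allowlisted(addr):
            hits[str(addr)] += 1
    return dict(hits)


def block_commands(ips, setname="acp_decoy"):
    """ipset/iptables commands that drop all further traffic from the flagged
    hosts. IPv4 and IPv6 need separate sets and separate iptables binaries.
    The -C/-I pair adds the DROP rule only if it is not already present."""
    v4 = sorted(ip for ip in ips if ip_address(ip).version == 4)
    v6 = sorted(ip for ip in ips if ip_address(ip).version == 6)
    cmds = []
    if v4:
        cmds.append(f"ipset create {setname} hash:ip -exist")
        cmds.append(f"iptables -C INPUT -m set --match-set {setname} src -j DROP 2>/dev/null"
                    f" || iptables -I INPUT -m set --match-set {setname} src -j DROP")
        cmds += [f"ipset add {setname} {ip} -exist" for ip in v4]
    if v6:
        cmds.append(f"ipset create {setname}6 hash:ip family inet6 -exist")
        cmds.append(f"ip6tables -C INPUT -m set --match-set {setname}6 src -j DROP 2>/dev/null"
                    f" || ip6tables -I INPUT -m set --match-set {setname}6 src -j DROP")
        cmds += [f"ipset add {setname}6 {ip} -exist" for ip in v6]
    return cmds


# Constructed sample log lines (RFC 5737 / RFC 3849 addresses), not a real log.
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Jan/2021:14:02:11 +0000] "GET /admin/ HTTP/1.1" 404 512 "-" "curl/7.74.0"',
    '198.51.100.23 - - [10/Jan/2021:14:02:12 +0000] "POST /admin/index.php?adsess=x HTTP/1.1" 404 512 "-" "curl/7.74.0"',
    '203.0.113.5 - - [10/Jan/2021:14:03:01 +0000] "GET /admin/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [10/Jan/2021:14:03:30 +0000] "GET /index.php?/forums/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [10/Jan/2021:14:03:31 +0000] "GET /administrator/ HTTP/1.1" 404 512 "-" "Mozilla/5.0"',
    '2001:db8::1 - - [10/Jan/2021:14:04:00 +0000] "GET /admin HTTP/1.1" 404 512 "-" "python-requests/2.25"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    flagged = suspect_ips(SAMPLE_LOG)
    for ip, n in sorted(flagged.items()):
        print(f"{ip}: {n} hit(s) on {DECOY_PREFIX}")
    print("\n".join(block_commands(flagged)))
```

On the sample input the allowlisted 203.0.113.5 and the /administrator/ request are ignored, 198.51.100.23 and 2001:db8::1 are flagged, and the printed ipset/iptables lines can be piped to a shell by a cron job that feeds the script the last rotation of the access log. The allowlist is the important edge case: put every range your own admins come from in it before you let the output touch the firewall, and check `ipset list acp_decoy` after the first run. Behind a reverse proxy or CDN the logged host is the proxy, so the real client address must be logged (via the forwarded-for header the proxy sets) before this is useful.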