PoC2 Posted November 12 Posted November 12 The page said to come here. 🙂 So will this be an automatic change on upgrade or will I need to do something with my current AdminCP location beforehand? Out of interest, why has this facility been changed for V5? Many thanks.
Jim M Posted November 12 Posted November 12 We would recommend removing the constant and ensuring the admin folder is uploaded. Other than that, no modification is needed. 1 hour ago, PoC2 said: Out of interest, why has this facility been changed for V5? Security through obscurity isn't the best method of security. Now with such advancements with Multi-Factor Authentication, it's not really necessary and is just bulk in our codebase.
PoC2 Posted November 12 Author Posted November 12 10 minutes ago, Jim M said: Security through obscurity isn't the best method of security. It's still a very good additional one. Nature uses it A LOT.
Randy Calvert Posted November 12 Posted November 12 (edited) 2 hours ago, PoC2 said: It's still a very good additional one. Nature uses it A LOT. You can also use a firewall or htaccess to limit access via IP address. Simply renaming it does not help stop any kind of real attack. Web scanning tools can find renamed folders relatively easily in today's world. If you really want to protect the ACP more, use 2FA and a firewall to limit access. Edited November 12 by Randy Calvert
Jim M Posted November 12 Posted November 12 21 minutes ago, PoC2 said: Already have those as well. Would not be concerned then with this change as you already deploy more secure methods than this could offer.
Daddy Posted November 13 Posted November 13 11 hours ago, Jim M said: Security through obscurity isn't the best method of security. Now with such advancements with Multi-Factor Authentication, it's not really necessary and is just bulk in our codebase. If this is the case, why did Invision change their admincp location from default?
riko Posted November 13 Posted November 13 "We would recommend removing the constant and ensuring the admin folder is uploaded." I remember somewhere to have hidden the admin folder at some point, somehow. My question would be how and where do I undo this (Also when?) and where exactly is this remove setting for this "constant"?
Marc Posted November 13 Posted November 13 2 hours ago, riko said: "We would recommend removing the constant and ensuring the admin folder is uploaded." I remember somewhere to have hidden the admin folder at some point, somehow. My question would be how and where do I undo this (Also when?) and where exactly is this remove setting for this "constant"? Its set in your constants.php file 4 hours ago, Daddy said: If this is the case, why did Invision change their admincp location from default? While I appreciate the attempt, you're actually incorrect. Just because you cant access it, doesnt mean its not present Jim M 1
Daddy Posted November 13 Posted November 13 13 hours ago, Marc said: While I appreciate the attempt, you're actually incorrect. Just because you cant access it, doesnt mean its not present I mistook the default for admincp instead of just admin. My mistake on that one. But regardless of the point, security through obscurity is a fantastic layer of security and one that should not be removed. Sure, you can block the page in your firewall or Cloudflare rules, but there's no easy way to make this dynamic. Anytime you add or remove a user with ACP access, you now have to whitelist their IP, many of which are dynamic and change every other day. It’s simple enough to keep and is especially useful for adding an extra layer of security to your suite. If you truly think obscurity isn’t a secure measure, let me introduce you to steganography! (Directed at Jim)
Randy Calvert Posted November 14 Posted November 14 21 hours ago, Daddy said: If this is the case, why did Invision change their admincp location from default? They’re using a firewall to restrict access to the resource. This is MUCH more secure than simply renaming the folder.
Marc Posted November 14 Posted November 14 9 hours ago, Daddy said: I mistook the default for admincp instead of just admin. My mistake on that one. But regardless of the point, security through obscurity is a fantastic layer of security and one that should not be removed. Sure, you can block the page in your firewall or Cloudflare rules, but there's no easy way to make this dynamic. Anytime you add or remove a user with ACP access, you now have to whitelist their IP, many of which are dynamic and change every other day. Which is why we advise on 2 factor authentication. Although, I have to be honest, if you have that many coming and going admin, you have more issues with security than hiding a folder 9 hours ago, Daddy said: If you truly think obscurity isn’t a secure measure, let me introduce you to steganography! (Directed at Jim) Stenagraphy - Noun - the practice of concealing messages or information within other nonsecret text or data. I'm not actually sure the defininition of Stenagraphy states it is a secure measure. However, lets skip past that part and assume it absolutely is. What my colleague stated was "Security through obscurity isn't the best method of security." This is not in any way the same sentence as "security isnt a secure measure". Its probably not wise to misquote people, as it can cause confusion for others, and lead them believe we have said things that we actually haven't. What Jim said there is correct. Its not the best method of security. No matter whether or not you want to have security by obscurity or not, it doesn't make it the best method. Listen, we get it. You would prefer to have this option. However this has now already been removed in version 5, and we advise on 2 factor authentication. Jim M 1
Management Matt Posted November 14 Management Posted November 14 Invision Community 5 is a fresh start on many things, and we wanted to remove a lot of old features with roots back into the early 2000s. Security through obscurity was pretty much all we had back then, but now there are better tools including firewalls, 2FA and VPN/IP address restriction. I'd always recommend 2FA for all admin accounts. Just hiding the admin folder is a weak way to secure it. It means that if you accidentally paste the link, or it appears as a referrer in access logs or someone figures out the folder name then you've lost that element of security. It's a bit like locking the door and placing the key under the plant pot. I know all these changes can be overwhelming which is why we're making every effort to communicate them to you and give you as much runway as possible to migrate over. Gary, Marc and Jim M 3
Daddy Posted November 14 Posted November 14 1 hour ago, Marc said: Which is why we advise on 2 factor authentication. Although, I have to be honest, if you have that many coming and going admin, you have more issues with security than hiding a folder Stenagraphy - Noun - the practice of concealing messages or information within other nonsecret text or data. I'm not actually sure the defininition of Stenagraphy states it is a secure measure. However, lets skip past that part and assume it absolutely is. What my colleague stated was "Security through obscurity isn't the best method of security." This is not in any way the same sentence as "security isnt a secure measure". Its probably not wise to misquote people, as it can cause confusion for others, and lead them believe we have said things that we actually haven't. What Jim said there is correct. Its not the best method of security. No matter whether or not you want to have security by obscurity or not, it doesn't make it the best method. Listen, we get it. You would prefer to have this option. However this has now already been removed in version 5, and we advise on 2 factor authentication. I'm not trying to beat anyone up over this, but I don't see how the coming and going of those with admin access is relevant to security. Not everyone with ACP access has full access. We utilize the in-depth permission system to give team members certain scopes to work with. But even with a small team that rarely changes, their IP will change quite often, which means using a firewall to block access will be impossible without some type of custom integration. 2FA does solve the problem, but I (and I'm sure others) would prefer not to have the page accessible to anyone. Given IPS is a well-known software, the default location is easily accessible and is a very common path that many other CMS's use. It would make me feel better being able to set a unique name so people can't stumble upon it, even if it's secure. Was there any particular reason this feature had to go? I agree it didn't make much sense in regards to security, but it didn't hurt? I feel like the usefulness of this was underestimated when this was decided upon. The lack of a deprecation warning until now seems a bit odd as well. Surely this is going to be overlooked up until IPS5.
Stefan Johansson_72643 Posted November 15 Posted November 15 On 11/12/2024 at 6:12 PM, Jim M said: We would recommend removing the constant and ensuring the admin folder is uploaded. Other than that, no modification is needed. Security through obscurity isn't the best method of security. Now with such advancements with Multi-Factor Authentication, it's not really necessary and is just bulk in our codebase. I have also have an alternate path for the admin folder... How do I revert this change? Can I just rename the admin folder to "admin"? I was browsing the config settings in the dashboard and could not find a path..
Square Wheels Posted November 15 Posted November 15 10 minutes ago, Stefan Johansson_72643 said: I have also have an alternate path for the admin folder... How do I revert this change? Can I just rename the admin folder to "admin"? I was browsing the config settings in the dashboard and could not find a path.. It's also listed in constants.php.
Jim M Posted November 15 Posted November 15 12 minutes ago, Stefan Johansson_72643 said: I have also have an alternate path for the admin folder... How do I revert this change? Can I just rename the admin folder to "admin"? I was browsing the config settings in the dashboard and could not find a path.. On 11/12/2024 at 12:12 PM, Jim M said: We would recommend removing the constant and ensuring the admin folder is uploaded. Other than that, no modification is needed. The constant is in the constants.php file on your server. Once you remove that constant, you can simply rename the admin folder or re-upload from the Client Area. Stefan Johansson_72643 1
Marafa Posted November 15 Posted November 15 On 11/12/2024 at 8:06 PM, PoC2 said: So will this be an automatic change on upgrade or will I need to do something with my current AdminCP location beforehand? Same Question here
Jim M Posted November 15 Posted November 15 30 minutes ago, Marafa said: Same Question here 4 hours ago, Jim M said: The constant is in the constants.php file on your server. Once you remove that constant, you can simply rename the admin folder or re-upload from the Client Area. Marafa 1
riko Posted Sunday at 09:10 AM Posted Sunday at 09:10 AM Hmm, the question was if it's automated, not where it is and how to change it. But I think I can safely say it's not automated. @marafa , @Stefan Johansson_72643 My thought about this is, if you rely on it, only change it back just before you are going to upgrade to v5. @Jim MI understand that being in possesion of all the in and outs of this software makes certain questions seem rather obvious. But myself not being of the technical branch, fiddeling around with code or other severly sensitive items Invision Community forum software wise, makes me always very nervous. Afraid I f* up, I rather touch nothing until I'm absolutely sure I won't fork up my forum. And even then I'm hessitant. It's something I notice with your help guides. They often start at "H" and end on "P" and everything before or after that is, I guess, assumed obvious. But for me I'm left with even more questions than I started with. It leaves large parts of this software for me unused as the help guides, don't tell the whole story from A to Z, but merly touch upon things.
KT Walrus Posted Sunday at 01:24 PM Posted Sunday at 01:24 PM (edited) I would prefer if I could place the admin panel on its own subdomain. Much better for security when using Cloudflare One and deploying Zero Trust for the admin domain. https://www.cloudflare.com/case-studies/cloudflare-one/ Edited Sunday at 01:34 PM by KT Walrus
Jim M Posted Sunday at 02:12 PM Posted Sunday at 02:12 PM 4 hours ago, riko said: @Jim MI understand that being in possesion of all the in and outs of this software makes certain questions seem rather obvious. But myself not being of the technical branch, fiddeling around with code or other severly sensitive items Invision Community forum software wise, makes me always very nervous. Afraid I f* up, I rather touch nothing until I'm absolutely sure I won't fork up my forum. And even then I'm hessitant. Would recommend using our Cloud and not worrying about making configuration changes if making changes makes you that nervous 🙂 . Self-hosted is really self-managed when it comes to things like this. Making file edits and renaming a folder isn't specific to our software so we assume, if you are self-hosting, you understand these basic changes and how to revert them should something go wrong. A Feedback topic also really isn't the best place for in-depth information, we recommend referring to the guide for any in-depth information and then opening a support topic for any follow up questions regarding the software: 4 hours ago, riko said: It's something I notice with your help guides. They often start at "H" and end on "P" and everything before or after that is, I guess, assumed obvious. But for me I'm left with even more questions than I started with. It leaves large parts of this software for me unused as the help guides, don't tell the whole story from A to Z, but merly touch upon things. If you have suggestions or feedback on the help guides, we recommend you opening up a new topic to do so. Keep in mind that especially guides that interact with hosting elements, we're not here to guide on the hosting-side but rather just the software.
JohnCourt Posted Tuesday at 01:02 PM Posted Tuesday at 01:02 PM I'd like to get back to the default folder in prep for v5, so if I am understanding correctly, rename my adminxxxx folder back to "admin" and completely remove the custom name from constants.php? Thank you
Jim M Posted Tuesday at 01:34 PM Posted Tuesday at 01:34 PM 31 minutes ago, JohnCourt said: I'd like to get back to the default folder in prep for v5, so if I am understanding correctly, rename my adminxxxx folder back to "admin" and completely remove the custom name from constants.php? Thank you That is correct 🙂
JohnCourt Posted Tuesday at 01:54 PM Posted Tuesday at 01:54 PM 19 minutes ago, Jim M said: That is correct 🙂 Jim, do I need to replace the name in constants with the default name? Or just eliminate that line altogether?
Recommended Posts