Support

Admin Tools

#9748 Password Protected Admin and Secret Admin URL

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by nicholas on Monday, 31 January 2011 03:20 CST

Sunday, 30 January 2011 22:48 CST

user23854
Hi,

I implemented URL admin parameter access so my admin could only be accessed using "mysite.com/administration?param" (example), then I also enabled password protected admin.

Now when I access mysite.com/administration (note no parameter), it also asks for the password.

I'm assuming the right implementation is that it only asks the password for mysite.com/administration?param, not mysite.com/administration.

Is this a bug? If not, how do I fix it?

Sunday, 30 January 2011 23:18 CST

slaes
fyi, it will still ask your pw under /administrator as that is where the folder with the htaccess fil is located. even if you enter it correctly if will only go back to you home page, not joomla admin page. this is just the way htaccess works, certainly no bug. what you should do is setup is csf wirewall on your server, blacklisting ip's which fail htaccess, that way if someone tries to brute force just /administrator (which wont get them anywhere anyway, they will be blacklisted on all site). for those guys who run dedicated boxes, csf firwall is the absolute SH%t, its awesome and free, works great with apache etc.

Hey Nicholas, any chance to auto blacklist brute attempts on next release? This would be a great feature for guys on shared and vps hosts.

Monday, 31 January 2011 01:52 CST

nicholas
One step ahead of you (barely, but still!) I've already implemented that feature in the latest developer's release ;) The idea is that you tell Admin Tools that if an IP produces X security exceptions (breach attempts) in Y amount of time, block that IP for Z amount of time. For example, if an IP produces 3 security exceptions in 1 minute we can safely assume it's a spammer, so block his miserable soul for a day.

Moreover, the new dev release's WAF integrates the Bad Behaviour filter which uses smart scanning to dodge spammers and throw them to a 403 page. On top of that, Bad Behaviour supports Project Honeypot. Just register to PH and use your key in Admin Tools configuration. On every request made to Joomla!, WAF will check the IP with PH. If it's a known spammer, email harvester or hacker it will block him. The performance penalty is really minimal (after a few hours of usage it adds less than a couple of milliseconds in the page load time) and the gains are really great.

I think you'll also like the extra security features I added on the dev release, with more to come in the very near future :)

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Monday, 31 January 2011 02:46 CST

user23854
So there is no way to implement it so that it only asks the password when user accesses the /administrator? param, like this akeeba site for example.

When you type in www.akeebabackup.com/administrator, it doesn't ask for the password.

Also, how far should we implement these security features in admin tool?
Is it implementing secret admin URL is enough? or should we implement admin protected password as well? Also, how about htaccess?

It seems that after implementing htaccess my zoo category image don't display any images. Anybody knows how to fix it.

Any advice would be appreciated.
Edited by user23854 on 2011-01-31 02:53 CST

Monday, 31 January 2011 03:20 CST

nicholas
On this site I am not using password protection of the administrator directory (yet). The way htpasswd files work is this. Once you try to access anything (any file, even a CSS file) from the administrator directory, it will prompt for a password. You can't selectively ask for a password, as Apache is not aware of whether a Joomla! user is logged in or not in the back-end.

Nicholas K. Dionysopoulos

Lead Developer and Director

πŸ‡¬πŸ‡·Greek: native πŸ‡¬πŸ‡§English: excellent πŸ‡«πŸ‡·French: basic β€’ πŸ• My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!