Can I get assistance with Access Control

 
Aprelium Forum Index -> General Questions
phpjunkie
Joined: 15 Aug 2008
Posts: 12

Posted: Mon Dec 08, 2008 5:22 am    Post subject: Can I get assistance with Access Control

I am using Drupal as my website software and I want to lock the admin section of the site out. I have seen many websites hacked. I've even seen vBulletin hacked. vBulletin was easy to stop the hackers/crackers from gaining access to the admin by adding the admincp folder to Access Control. It is obvious that I have found that the best way to protect the admin of any site is to add Access Control restrictions.

I have Clean URL enabled in Drupal and I have tried this several ways. I have tried adding /admin in the Virtual Path. I have also tried /index.php?q=admin in the Virtual Path as well. The thing is, Drupal uses a query string to access the admin section of the site. Neither is working, so here I am asking for assistance on how I should set this up.
pkSML
Joined: 29 May 2006
Posts: 952
Location: Michigan, USA

Posted: Wed Dec 10, 2008 2:37 am

I'm not a Drupal user, but here is a possible scenario:

Completely block access at server level to /index.php?q=admin
You could do a URL rewrite where a 403 Forbidden status code is thrown.

Your job is to find out all methods of access to the control panel. If /admin is the only other way, then /admin must already be a URL rewrite rule. (Unless you use a 404 error redirection for pseudo-URL rewriting)

If /admin is a URL rewrite rule, then only give access to a certain IP address (being either the server itself or your LAN). If it's a 404 redirect, then you could hardcode IP address restrictions into the script itself.

-Stephen
_________________
Stephen
Need a LitlURL?


http://CodeBin.yi.org
phpjunkie
Joined: 15 Aug 2008
Posts: 12

Posted: Sat Dec 13, 2008 8:19 am

Yeah, /admin isn't the real path. It is an internal URL rewrite to /index.php?q=admin. /index.php by itself works just fine. It fails to work when I add the query string. I've also read the help file on pattern format for the virtual path and I've tried escaping the question mark (regex) and that doesn't work either, so I'm not even sure if regex even works with the virtual path field.

Regardless of all that, what I do like even more is completely dropping Drupal. They claim to have SEO, well, SEF URLs, but none of it is SEF. I've found the same thing with Mambo and Joomla. Drupal uses URL rewrite, which is the same in Mambo and Joomla, to create friendly URLs. All they do is get rid of the query strings, and the URLs aren't search engine friendly at all.
The only thing search engine friendly about this link is the domain itself.
Code:
http://www.localhost.com/node/4/

The rest of it gives no indication of the content on the page.

I've moved to MODx, which actually uses friendly URLs. This is what MODx generates for the link to the blog:
Code:
http://www.localhost.com/blog.html

blog.html actually gives some indication of what is on the next page you're about to visit. This is how friendly URLs are supposed to work and it is exactly what MODx does. Man, the frustration to find software for anything!

By the way, to bash a little, I don't recommend Drupal, Mambo or Joomla for anyone or anything.


Thank you TRUSTAbyss for your contribution of AWS:MRT. It has saved me some time.
pkSML
Joined: 29 May 2006
Posts: 952
Location: Michigan, USA

Posted: Sat Dec 13, 2008 2:26 pm

phpjunkie wrote:
Yeah, /admin isn't the real path. It is an internal URL rewrite to /index.php?q=admin. /index.php by itself works just fine. It fails to work when I add the query string. I've also read the help file on pattern format for the virtual path and I've tried escaping the question mark (regex) and that doesn't work either, so I'm not even sure if regex even works with the virtual path field.


Just for future reference, you don't have to try to escape anything. That's what the conditions box is for in URL rewriting.

Regex for rule: ^/index.php
Condition 1
Variable: QUERY_STRING
Operator: Matches with
Regex: q=admin

This way, /index.php?q=admin will be matched and you can do anything with it that you need.
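Added example, not part of any post in this thread and not Aprelium's or Drupal's code: a Python model of the rule suggested above (path regex plus QUERY_STRING condition) next to a stricter check that decodes the query first, covers the clean-URL form as well, and applies the IP restriction proposed earlier. The allowlist networks, function names and sample requests are constructed; it assumes the condition is evaluated on the undecoded query string and that `/` serves `index.php`.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allowlist: the server itself and one private LAN range (constructed).
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.1.0/24")]
RULE_PATH = re.compile(r"^/index.php")       # rule regex as posted in the thread
RAW_CONDITION = re.compile(r"q=admin")       # QUERY_STRING condition as posted
ADMIN_ROUTE = re.compile(r"^admin(/|$)")     # decoded route is "admin" or below it


def raw_rule_matches(url):
    """The rule as posted: regex search on the undecoded query string."""
    parts = urlsplit(url)
    return bool(RULE_PATH.search(parts.path) and RAW_CONDITION.search(parts.query))


def is_admin_request(url):
    """Stricter check: decode first, then test both ways of reaching the panel."""
    parts = urlsplit(url)
    if ADMIN_ROUTE.match(parts.path.lstrip("/")):        # clean URL form /admin
        return True
    if parts.path in ("/", "/index.php"):
        # parse_qs percent-decodes; every q value is checked, not just the first
        return any(ADMIN_ROUTE.match(q)
                   for q in parse_qs(parts.query).get("q", []))
    return False


def status_for(url, client_ip):
    """403 for admin requests from outside the allowlist, otherwise 200."""
    if not is_admin_request(url):
        return 200
    addr = ipaddress.ip_address(client_ip)
    return 200 if any(addr in net for net in ALLOWED_NETS) else 403


# Constructed requests: (URL, client IP)
SAMPLES = [
    ("/index.php?q=admin", "203.0.113.9"),
    ("/admin/settings", "203.0.113.9"),
    ("/index.php?q=%61dmin", "203.0.113.9"),
    ("/index.php?q=administration-tips", "203.0.113.9"),
    ("/index.php?q=admin", "192.168.1.20"),
]

if __name__ == "__main__":
    for url, ip in SAMPLES:
        print(f"{url:36} {ip:14} raw={raw_rule_matches(url)!s:5} -> {status_for(url, ip)}")
```

Running the samples through whatever rule is actually deployed is a quick coverage check: any row where the raw rule and the stricter check disagree is a request the rule either misses or blocks by mistake.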
phpjunkie
Joined: 15 Aug 2008
Posts: 12

Posted: Sat Dec 13, 2008 8:03 pm

Um, I'm sure that I did mention that I dropped Drupal.

By the way, URL rewrite is not the solution. The solution is server authenticated access control. This is very simple to figure out. If you can't apply authenticated access control over the admin control panel then the website is poorly designed.

If you apply access control over a folder without breaking the website it is a good website.
Toasty
Joined: 21 Feb 2008
Posts: 298
Location: Chicago, IL

Posted: Tue Dec 16, 2008 1:26 am

^If you troll the members of this site (either publicly, or through messages) you're going to have a hard time getting answers to your questions.

Perhaps a little professionalism is in order?
_________________
Audit the secure configuration of your server headers!
TRUSTAbyss
Joined: 29 Oct 2003
Posts: 3752
Location: USA, GA

Posted: Tue Dec 16, 2008 4:32 am

phpjunkie wrote:
Thank you TRUSTAbyss for your contribution of AWS:MRT. It has saved me some time.


You're welcome! ;-)
By the way, version 1.0 (stable) is going to be released soon.
phpjunkie
Joined: 15 Aug 2008
Posts: 12

Posted: Tue Dec 16, 2008 5:55 am

Sweet, I like the sound of that!
All times are GMT + 1 Hour