Can I get assistance with Access Control

 
Post new topic   Reply to topic    Aprelium Forum Index -> General Questions
View previous topic :: View next topic  
Author Message
phpjunkie
-


Joined: 15 Aug 2008
Posts: 12

PostPosted: Mon Dec 08, 2008 5:22 am    Post subject: Can I get assistance with Access Control Reply with quote

I am using Drupal as my website software and I want to lock the admin section of the site out. I have seen many websites hacked. I've even seen vBulletin hacked. vBulletin was easy to stop the hackers/crackers from gaining access to the admin by adding the admincp folder to Access Control. It is obvious that I have found that the best way to protect the admin of any site is to add Access Control restrictions.

I have Clean URL enabled in Drupal and I have tried this several ways. I have tried adding /admin in the Virtual Path. I have also tried /index.php?q=admin in the Virtual Path as well. The thing is is Drupal uses a query string to access the admin section of the site. Nether are working so here I am asking for assistance on how I should set this up.
Back to top View user's profile Send private message
pkSML
-


Joined: 29 May 2006
Posts: 916
Location: Michigan, USA

PostPosted: Wed Dec 10, 2008 2:37 am    Post subject: Reply with quote

I'm not a Drupal user, but here is a possible scenario:

Completely block access at server level to /index.php?q=admin
You could do a URL rewrite where a 403 Forbidden status code is thrown.

Your job is to find out all methods of access to the control panel. If /admin is the only other way, then /admin must already be a URL rewrite rule. (Unless you use a 404 error redirection for pseudo-URL rewriting)

If /admin is a URL rewrite rule, then only give access to a certain IP address (being either the server itself or your LAN). If it's a 404 redirect, then you could hardcode IP address restrictions into the script itself.

-Stephen
_________________
Stephen
Need a LitlURL?


http://CodeBin.yi.org
Back to top View user's profile Send private message Visit poster's website
phpjunkie
-


Joined: 15 Aug 2008
Posts: 12

PostPosted: Sat Dec 13, 2008 8:19 am    Post subject: Reply with quote

Yeah, /admin isn't the real path. It is a internal url rewrite to /index.php?q=admin. /index.php by it's self works just fine. it fails to work when i add the query string. i've also read the the help file on pattern format for the virtual path and I've tried escaping the question mark (regex) and that doesn't work ether so I'm not even sure if regex even works with the virtual path field.

Regardless of all that what I do like even more is I completely dropping Drupal. They claim to have SEO, well, SEF URL's but none of it is SEF. I've found the same thing with Mambo, and Joomla. Drupal uses url rewrite to which is the same in mambo and Joomla to create friendly urls. All they do is get rid of the query strings and the urls aren't search engine friendly at all.
the only thing search engine friendly about this link is the domain it's self.
Code:
http://www.localhost.com/node/4/

The rest of it gives no indication of the content on the page.

I've moved to MODx that actually uses friendly urls. This is what MODx generates for the link to the blog
Code:
http://www.localhost.com/blog.html

blog.html actually gives some indication of what is on the next page your about to visit. This is how friendly urls are suppose to work and it is exactly what MODx does. Man, the frustration to find software for anything!

By the way, to bash a little, I don't recommend drupal, mambo or joomla for anyone or anything.


Thank you TRUSTAbyss for your contribution of AWS:MRT. It has saved me some time.
Back to top View user's profile Send private message
pkSML
-


Joined: 29 May 2006
Posts: 916
Location: Michigan, USA

PostPosted: Sat Dec 13, 2008 2:26 pm    Post subject: Reply with quote

phpjunkie wrote:
Yeah, /admin isn't the real path. It is a internal url rewrite to /index.php?q=admin. /index.php by it's self works just fine. it fails to work when i add the query string. i've also read the the help file on pattern format for the virtual path and I've tried escaping the question mark (regex) and that doesn't work ether so I'm not even sure if regex even works with the virtual path field.


Just for future reference, you don't have to try to escape anything. That's what the conditions box is for in URL rewriting.

Regex for rule: ^/index.php
Condition 1
Variable: QUERY_STRING
Operator: Matches with
Regex: q=admin

This way, /index.php?q=admin will be matched and you can do anything with it that you need.
_________________
Stephen
Need a LitlURL?


http://CodeBin.yi.org
Back to top View user's profile Send private message Visit poster's website
phpjunkie
-


Joined: 15 Aug 2008
Posts: 12

PostPosted: Sat Dec 13, 2008 8:03 pm    Post subject: Reply with quote

Um, I'm sure that I did mention that I dropped Drupal.

By the way, url rewrite is not the solution. The solution is server authenticated access control. This is very simple to figure out. If you can't apply authenticated access control over the admin control panel then the website is poorly designed.

If you apply access control over a folder without breaking the website it is a good website.
Back to top View user's profile Send private message
Toasty
-


Joined: 21 Feb 2008
Posts: 298
Location: Chicago, IL

PostPosted: Tue Dec 16, 2008 1:26 am    Post subject: Reply with quote

^If you troll the members of this site (either publicly, or through messages) you're going to have a hard time getting answers to your questions.

Perhaps a little professionalism is in order?
_________________
Audit the secure configuration of your server headers!
Back to top View user's profile Send private message Visit poster's website
TRUSTAbyss
-


Joined: 29 Oct 2003
Posts: 3720
Location: USA, GA

PostPosted: Tue Dec 16, 2008 4:32 am    Post subject: Reply with quote

phpjunkie wrote:
Thank you TRUSTAbyss for your contribution of AWS:MRT. It has saved me some time.


You're welcome! ;-)
By the way, version 1.0 (stable) is going to be released soon.
_________________
Computer Programmer & Networking Specialist

Back to top View user's profile Send private message Visit poster's website MSN Messenger
phpjunkie
-


Joined: 15 Aug 2008
Posts: 12

PostPosted: Tue Dec 16, 2008 5:55 am    Post subject: Reply with quote

Sweet, I like the sound of that!
Back to top View user's profile Send private message
Display posts from previous:   
Post new topic   Reply to topic    Aprelium Forum Index -> General Questions All times are GMT + 1 Hour
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum


Powered by phpBB phpBB Group