.htaccess Protection

Started by Ronald, February 06, 2017, 06:56:00 PM


Ronald

Anyone know about .htaccess Protection? I see in SMF http://custom.simplemachines.org/mods/index.php?action=search;basic_search=.htaccess+ they have some mods.

I was also on one of the Admin. forums and they were chatting about protecting your .htaccess.

I know nothing about this whatsoever.. Would be interested if someone could kindly explain this.. :groan:


Maxx

Here ya Go Bro!

You could even password protect, directories/Files

I would also recommend an index.php or .htm (most all SMF folders have this index already)
in all folders or directories that are private!


This link will tell you and answer many of your questions!

http://www.htaccess-guide.com/

regards,
Maxx

Ronald

Quote from: Maxx on February 06, 2017, 09:26:40 PM
Here ya Go Bro!

You could even password protect, directories/Files

I would also recommend an index.php or .htm (most all SMF folders have this index already)
in all folders or directories that are private!


This link will tell you and answer many of your questions!

http://www.htaccess-guide.com/

regards,
Maxx

Thanks Maxx, I bookmarked the page, will read it tomorrow.

Is this a thing that is normally done to directories and forums?

Ron..

Maxx

I myself feel it should be done on Apache servers, to prevent mainly the spider from crawling your private files, like admin, images and protected directories, like downloads and stuff like that! It also prevents hackers from entering and changing things in your stuff (in most cases) :)

Skhilled

Yes, if you do not have an index.php, index.htm, or index.html in any directory anyone can type in that directory in a browser and see your files!

Ronald

Quote from: Skhilled on February 07, 2017, 07:49:12 AM
Yes, if you do not have an index.php, index.htm, or index.html in any directory anyone can type in that directory in a browser and see your files!

But I do have an index.php file, I also have a Site Lock, but not in use, I also have Two Factor Authentication also not in use.. There are some items in my cpanel but I don't have a clue what or how to use them..

I was hacked back some years ago. I always believed in passwords and security..


Skhilled

Yes, but do you have one in every folder? For instance, if you do not have one in /xxxxx.com/images and someone types that in a browser they can see the files in that folder. If they cannot see the folder or files it makes it a lot harder for hackers. They'd have to guess what's there.

If they know of an exploit and know what file to hack they have to find it or be able to see it. .htaccess can help block that and can also even password protect folders and more. It can be a bit complicated depending on what you wish to do. But if you are having problems with a particular IP address or a certain country you can easily block them with it.
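
The measures discussed in this thread (no directory listings, blocking an IP range, password-protecting a folder, and protecting the .htaccess file itself), written out as an added example that is not part of any poster's message. It assumes Apache 2.4 with `AllowOverride` permitting `Options` and `AuthConfig`; the address range, folder name, user name and file paths are placeholders.

```apache
# ---- File 1: <webroot>/.htaccess (applies to the whole site) ----

# Stop Apache from generating a file listing for folders with no index file,
# so a missing index.php in one folder no longer exposes its contents.
Options -Indexes

# Refuse HTTP requests for .htaccess / .htpasswd themselves.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Block a troublesome address range; everyone else is allowed.
# 203.0.113.0/24 is a documentation range used here as a placeholder.
<RequireAll>
    Require all granted
    Require not ip 203.0.113.0/24
</RequireAll>

# ---- File 2: <webroot>/private/.htaccess (password-protected folder) ----

AuthType Basic
AuthName "Private area"
# Placeholder path; keep the password file outside the web root.
# Created with: htpasswd -c /home/example/.htpasswd someuser
AuthUserFile /home/example/.htpasswd

# Access rules in this file replace the parent's by default (AuthMerging Off),
# so the IP block is repeated here. Both conditions must hold.
<RequireAll>
    Require valid-user
    Require not ip 203.0.113.0/24
</RequireAll>
```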

Ronald

Everything I look at I see an index.php file.. For some reason I still don't feel the cpanel and the files are safe..

Skhilled

cpanel is only as safe as the security your hosting provides and how strong your password is. If your password is strong and you do not freely give it away then you are ok on your end. It's up to the hosting and any security holes that may be in the software of your forum. If an exploit is found then upgrade your software at once! Same goes for any programs on your computer, tablets, cell phone, etc.

The files are safe as long as the software and server are properly secured. Basically, I only use .htaccess if I have problems with troublemakers or certain countries trying to hack and I do not have any users from there. I'll block them for a few weeks or so and open it to see how it goes. Hackers will back off after awhile if they are using certain IP addresses. If it is a country that seems to be doing it then do the same for them.

As long as you have an index.xxx file in each folder, have a strong password, etc. then you should be fine. The only other thing to worry about is other admins using weak passwords. This is the main way a lot of major sites get hacked...through an admin account. If they get in with an admin account they can have access to most of all of your forum. Make sure your admins are using a strong password.

I "usually" create a secondary admin membergroup on my forum with lesser permissions so if the other accounts are hacked they will not gain access to sensitive areas like the server info in the admin, etc.

Ronald

Quote
I "usually" create a secondary admin membergroup on my forum with lesser permissions so if the other accounts are hacked they will not gain access to sensitive areas like the server info in the admin, etc.

What do you call this group and what permissions does it have..

My trouble is when my staff see any new Admin. they jump all over me.. When I gave you Owner permissions I thought the end of the world had come..

I can't even mention looking for any Moderators..

Skhilled

I guess what I should have said is that you should be the only admin with full access and all other admins would be called "Assistant Admin" or something similar. They would not have full permissions like to the server settings (can gain access to your server) or package manager/themes (can wreak havoc and mess things up). You should not have a lot of admins...only staff and mods other than one or two other admins that can actually do something like editing files, installing mods, etc. They should not be just given that title freely. It should be earned with the exception of asking for help from an outsider like myself. I don't even need to be an admin. I can be a temp admin and given those permissions when needed. It doesn't matter to me.

This will also set a hierarchy for the users and staff to follow should problems arise. They would contact a moderator first, then a staff member, and then an admin, if need be...like as if you are running a company.

Maybe have one admin that takes care of the server other than you in case you are not around and something needs to be done. And one to oversee moderation of the staff and users or a tech admin to help with themes, etc. All else should be Staff or something similar with no access to the admin boards and very limited access to the admin section. They should not have access to membergroups, that should be for admins only.

They jumped all over you cause you allowed them to have too much power. Hardly any of them can do anything like editing themes, do anything on the server, etc. and should not have that title unless they were someone who you two got together and started the site together, maybe.

With as many admins/staff as you have already you don't need moderators. The others should be the moderators as part of their duties, especially if they can't really do much else. Ranting is not the job of an admin, they should be able to do something useful! If they are not trying to learn how to do anything useful then why are they on staff?

Maxx

If you are the owner of the site, then you have the final word.. If they do not accept that they should not be a staffer like Steve mentioned. Try always to let them know ahead of time on changes, but if it's something you feel is needed right off then do it and let them know. If they get pissed, that would be on them. In most cases I would let them know it is something you're trying out.

The Internet changes very fast and you'll always need to try things out to see if they will work for you.

You may want to do a sticky post in the staff section, letting them know who is the boss and what you expect of them, and what you will not accept!

I agree with all the stuff dealing with their permissions and Steve stated!

regards,
Maxx

Ronald

I am the only Admin. (Owner). What I did was made these members Administrators after the conversion. Not realizing SMF doesn't have the same permissions that IPB has. IPB probably has 4 times more permissions for Staff..

I found out that SMF Admin have default permissions, and you can not make any changes. Because I made a new group called Owner and no default permissions..

After the two Admin. deleted themselves I went and changed the Admin. Group to Owner, and made a new Admin. Group and made permissions for it..

SMF doesn't seem to have very good permissions for the groups

Skhilled

Ah! That makes sense. SMF has good permissions, just different default permissions. Other boards like IPB and phpBB have more detailed permissions but are usually more difficult to learn. For SMF you need to create new groups and specifically give them the permissions you wish for them to have. You should change the default names, etc. and only change the permission settings and profiles.

You do not have to use the default membergroups or profiles. You should have created the "Owner" group and given it all permissions. Then create the other groups and give them the permission you want. So, if you decide to convert to another forum or anything else it should work as expected. The conversion software expects the default membergroups to remain the same. If it sees they have changed it confuses it and will get unexpected results.

Ronald

But yes, the Admin. is by default and if you make an Owner group you do not have default any longer..

My whole problem was making myself a group and leaving the Staff in the default, default can do everything, owner group is limited..

I need the Owner to be default group and Admin. to be secondary.

You have too many smiley icons on top, very distracting.