CodingForums.com > PHP > Best admin panel security for CMS? (http://www.codingforums.com/showthread.php?t=201886)

johnnnn 08-09-2010 01:49 AM

Best admin panel security for CMS?
 
I'm currently making a checklist of ALL possible security checks I can use for writing my own custom CMS. As far as the control panel/admin panel goes, I've been speculating the following to provide the best security I can (bear in mind, a 100% secure system is a virtual impossibility).

Here's what I thought of thus far:
  1. .htpasswd (outside of /public_html)
  2. Block access to any files starting with .ht via htaccess
  3. Database based login
  4. Password protect the admin directory
  5. "Sanitize" any user input, run checks, etc.
  6. General consideration, place any config files outside of /public_html/, no sensitive data in .inc.php files
  7. Record errors/warnings

What do you think?

Fou-Lu 08-09-2010 05:56 AM

Looks pretty good to me.
The two on there that most people 'forget' about are the recording of errors (specifically auditing ones like failing to login), and the moving of anything unpublished outside of the public_html (or whatever your published directory is).
One thing to note: I don't think .htaccess would have any effect outside of a published directory though. This shouldn't really be a problem; Apache itself has a directive to deny reading on .ht* files, and I believe it is configured by default.

johnnnn 08-09-2010 01:30 PM

Quote:

Originally Posted by Fou-Lu (Post 981359)
Looks pretty good to me.
The two on there that most people 'forget' about are the recording of errors (specifically auditing ones like failing to login), and the moving of anything unpublished outside of the public_html (or whatever your published directory is).
One thing to note: I don't think .htaccess would have any effect outside of a published directory though. This shouldn't really be a problem; Apache itself has a directive to deny reading on .ht* files, and I believe it is configured by default.

Yeah, that just came to mind about the .htaccess not working outside of the root directory. I could simply just place the .htaccess in the /admin folder since Apache can deny reading files that begin with .ht. Thanks for the advice! Much appreciated.

sitNsmile 08-10-2010 08:53 AM

I have built 2 types of CMS admins before. My first one was a user/pass which you would have 3 tries until it blocks your IP, and the 2nd is what I currently use, where you have to enter a passcode (of course using the random md5). After that, it also needs to be accepted by the main IP (IP address acts as your user; new IP, have to relog), so it won't allow anyone to actually try to attempt a login, because it has to be approved by an existing IP. I built that on my iPhone as well, so if my boss is out of town, he can text me to approve his new IP, etc. Works out pretty well so far.

(Before the CMS, we would just lock the directory to only our office IP, but that restricts too much.)
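A minimal PHP login handler that puts three of the thread's points together: johnnnn's database-based login with prepared statements, Fou-Lu's auditing of failed logins, and sitNsmile's three-tries-then-block-the-IP rule. This is an added example, not code from the thread; it assumes a PDO connection `$db` to MySQL, an `admins` table whose `password_hash` column was filled with password_hash(), a `login_audit` table (ip, username, success, attempted_at), that session_start() has already run, and PHP 5.5 or later.

```php
<?php
// Added example, not code from the thread. Assumed schema: admins(username, password_hash)
// and login_audit(ip, username, success, attempted_at); $db is a PDO connection to MySQL;
// session_start() has already been called; PHP >= 5.5 for password_verify().
const MAX_FAILURES    = 3;    // sitNsmile's "3 tries until it blocks your IP"
const LOCKOUT_SECONDS = 900;  // how long the block lasts (15 minutes)

// True when this IP has produced MAX_FAILURES failed logins inside the window.
function isLockedOut(PDO $db, string $ip): bool
{
    $cutoff = date('Y-m-d H:i:s', time() - LOCKOUT_SECONDS);
    $stmt = $db->prepare(
        'SELECT COUNT(*) FROM login_audit WHERE ip = ? AND success = 0 AND attempted_at > ?'
    );
    $stmt->execute([$ip, $cutoff]);
    return (int) $stmt->fetchColumn() >= MAX_FAILURES;
}

// Every attempt goes to the audit table; failures also go to the error log
// (the "record errors/warnings" item and the failed-login auditing Fou-Lu mentions).
function recordAttempt(PDO $db, string $ip, string $username, bool $success): void
{
    $stmt = $db->prepare(
        'INSERT INTO login_audit (ip, username, success, attempted_at) VALUES (?, ?, ?, NOW())'
    );
    $stmt->execute([$ip, $username, $success ? 1 : 0]);
    if (!$success) {
        error_log(sprintf('admin login failed: user=%s ip=%s', $username, $ip));
    }
}

// Database-backed login. The prepared statement keeps the username out of the SQL
// string, which is the concrete form of "sanitize any user input" for this check.
function adminLogin(PDO $db, string $ip, string $username, string $password): bool
{
    if (isLockedOut($db, $ip)) {
        recordAttempt($db, $ip, $username, false);
        return false;                  // blocked IPs never reach the password check
    }
    $stmt = $db->prepare('SELECT password_hash FROM admins WHERE username = ?');
    $stmt->execute([$username]);
    $hash = $stmt->fetchColumn();
    $ok = is_string($hash) && password_verify($password, $hash);
    recordAttempt($db, $ip, $username, $ok);
    if ($ok) {
        session_regenerate_id(true);   // fresh session id so a pre-login id cannot be reused
        $_SESSION['admin'] = $username;
    }
    return $ok;
}
```

Pass `$_SERVER['REMOTE_ADDR']` as `$ip`, the address the server itself observed, rather than a client-supplied header, so the lockout count is tied to a value the client cannot choose.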

