

Secure the Admin Panel


Post by Thoul » March 31st 2004, 2:49 pm

The phpBB 2.0.x admin panel is a vital part of managing your forum, so it is very important to keep it as secure as possible. This topic presents some techniques you can use to make it harder for other people to reach your forum's admin panel. The most important security measure is still to keep your forum up to date with the security fixes and updates announced at phpBB.com and phpBBHacks.com; nothing below replaces that. The techniques in this tutorial are based on phpBB 2.0.8a.

Restrict the Admin Panel to One User
By default, any user with the admin user level can access the admin panel. This means that any board admin can edit any user (including other admins), ranks, forums, groups, and so forth. To restrict the admin panel to a single user (this user should, of course, be you), replace the contents of your admin/pagestart.php with the code below. It redirects every other user back to the forum index if they try to access the admin panel. Two things to keep in mind: other administrators keep their admin user level, so they still pass every permission check on the forum itself; this change only keeps them out of the admin panel. And because admin/pagestart.php is one of the files replaced when you upgrade phpBB, you will need to apply the change again after each update.

Code:
<?php
/***************************************************************************
 *                               pagestart.php
 *                            -------------------
 *   begin                : Thursday, Aug 2, 2001
 *   copyright            : (C) 2001 The phpBB Group
 *   email                : support@phpbb.com
 *
 *   $Id: pagestart.php,v 1.1.2.7 2004/03/24 14:43:31 psotfx Exp $
 *
 *
 ***************************************************************************/

/***************************************************************************
 *
 *   This program is free software; you can redistribute it and/or modify
 *   it under the terms of the GNU General Public License as published by
 *   the Free Software Foundation; either version 2 of the License, or
 *   (at your option) any later version.
 *
 ***************************************************************************/

/*
	This file has been modified from the original phpBB 2.0.8a pagestart.php to
	increase security. For more details, see the "Secure the Admin Panel" tutorial
	in the phpBBHacks.com Tutorials section.
*/

if (!defined('IN_PHPBB'))
{
	die("Hacking attempt");
}

define('IN_ADMIN', true);

// Restrict the admin panel to the user with this user_id
define('ADMIN_RESTRICT_ID', 2);
// Include files
include($phpbb_root_path . 'common.'.$phpEx);

//
// Start session management
//
$userdata = session_pagestart($user_ip, PAGE_INDEX);
init_userprefs($userdata);
//
// End session management
//

if (!$userdata['session_logged_in'])
{
	redirect(append_sid("login.$phpEx?redirect=admin/index.$phpEx", true));
}
else if ($userdata['user_level'] != ADMIN)
{
	message_die(GENERAL_MESSAGE, $lang['Not_admin']);
}

// Reject the request unless the sid in the URL matches the current session
// AND that session belongs to the one permitted admin (ADMIN_RESTRICT_ID).
// Everyone else, other admins included, is sent back to the forum index.
if ($HTTP_GET_VARS['sid'] != $userdata['session_id'] || intval($userdata['user_id']) != intval(ADMIN_RESTRICT_ID) )
{
	redirect("index.$phpEx?sid=" . $userdata['session_id']);
}

if (empty($no_page_header))
{
	// Not including the pageheader can be neccesarry if META tags are
	// needed in the calling script.
	include('./page_header_admin.'.$phpEx);
}

?>


Please note these lines in the above file.
Code:
// Restrict the admin panel to the user with this user_id
define('ADMIN_RESTRICT_ID', 2);


In most cases, the first board admin is created with a user_id of 2. In some cases the user_id is different, or you may use another account as the main administrator. In those cases, change the "2" here to the user_id of the main administrator's account. If you don't know the user_id of that account, view its forum profile; the URL of that page ends with u=xxxx, where xxxx is a number. That number is the user_id. If you get it wrong, the check locks you out too: you will be redirected to the index like everyone else, so keep FTP access to the file handy until you have confirmed you can still reach the admin panel.


Require a second password
If your forum runs on an Apache server, you can easily require a second password to enter your admin panel, using Apache's own HTTP Basic authentication. This only works if the server lets .htaccess files set authentication directives for your directory (AllowOverride AuthConfig or AllowOverride All in the server configuration); if the files below seem to have no effect, that is the first thing to ask your host about. The first step is to create a new file called phpinfo.php containing the following code.

Code:
<?php phpinfo(INFO_VARIABLES); ?>


Place this file into your forum's admin directory, and then open it in your browser like a normal web page. You will be shown a long list of the predefined PHP variables available to the script. Look for the line labeled _SERVER["SCRIPT_FILENAME"]. Its value is the absolute pathname of the phpinfo.php file, something like /path/to/yourforum/admin/phpinfo.php. The important part is everything before /phpinfo.php: the absolute path to your forum's admin directory. Make a note of it, and then delete phpinfo.php from your server straight away; phpinfo output lists paths, versions and environment details that are useful to an attacker, so it should not stay on a public site.

Now create two more new files, also to be placed in your forum's admin directory. They are plain text files called .htaccess and .htpasswd. Put the following contents into the .htaccess file, replacing absolute_path with the absolute path you determined above.

Sample .htaccess file:
AuthName "Restricted Area"
AuthGroupFile /dev/null
AuthType Basic
AuthUserFile absolute_path/.htpasswd
require valid-user


Now create the contents of the .htpasswd file, which stores the second password required to enter your admin panel. The password is not stored in clear text but as a hash in one of the formats Apache understands. The easiest way to produce a line is the htpasswd utility that ships with Apache, for example htpasswd -m -c absolute_path/.htpasswd admin (the -m option selects Apache's MD5-based format; -c creates the file, so leave it out when adding a second user; newer Apache versions also offer -B for bcrypt). If you do not have shell access there are many online generators, but be aware that you are handing the password to a third party. Each line holds a username and the hashed password, separated by a colon. The sample line below pairs the username "admin" with the traditional crypt() hash of the password "password"; note that this crypt() format only looks at the first 8 characters of the password, which is why the MD5-based format is preferable. To add extra username and password combinations, add them on separate lines in the same manner.

Sample .htpasswd file:
admin:lNr8Nzvt0ztp2


Upload the .htaccess and .htpasswd files to your forum's admin directory. From then on, anyone who tries to access the admin directory will be prompted for a username and password, and only the combinations listed in .htpasswd are accepted. Two checks before you rely on it: request .htpasswd directly in your browser (yourforum/admin/.htpasswd); Apache's default configuration refuses to serve files whose names start with .ht, so you should see a 403 error, not the file. And remember that Basic authentication sends the username and password, merely base64-encoded, with every request to the directory, so use HTTPS for the admin panel if at all possible and do not reuse your phpBB login password as the second password.
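The following is an added example, not part of the original tutorial and not phpBB or Apache code. It shows what the htpasswd utility's -m option actually writes, by implementing Apache's $apr1$ (MD5-based) password format from the APR source, and it audits an existing .htpasswd file so that traditional 13-character crypt() entries, like the sample line above, can be spotted and replaced. The sample lines fed to it are constructed for the demonstration; the user names, passwords and salt are placeholders.

```python
"""Generate, verify and audit Apache .htpasswd entries (standard library only).

Added example for the "Secure the Admin Panel" tutorial; not part of the
original post, phpBB or Apache. Implements the $apr1$ scheme that
`htpasswd -m` produces and classifies the other formats Apache accepts.
"""
import hashlib
import hmac
import secrets

# Apache's to64() alphabet; htpasswd draws its salts from the same characters.
_ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """Emit `count` base-64 digits of `value`, least significant digit first."""
    out = []
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password, salt):
    """Return '$apr1$<salt>$<22 chars>', following apr_md5_encode() from APR."""
    pw = password.encode()
    salt = salt[:8].encode()          # APR uses at most 8 salt characters
    magic = b"$apr1$"

    ctx = hashlib.md5(pw + magic + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    remaining = len(pw)               # mix in `alt`, one block per 16 pw bytes
    while remaining > 0:
        ctx.update(alt[:min(remaining, 16)])
        remaining -= 16
    bits = len(pw)                    # one byte per bit of len(pw): NUL or pw[0]
    while bits:
        ctx.update(b"\0" if bits & 1 else pw[:1])
        bits >>= 1
    final = ctx.digest()

    for i in range(1000):             # the deliberately slow stretching loop
        ctx1 = hashlib.md5()
        ctx1.update(pw if i & 1 else final)
        if i % 3:
            ctx1.update(salt)
        if i % 7:
            ctx1.update(pw)
        ctx1.update(final if i & 1 else pw)
        final = ctx1.digest()

    encoded = ""                      # APR's byte-shuffled base-64 output
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    encoded += _to64(final[11], 2)
    return "$apr1$" + salt.decode() + "$" + encoded


def make_htpasswd_line(user, password, salt=None):
    """One .htpasswd line 'user:$apr1$salt$hash'; random 8-char salt unless given."""
    if ":" in user:
        raise ValueError("username must not contain ':'")
    if salt is None:
        salt = "".join(secrets.choice(_ITOA64) for _ in range(8))
    return f"{user}:{apr1_hash(password, salt)}"


def verify_htpasswd_line(line, user, password):
    """True if `line` is an $apr1$ entry for `user` that matches `password`."""
    name, _, stored = line.strip().partition(":")
    if name != user or not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return hmac.compare_digest(apr1_hash(password, salt), stored)


def classify_entry(stored):
    """Name the hash scheme of a stored entry the way Apache would read it."""
    if stored.startswith("$apr1$"):
        return "apr1"
    if stored.startswith(("$2y$", "$2a$")):
        return "bcrypt"
    if stored.startswith("{SHA}"):
        return "sha1"
    if len(stored) == 13 and all(ch in _ITOA64 for ch in stored):
        return "crypt"                # DES crypt(): only the first 8 password chars count
    return "other"


def audit_htpasswd(text):
    """Return [(user, scheme)] for every non-empty, non-comment line."""
    result = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        result.append((user, classify_entry(stored)))
    return result


if __name__ == "__main__":
    # Constructed sample: the tutorial's crypt() line plus a fresh apr1 entry.
    sample = "admin:lNr8Nzvt0ztp2\n" + make_htpasswd_line("admin2", "correct horse battery")
    for user, scheme in audit_htpasswd(sample):
        print(user, scheme)           # "admin crypt" flags the entry to replace
```

In practice you would run htpasswd -m (or -B) on the server and never hand-craft these lines; the value of the block is in seeing that the $apr1$ entry is a salted, iterated hash rather than an encrypted password, and in running audit_htpasswd over a file you already have to find entries that still use the 8-character crypt() format.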