Install Guide: Securing the "admin" Folder

[wakerider017 0]

I thought I would share how to secure the "admin" folder by means of changing the folders name.

 

 

1. Open your FTP client and locate the file >catalog>admin>includes>configure.php

 

2. Download configure.php and open it with a text editor

 

3. Next locate the following lines:

 

define('DIR_WS_ADMIN', '/admin/'); // absolute path required

 

 

define('DIR_FS_ADMIN', '/XxXxXx/XxXxXx/XxXxXx/XxXxXx/htdocs/store/catalog/admin/'); // absolute pate required

 

NOTE the X's are just place holders.

 

4. In the two lines above replace admin with the new SECRET file name. Like below:

 

define('DIR_WS_ADMIN', '/secret_file_name_here/'); // absolute path required

 

 

define('DIR_FS_ADMIN', '/XxXxXx/XxXxXx/XxXxXx/XxXxXx/htdocs/store/catalog/secret_file_name_here/'); // absolute pate required

 

 

5. Now save the file and upload it to the server. You will need to replace the old >catalog>admin>includes>configure.php

 

6. Now go back to the catalog folder and change the "admin" folder's name to your new SECRET file name.

 

 

In this case the file admin would be changed to secret_file_name_here

 

 

 

7. You are done!

[grayfriar2001 0]

Wakerider,

Hey, I went to secure my admin like you said above but could never locate the line "define (DIR_WS or DIR_FS) either one? I am suppose to use the configure.php file in /catalog/admin, right?

 

Thanks in advance,

 

Gray~

[grayfriar2001 0]

(continued from above....)

 

Or is it the one that is in /catalog/admin/includes/configure.php?

 

This file has the following code:

<?php
/*
 $Id: configure.php,v 1.14 2003/02/21 16:55:24 dgw_ Exp $

 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com

 Copyright (c) 2002 osCommerce

 Released under the GNU General Public License
*/

// define our webserver variables
// FS = Filesystem (physical)
// WS = Webserver (virtual)
 define('HTTP_SERVER', 'http://phunpillows.com/OSCommerce/'); // eg, http://localhost or - https://localhost should not be NULL for productive servers
 define('HTTP_CATALOG_SERVER', '');
 define('HTTPS_CATALOG_SERVER', 'https://phunpillows.com/OSCommerce/');
 define('ENABLE_SSL_CATALOG', 'false'); // secure webserver for catalog module
 define('DIR_FS_DOCUMENT_ROOT', $DOCUMENT_ROOT); // where your pages are located on the server. if $DOCUMENT_ROOT doesnt suit you, replace with your local path. (eg, /usr/local/apache/htdocs)
 define('DIR_WS_ADMIN', '/catalog/admin/');
 define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);
 define('DIR_WS_CATALOG', '/OSCommerce/catalog/');
 define('DIR_FS_CATALOG', DIR_FS_DOCUMENT_ROOT . DIR_WS_CATALOG);
 define('DIR_WS_IMAGES', 'images/');
 define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
 define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
 define('DIR_WS_INCLUDES', 'includes/');
 define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
 define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
 define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
 define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
 define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
 define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
 define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
 define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
 define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
 define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

// define our database connection
define('DB_SERVER', '*****'); // eg, localhost - should not be empty for productive servers
 define('DB_SERVER_USERNAME', '*****');
 define('DB_SERVER_PASSWORD', '*****');
 define('DB_DATABASE', '*****');
 define('USE_PCONNECT', 'false');
 define('STORE_SESSIONS', '');
?>

Thanks in advance,

 

Gray~

[Davefromcornwall 0]

I thought I would share how to secure the "admin" folder by means of changing the folders name.

1. Open your FTP client and locate the file >catalog>admin>includes>configure.php

 

2. Download configure.php and open it with a text editor

 

3. Next locate the following lines:

 

define('DIR_WS_ADMIN', '/admin/'); // absolute path required

define('DIR_FS_ADMIN', '/XxXxXx/XxXxXx/XxXxXx/XxXxXx/htdocs/store/catalog/admin/'); // absolute pate required

 

NOTE the X's are just place holders.

 

4. In the two lines above replace admin with the new SECRET file name. Like below:

 

define('DIR_WS_ADMIN', '/secret_file_name_here/'); // absolute path required

define('DIR_FS_ADMIN', '/XxXxXx/XxXxXx/XxXxXx/XxXxXx/htdocs/store/catalog/secret_file_name_here/'); // absolute pate required

5. Now save the file and upload it to the server. You will need to replace the old >catalog>admin>includes>configure.php

 

6. Now go back to the catalog folder and change the "admin" folder's name to your new SECRET file name.

In this case the file admin would be changed to secret_file_name_here

7. You are done!

Thanks for this tip.

 

It works great, and it seems like a good idea to make it as difficult as possible for people to access the admin area.

[mme 0]

Also you might want to secure it by adding .httaccess to the admin folder.

 

If you are using CPanel:

 

[jay2xra 0]

Also you might want to secure it by adding .httaccess to the admin folder.

 

If you are using CPanel:

 

 

 

why not add an htaccess file and restrict just your IP address.

 

<LIMIT GET HEAD POST>

order allow,deny

allow from my_ip

</LIMIT>

[SirHarryFlashman 1]

Actually, in addition to moving your live admin folder, you should leave a "honeypot" admin folder as well.

 

A nice little .htaccess for the wanna-be hackers:

 

AuthUserFile /xxxxx/xxxxx/xxxxx/html/catalog/admin/.htpasswd
AuthGroupFile /dev/null
AuthName "Username:"
AuthType Basic

<limit GET POST>
require valid-user
</limit>

 

 

Of course your .htpasswd looks like this:

 

.

 

(yes, an empty .htpasswd file)

 

 

And just to make things more interesting, an empty index.htm will complete the "honeypot"

 

 

Have fun!!

[palswithtails 0]

Hi WakeRider,

My DIR_FS_ADMIN line looks like this originally:

define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);

 

What should it be changed to?

[♥ecartz 693]

My DIR_FS_ADMIN line looks like this originally:

define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);

 

What should it be changed to?

That setting is fine. If it is not working, then it suggests that either your DIR_FS_DOCUMENT_ROOT or DIR_WS_ADMIN is incorrect.

[palswithtails 0]

That setting is fine. If it is not working, then it suggests that either your DIR_FS_DOCUMENT_ROOT or DIR_WS_ADMIN is incorrect.

 

Yes, they are incorrect because I changed the ADMIN file name. Maybe I should start at the beginning. My website got hacked so I wanted to change my ADMIN folder. Lets say I changed it to NEWadmin. I was told to go into my config file and change the path which still said ADMIN. So I changed 'DIR_WS_ADMIN' like the 1st poster said, but my DIR_FS_ADMIN is different than mentioned above. I tried leaving it as-is.

 

So, now when I log-in to mywebsite.com/NEWadmin, I am redirected here:

http://mywebsite.com/NEWadmin/login.php?os...inID=XXXXXXXXXX

 

I type in my login info and then I get an error saying:

 

Error 404 - Not found

Your browser can't find the document corresponding to the URL you typed in.

http://palswithtails.com/NEWadmin/login.ph...inID=XXXXXXXXXX

[♥ecartz 693]

Error 404 - Not found

Your browser can't find the document corresponding to the URL you typed in.

http://palswithtails.com/NEWadmin/login.ph...inID=XXXXXXXXXX

First, I don't see how DIR_FS_ADMIN would affect that situation. You wouldn't be using it in generating a link. When you change DIR_WS_ADMIN, DIR_FS_ADMIN should change automatically in that code (since is composed by concatenating DIR_FS_DOCUMENT_ROOT and DIR_WS_ADMIN). Therefore, if all you did was rename admin, all you should have to do is update DIR_WS_ADMIN and DIR_FS_ADMIN will update automatically.

 

The first thing that I would try (to solve the 404 problem) would be clearing cookies. It's possible that you are picking up bad session information somewhere. If that doesn't work, the next thing I would try would be using LiveHTTPHeaders (Firefox plugin) to track what redirects it's doing. You'd go to your login page in the normal way. Turn on LiveHTTPHeaders in the sidebar. Submit your login info. Read the headers to see where it thinks it is going.

 

Another thing that you could try (if you don't want to install LiveHTTPHeaders) is when you get the 404 error, edit the URL in the browser. I.e. change

http://palswithtails.com/NEWadmin/login.php?action=process&osCAdminID=XXXXXXXXXX

to

http://palswithtails.com/NEWadmin/index.php?osCAdminID=XXXXXXXXXX

and see if that works. You need to keep the osCAdminID the same so it know about your login.

[palswithtails 0]

Hmm not of that seemed to work. I wonder if my Admin ID is somehow wrong. Is that stored in my DB somewhere?

[dancer123 0]

I have the exact same problem. I renamed my admin folder. I went into the configuration file and changed the required admins into my new folder.

 

Now when i type in mysite.com/newadmin/login.php it takes me to my correct login page but when i enter my user and pass I get redirected to a 404 page that doesnt exist.

 

It looks like the program does an auto redirect to the OLD admin folder. What to do?

[Jan Zonjee 59]

I went into the configuration file and changed the required admins into my new folder.

Both DIR_WS_ADMIN and DIR_FS_ADMIN?

From catalog/admin/includes/configure.php:

  define('DIR_WS_ADMIN', '/catalog/admin/');
 define('DIR_FS_ADMIN', '/Library/WebServer/Documents/catalog/admin/');

[dancer123 0]

Yep.

 

Both DIR_WS_ADMIN and DIR_FS_ADMIN

From catalog/admin/includes/configure.php:

 

mysite.com/admin/login.php?action=process&osCAdminID=4d02951f65cd6684f9ec69f285902fdd

 

that's what i get redirected to (with 404 error) when i try to put in my login info.

 

 

Here's what's in the php.

 

define('DIR_WS_HTTP_ADMIN', '/gooba/');

define('DIR_WS_HTTPS_ADMIN', '/gooba/');

 

define('DIR_FS_ADMIN', '/home/thename/public_html/gooba/'); // absolute path required

 

 

my admin folder has been renamed to gooba. please help me solve this. thank you so much:)

[♥kymation 631]

Does catalog/admin/includes/local/configure.php exist? If it does, make the same changes there.

 

Regards

Jim

[blr044 10]

After changing admin name to newname, all is fine, except for one issue. This error message appears at top of page:

 

 

Error, Backup Directory Does Not Exist, please create it or run "auto_backup_setup.php"

 

Backups dir is located in folder of newname(admin). After running auto_backp_setup.php, I receive this error:

 

Warning: mkdir() [function.mkdir]: No such file or directory in /xxxx/xxxxxxx/public_html/newname/auto_backup_setup.php on line 7

 

Bennett

[spooks 79]

Check your ADMIN/INCLUDES/CONFIGURE.PHP file:

 

define('DIR_FS_ADMIN', '/home/servername/public_html/catalog/newadminname/');

define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

 

I suspect u forgot one!!

[Greeny 0]

Hi, I am new to osCommerce.

 

I've been trying to secure my admin folder.

 

When I follow your instructions and try to login to my newly renamed admin section, all I get is this

 

 

Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'mydbpassword'@'localhost' (using password: YES) in /path_to_admin_directory/newadminname/includes/functions/database.php on line 19

Unable to connect to database server!

 

Thanks in advance

[tonybrasunas 0]

I found that after making the changes to catalog/admin/includes/configure.php, and then renaming the directory, I also had to edit the [new admin directory name]/.htaccess file, as it had a hard-wired AuthUserFile line that also specified the admin directory.

 

One other thing I had to do was rewrite a hard-wired link to the Admin panel that the site has on its public navigation bar.

 

Now the renamed directory is working smoothly.

 

Just hoping to keep all the @#$%@#$ hackers out. I came in late to a nightmare of a site and am trying to regain control of it.

[matrix2223 1]

After you get done changing the admin folders name I recommend using this in your .htaccess file. Unless someone knows your ip and clones it, or some other hacking method. It wont let anyone in but the one who holds the correct ip, you presumably.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# IP address of my home computer
allow from 00.000.000.000
# IP addresses of my two work computers
# allow from 00.000.000.000
# allow from 000.000.00.000
# IP address at my uncle's house
# allow from 000.000.0.00

More can be found on this thread Installing admin in a Subdomain

[KomplikatedOne 0]

ive followed these instructions step by step, also ammending the htaccess file

but now my left hand admin menu has gone to S**t

the java menu is no longer working and the text is hanging off the left hand side of the browser window?

 

[see attached]

 

any ideas why its done this?

 

cheers

[KomplikatedOne 0]

hmm not only the left hand menu thats gone screwy, buw appears most of the buttons in the admin section have reverted to text?

still no nearer working out why

[KomplikatedOne 0]

ok ignore the above, turned out to be a totally different issue

someone had removed a jquery file used by the redmond theme

 

i would remove the above if i could, but i cant

[jaspervdz 3]

Actually, in addition to moving your live admin folder, you should leave a "honeypot" admin folder as well. A nice little .htaccess for the wanna-be hackers:

AuthUserFile /xxxxx/xxxxx/xxxxx/html/catalog/admin/.htpasswd AuthGroupFile /dev/null AuthName "Username:" AuthType Basic  require valid-user 

Of course your .htpasswd looks like this:

.

(yes, an empty .htpasswd file) And just to make things more interesting, an empty index.htm will complete the "honeypot" Have fun!!

 

Sir Harry Flashman,

That sounds like a neat trick - can you please tell me how to do this - bit confused on where to insert the code. Running OSC version 2.3 and already renamed the admin folder and works great - just looking for sum extra security and throwing off anyone trying to hack my site..

Many thanks!

Jasper~