Jump to content
  • Checkout
  • Login
  • Get in touch

osCommerce

The e-commerce.

Install Guide: Securing the "admin" Folder


wakerider017

Recommended Posts

I thought I would share how to secure the "admin" folder by means of changing the folders name.

 

 

1. Open your FTP client and locate the file >catalog>admin>includes>configure.php

 

2. Download configure.php and open it with a text editor

 

3. Next locate the following lines:

 

define('DIR_WS_ADMIN', '/admin/'); // absolute path required

 

 

define('DIR_FS_ADMIN', '/XxXxXx/XxXxXx/XxXxXx/XxXxXx/htdocs/store/catalog/admin/'); // absolute pate required

 

NOTE the X's are just place holders.

 

4. In the two lines above replace admin with the new SECRET file name. Like below:

 

define('DIR_WS_ADMIN', '/secret_file_name_here/'); // absolute path required

 

 

define('DIR_FS_ADMIN', '/XxXxXx/XxXxXx/XxXxXx/XxXxXx/htdocs/store/catalog/secret_file_name_here/'); // absolute pate required

 

 

5. Now save the file and upload it to the server. You will need to replace the old >catalog>admin>includes>configure.php

 

6. Now go back to the catalog folder and change the "admin" folder's name to your new SECRET file name.

 

 

In this case the file admin would be changed to secret_file_name_here

 

 

 

7. You are done!

Link to comment
Share on other sites

Wakerider,

Hey, I went to secure my admin like you said above but could never locate the line "define (DIR_WS or DIR_FS) either one? I am suppose to use the configure.php file in /catalog/admin, right?

 

Thanks in advance,

 

Gray~

Link to comment
Share on other sites

(continued from above....)

 

Or is it the one that is in /catalog/admin/includes/configure.php?

 

This file has the following code:

<?php
/*
 $Id: configure.php,v 1.14 2003/02/21 16:55:24 dgw_ Exp $

 osCommerce, Open Source E-Commerce Solutions
 http://www.oscommerce.com

 Copyright (c) 2002 osCommerce

 Released under the GNU General Public License
*/

// define our webserver variables
// FS = Filesystem (physical)
// WS = Webserver (virtual)
 define('HTTP_SERVER', 'http://phunpillows.com/OSCommerce/'); // eg, http://localhost or - https://localhost should not be NULL for productive servers
 define('HTTP_CATALOG_SERVER', '');
 define('HTTPS_CATALOG_SERVER', 'https://phunpillows.com/OSCommerce/');
 define('ENABLE_SSL_CATALOG', 'false'); // secure webserver for catalog module
 define('DIR_FS_DOCUMENT_ROOT', $DOCUMENT_ROOT); // where your pages are located on the server. if $DOCUMENT_ROOT doesnt suit you, replace with your local path. (eg, /usr/local/apache/htdocs)
 define('DIR_WS_ADMIN', '/catalog/admin/');
 define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);
 define('DIR_WS_CATALOG', '/OSCommerce/catalog/');
 define('DIR_FS_CATALOG', DIR_FS_DOCUMENT_ROOT . DIR_WS_CATALOG);
 define('DIR_WS_IMAGES', 'images/');
 define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
 define('DIR_WS_CATALOG_IMAGES', DIR_WS_CATALOG . 'images/');
 define('DIR_WS_INCLUDES', 'includes/');
 define('DIR_WS_BOXES', DIR_WS_INCLUDES . 'boxes/');
 define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
 define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
 define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
 define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
 define('DIR_WS_CATALOG_LANGUAGES', DIR_WS_CATALOG . 'includes/languages/');
 define('DIR_FS_CATALOG_LANGUAGES', DIR_FS_CATALOG . 'includes/languages/');
 define('DIR_FS_CATALOG_IMAGES', DIR_FS_CATALOG . 'images/');
 define('DIR_FS_CATALOG_MODULES', DIR_FS_CATALOG . 'includes/modules/');
 define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

// define our database connection
define('DB_SERVER', '*****'); // eg, localhost - should not be empty for productive servers
 define('DB_SERVER_USERNAME', '*****');
 define('DB_SERVER_PASSWORD', '*****');
 define('DB_DATABASE', '*****');
 define('USE_PCONNECT', 'false');
 define('STORE_SESSIONS', '');
?>

Thanks in advance,

 

Gray~

Link to comment
Share on other sites

  • 2 years later...
I thought I would share how to secure the "admin" folder by means of changing the folders name.

1. Open your FTP client and locate the file >catalog>admin>includes>configure.php

 

2. Download configure.php and open it with a text editor

 

3. Next locate the following lines:

 

define('DIR_WS_ADMIN', '/admin/'); // absolute path required

define('DIR_FS_ADMIN', '/XxXxXx/XxXxXx/XxXxXx/XxXxXx/htdocs/store/catalog/admin/'); // absolute pate required

 

NOTE the X's are just place holders.

 

4. In the two lines above replace admin with the new SECRET file name. Like below:

 

define('DIR_WS_ADMIN', '/secret_file_name_here/'); // absolute path required

define('DIR_FS_ADMIN', '/XxXxXx/XxXxXx/XxXxXx/XxXxXx/htdocs/store/catalog/secret_file_name_here/'); // absolute pate required

5. Now save the file and upload it to the server. You will need to replace the old >catalog>admin>includes>configure.php

 

6. Now go back to the catalog folder and change the "admin" folder's name to your new SECRET file name.

In this case the file admin would be changed to secret_file_name_here

7. You are done!

Thanks for this tip.

 

It works great, and it seems like a good idea to make it as difficult as possible for people to access the admin area.

Link to comment
Share on other sites

  • 3 weeks later...
Also you might want to secure it by adding .httaccess to the admin folder.

 

If you are using CPanel:

 

cpanelzt4.jpg

 

 

why not add an htaccess file and restrict just your IP address.

 

<LIMIT GET HEAD POST>

order allow,deny

allow from my_ip

</LIMIT>

Link to comment
Share on other sites

  • 1 month later...

Actually, in addition to moving your live admin folder, you should leave a "honeypot" admin folder as well.

 

A nice little .htaccess for the wanna-be hackers:

 

AuthUserFile /xxxxx/xxxxx/xxxxx/html/catalog/admin/.htpasswd
AuthGroupFile /dev/null
AuthName "Username:"
AuthType Basic

<limit GET POST>
require valid-user
</limit>

 

 

Of course your .htpasswd looks like this:

 

.

 

(yes, an empty .htpasswd file)

 

 

And just to make things more interesting, an empty index.htm will complete the "honeypot"

 

 

Have fun!!

Link to comment
Share on other sites

  • 1 year later...
My DIR_FS_ADMIN line looks like this originally:

define('DIR_FS_ADMIN', DIR_FS_DOCUMENT_ROOT . DIR_WS_ADMIN);

 

What should it be changed to?

That setting is fine. If it is not working, then it suggests that either your DIR_FS_DOCUMENT_ROOT or DIR_WS_ADMIN is incorrect.

Always back up before making changes.

Link to comment
Share on other sites

That setting is fine. If it is not working, then it suggests that either your DIR_FS_DOCUMENT_ROOT or DIR_WS_ADMIN is incorrect.

 

Yes, they are incorrect because I changed the ADMIN file name. Maybe I should start at the beginning. My website got hacked so I wanted to change my ADMIN folder. Lets say I changed it to NEWadmin. I was told to go into my config file and change the path which still said ADMIN. So I changed 'DIR_WS_ADMIN' like the 1st poster said, but my DIR_FS_ADMIN is different than mentioned above. I tried leaving it as-is.

 

So, now when I log-in to mywebsite.com/NEWadmin, I am redirected here:

http://mywebsite.com/NEWadmin/login.php?os...inID=XXXXXXXXXX

 

I type in my login info and then I get an error saying:

 

Error 404 - Not found

Your browser can't find the document corresponding to the URL you typed in.

http://palswithtails.com/NEWadmin/login.ph...inID=XXXXXXXXXX

Link to comment
Share on other sites

Error 404 - Not found

Your browser can't find the document corresponding to the URL you typed in.

http://palswithtails.com/NEWadmin/login.ph...inID=XXXXXXXXXX

First, I don't see how DIR_FS_ADMIN would affect that situation. You wouldn't be using it in generating a link. When you change DIR_WS_ADMIN, DIR_FS_ADMIN should change automatically in that code (since is composed by concatenating DIR_FS_DOCUMENT_ROOT and DIR_WS_ADMIN). Therefore, if all you did was rename admin, all you should have to do is update DIR_WS_ADMIN and DIR_FS_ADMIN will update automatically.

 

The first thing that I would try (to solve the 404 problem) would be clearing cookies. It's possible that you are picking up bad session information somewhere. If that doesn't work, the next thing I would try would be using LiveHTTPHeaders (Firefox plugin) to track what redirects it's doing. You'd go to your login page in the normal way. Turn on LiveHTTPHeaders in the sidebar. Submit your login info. Read the headers to see where it thinks it is going.

 

Another thing that you could try (if you don't want to install LiveHTTPHeaders) is when you get the 404 error, edit the URL in the browser. I.e. change

http://palswithtails.com/NEWadmin/login.php?action=process&osCAdminID=XXXXXXXXXX

to

http://palswithtails.com/NEWadmin/index.php?osCAdminID=XXXXXXXXXX

and see if that works. You need to keep the osCAdminID the same so it know about your login.

Always back up before making changes.

Link to comment
Share on other sites

I have the exact same problem. I renamed my admin folder. I went into the configuration file and changed the required admins into my new folder.

 

Now when i type in mysite.com/newadmin/login.php it takes me to my correct login page but when i enter my user and pass I get redirected to a 404 page that doesnt exist.

 

It looks like the program does an auto redirect to the OLD admin folder. What to do?

Link to comment
Share on other sites

I went into the configuration file and changed the required admins into my new folder.

Both DIR_WS_ADMIN and DIR_FS_ADMIN?

From catalog/admin/includes/configure.php:

  define('DIR_WS_ADMIN', '/catalog/admin/');
 define('DIR_FS_ADMIN', '/Library/WebServer/Documents/catalog/admin/');

Link to comment
Share on other sites

Yep.

 

Both DIR_WS_ADMIN and DIR_FS_ADMIN

From catalog/admin/includes/configure.php:

 

mysite.com/admin/login.php?action=process&osCAdminID=4d02951f65cd6684f9ec69f285902fdd

 

that's what i get redirected to (with 404 error) when i try to put in my login info.

 

 

Here's what's in the php.

 

define('DIR_WS_HTTP_ADMIN', '/gooba/');

define('DIR_WS_HTTPS_ADMIN', '/gooba/');

 

define('DIR_FS_ADMIN', '/home/thename/public_html/gooba/'); // absolute path required

 

 

my admin folder has been renamed to gooba. please help me solve this. thank you so much:)

Link to comment
Share on other sites

Does catalog/admin/includes/local/configure.php exist? If it does, make the same changes there.

 

Regards

Jim

See my profile for a list of my addons and ways to get support.

Link to comment
Share on other sites

  • 2 weeks later...

After changing admin name to newname, all is fine, except for one issue. This error message appears at top of page:

 

 

Error, Backup Directory Does Not Exist, please create it or run "auto_backup_setup.php"

 

Backups dir is located in folder of newname(admin). After running auto_backp_setup.php, I receive this error:

 

Warning: mkdir() [function.mkdir]: No such file or directory in /xxxx/xxxxxxx/public_html/newname/auto_backup_setup.php on line 7

 

Bennett

Link to comment
Share on other sites

Check your ADMIN/INCLUDES/CONFIGURE.PHP file:

 

define('DIR_FS_ADMIN', '/home/servername/public_html/catalog/newadminname/');

define('DIR_FS_BACKUP', DIR_FS_ADMIN . 'backups/');

 

I suspect u forgot one!!

Sam

 

Remember, What you think I ment may not be what I thought I ment when I said it.

 

Contributions:

 

Auto Backup your Database, Easy way

 

Multi Images with Fancy Pop-ups, Easy way

 

Products in columns with multi buy etc etc

 

Disable any Category or Product, Easy way

 

Secure & Improve your account pages et al.

Link to comment
Share on other sites

  • 6 months later...

Hi, I am new to osCommerce.

 

I've been trying to secure my admin folder.

 

When I follow your instructions and try to login to my newly renamed admin section, all I get is this

 

 

Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'mydbpassword'@'localhost' (using password: YES) in /path_to_admin_directory/newadminname/includes/functions/database.php on line 19

Unable to connect to database server!

 

Thanks in advance

Link to comment
Share on other sites

  • 1 year later...

I found that after making the changes to catalog/admin/includes/configure.php, and then renaming the directory, I also had to edit the [new admin directory name]/.htaccess file, as it had a hard-wired AuthUserFile line that also specified the admin directory.

 

One other thing I had to do was rewrite a hard-wired link to the Admin panel that the site has on its public navigation bar.

 

Now the renamed directory is working smoothly.

 

Just hoping to keep all the @#$%@#$ hackers out. I came in late to a nightmare of a site and am trying to regain control of it.

Link to comment
Share on other sites

  • 1 month later...

After you get done changing the admin folders name I recommend using this in your .htaccess file. Unless someone knows your ip and clones it, or some other hacking method. It wont let anyone in but the one who holds the correct ip, you presumably.

AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# IP address of my home computer
allow from 00.000.000.000
# IP addresses of my two work computers
# allow from 00.000.000.000
# allow from 000.000.00.000
# IP address at my uncle's house
# allow from 000.000.0.00

More can be found on this thread Installing admin in a Subdomain

Link to comment
Share on other sites

  • 4 months later...

ive followed these instructions step by step, also ammending the htaccess file

but now my left hand admin menu has gone to S**t

the java menu is no longer working and the text is hanging off the left hand side of the browser window?

 

[see attached]

 

any ideas why its done this?

 

cheers

post-296846-0-97870400-1315388775_thumb.jpg

Link to comment
Share on other sites

  • 4 months later...
Actually, in addition to moving your live admin folder, you should leave a "honeypot" admin folder as well. A nice little .htaccess for the wanna-be hackers:
AuthUserFile /xxxxx/xxxxx/xxxxx/html/catalog/admin/.htpasswd AuthGroupFile /dev/null AuthName "Username:" AuthType Basic  require valid-user 

Of course your .htpasswd looks like this:

.

(yes, an empty .htpasswd file) And just to make things more interesting, an empty index.htm will complete the "honeypot" Have fun!!

 

Sir Harry Flashman,

That sounds like a neat trick - can you please tell me how to do this - bit confused on where to insert the code. Running OSC version 2.3 and already renamed the admin folder and works great - just looking for sum extra security and throwing off anyone trying to hack my site..

Many thanks!

Jasper~

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

×
×
  • Create New...