
osCommerce

Admin Folder in another domain


Guest


Hi Forum Members,

I would like to place my renamed admin folder* on a different server, domain etc. I have been messing around with *admin/includes/configure.php but I am having trouble as I cannot get it to work. Did anyone manage to do so and can share the general concept?

The server hosting the database and site [everything apart from the admin folder] is on Yahoo web hosting and, if I am not mistaken, they do not allow remote connections to the MySQL database [or something similar to it].

Moreover, is there a way to create a honeypot [bogus admin folder] without using .htaccess, as Yahoo doesn't allow that either?

*admin folder renamed

Thanks for any help

With best regards

Proimage


Well, going back to first principles, your admin system has to have full access to your database, and the ability to manipulate files under the store server's filesystem (e.g., upload product images). If it can't do both those things, it's dead in the water. What exactly are you trying to accomplish? Renaming admin and putting it under password protection is normally enough security -- do you need something beyond that? Is this a performance issue? Admin functions don't normally hit the server and database all that hard, compared to store (catalog) activity, so if you're overloaded as it is, I don't think splitting off admin to another server is going to do much for you.

You should certainly be able to move your admin functions to a different domain name under the same hosting account (i.e., subdomain or add-on domain), so long as this domain can access the database and the filesystem. However, going to a completely different server is going to be tricky. Your store database would have to allow full remote access from another machine (a security exposure in itself) and your store filesystem would have to allow remote operations (rcp, remote shell, etc.), again, a security hassle.

If you want a honeypot for hackers, once you've renamed your admin (and password protected it), you could create a real-looking admin directory that appears to be doing all the right things, but is really configured to connect to a "sandbox" database and a separate file tree. That is, use real osC admin code and a real initial copy of your product files and database, but pointing to a sandbox file tree and a sandbox database copy. Leave off the password protection, and enjoy the show as hackers mess around in your "admin". You can even set things up so that you can "one click" restore the sandbox to its original state. Call it "rake_smooth.php" :) . Once a hacker sees that he's not affecting the real store, hopefully he'll give up in disgust. Of course, you've done everything you can in the way of security fixes to keep him from doing damage from the store side, right?


MrPhil wrote:

If you want a honeypot for hackers, once you've renamed your admin (and password protected it), you could create a real-looking admin directory that appears to be doing all the right things, but is really configured to connect to a "sandbox" database and a separate file tree. That is, use real osC admin code and a real initial copy of your product files and database, but pointing to a sandbox file tree and a sandbox database copy. Leave off the password protection, and enjoy the show as hackers mess around in your "admin". You can even set things up so that you can "one click" restore the sandbox to its original state. Call it "rake_smooth.php" :) . Once a hacker sees that he's not affecting the real store, hopefully he'll give up in disgust. Of course, you've done everything you can in the way of security fixes to keep him from doing damage from the store side, right?

That's a great idea indeed... Thanks for the admin info as well.

How would you suggest I set up a sandbox database... :-" [Can I just create a dummy database and amend the bogus admin/incl.config.php to call that.... I would love to track/log their IPs as well and play with them later... :rolleyes:

Regs Fab


I don't see why you couldn't just go into phpMyAdmin (or your host's control panel) and create a new database with a different name than your real one, and then copy your real one over to it. This would be a good time to take a backup of your real database, anyway (.sql file), which you can also import into the honeypot database. Create a copy of your files in their own sandbox tree, with a different (but plausible) name from your real ones. Copy all of your admin files to the "admin" directory, and change configure.php to point to the honeypot database and the honeypot file tree. You probably will want to rig up a shell script to do this in one operation -- restoring the original database content and files. You could fire it off manually or on a daily cron job.

[Can I just create a dummy database and amend the bogus admin/incl.config.php to call that.... I would love to track/log their ips as well and play with them later...

Sure -- like a cat plays with a mouse before killing and eating it?

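The "one click" reset MrPhil describes (his "rake_smooth" idea) and the shell script on a daily cron job he suggests in the reply above, written out as an added example; this is not code from osCommerce or from anyone in the thread. It assumes the bogus admin's includes/configure.php already points at a sandbox database and a sandbox file tree, and every name and path in it (store_honeypot, the dump file, the two directories) is a placeholder to adjust for your host. MySQL credentials are assumed to be in ~/.my.cnf so they never appear on a command line; DRY_RUN=1 prints the database commands instead of running them.

```shell
#!/bin/sh
# rake_smooth.sh: reset the honeypot admin's sandbox to its pristine state.
# Added example for this thread, not code from osCommerce or from MrPhil. It
# assumes the bogus admin's includes/configure.php already points at the
# sandbox database and file tree named below (all placeholders), and that
# MySQL credentials live in ~/.my.cnf so they never appear on a command line.

SANDBOX_DB="${SANDBOX_DB:-store_honeypot}"                         # decoy database
DUMP_FILE="${DUMP_FILE:-$HOME/private/honeypot_pristine.sql}"     # mysqldump of the copy
PRISTINE_DIR="${PRISTINE_DIR:-$HOME/private/catalog_pristine}"    # untouched file tree
SANDBOX_DIR="${SANDBOX_DIR:-$HOME/public_html/catalog_sandbox}"   # tree the decoy edits
DRY_RUN="${DRY_RUN:-0}"                                            # 1 = print DB commands only

# Both targets must carry a sandbox marker in their name, so a mistyped
# variable cannot point this script's rm -rf / DROP DATABASE at the real store.
check_targets() {
    case "$SANDBOX_DB" in *honeypot*|*sandbox*) ;; *) return 1 ;; esac
    case "$SANDBOX_DIR" in *honeypot*|*sandbox*) ;; *) return 1 ;; esac
    return 0
}

# The database reload as a single command string (drop, recreate, import).
db_restore_command() {
    printf 'mysql -e "DROP DATABASE IF EXISTS %s; CREATE DATABASE %s;" && mysql %s < %s' \
        "$SANDBOX_DB" "$SANDBOX_DB" "$SANDBOX_DB" "$DUMP_FILE"
}

restore_db() {
    check_targets || return 1
    cmd=$(db_restore_command)
    if [ "$DRY_RUN" = 1 ]; then
        echo "[dry-run] $cmd"
    else
        sh -c "$cmd"
    fi
}

# Replace the whole sandbox tree: a partial fix would leave attacker files behind.
restore_files() {
    check_targets || return 1
    [ -d "$PRISTINE_DIR" ] || return 1
    rm -rf "$SANDBOX_DIR"
    cp -R "$PRISTINE_DIR" "$SANDBOX_DIR"
}

main() {
    check_targets || { echo "refusing: targets do not look like a sandbox" >&2; exit 2; }
    restore_db && restore_files && echo "sandbox reset at $(date)"
}

case "${1:-}" in
    --run) main ;;   # cron: 0 4 * * * $HOME/bin/rake_smooth.sh --run >> $HOME/logs/rake_smooth.log 2>&1
esac
```

The pristine dump and file copy live outside the web root, where the honeypot's visitors cannot reach them, and the name check in check_targets is the one safeguard worth keeping even if everything else is changed: the script deliberately destroys whatever it is pointed at.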

Hi MrPhil,

I just play... don't go for the kill... I am a CEH [White Hat]

A Contrib proposal for Honeypots...

Create an auto emailing system that notifies the admin with an entry and the IP.

Simple enough for anyone with programming skills but I am not good at such...

This is the recommended practice as good hackers attack log files upon entry first, then try to achieve their secondary goals.

Can anyone guide me to it and share it with the rest of the gang?

Regs Fab

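The auto-emailing idea in this post, as an added example that is not code from osCommerce or from anyone in the thread: a cron script that reads the web server's access log, picks out requests aimed at the decoy admin directory, and mails the owner each client IP with its hit count and first request. The log path, decoy path and address are placeholders; it assumes an Apache-style Common or Combined Log Format access log and a working mail command, so a host that exposes neither the access log nor cron cannot use it. The sample log lines inside are constructed for the demo, not taken from a real server.

```shell
#!/bin/sh
# honeypot_alert.sh: mail the store owner the client IPs that touched the decoy admin.
# Added example for this thread, not code from osCommerce. All names and paths
# are placeholders; it assumes an Apache-style Common/Combined Log Format
# access log and a working `mail` command. The state file and the log live
# outside the web root, where the honeypot's visitors cannot reach them.

ACCESS_LOG="${ACCESS_LOG:-$HOME/logs/access_log}"
DECOY_PATH="${DECOY_PATH:-/admin}"                 # the unprotected, bogus admin
ADMIN_EMAIL="${ADMIN_EMAIL:-owner@example.com}"
STATE_FILE="${STATE_FILE:-$HOME/private/honeypot_alert.offset}"

# Constructed sample log (not from a real server) used by the --demo mode.
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2009:03:14:07 +0000] "GET /admin/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2009:03:14:09 +0000] "POST /admin/login.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.2 - - [10/Mar/2009:03:15:00 +0000] "GET /catalog/index.php HTTP/1.1" 200 8800 "http://example.com/admin/" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2009:03:16:31 +0000] "GET /admin?x=1 HTTP/1.1" 200 5120 "-" "curl/7.19"'

# Read log lines from stdin; print "ip<TAB>hits<TAB>first request" per client
# whose request line targets DECOY_PATH. Only the request field ($7) is tested,
# so a referer or user-agent that merely mentions the path is not counted.
honeypot_hits() {
    awk -v path="$DECOY_PATH" '
        {
            req = $7
            if (req == path || index(req, path "/") == 1 || index(req, path "?") == 1) {
                hits[$1]++
                if (!($1 in first))
                    first[$1] = substr($4, 2) " " substr($6, 2) " " req   # drop leading bracket and quote
            }
        }
        END { for (ip in hits) printf "%s\t%d\t%s\n", ip, hits[ip], first[ip] }
    ' | sort
}

# Emit only the lines appended since the last run, tracking a byte offset so
# every hit is reported once; a log that shrank was rotated, so start over.
new_log_lines() {
    offset=0
    [ -f "$STATE_FILE" ] && offset=$(cat "$STATE_FILE")
    size=$(wc -c < "$ACCESS_LOG" | tr -d ' ')
    [ "$size" -lt "$offset" ] && offset=0
    tail -c +"$((offset + 1))" "$ACCESS_LOG"
    echo "$size" > "$STATE_FILE"
}

send_alert() {
    hits=$(new_log_lines | honeypot_hits)
    [ -n "$hits" ] || return 0      # quiet when nobody poked the decoy
    clients=$(printf '%s\n' "$hits" | wc -l | tr -d ' ')
    printf 'Decoy admin %s was touched by %s client(s):\n\nip\thits\tfirst request\n%s\n' \
        "$DECOY_PATH" "$clients" "$hits" \
        | mail -s "honeypot: $clients client(s) hit $DECOY_PATH" "$ADMIN_EMAIL"
}

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_LOG" | honeypot_hits ;;   # offline check of the parser
    --run)  send_alert ;;    # cron: */10 * * * * $HOME/bin/honeypot_alert.sh --run
esac
```

Two design points follow from the post itself: because intruders go for log files first, the offset file and the access log both sit outside the sandbox tree the decoy can write to, and matching on the request field rather than the whole line keeps ordinary catalog visitors who arrived via a referer mentioning /admin out of the report.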

Archived

This topic is now archived and is closed to further replies.
