Tuesday, May 29, 2012

Protect Your Admin Panel

One of the main reasons government and private websites get hacked is poor security around their Admin Panel. After a successful SQL Injection, the cracker's next goal is to find the admin login page where he or she can enter the username and password just pulled out of the site's database. (I'm not really sure if there are ch1xorz who are into SQL Injection. lolz)

With common Google dorks like inurl:admin/admin.php or inurl:/admin/login.asp, a cracker can still find plenty of websites on which to try easy-to-guess passwords (admin:admin) or the ' or '1'='1 SQL Injection string (there are many other strings, but this is one of the most common). Take note that there are many other ways of attacking a site, but SQL Injection is still one of the most common attacks.
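To show what the ' or '1'='1 string actually does to a login form, here is an added example (not code from the original post) in Python with SQLite: a vulnerable admin login that splices the username and password straight into its SQL, beside a fixed login that uses a parameterised query and stores a salted PBKDF2 hash instead of a plaintext password column. The table names, the siteadmin account and its password are constructed for the demo.

```python
# Added example, not code from the original post: the ' or '1'='1 login
# bypass against an admin login that splices user input into its SQL,
# beside a fixed login that uses a parameterised query and a salted
# PBKDF2 hash instead of a plaintext password column. The table names,
# the account 'siteadmin' and its password are constructed for the demo.
import hashlib
import hmac
import os
import sqlite3

PAYLOAD = "' or '1'='1"  # the injection string quoted in the post
ITERATIONS = 200_000     # PBKDF2 work factor used by the demo


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted slow hash, so a dumped table does not hand out passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_db() -> sqlite3.Connection:
    """In-memory database with one constructed admin account stored two
    ways: plaintext (what the vulnerable login reads) and salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins_plain (username TEXT, password TEXT)")
    conn.execute(
        "CREATE TABLE admins (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)"
    )
    salt = os.urandom(16)
    conn.execute("INSERT INTO admins_plain VALUES (?, ?)",
                 ("siteadmin", "N0t-admin-admin!"))
    conn.execute("INSERT INTO admins VALUES (?, ?, ?)",
                 ("siteadmin", salt, hash_password("N0t-admin-admin!", salt)))
    conn.commit()
    return conn


def login_vulnerable(conn, username: str, password: str):
    """The buggy pattern: input concatenated into the SQL text. The quote
    in PAYLOAD closes the password literal and "or '1'='1'" makes the
    WHERE clause true for every row, so the first admin is returned."""
    sql = ("SELECT username FROM admins_plain WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, username: str, password: str):
    """Parameterised lookup by username only, then a constant-time hash
    comparison in code. The value travels to the driver separately from
    the SQL text, so quotes in it cannot change the query's structure,
    and the password never appears in a WHERE clause at all."""
    row = conn.execute(
        "SELECT salt, pw_hash FROM admins WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return None
    salt, stored = row
    if hmac.compare_digest(hash_password(password, salt), stored):
        return username
    return None


def demo() -> dict:
    """Run both logins against the same inputs; returns who got in."""
    conn = make_db()
    return {
        "vulnerable_with_payload": login_vulnerable(conn, "anyone", PAYLOAD),
        "fixed_with_payload": login_fixed(conn, "anyone", PAYLOAD),
        "fixed_with_real_password": login_fixed(conn, "siteadmin",
                                                "N0t-admin-admin!"),
        "vulnerable_with_wrong_password": login_vulnerable(conn, "siteadmin",
                                                           "wrong"),
    }


if __name__ == "__main__":
    for name, who in demo().items():
        print(f"{name}: {who}")
```

Run it and the vulnerable login lets "anyone" in as siteadmin with the payload in the password field, while the fixed login rejects it and only accepts the real password. The fix is the parameter placeholder, not any quote-escaping of the input; the hashed column is a separate hardening that limits what the cracker walks away with if another injection elsewhere dumps the table.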

Properly securing the Admin Panel stops the skiddie and low-effort attacks. So let's tackle 4 safety tips, with some easy website configuration (the n00bz way), for the Admin Panel:

1. Enable HTTPS encryption or Use SSL Login Pages
HTTPS keeps the username and password out of reach of a script kiddie sniffing the network. It can still be downgraded with sslstrip when the login page is first reached over plain HTTP (sending the HTTP Strict Transport Security header once tells the browser to refuse plain HTTP for your site afterwards, which is what closes that hole), but even on its own it stops the easy MITM attacks. Sending logins over unencrypted HTTP hands the password to anyone on the path between the browser and the server.

2. Edit The Name of Your Admin Panel
Don't give your Admin Panel a common file name like admin.php, login.php, admin/login.asp, cpanel.php, etc. Make it hard to find, so that the common 'Admin Finders' on the net, which simply try a wordlist of such paths, can't locate it. If possible, run an Admin Finder (or any directory brute-forcer) against your own website to check. Keep in mind that this is obscurity only: the path can still leak through links, robots.txt or a bigger wordlist, so treat it as a supplement to the next tip, not a replacement for it.

3. Enable or Create an .htaccess File
An .htaccess file is Apache's per-directory configuration, and it lets you restrict access to parts of the site, especially sensitive folders such as backup files, scripts, and the Admin Panel. Putting a server-side restriction around the Admin Panel folder adds a second layer of protection in front of the login form itself. I suggest you allow only your own IP address to reach the panel, so nobody else even gets to try. If you have a fixed or static IP address, put a file like this in the Admin Panel folder:
# Apache 2.2 syntax: block everyone, then allow only the listed address
Order deny,allow
Deny from all
Allow from xxx.xxx.xxx.xxx
Under Allow from, replace xxx.xxx.xxx.xxx with your fixed IP address, so that only you can see that folder and the Admin Panel in it. The Deny from all line is essential: without it Apache allows everyone by default and the Allow line changes nothing. Listing individual spammer IPs under Deny from, as some guides suggest, does not protect you, because the next attacker simply comes from another address. You can add more Allow from lines for other addresses you trust. Two caveats: on Apache 2.4 the same rule is written as a single Require ip xxx.xxx.xxx.xxx directive (everyone else is denied), and if your ISP gives you a dynamic address you will lock yourself out, in which case password-protect the folder with HTTP Basic authentication instead.

4. Update your site
Keep your CMS, plugins and server software patched, and fix your own code so that user input is never spliced into a query. This article should help you in avoiding SQL Injection.
Well, that's it for now! If you want to add something about Web Admin Panel security, feel free to comment below, and if you are interested in learning more about the .htaccess file, click here.
