Should I chmod 755?



Sharg
Wed 21st Jun '00, 12:54am
Hi, for security reasons, should I chmod 755 the admin directory, and the directory which contains all the .php files?
Is there no problem with this?

Thanks,
Benj

werehere
Wed 21st Jun '00, 1:55am
There should be no reason to have to do that. I have used a .htpasswd file to protect the actual admin directory, and of course it will work fine. :)

zap
Wed 21st Jun '00, 7:35am
@werehere
Could you e-mail me your .htpasswd file because I am not an expert in this area but I want to protect my admin directory, too.

That would be very friendly :)

My E-mail Address: zapboard@zapboard.de

customcpu
Fri 23rd Jun '00, 6:24am
Unfortunately, werehere, the .htaccess file will not protect you against local users (who really pose the biggest threat). Here is what I did.

This comes with the following disclaimers :)
- These instructions are for *NIX platforms only - I don't use windoze for anything server related and I highly recommend you don't either :)
- You MAY have to be root to do some of the following
- If you are somewhat of a newbie please write down file perms etc. before you try this - that way if you mess up you can undo what you did.

OK now that that is out of the way...

I installed the forum into a directory called questions. Then I "chgrp -R nobody questions". This changes the GID for questions and all sub dirs to nobody. Then I "chmod -R 750 questions". Now if you are not root or nobody you cannot even change to the directory. Is this a little paranoid? Maybe...but better safe than sorry.

One caveat - the web server I use runs as nobody. If yours doesn't, change nobody to what your server runs as.
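An added example, not from any post in this thread: a POSIX shell script that applies the chgrp/chmod 750 steps above to a forum directory and then audits the tree for anything still readable by "other" or outside the web server's group, so a stray world-readable file is caught rather than silently left behind. The directory and group are arguments; "nobody" is the group assumed above, so pass whatever your own server runs as.

```shell
#!/bin/sh
# Added example (not the thread's own commands): harden a forum directory the
# way described above, then audit it. Assumes $1 is the forum directory and
# $2 is the group the web server runs as ("nobody" in the post above).

# Step 1 and 2 from the post: give the whole tree to the web server's group and
# set 750 (owner rwx, group rx, nothing for "other") on every file and dir.
harden_forum_dir() {
    dir="$1"; grp="$2"
    chgrp -R "$grp" "$dir" || return 1
    chmod -R 750 "$dir" || return 1
}

# Audit: print every path under $1 that still has any r/w/x bit for "other",
# or whose group is not $2. Returns 0 when the tree is clean, 1 otherwise.
# Re-run this after uploading new files: a fresh upload normally arrives with
# the uploader's umask, not with 750.
audit_forum_dir() {
    dir="$1"; grp="$2"
    found=$(find "$dir" \( -perm -o+r -o -perm -o+w -o -perm -o+x \
                            -o ! -group "$grp" \) -print)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Example use (only runs when the script is executed directly):
#   sh harden.sh /var/www/questions nobody
if [ "$#" -eq 2 ]; then
    harden_forum_dir "$1" "$2" && audit_forum_dir "$1" "$2" && echo "clean"
fi
```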

customcpu
Fri 23rd Jun '00, 6:37am
BTW zap, werehere's .htpasswd files wouldn't be of much use to you - it would have HIS usernames and passwords :)

Here is some info on creating your own:
To create the .htpasswd file, use the htpasswd command with the following format:
# htpasswd [-c] .htpasswd {username}
This command line will prompt you for a password for that user. The password that you type will not be echoed onto the screen, and it will be immediately encrypted.

The output from this command is a .htpasswd file with an entry with the form:
{user}:{encrypted password}
The -c option creates a new passwd file instead of editing an old one. So only use the -c option the first time the htpasswd command is used.

Finally, make sure that read permissions for this file are set for everyone (i.e. owner, group, and other).

werehere
Fri 23rd Jun '00, 6:53am
customcpu,

Thank you for clarifying. It would not protect your directories from ftp access, if others could access those directories. If they can, then I suggest you talk to your host about security, or find another. :)

customcpu
Fri 23rd Jun '00, 7:06am
I try not to use ftp (plaintext passwords). I also try not to use a hosting company - I own the server :) (The way I have the one machine set up I felt this was necessary. I gave a few people who are getting acquainted with Linux shell accounts, but I didn't want to chroot them as I felt it would kind of put a damper on their learning experience :))
I would be leery of trusting your hosting company to take care of security though - I have seen some almost unbelievable incompetence!