Access to your vBulletin files should only come through a web browser in most instances. However sometimes someone will start poking around on your server and you don't want them entering directories that should be secure. You can prevent this using server configuration files such as .htaccess or web.config. These files let you control who has access to your directories.
Securing the admincp, modcp, and install directories.
These three directories often require access by staff for the maintenance and running of your forums. Should a staff member's account be compromised, they may provide a way into the system for further malicious mischief, especially the admincp. The general premise is that anyone with access to the admincp can do very bad things, including disabling your forums, hijacking other accounts, installing plugins that log, redirect or do other malicious things to users, and so forth. Securing these directories should be on the security-conscious admin's mind from the beginning. To do this you would use .htaccess to ask for a secondary username and password. Ideally each person should have their own.
To do this you will find instructions here:
.htaccess - http://www.javascriptkit.com/howto/htaccess3.shtml
web.config - http://support.microsoft.com/kb/815151
Restrict Access via IP Address
Alternatively, if you're the only one who requires access to these directories, you can restrict that access to your IP Address. Doing so requires a static IP Address from your internet service provider.
.htaccess:
Code:
order deny,allow
deny from all
# allow the admin
allow from 83.116.19.53
# allow moderator:
allow from 83.116.19.59
# for all the xxx.xxx.xxx.xxx put in an ip-address, or ip-range
web.config:
Code:
<security>
  <ipSecurity allowUnlisted="false"> <!-- this line blocks everybody, except those listed below -->
    <clear/> <!-- removes all upstream restrictions -->
    <add ipAddress="127.0.0.1" allowed="true"/> <!-- allow requests from the local machine -->
    <add ipAddress="83.116.19.53" allowed="true"/> <!-- allow the specific IP of 83.116.19.53 -->
    <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/> <!-- allow network 83.116.119.0 to 83.116.119.255 -->
    <add ipAddress="83.116.0.0" subnetMask="255.255.0.0" allowed="true"/> <!-- allow network 83.116.0.0 to 83.116.255.255 -->
    <add ipAddress="83.0.0.0" subnetMask="255.0.0.0" allowed="true"/> <!-- allow entire /8 network of 83.0.0.0 to 83.255.255.255 -->
  </ipSecurity>
</security>
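As an added example (not from the original post, nor vBulletin's or IIS's own code), the script below parses the ipSecurity section above and evaluates a client address against it the way the comments describe; it also reports entries that a broader entry already covers and how many addresses the list actually admits. The deny-beats-allow tie-break in is_allowed is an assumption of this example, not documented IIS behaviour.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the ipSecurity fragment from the post, reused here as input.
WEB_CONFIG = """<security>
  <ipSecurity allowUnlisted="false">
    <clear/>
    <add ipAddress="127.0.0.1" allowed="true"/>
    <add ipAddress="83.116.19.53" allowed="true"/>
    <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/>
    <add ipAddress="83.116.0.0" subnetMask="255.255.0.0" allowed="true"/>
    <add ipAddress="83.0.0.0" subnetMask="255.0.0.0" allowed="true"/>
  </ipSecurity>
</security>"""

def parse_rules(xml_text):
    """Return (allow_unlisted, [(IPv4Network, allowed_bool), ...]) from an ipSecurity section."""
    sec = ET.fromstring(xml_text).find("ipSecurity")
    allow_unlisted = sec.get("allowUnlisted", "true").lower() == "true"
    rules = []
    for add in sec.findall("add"):
        mask = add.get("subnetMask", "255.255.255.255")  # no subnetMask = a single host
        net = ipaddress.IPv4Network((add.get("ipAddress"), mask), strict=False)
        rules.append((net, add.get("allowed", "true").lower() == "true"))
    return allow_unlisted, rules

def is_allowed(client_ip, allow_unlisted, rules):
    """Unlisted clients follow allowUnlisted; listed clients need a matching allow entry.
    Assumption for this example: if both an allow and a deny entry match, deny wins."""
    ip = ipaddress.IPv4Address(client_ip)
    verdicts = [allowed for net, allowed in rules if ip in net]
    return allow_unlisted if not verdicts else all(verdicts)

def shadowed_rules(rules):
    """Entries fully contained in a broader entry; they add no addresses to the list."""
    found = []
    for net, _ in rules:
        for other, _ in rules:
            if net != other and net.subnet_of(other):
                found.append((str(net), str(other)))
                break
    return found

def allowed_address_count(rules):
    """Size of the allow list after merging overlaps: how wide the door really is."""
    nets = [net for net, allowed in rules if allowed]
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
```

Run against the fragment above, shadowed_rules shows the host and the /24 and /16 entries are all swallowed by the /8, and allowed_address_count reports over sixteen million addresses, which is the check worth doing before copying a subnet example into a live admincp restriction.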
For a bit of security through obscurity you can also rename these directories inside your config.php file. Then when someone tries to access the original names, they will get an error. Though, I recommend leaving empty directories named admincp and modcp in place, each with a deny from all .htaccess inside. To rename these directories look for this section in the config.php file:
Code:
// ****** PATH TO ADMIN & MODERATOR CONTROL PANELS ******
// This setting allows you to change the name of the folders that the admin and
// moderator control panels reside in. You may wish to do this for security purposes.
// Please note that if you change the name of the directory here, you will still need
// to manually change the name of the directory on the server.
$config['Misc']['admincpdir'] = 'admincp';
$config['Misc']['modcpdir'] = 'modcp';
Other Directories - includes, packages and vb
No one should need direct access to these directories at any time. However, I feel these should be secured nonetheless. They contain the inner workings of your vBulletin system. To secure them, include a deny from all directive in the .htaccess of each directory. To do this, create a .htaccess file containing the following single line:
Code:
deny from all
Warning
There is one fatal caveat to securing directories and files via .htaccess or web.config files. If the attacker has access to the server via FTP or other means, they can possibly delete these files and remove any security they provide.
Excellent information - have a question regarding your code.