
Protecting Your Mambo admin panel using .htaccess

.htaccess files are very versatile and can easily protect an area of your site. In the case of Mambo, here is a way to lock down the administrator area in less than 5 minutes.

All you have to do is drop a file named .htaccess into your /administrator directory.

Here is a template .htaccess you can use:
# Deny every client access to this file itself - put this in every .htaccess
<Files .htaccess>
order allow,deny
deny from all
</Files>

# force the admin area behind an .htaccess password
AuthType Basic
AuthUserFile /pathto/.htpasswd
AuthGroupFile /dev/null
AuthName "Walter Cedric Administrator Area"
# no <Limit GET POST> around the require: the restriction must apply to
# every request method, otherwise a PUT, DELETE or OPTIONS request bypasses it
require valid-user

  • /pathto/ must be an absolute path, and it should normally be outside your public webserver directory, so that the password file itself can never be served to a browser.
    In Plesk, that means outside the httpdocs directory!
  • .htpasswd is a text file containing one login:password mapping per line.
  • The order / deny from syntax is the Apache 2.2 form; on Apache 2.4 it only works with mod_access_compat loaded, the native equivalent of "deny from all" being "Require all denied".
Example of .htpasswd
admin:XXXXXXX

XXXXXXX must be replaced by the crypt(3) hash of the password, never by the password itself. You can generate one with this URL (note that this sends your password in clear text to a third-party site and its logs; the safer way is to run htpasswd -c /pathto/.htpasswd admin on the server, which prompts for the password and writes the file for you):

http://de.selfhtml.org/cgi-bin/cryptform.pl?password=aSI45I#56B4KgR34542

In this example, I want aSI45I#56B4KgR34542 as the password (my real password is even more complex!); the page then displays

cziW29BR6Y3fM

Be careful: the value changes on each reload of the page because a random two-character salt (the first two characters of the result) is mixed into the hash, so that identical passwords give different hashes and an attacker cannot reuse a precomputed dictionary of hashes. Every value generated this way is valid. Note also that this traditional DES-based crypt(3) only uses the first 8 characters of the password, so everything after aSI45I#5 is ignored; the MD5 (htpasswd -m) and bcrypt (htpasswd -B) formats do not have this limit.

So I create a file .htpasswd which contains:

Example of .htpasswd
admin:cziW29BR6Y3fM

So in order to get into my Mambo administrator panel, the browser will prompt me and I will have to type

user name: admin
password: aSI45I#56B4KgR34542

that is, the clear-text password, not the hash stored in .htpasswd: Apache hashes what you type with the stored salt and compares the result. Basic authentication only Base64-encodes user:password on the wire, so serve the administrator area over HTTPS, or the password is readable by anyone on the network path.
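As an added example (not code from the original page or from Mambo), here is what happens behind those two prompts: a Python script that writes an .htpasswd entry in Apache's $apr1$ format (the MD5-crypt variant that htpasswd -m produces) and then checks an HTTP Basic Authorization header against it the way mod_auth_basic with a file backend does. It uses apr1 rather than the page's DES crypt because apr1 has no 8-character limit and Python no longer ships a crypt module; the user name, password and salt in the demo are assumptions. The demo shows that the clear-text password logs in and the stored hash does not.

```python
import base64
import hashlib
import secrets

# Added example, not the page's own code: builds an .htpasswd entry in Apache's
# "$apr1$" (MD5-crypt) format and checks an HTTP Basic Authorization header
# against it. User name, password and salt below are demo assumptions.

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    """crypt-style base64: 6 bits per character, least significant first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def apr1_hash(password: str, salt: str) -> str:
    """Apache apr1: MD5-crypt with magic '$apr1$', an 8-char salt, 1000 rounds."""
    pw = password.encode()
    s = salt[:8].encode()
    ctx = hashlib.md5(pw + MAGIC + s)
    alt = hashlib.md5(pw + s + pw).digest()
    for length in range(len(pw), 0, -16):
        ctx.update(alt[: min(16, length)])
    i = len(pw)
    while i:  # the historical "bit pattern of the length" step
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):  # fixed-cost stretching, alternating inputs
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(s)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    encoded = (
        _to64((f[0] << 16) | (f[6] << 8) | f[12], 4)
        + _to64((f[1] << 16) | (f[7] << 8) | f[13], 4)
        + _to64((f[2] << 16) | (f[8] << 8) | f[14], 4)
        + _to64((f[3] << 16) | (f[9] << 8) | f[15], 4)
        + _to64((f[4] << 16) | (f[10] << 8) | f[5], 4)
        + _to64(f[11], 2)
    )
    return f"$apr1${s.decode()}${encoded}"


def new_salt() -> str:
    """Random 8-character salt from the crypt alphabet, like htpasswd does."""
    return "".join(secrets.choice(ITOA64) for _ in range(8))


def htpasswd_line(user: str, password: str) -> str:
    """What `htpasswd -m` would write: user:$apr1$salt$hash."""
    return f"{user}:{apr1_hash(password, new_salt())}"


def verify(stored: str, password: str) -> bool:
    """Re-hash with the salt embedded in the stored value; constant-time compare."""
    if not stored.startswith("$apr1$"):
        return False
    salt = stored.split("$")[2]
    return secrets.compare_digest(apr1_hash(password, salt), stored)


def check_basic_auth(htpasswd_text: str, authorization_header: str) -> bool:
    """True if 'Basic <base64(user:password)>' matches an .htpasswd entry."""
    scheme, _, blob = authorization_header.partition(" ")
    if scheme != "Basic":
        return False
    try:
        user, _, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return False
    for line in htpasswd_text.splitlines():
        name, _, stored = line.partition(":")
        if name == user:
            return verify(stored, password)
    return False


def demo() -> dict:
    # Constructed sample: user "admin" with the page's example password.
    password = "aSI45I#56B4KgR34542"
    htpasswd = htpasswd_line("admin", password) + "\n"
    hashed = htpasswd.split(":", 1)[1].strip()
    ok = "Basic " + base64.b64encode(f"admin:{password}".encode()).decode()
    bad = "Basic " + base64.b64encode(f"admin:{hashed}".encode()).decode()
    return {
        "plaintext_login": check_basic_auth(htpasswd, ok),
        "hash_as_password": check_basic_auth(htpasswd, bad),
        "hash_length": len(hashed),
    }


if __name__ == "__main__":
    print(demo())
```

The Authorization header is just Base64, which is why the decode step needs no key: anyone who captures it on a plain-HTTP connection has the password.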

.htaccess supports many more directives and ways to protect data or directories.
I recommend googling a little to find exhaustive articles, like this one in German:
http://de.selfhtml.org/servercgi/server/htaccess.htm#optionen

If you are using my hashcash component or any statistics/log tool on your server, you may know the IP addresses of the bad guys who try to break into your site. There is a way to block these attacking zombies at the server level: add the following access-control block to the .htaccess file

order allow,deny
allow from all
deny from XXX.XXX.XXX.XXX
deny from .microsoft.com

where XXX.XXX.XXX.XXX is a full IP address or a leading part of one (XXX, XXX.XXX or XXX.XXX.XXX, matched on whole octets), a network in CIDR notation, or a domain name (which costs a reverse DNS lookup on every request to that directory). You can add as many deny from lines as you want; with order allow,deny a client matching any of them is refused even though allow from all matches it too.
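To check such a list before it goes into .htaccess, here is an added example (not the page's code) that emulates Apache's order allow,deny evaluation over a few constructed access-log lines: allow from all, then deny rules given as whole leading octets, a CIDR network, or a domain suffix. The addresses come from the reserved TEST-NET ranges and the hostname is passed in by hand because the script does no DNS.

```python
import ipaddress
from typing import Dict, List, Optional

# Added example, not the page's own code: emulates how Apache evaluates an
# "order allow,deny" block so deny patterns can be checked offline before
# they go into .htaccess. The log lines below are constructed (TEST-NET IPs).

SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2005:13:55:36 +0200] "POST /administrator/index.php HTTP/1.1" 200 512
198.51.100.23 - - [10/Oct/2005:13:55:40 +0200] "GET /administrator/ HTTP/1.1" 401 0
203.0.113.200 - - [10/Oct/2005:13:56:01 +0200] "GET /administrator/index.php HTTP/1.1" 401 0
"""


def _host_match(pattern: str, hostname: Optional[str]) -> bool:
    """Apache domain matching: equal to the name, or a suffix on a dot boundary."""
    if hostname is None:  # no reverse DNS available: a name pattern cannot match
        return False
    h, p = hostname.lower(), pattern.lower().lstrip(".")
    return h == p or h.endswith("." + p)


def matches(pattern: str, ip: str, hostname: Optional[str] = None) -> bool:
    """One 'allow from' / 'deny from' argument against one client.

    Forms as in mod_access: 'all'; a full IP; a partial IP of 1-3 leading
    octets, matched octet by octet (so '203.0.11' does NOT match 203.0.113.7);
    a CIDR network; or a (partial) domain name checked against the client's
    reverse-DNS name, which the caller supplies here.
    """
    if pattern == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
    octets = pattern.split(".")
    if 1 <= len(octets) <= 4 and all(o.isdigit() for o in octets):
        return ip.split(".")[: len(octets)] == octets
    return _host_match(pattern, hostname)


def allowed(ip: str, hostname: Optional[str], allow_rules: List[str],
            deny_rules: List[str], order: str = "allow,deny") -> bool:
    """Apache semantics: 'allow,deny' needs an allow match and no deny match
    (deny wins, default deny); 'deny,allow' lets an allow match override any
    deny, and the default is allow."""
    a = any(matches(p, ip, hostname) for p in allow_rules)
    d = any(matches(p, ip, hostname) for p in deny_rules)
    if order == "allow,deny":
        return a and not d
    if order == "deny,allow":
        return a or not d
    raise ValueError(f"unknown order: {order}")


def blocked_clients(log_text: str, deny_rules: List[str]) -> Dict[str, bool]:
    """Map each client IP of combined-log-format lines to 'would be blocked'
    by the page's block: order allow,deny / allow from all / deny from ..."""
    result: Dict[str, bool] = {}
    for line in log_text.splitlines():
        ip = line.split(" ", 1)[0]
        result[ip] = not allowed(ip, None, ["all"], deny_rules)
    return result


if __name__ == "__main__":
    for client, blocked in blocked_clients(SAMPLE_LOG, ["203.0.113"]).items():
        print(f"{client:16} {'blocked' if blocked else 'allowed'}")
```

Run against the sample, a single "deny from 203.0.113" rule blocks both 203.0.113.x clients and leaves 198.51.100.23 alone; shortening it to "203.0.11" blocks nothing, because partial patterns are octet prefixes, not string prefixes.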

About The Author

Cédric Walter

I worked with various Insurances companies across Switzerland on online applications handling billion premium volumes. I love to continuously spark my creativity in many different and challenging open-source projects fueled by my great passion for innovation and blockchain technology. In my technical role as a senior software engineer and Blockchain consultant, I help to define and implement innovative solutions in the scope of both blockchain and traditional products, solutions, and services. I can support the full spectrum of software development activities, starting from analyzing ideas and business cases and up to the production deployment of the solutions. I'm the Founder and CEO of Disruptr GmbH.