Advance security with login page
 


Started by Hanna., March 13, 2019, 05:20:15 PM


Hanna.

Hi all. I am sorry to tell but my server had to suspend my uptime with multiple pages that run with Coppermine. Massive attacks and attempts on login.php/admin.php.

I am seeking support for this issue in order to get my web sites back up. What are the options of masking/moving/renaming the login.php or something like that to avoid these massive attacks? It is not about the username/passwords, it is simply about running the login.php/admin.php and abusing them.

I have blocked about 100 IPs, but it won't solve this. Please help.

phill104

Was a hacking attempt successful or is there just a huge load being placed on your server due to the attempt?
It is a mistake to think you can solve any major problems just with potatoes.

Hanna.

Quote from: Phill Luckhurst on March 13, 2019, 10:35:56 PM
Was a hacking attempt successful or is there just a huge load being placed on your server due to the attempt?

Thankfully not successful! I got 10+ coppermines on my cloud. However my provider totally suspended me because the abuse was outrageous (huge amounts of attacks, fake traffic etc.) and if this happens again I will be put in court to answer for this because of the choice of scripts I am using. (Coppermine is one of them.) - Not safe because the way to attack is always their attempts on login.php/admin.php even though I deleted the menu off my theme for now, and blocked a bunch of IPs.

phill104

Without knowing exactly what the attack is, it is very hard for us to comment. Generally Coppermine is a very secure package. While there have been breaches over the years the team have been very quick to patch them. All vendors are the same whether free or paid. So as long as your installs are up to date you should not have a problem.


If at some point your system has been compromised it is important to identify the leak and to remove all traces of the attack (the payload) from your system. This can be very time consuming and requires a certain level of skill. If your sites have been compromised then this is a route you should go down, and by the sounds of it you will need to find someone to help you with the task. If your sites are secure and your host is blaming you because external forces are trying, and failing, to attack you, then no court will hold you responsible.

ron4mac

For guarding my sites (mostly Joomla) I use a small script that informs me of any added or changed files. I can fire it off with a cron job and it emails me daily with a status. It works well for sites where files seldom get changed (such as CPG or Joomla sites). If there is a folder that regularly gets changes (like CPG albums), it can be marked for exclusion from the scan. If anyone is interested, I can post the script here.


Here's that script.
I wrote it with an md5 file check option but I only ever use file size.
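
A sketch of the kind of scan described in the post above, added here as an example; it is not ron4mac's script, which is not reproduced on this page. The function names, the JSON baseline file and the `albums` exclusion are assumptions, and the returned lists are what a daily cron job would put in its status mail.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path

def snapshot(root, exclude=(), use_md5=False):
    """Map each relative file path under root to its size (or MD5 digest)."""
    state = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        # Prune excluded folders in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames
                       if os.path.normpath(os.path.join(rel_dir, d)) not in exclude]
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if use_md5:
                state[rel] = hashlib.md5(Path(path).read_bytes()).hexdigest()
            else:
                state[rel] = os.path.getsize(path)
    return state

def compare(old, new):
    """Return sorted lists of added, changed and removed paths."""
    added = sorted(p for p in new if p not in old)
    changed = sorted(p for p in new if p in old and old[p] != new[p])
    removed = sorted(p for p in old if p not in new)
    return added, changed, removed

def scan(root, baseline_file, exclude=(), use_md5=False):
    """Compare root against the stored baseline, then store the new state."""
    new = snapshot(root, exclude, use_md5)
    base = Path(baseline_file)
    old = json.loads(base.read_text()) if base.exists() else {}
    base.write_text(json.dumps(new))
    return compare(old, new)

def demo():
    """Constructed site: login.php grows, new.php appears, albums/ is excluded."""
    with tempfile.TemporaryDirectory() as site, tempfile.TemporaryDirectory() as store:
        base = os.path.join(store, "baseline.json")  # kept outside the scanned tree
        os.mkdir(os.path.join(site, "albums"))
        Path(site, "login.php").write_text("<?php // original")
        scan(site, base, exclude={"albums"})  # first run records the baseline
        Path(site, "login.php").write_text("<?php // original + injected")
        Path(site, "new.php").write_text("<?php")
        Path(site, "albums", "photo.jpg").write_text("upload")
        return scan(site, base, exclude={"albums"})
```

A size-only comparison does not notice an edit that leaves the file length unchanged; the `use_md5=True` mode does, at the cost of reading every file.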

phill104

I am interested. Always good to see new options.


gmc

Sounds like this is more of a 'denial of service' type attack - flooding the server with requests... rather than a hack that altered files...

Certainly login.php can be renamed... but if others need to login - you would be updating your menu with the path to the new login page. 

(And even though I don't think this was a case of files being altered - always interested in seeing scripts we can use to monitor...)
Thanks!
Greg

ron4mac


Hanna.

Quote from: gmc on March 14, 2019, 06:21:58 PM
Certainly login.php can be renamed... but if others need to login - you would be updating your menu with the path to the new login page. 

How can I do this? I am the only user and I need to block/deny people from admin.php entirely.

phill104

In your case maybe adding some rules to .htaccess will do what you want.

<Files admin.php>
order deny,allow
deny from all
allow from <YOUR_IP_ADDRESS>
</Files>


For example, this will completely block access to admin.php.

You would then need to modify the rule to allow just your IP access. You can use Google to look up other options and how to use htaccess files. Server setup is best explored via websites dedicated to whatever platform your host is running rather than here.

Αndré

Quote from: Hanna. on March 13, 2019, 05:20:15 PM
What are the options of masking/moving/renaming the login.php

You can rename login.php to something like mylogin.php. Then you need to open mylogin.php and replace all occurrences of login.php with mylogin.php. Maybe the same can be done with admin.php, but I haven't tested this yet.