.htaccess files are very versatile and can easily protect an area of your website. In the case of Mambo, here is a way to secure the administrator area in less than 5 minutes.

All you have to do is drop a file named .htaccess into your /administrator directory.

Here is a template .htaccess you can use:

# Do not allow any user to access this file - copy this block into every .htaccess
# (on Apache 2.4 the two lines below are written as: Require all denied)
<Files .htaccess>
order allow,deny
deny from all
</Files>

# Force the admin area behind a .htaccess password
AuthType Basic
AuthUserFile /pathto/.htpasswd
AuthGroupFile /dev/null
AuthName "Walter Cedric Administrator Area"
# <Limit GET POST> applies the rule to GET and POST only; any other method
# (HEAD, PUT, OPTIONS, ...) is served without authentication. Putting
# "require valid-user" outside the <Limit> block covers every method.
<Limit GET POST>
require valid-user
</Limit>

  • pathto should be outside your public web server directory, so the file can never be served to a browser!
    In Plesk, that means outside the httpdocs directory!
  • .htpasswd is a text file which contains one login:password mapping per line.
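As an added example (not part of the original post), here is a small Python script that audits an .htaccess of the shape above for the three pitfalls just described: a missing self-protecting <Files .htaccess> block, a require directive confined to a <Limit> section (methods not listed there skip authentication), and an AuthUserFile placed under the document root. The document root and both sample files are constructed values; the first sample is the post's template with the two pitfalls present, the second the same rules with them removed.

```python
"""Audit an Apache .htaccess for common access-control pitfalls (added example)."""
import re

DOCROOT = "/var/www/httpdocs"  # constructed value; set to the real public directory

# The post's template, with AuthUserFile deliberately placed under the document root
POST_TEMPLATE = """\
<Files .htaccess>
order allow,deny
deny from all
</Files>
AuthType Basic
AuthUserFile /var/www/httpdocs/.htpasswd
AuthGroupFile /dev/null
AuthName "Administrator Area"
<Limit GET POST>
require valid-user
</Limit>
"""

# Same rules with the two pitfalls removed
HARDENED = """\
<Files .htaccess>
order allow,deny
deny from all
</Files>
AuthType Basic
AuthUserFile /var/www/private/.htpasswd
AuthGroupFile /dev/null
AuthName "Administrator Area"
require valid-user
"""


def parse_htaccess(text):
    """Yield (enclosing_sections, directive, args); sections are (name, arg) pairs."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        open_tag = re.fullmatch(r"<(\w+)\s*([^>]*)>", line)
        if open_tag:
            stack.append((open_tag.group(1).lower(), open_tag.group(2).strip().strip('"')))
            continue
        close_tag = re.fullmatch(r"</(\w+)>", line)
        if close_tag:
            if stack and stack[-1][0] == close_tag.group(1).lower():
                stack.pop()
            continue
        parts = line.split(None, 1)
        yield tuple(stack), parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")


def audit_htaccess(text, docroot=DOCROOT):
    """Return a list of findings; an empty list means none of the checks fired."""
    items = list(parse_htaccess(text))
    findings = []

    # 1. The rules file must refuse to serve itself.
    self_protected = any(
        sections and sections[-1] == ("files", ".htaccess")
        and directive == "deny" and args.lower() == "from all"
        for sections, directive, args in items
    )
    if not self_protected:
        findings.append("no <Files .htaccess> block denying access to the rules file")

    # 2. Authentication must exist and must not be limited to a few HTTP methods.
    requires = [(sections, args) for sections, directive, args in items if directive == "require"]
    if not requires:
        findings.append("no Require directive: the directory is not password protected")
    for sections, args in requires:
        limited = [s for s in sections if s[0] == "limit"]
        if limited:
            findings.append(
                f"Require {args} is confined to <Limit {limited[-1][1]}>: "
                "HTTP methods not listed there bypass authentication"
            )

    # 3. The password file must not be reachable through the web root.
    for sections, directive, args in items:
        if directive == "authuserfile":
            path = args.strip('"')
            if path.startswith(docroot.rstrip("/") + "/"):
                findings.append(f"AuthUserFile {path} lives under the document root {docroot}")
    return findings


if __name__ == "__main__":
    for name, sample in (("post template", POST_TEMPLATE), ("hardened", HARDENED)):
        print(name, "->", audit_htaccess(sample) or "no findings")
```

Run it against the real file with `audit_htaccess(open("/path/to/administrator/.htaccess").read(), docroot="/your/httpdocs")`; the parser is deliberately minimal (one directive per line, no line continuations) and is meant for review, not as a replacement for `apachectl configtest`.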

Example of .htpasswd:
admin:XXXXXXX

XXXXXXX must be replaced by its crypt() version. Use this URL to create a new
crypted value:

http://de.selfhtml.org/cgi-bin/cryptform.pl?password=aSI45I56B4KgR34542

In this example I want aSI45I56B4KgR34542 as the password (my real password is even more complex!); the page then displays:

cziW29BR6Y3fM

Be careful: the value changes at each reload of the page, since the system adds a random "salt" to the password before hashing, so that a precomputed dictionary cannot be used to brute force every entry at once. Any of the generated values is valid: the salt is stored in the first two characters of the hash, so the server can redo the same computation when checking a login.

So I create a .htpasswd file which contains:

Example of .htpasswd:
admin:cziW29BR6Y3fM

So in order to get into my Mambo administrator panel, I will have to type:

user name: admin
password: aSI45I56B4KgR34542

(the clear-text password, not the crypted value: the crypted value stays in .htpasswd and is never typed).

The .htaccess syntax contains a lot more keywords and ways to protect data or directories.
I recommend you google a little bit to find exhaustive articles like this one in German:
http://de.selfhtml.org/servercgi/server/htaccess.htm#optionen

If you are using my component hashcash or any statistics log tool on your server, you may know the IP addresses of the bad guys who try to break into your site. There is a way to block these attacking zombies at the server level: just extend the Limit section of the .htaccess file:

<Limit GET POST>
order allow,deny
allow from all
deny from XXX.XXX.XXX.XXX
deny from .microsoft.com
</Limit>

where XXX.XXX.XXX.XXX is a full IP address or the leading part of one (XXX, XXX.XXX or XXX.XXX.XXX, matching whole octets only), but it can also be a DNS name. You can add as many deny lines as you want. Two caveats: a DNS name in a deny rule is only applied after Apache reverse-resolves the client address, and, as above, rules inside <Limit GET POST> apply to those two methods only.
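To see exactly which clients a deny list catches before deploying it, here is an added example (not from the original post) that reproduces Apache's matching rules in Python: a full address, a leading-octet prefix, CIDR or netmask notation, and a domain suffix that only applies when the client's reverse-resolved host name is known. It goes slightly beyond the post by including the CIDR form, which Apache 2 also accepts. The rule list uses constructed addresses from the documentation ranges.

```python
"""Check which client addresses an Apache deny list blocks (added example)."""
import ipaddress

# Constructed rules in the shape used in the post (documentation address ranges)
RULES = """\
<Limit GET POST>
order allow,deny
allow from all
deny from 203.0.113.7
deny from 198.51.100
deny from 192.0.2.0/24
deny from .example.net
</Limit>
"""


def parse_deny_rules(text):
    """Collect every argument of the 'deny from' lines, in file order."""
    rules = []
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) >= 3 and parts[0].lower() == "deny" and parts[1].lower() == "from":
            rules.extend(parts[2:])
    return rules


def rule_matches(rule, client_ip, client_host=None):
    """Apache matching for one rule: CIDR/netmask, full IP, leading octets, or domain."""
    if "/" in rule:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)
    if rule.replace(".", "").isdigit():
        # Partial IPs match whole octets only: "198.51.100" covers
        # 198.51.100.0-255 but not 198.51.10.x.
        return (client_ip + ".").startswith(rule.rstrip(".") + ".")
    # A domain rule only applies to a client whose address reverse-resolves
    # (and forward-resolves back) to a name in that domain; without the
    # lookup result it cannot match.
    if client_host is None:
        return False
    host = client_host.lower().rstrip(".")
    domain = rule.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def is_denied(rules, client_ip, client_host=None):
    """True if any rule matches the client; with 'allow from all' first, deny wins."""
    return any(rule_matches(r, client_ip, client_host) for r in rules)


if __name__ == "__main__":
    rules = parse_deny_rules(RULES)
    for ip in ("203.0.113.7", "203.0.113.70", "198.51.100.200", "198.51.10.5", "192.0.2.77"):
        print(ip, "denied" if is_denied(rules, ip) else "allowed")
    print("203.0.113.9 from mail.example.net:",
          "denied" if is_denied(rules, "203.0.113.9", "mail.example.net") else "allowed")
```

The prefix check is the part worth testing before deploying: a partial address like 198.51.100 silently widens to a whole /24, and a partial like 198.51 to a /16, which is often more than the intended attacker.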
