SECURITY --> URL rewriting

[Izal]

I reviewed the server logs yesterday and was shocked to find that the admin log in URL was taking a hammering. Whilst I am happy to put all my faith in one basket with your guys on the security of the login system, I would however like to take advantage of the Apache rewrite engine and curb this activity.

My knowledge of URL Rewriting is basically this... Crash course! Here is the beginnings, can someone help me put this right as its not working, I get server redirecting to an invalid address error. SO I change it slightly and by swapping out the $1 for %1 and still get the same error, when I use admin.domainname.com/cms/admin I get dumped at admin.domainname.com/cms/

What I would like to do is add a layer that pushes these login attempts to the site root /cms/ where the CMS is installed. The prefix in this instance is admin but it could be any. The idea being that this will allow someone to use cheeseontoast.mydomain.com/cms/admin and administer the site while all attempts on the admin URL for this site would dump the hack attempt in to the site root making it impossible to brute force their way in to the server.

Code: Select all

Options +FollowSymLinks
Options -Indexes
RewriteEngine On

# We need to test the URL to see if the request is for the admin URL
# 1. if the URL has /cms/admin/ in the REQUEST_URI and
# 2. if the DOMAIN has admin. as the subdomain, we issue the admin pages
RewriteCond %{REQUEST_URI} ^/cms/admin/$ [NC]
RewriteCond %{HTTP_HOST} ^admin\.(.*)/$ [NC]
RewriteRule .* http://$1/cms/admin/ [L]

# We need to test the URL to see if the request is for the admin URL witout the prefix
# 1. if the URL has /cms/admin/ in the REQUEST_URI and
# 2. if the DOMAIN has not got admin. as the subdomain, we issue the site root pages
RewriteCond %{REQUEST_URI} ^/cms/admin/$ [NC]
RewriteCond %{HTTP_HOST} !^admin\.(.*)/$ [NC]
RewriteRule .* http://$1/cms/ [L]

# if we get here, its likely nothing matched, so do nothing to the URL
RewriteRule .* - [L]

This is something I have never used before as server management is not something I have had to consider until now. So anyone got any ideas on how I can fix this without having to hard code the domain name so that others viewing this can implement the same "front door policy" to add an additional layer of security to what I am sure is a robust login in system but for one weakness, the end user password! 

I have already masked the editor name and I do use an alternate "Editor" name for the login, I assume that the hammering is assuming that the "norm" Editor username is being used...

So, please, what am I doing wrong, how can I tell if URL rewriting is actually working properly? It is installed on the server as .htaccess is used on some folders to protect them which is done via the adminCP of the host which does that job, they do not provide any other .htaccess tools or information. What I have hacked together is what I understand from having my head wrecked on the http'd apache site which TBH is a nightmare to get any coherent information from, its like they expect you to have prior knowledge!

Anyone got any ideas?

[replytomk3]

You are vastly overblowing it. Just rename the admin directory to a random unguessable name, implement all suggested filters in htaccess, and change the setting for the new admin folder name in config.php.

[Izal]

Thanks but no.

I want it separate from the CMS, if no one here knows, where can I find out why its not working or what it is that I need to change?

I have tried the apache site and I can not make any headway with the information in the site, not a very user friendly site which is why I am asking for help and no offense but I don't want to do it in the CMS settings or going around renaming files or folders but thanks anyway.

[calguy1000]

Then.... it's not a CMSMS question.... it's an apache config question, and not really applicable to this site.

[Izal]

Fair nuff, all I was wanting to know was what was wrong with the script, the deal being that if anyone else was wanting to do this, the would be able to follow it from a newbie point of view. That is why I posted in this forum because of the title of it but obviously I was wrong.

I have tried reading the apache site, that is where I got my info from to write the script I did, What I dont understand is when I do hard coding of some elements it partly works but I have installed CMS on three friends sites to help them and I wanted a generic way of writing this so it didn't matter what domain it was on, making it useful on here if someone in to URL rewriting wanted to use it they could. So where do you suggest I go for help because I am not getting help on apache site.

So if anyone picks up on this thread that does know and feels like contributing...

If I do solve this in the mean time, any objections to me answering my own thread or is their a rule about that? 

Don't mind me, its just the way I am.

[Dr.CSS]

If you do solve it there is nothing wrong with posting it here, and please add [solved] to the first post subject line when/if you do...

[replytomk3]

The idea being that this will allow someone to use cheeseontoast.mydomain.com/cms/admin and administer the site while all attempts on the admin URL for this site would dump the hack attempt in to the site root

You might not understand what I said. I said it is not required the admin URL for CMSMS be /admin. It can be anything that you want, so /admin can even be used to detect any attempts to login into your site.

Your admin url can be www.site.com/asdfawerwaer/ if you wanted it to be. Noone would be able to guess the name of the folder, so noone could do brute force method of login.