MyBB Central

Full Version: Security...
I have read two separate tutorials on simple MyBB security. Both helped in their own sense although they both repeated one another a lot! lol
Both of them suggested that the admin dir be renamed. I had posted some issues with this; however, I got it to work. Something I was curious about, however, is if it would be worth creating other fake dirs to throw off a hacker's search, so to speak.
Most MyBB root folders have the following dir:
admin
archive
cache
images
inc
install
jscripts
uploads

Anyone who is used to dealing with MyBB software will know this.
If you change the admin dir to a new name it's gonna be kinda obvious which one is the admin dir with a new name. However, I was thinking if you were to add in a few fake dirs with fake files it would cause more confusion for hackers to figure out which dir is the true admin dir.
I don't know a lot about this kinda stuff but this is just simply something that I thought of while trying to go to sleep the other night! lmao
Please lemme know if this is worth doing or if it's just a stupid idea.
Quote: If you change the admin dir to a new name it's gonna be kinda obvious which one is the admin dir with a new name.

If a hacker has got FTP access to be able to see the list of folders then a renamed admin directory won't do anything, you'll be screwed already, and making more folders won't do anything really, unless you make hundreds or thousands, which would be a monumental waste of time and disk space; if a hacker has got to the list of folders, a few dummy ones will just make them laugh.

Generally renaming the admin folder helps when people would normally go to yourforum.com/admin/, they'll get a 404, they don't know what it's been renamed to so can't access it. There's a plugin on MyBB Source that will display a fake login page at ./admin/ and when you try to login, it will always say the details are wrong, even if they're right; it isn't set up to log anyone in, it's programmed to simply say the details are wrong all the time. There's also a tutorial in the MyBB Comm. forums tutorial section on making a fake ACP login page.
Mmk sounds good to me! lol Is the tutorial you're talking about teaching you how to make the fake one log their IP or such so you can IP ban them? I heard of this being done as well...
Or you can set up your forum so only your IP can access the admin panel, or a few IPs (of your other admins) can log in. If it doesn't recognize the index it will take you to the forum index. I will find the guide though, I'm pretty sure it's on the MyBB official forums in tutorials.
Yea I saw that tutorial as well although my question on that was what happens when your IP changes? I know that if the router gets shut off and such that your IP changes when it reconnects. If my IP changes and I'm not allowed access how do I go about getting back in...
htaccess protect your admincp too

It's one of the best forms of protection. Even if they manage to sql inject an admin account they can't access the admincp.

Another step to take...delete the admin/modules/tools/backupdb.php

You should be doing backups from phpMyAdmin or cron. And if your account is compromised you don't want them to get a dump of your database.
Well so far I have renamed the admin dir as well as removed the link from the forum so you have to know the URL to get to it anyway. I'll deff. be looking into these as well though! Thank you for the tips!
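
A small audit of the steps suggested in this thread (renaming the admin directory, putting .htaccess protection on it, deleting admin/modules/tools/backupdb.php), added here as an example and not part of any post. The function names, the sample directory name `acp_k3` and the sample IP address are made up for illustration; the admin directory name is passed in by whoever runs the check.

```python
import re
import tempfile
from pathlib import Path

# Directives that indicate HTTP auth or an IP restriction in a .htaccess file
# (Apache 2.4 "Require ...", Apache 2.2 "Allow/Deny from ..."). Commented lines do not match.
ACCESS_DIRECTIVE = re.compile(
    r"^\s*(AuthType\s+\S+|Require\s+(ip|valid-user|user|group)\b|(Allow|Deny)\s+from\b)",
    re.IGNORECASE | re.MULTILINE,
)

def audit_mybb(root, admin_dir):
    """Return findings for a MyBB root; admin_dir is the current name of the ACP folder."""
    findings = []
    if admin_dir.lower() == "admin":
        findings.append("admin directory still uses the default name")
    acp = Path(root) / admin_dir
    if not acp.is_dir():
        return findings + [f"admin directory '{admin_dir}' not found"]
    htaccess = acp / ".htaccess"
    if not htaccess.is_file():
        findings.append("no .htaccess in the admin directory")
    elif not ACCESS_DIRECTIVE.search(htaccess.read_text()):
        findings.append(".htaccess has no auth or IP restriction directive")
    if (acp / "modules" / "tools" / "backupdb.php").is_file():
        findings.append("modules/tools/backupdb.php is still present")
    return findings

def build_sample(root, admin_dir, htaccess=None, keep_backup=True):
    """Create a constructed, minimal MyBB-like tree for the demo (not a real install)."""
    tools = Path(root) / admin_dir / "modules" / "tools"
    tools.mkdir(parents=True)
    if keep_backup:
        (tools / "backupdb.php").write_text("<?php // placeholder\n")
    if htaccess is not None:
        (Path(root) / admin_dir / ".htaccess").write_text(htaccess)

def demo():
    """Audit a default layout and a hardened one; returns both finding lists."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        build_sample(a, "admin")
        build_sample(b, "acp_k3", htaccess="Require ip 203.0.113.10\n", keep_backup=False)
        return audit_mybb(a, "admin"), audit_mybb(b, "acp_k3")

if __name__ == "__main__":
    for result in demo():
        print(result or "no findings")
```

The check only confirms that a restriction directive is present in the admin folder's .htaccess; it does not verify that the web server actually honours .htaccess files.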