#22361 administrator login directory

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version: n/a
PHP version: n/a
Admin Tools version: n/a

Latest post by born2webdesign on Friday, 27 March 2015 10:22 CDT

born2webdesign
Hi,

please, reactivate the administrator login directory - give a hint about the potential pitfall in the post-install instructions (or, are there pre-install/-activate ones?). To simply remove a feature without notice, just to save people with misconfigured servers, doesn't seem right. (Kind of reminds me of Joomla's stupid 'index.html's all over the place, instead of using .htaccess.)

TIA,

Valentin

nicholas
Akeeba Staff
Manager
It will be added back in 3.5.1 but without support. We know what causes the problems, the solution is outside what we can possibly do (we're not your hosts) so if you want to use it you'll have to do it at your own risk.

That said, please let me reiterate that it adds no real protection against hackers. I already know how to circumvent it to exploit badly written plugins. I also understand it offers no protection against direct access to badly written .php files (that's why the .htaccess Maker has the back-end protection feature). Overall, it only gives you a FALSE sense of security. It's the same as the GeoBlock feature: looks fancy, offers no protection, our clients raised hell when we tried removing it. All right, people, all right, if you want a useless feature so badly I'm adding it back, stop shouting. I just can't understand for the life of me why you so desperately want snake oil security features when we offer more than three dozen actual, honest-to-God, perfectly working security features... Well, it's your choice :)

Regarding Joomla!'s index.html files, you may not realise it but they were removed because of my blog post and my constant bitching about it in every single opportunity I got :D The bottom line is that I do understand what offers security and what offers a false sense of security. I'm a proponent of the former and against the latter. When I first implemented the renamed administrator directory it seemed like a good idea. On second and third look, not so much: it doesn't solve any problem, it only makes it seem so. On top of that it caused a hell of a lot of issues. That's why I decided to remove it. I didn't wake up on the wrong side of bed one morning and said "OK, let's do something to upset my clients". Quite the contrary.

If you really want to secure your administrator login page use the administrator password protection (holds off the bots without bringing down your server), the secret URL parameter (works like the custom administrator directory without the drawbacks) and two factor authentication (protects you efficiently if both defenses are compromised). This is what we do on our own site, bringing down the number of daily attacks to our administrator login page from 1000+ to ZERO. Try it, you'll be amazed!

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

born2webdesign
Thanks for the reply Nicholas,

I do understand that it is snake oil - but sometimes that actually might do you _some_ good ;) E.g., all the automated password guessing attacks are diverted - and I get notified about them immediately via E-Mail.
I guess, I don't really care, whether directory or URL parameter (dir just looks a little nicer), but about a feature being removed without notice - clients not being able to log into their websites from their bookmarks!
Good you bring it back - and you are right about the password protection, of course.
BTW, I hadn't noticed about the missing 'index.html's, yet. Thanks for your work on that - I did read your famous post about it, once ;)

Cheers,

Valentin

nicholas
Akeeba Staff
Manager
> E.g., all the automated password guessing attacks are diverted

That's a bad example... and the reason I call it snake-oil. You want to prevent these brute force attacks as early as possible. With Administrator Password Protection only the .htaccess and .htpasswd files are read from the in-memory cache and a 401 HTTP header is sent. This is very fast and can handle dozens of brute force attempts per second. With any PHP-based method you need to load a hell of a lot more things which take anywhere between 0.3 to 1.5 seconds per request. This means that brute force attacks increase your server load and can make your entire server (and site) slower or even knock it off-line.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
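As an added example of the "administrator password protection" Nicholas recommends earlier in the thread and explains in the post above (this is not Admin Tools' or Akeeba's own code), the following POSIX shell script writes the Apache Basic-auth directives for Joomla's administrator directory and creates the .htpasswd entry with Apache's own htpasswd tool. Apache evaluates these directives itself and answers an unauthenticated request with 401 before PHP is started, which is why this is cheap per request compared with any PHP-based check. The function names, the site root and the .htpasswd location are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not Admin Tools' code: protect /administrator with Apache
# HTTP Basic authentication. Requires AllowOverride AuthConfig (or AllowOverride
# All) for the site so that the .htaccess file is honoured.

# Print the .htaccess directives for the administrator directory.
# $1 = absolute path of the .htpasswd file. Keep it outside the web root so
#      the hash list itself can never be served to a browser.
make_admin_htaccess() {
    printf '%s\n' \
        'AuthType Basic' \
        'AuthName "Restricted Area"' \
        "AuthUserFile \"$1\"" \
        'Require valid-user'
}

# Install the protection for one site (hypothetical helper):
#   $1 = site root, $2 = absolute .htpasswd path, $3 = username
# The password is read from the HTPASSWD_PASS environment variable and piped
# to htpasswd -i, so it never appears on a command line or in `ps` output.
# -B selects bcrypt hashes; -c creates the file on first use.
install_admin_protection() {
    site_root="$1"; passfile="$2"; user="$3"
    if ! command -v htpasswd >/dev/null 2>&1; then
        echo "htpasswd (apache2-utils / httpd-tools) is required" >&2
        return 1
    fi
    if [ ! -d "$site_root/administrator" ]; then
        echo "no administrator/ directory under $site_root" >&2
        return 1
    fi
    if [ -z "${HTPASSWD_PASS:-}" ]; then
        echo "set HTPASSWD_PASS to the password for $user" >&2
        return 1
    fi
    if [ -f "$passfile" ]; then
        printf '%s' "$HTPASSWD_PASS" | htpasswd -iB "$passfile" "$user"
    else
        printf '%s' "$HTPASSWD_PASS" | htpasswd -ciB "$passfile" "$user"
    fi
    # readable by the web server's group only; adjust owner/group to your httpd user
    chmod 640 "$passfile"
    make_admin_htaccess "$passfile" > "$site_root/administrator/.htaccess"
    echo "wrote $site_root/administrator/.htaccess (AuthUserFile $passfile)"
}

# Usage (example paths):
#   HTPASSWD_PASS='correct horse battery staple' \
#     install_admin_protection /var/www/example /etc/apache2/admin.htpasswd admin
```

After installation a browser asks for the Basic-auth credentials before it ever reaches the Joomla login form; a wrong or missing password is answered with a 401 by Apache alone, so a password-guessing bot never causes PHP, Joomla or the database to load. Because the credentials travel in a Base64-encoded header, this belongs on an HTTPS-only site.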

born2webdesign
Once again, you are right - I agree with your reasoning. Especially if you see any sort of real traffic on your site - but on some small sites I might see "huge spikes" of login attempts of 20 per day. I think such sites are _much_ less likely to be DoSed. And non-savvy users of such sites might not want to handle the "double login". So I am happy (and certain clients, too) the snake-oil option is there. Of course, if you want to improve security and you can educate your users - go for the password.
Thanks for taking the time to clear this up.
Mainly out of curiosity: In the case of URL parameter or renamed admin login, would it be possible to throw a 404 on "/administrator" instead of redirecting to "/"? It _would_ slightly increase the snake-oil-security (as far as security-by-obscurity does). I know, I know ... ;)

nicholas
Akeeba Staff
Manager
> In the case of URL parameter or renamed admin login, would it be possible to throw a 404 on "/administrator" instead of redirecting to "/"? It _would_ slightly increase the snake-oil-security (as far as security-by-obscurity does). I know, I know ... ;)

There is a slight problem with 404. Chrome and possibly other browsers cache the HTTP response. The next time you try visiting /administrator they will show the 404 page WITHOUT asking the server. Considering that when you visit the custom "directory" (which is in fact a SEF URL...) you get redirected to /administrator, this would give legitimate users the perception that they can't log in to their sites anymore.

I know, this is Chrome not following the web standards. Google is slowly and steadily becoming the new Microsoft. Ironically, Microsoft is now becoming the new Google. You get the picture...

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

born2webdesign
I see, thanks. Then maybe in the future - when Google gets their act together.
Closing this now.
