#30485 .htaccess login backend yes or no?

Posted in ‘Admin Tools for Joomla! 4 & 5’

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by jjst135 on Wednesday, 14 November 2018 11:26 CST

jjst135
Hi!

We have secured all our (client) websites with Akeeba Admin Tools. Of course ;-)

For site managers logins we use:
- Password-protect Administrator (.htaccess in administrator folder)
- Admin Administrator secret URL parameter

None of our clients have Super User access. They only have access to the part they need. We ourselves do have SU access, but implemented 2FA on all these accounts to make these more secure.

The .htaccess protection layer is sometimes a bit difficult for our clients to work with. We would prefer to disable this protection. But I am wondering if the Admin Administrator secret URL parameter is as strong a protection as the .htaccess protection.

What is the major difference in functionality between both methods (URL string and .htaccess)?

What are the biggest risks when disabling the .htaccess login?

I am just looking for a secure solution that is also user friendly. I know this is always a challenge ;-)

Any insights that can help us decide are welcome. Thanks!

Kind regards, Jip

nicholas
Akeeba Staff
Manager
The administrator password protection uses .htaccess files. As a result it is implemented by the web server (Apache) before PHP and Joomla! are loaded. Very little processing is required for the server to determine whether to block a user based on this. Think of it as a tall fence around your site.

The administrator secret parameter uses PHP code running inside Joomla!. It is just as secure BUT a lot more processing is required to handle it. The server needs to not only run the Apache code to handle a request but also bring up PHP, have PHP load, parse, compile and execute the several hundreds of .php files which make up Joomla's boot process (including all plugins being loaded), connect to the database server and execute several queries until we get to the point where Admin Tools can determine if the secret word has been supplied. Then we need to go through a similar process to pass the response back to Apache so it can send it back to the client. Think of it as having to check and stamp passports.

So, both are quite secure. The only difference is how they respond to a brute force attack, i.e. someone running dozens of requests trying to guess the password. The former will quickly reply "access denied" without using up a lot of resources. The latter will boggle your server until it dies.

For your purposes the secret URL parameter seems to be a better fit.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
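For reference, this is what the "tall fence" described above looks like in practice: a minimal Apache 2.4 .htaccess for the Joomla administrator folder, written here as an added example (not the file Admin Tools generates). The path of the password file and the user name are placeholders; the password file is kept outside the web root on purpose so the web server can never hand it out as a static file.

```apache
# Place in <joomla-root>/administrator/.htaccess (added example, not Admin Tools' own file).
# Apache evaluates these directives before PHP or Joomla is ever started, which is
# why a wrong password is rejected cheaply compared with the secret URL parameter.
AuthType Basic
AuthName "Restricted administrator area"

# Placeholder path: keep the htpasswd file OUTSIDE the document root.
# Create it once with, for example:
#   htpasswd -B -c /home/example/private/.htpasswd sitemanager
# (-B selects bcrypt hashing; -c creates the file, omit -c to add further users)
AuthUserFile /home/example/private/.htpasswd

# Any user listed in the password file may pass; everyone else gets 401 before
# any .php file in this folder is executed.
Require valid-user
```

Because the rule set applies to every request under administrator/, direct requests to scripts and media in that folder are challenged too, not only a person browsing to the login page.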

jjst135
Thanks for your info Nicholas. It's helpful.

So both are good ways to protect the backend of the site. Htaccess is nice and fast ('server tool'), the query string takes up more server resources ('software tool').

About 'brute-forcing' the query string: I believe Admin Tools will block an IP when the query string is wrong a couple of times, right? After being blocked a message appears 'Your IP has been blocked'. But if they keep trying this will still load all the PHP / database queries until it gets to the Admin Tools plugin that will output the message again? So the server resources are still used in this case and might cause the server to overload? There's not much to be done about that?

Is the .htaccess only a 'browser' protection when a user browses to the admin page? Or does it also influence direct approach of files / scripts in the administration folder?


nicholas
Akeeba Staff
Manager
I believe Admin Tools will block an IP when the query string is wrong a couple of times, right?


Correct.

But if they keep trying this will still load all the PHP / database queries until it gets to the admin tools plugin that will output the message again?


Correct. Admin Tools is a Joomla plugin. Joomla has to do its initialization. As soon as it reaches the onAfterInitialize stage Admin Tools kicks in and blocks the blacklisted IPs (if the IP is not blacklisted other checks are made, including the secret URL parameter for the backend pages). This minimizes the amount of database queries executed.

So the server resources are still used in this case and might cause the server to overload?


Correct.

There's not much to be done about that?


Not really.

While we could in theory put the blacklisted IPs in .htaccess this would only offer marginal performance gains until you hit about 50 to 300 IPs in the blacklist (depending on your server), at which point the performance is the same. Worse, blacklisted IPs in the .htaccess need to be parsed and compared for every request of every resource being accessed, including static media. Not to mention that some servers prefer to have a .htaccess file which is unwriteable to the software running on the server for security reasons (a human needs to upload updates to the .htaccess manually), thereby making it impossible to use that method anyway.

If you factor in all these you quickly realize that you're much better off not using .htaccess for IP blacklisting in most cases.

What makes more sense is having a server-level firewall (e.g. an IPTables OS-level firewall and mod_security2 for Apache with a good ruleset) to snuff most attacks before they hit the PHP application. Then just rely on the PHP software firewall (Admin Tools) to kill off the attacks that make it through. Layers of defence work better than a monolithic single line of defence as the French can tell you (think about the failure of the Maginot Line in WW2).

Is the .htaccess only a 'browser' protection when a user browses to the admin page? Or does it also influence direct approach of files / scripts in the administration folder?


This question does not make sense. The web server does not serve "browsers" and "scripts". It fulfils HTTP requests. It doesn't know and doesn't care if the request came from a browser being operated by a human, a software bot, or an alien in a spaceship piggybacking on NASA's Deep Space Network to troll us petty humans. The web server simply sees a request and serves it based on some rules. The .htaccess file is a set of rules which are added on top of the base set of rules configured by the server administrator (your host).

So, .htaccess contents apply to all requests made to the browser, no matter their origin or intent.

Nicholas K. Dionysopoulos

Lead Developer and Director


jjst135
Ok, thanks for explaining Nicholas. We do use a mod_security firewall on our server. So I think we are pretty well covered on that end.
