What should be my security extension strategy

Posted: Fri Sep 10, 2021 3:21 pm
by FuzMic
Hi guys
With Jm 4, will 2-stage authentication be sufficient?
With Jm 3.x I use AdminExile to add a login key, but this extension seems to be in limbo. I like this, hoping it adds an extra layer; does anyone know of a replacement?
I also use Security Check to an 80% rating without using the backend htaccess control.
Any advice much appreciated.

Re: What should be my security extension strategy

Posted: Fri Sep 10, 2021 9:16 pm
by AMurray
I use Akeeba Admin Tools on J4

It has both the 'secret key' you append to the URL (exactly like AdminExile) and the htaccess/htpasswd protection for the /administrator folder and a host of other security features and firewall.

Akeeba also has LoginGuard, an alternative 2FA component which operates *after* you log in (unlike Joomla's default 2FA, where you have to put in the code within the login form itself). Both use authenticators like Google Authenticator (or others that can generate the random 6-digit code) or YubiKey.

https://extensions.joomla.org/extension ... oginguard/
https://extensions.joomla.org/extension/admin-tools/

Re: What should be my security extension strategy

Posted: Fri Sep 10, 2021 11:40 pm
by Webdongle
First and foremost ... keep everything up to date.

Re: What should be my security extension strategy

Posted: Sat Sep 11, 2021 6:40 am
by FuzMic
Murray bro thank you for taking me there. Noted the updating.

Re: What should be my security extension strategy

Posted: Sun Sep 12, 2021 7:15 am
by FuzMic
Murray

Bro, I must have done something wrong or missed something ... Admin Tools for Joomla from Akeeba.

Going through the "Password-protect Administrator" with a new username and password (different from the Joomla Super User & password), I saw two new files in the administrator directory: 1) .htaccess 2) .htpasswd

HOWEVER, when I log in, e.g. "local.website/administrator/index.php", I was presented with the Joomla backend login, then using the Joomla username & password I get in. In my old way I type http://local.website/administrator/?2nd ... ndPassWord, else I just can't get to the Joomla backend login.

Where is my mental block?

Re: What should be my security extension strategy

Posted: Sun Sep 12, 2021 10:32 pm
by AMurray
However, when I log in, e.g. "local.website/administrator/index.php", I was presented with the Joomla backend login, then using the Joomla username & password I get in. In my old way I type http://local.website/administrator/?2nd ... ndPassWord, else I just can't get to the Joomla backend login.
From your description, it would seem AdminExile is still in use, so I'd remove that plugin given it won't work in J4.0 at this time.

Akeeba Tools also has a function similar to AdminExile, with the secret URL parameter; perhaps that would be easier for you, and something you're already used to with AdminExile. Instead of the htaccess, maybe try the secret URL parameter option Akeeba Tools has, so access to your site's admin would be like your-site.com/administrator?parameter=secretvalue.
Going through the "Password-protect Administrator" with a new username and password (different from the Joomla Super User & password), I saw two new files in the administrator directory: 1) .htaccess 2) .htpasswd
Correct. Those files are what Akeeba creates to protect /administrator, using the standard Apache protection feature. When you have successfully set that up, the browser should prompt you for those details just created, in a pop-up box.

The popup box should first appear when you save that setting in Akeeba tools, but if not, it may require a log out from Joomla, close down the browser then restart it and return to the web site; the htaccess 'session' remains active while the browser is open. There is no "logout" except for exiting the browser.

If the system is preventing access, you can delete (or rename) the htaccess/htpasswd files in the /administrator folder using FTP or your host's file manager. (Note they are hidden files, so you need to turn on the option to show hidden files in the FTP client or file manager, if applicable.)

Re: What should be my security extension strategy

Posted: Mon Sep 13, 2021 7:10 am
by FuzMic
Thanks Murray for the effort to lead.

After playing around I found the following:
unless we have logged out of the browser, the pop-up will not appear to ask for the Akeeba username & password (before the Joomla entry info set);
i.e. once we have entered the Akeeba info (until we log out of the browser), accessing admin will go directly to the Joomla entry set.

Re: What should be my security extension strategy

Posted: Mon Sep 13, 2021 7:30 am
by sozzled
AMurray wrote:
Fri Sep 10, 2021 9:16 pm
I use Akeeba Admin Tools on J4

It has both the 'secret key' you append to the URL (exactly like AdminExile)
See the AAT user guide. The security feature that operates exactly like AdminExile,

http://www.example.com/administrator?foobar
is only available in the Professional version of AAT. ;)

Re: What should be my security extension strategy

Posted: Mon Sep 13, 2021 4:50 pm
by JAVesey
The free version of "SecurityCheck" offers (amongst other things) the functionality. It works with J3 and J4.

I haven't used it in anger as I currently use AdminExile but, come the time to migrate --> J4, if a compatible version of AdminExile isn't available, then I will do so rather than delay the migration.

Hope this helps.

Re: What should be my security extension strategy

Posted: Tue Sep 14, 2021 4:17 am
by FuzMic
Hi guys

According to a number of you, AdminExile login using e.g. http://www.example.com/administrator?foobar is the same as Akeeba Admin Tools. I seem to get a different flavour. By the way, AdminExile doesn't work with Jm 4; that is why I put up this thread.

What I find is, if I use "jml4x.local/administrator/?AkUserName=AkPassword", it will ask for AkUserName & AkPassword instead of directly opening the Joomla login, i.e. it ignores the info after /?, as attached.

With AdminExile it accepts the URL info after /? and takes me directly to the Joomla backend login. In Akeeba though, once it gets the AkUserName..., it will open directly to the Jm backend unless you log out from the browser.

Re: What should be my security extension strategy

Posted: Tue Sep 14, 2021 6:55 am
by sozzled
FuzMic wrote:
Tue Sep 14, 2021 4:17 am
What I find is, if I use "jml4x.local/administrator/?AkUserName=AkPassword", it will ask for AkUserName & AkPassword instead of directly opening the Joomla login, i.e. it ignores the info after /?, as attached.
Are you using Akeeba Admin Tools "Core" version or using Akeeba Admin Tools "Professional" version?

Re: What should be my security extension strategy

Posted: Tue Sep 14, 2021 8:09 am
by FuzMic
Yes Auz mate, I use the Core, no subscription being pursued.

Re: What should be my security extension strategy

Posted: Tue Sep 14, 2021 8:19 am
by sozzled
As I wrote before, the feature you are looking for is not included in the version you are using! Please see the AAT user guide. ;)

Re: What should be my security extension strategy

Posted: Sun Sep 19, 2021 11:17 am
by Partic
Fuzmic,

Not seeing another reply to help you in the past few days, I'm hoping you may have worked it out, otherwise the following I hope helps clarify what's going on for you.

Admin Tools has a number of security features that you can put in place. You've configured two by the looks of it:
- URL parameter
- .htpasswd in the administrator folder
FuzMic wrote:
Tue Sep 14, 2021 4:17 am
Hi guys

According to a number of you, AdminExile login using e.g. http://www.example.com/administrator?foobar is the same as Akeeba Admin Tools. I seem to get a different flavour. By the way, AdminExile doesn't work with Jm 4; that is why I put up this thread.
Using the URL parameter on its own is similar to the AdminExile URL parameter.
FuzMic wrote:
Tue Sep 14, 2021 4:17 am
What I find is, if I use "jml4x.local/administrator/?AkUserName=AkPassword", it will ask for AkUserName & AkPassword instead of directly opening the Joomla login, i.e. it ignores the info after /?, as attached.
Your image shows the screen you're getting from the .htpasswd being configured.
FuzMic wrote:
Tue Sep 14, 2021 4:17 am
With AdminExile it accepts the URL info after /? and takes me directly to the Joomla backend login. In Akeeba though, once it gets the AkUserName..., it will open directly to the Jm backend unless you log out from the browser.
So what you have configured is that you will go to:
jml4x.local/administrator/?foobar

Then you'll be prompted with the .htpasswd layer which you need to log in with the details in the .htpasswd file (most likely different to your Joomla login)

On successfully entering the .htpasswd authentication, and having the URL parameter in place, you will then be taken to the Joomla login.

If you go to /administrator without the URL parameter, you will get the .htpasswd authentication, but on successfully authenticating with that login, you will have failed the URL parameter check, and be redirected to the home page instead of the admin login screen.

Same will be happening with administrator/?AkUserName=AkPassword as that triggers .htpasswd, but will not match the URL parameter.
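For readers following AMurray's description of the .htaccess/.htpasswd files and Partic's walkthrough of the layers above, this is what an Apache Basic Auth configuration for /administrator looks like. It is an added illustration, not the file Admin Tools actually generates (whose contents may differ); the path and username are placeholders.

```apache
# Illustrative /administrator/.htaccess (added example, not Admin Tools' own output).
# Apache 2.4 syntax. This is the "Password-protect Administrator" layer: the web
# server challenges for credentials before Joomla's own login page is ever served.
AuthType Basic
AuthName "Restricted administrator area"
# Absolute path to the password file (placeholder path). Create the file with
# bcrypt hashes, e.g.:  htpasswd -B -c /var/www/example/administrator/.htpasswd adminuser
AuthUserFile /var/www/example/administrator/.htpasswd
Require valid-user

# Never serve the credential file itself, even if the server-wide ".ht*" rule is absent.
<Files ".htpasswd">
    Require all denied
</Files>

# Two caveats this thread touches on:
# 1. The browser caches the Basic Auth credentials and resends them on every
#    request until it is closed, which is why the pop-up does not reappear and
#    why there is no "logout" for this layer other than exiting the browser.
# 2. Basic Auth only base64-encodes the password on the wire, so this layer
#    adds value only when the site is served over HTTPS.
```

Once this is in place, the order Partic describes holds: the server-side challenge above runs first, and only after it succeeds does any application-level check (such as a secret URL parameter) or Joomla's login and 2FA get to run.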

Re: What should be my security extension strategy

Posted: Sun Sep 19, 2021 1:34 pm
by sozzled
Thanks, mate. All good advice if people use Akeeba Admin Tools PRO. Not applicable for ?foobar if you use Akeeba Admin Tools "core" (not PRO). OK?

Re: What should be my security extension strategy

Posted: Mon Sep 20, 2021 12:05 am
by Partic
@Sozzled is correct. The URL parameter in the Admin Tools Web Application Firewall is only available in the PRO version. Having used the PRO version now for several years I've not paid attention to what CORE does not have in detail.

The "Password Protect Administrator" folder is a feature in both the CORE and PRO versions, and looks to be what you've configured, which is the .htpasswd feature. Using that feature on its own is, by the way, likely to be more effective than the URL parameter you've configured previously with AdminExile, though it means you need to manage another password layer for users needing admin access.

If you're using the CORE version, the third setting you might have configured is the Master Password, which is a different feature again. It is used to lock the Admin Tools component down to prevent accidental adjustment by other users of the site.

Re: What should be my security extension strategy

Posted: Mon Sep 20, 2021 12:43 am
by sozzled
Partic wrote:
Mon Sep 20, 2021 12:05 am
If you're using the CORE version ...
... which is what @FuzMic said he did. :)

Re: What should be my security extension strategy

Posted: Mon Sep 20, 2021 12:08 pm
by FuzMic
Brothers thanks for your kind attention ☺️😊