What should be my security extension strategy

FuzMic
Joomla! Explorer
Posts: 426
Joined: Mon Oct 08, 2012 4:45 am

What should be my security extension strategy

Post by FuzMic » Fri Sep 10, 2021 3:21 pm

Hi guys
With Jm 4, will 2-stage authentication be sufficient?
With Jm 3.x I use AdminExile to add a login key, but this ext seems to be in limbo. I like this, hoping it adds an extra layer; know of any replacement?
I also use Security Check to an 80% rating without using the backend htaccess control.
Any advice much appreciated.

AMurray
Joomla! Exemplar
Posts: 9634
Joined: Sat Feb 13, 2010 7:35 am
Location: Australia

Re: What should be my security extension strategy

Post by AMurray » Fri Sep 10, 2021 9:16 pm

I use Akeeba Admin Tools on J4.

It has both the 'secret key' you append to the URL (exactly like AdminExile) and the htaccess/htpasswd protection for the /administrator folder and a host of other security features and firewall.

Akeeba also have LoginGuard - an alternate 2FA component which occurs *after* you login (unlike Joomla's default 2FA where you have to put in the code within the login form itself) - both use authenticators like Google Authenticator (or others that can generate the random 6-digit code) or Yubikey.

https://extensions.joomla.org/extension ... oginguard/
https://extensions.joomla.org/extension/admin-tools/
Regards - A Murray
General Support Moderator

Webdongle
Joomla! Master
Posts: 44018
Joined: Sat Apr 05, 2008 9:58 pm

Re: What should be my security extension strategy

Post by Webdongle » Fri Sep 10, 2021 11:40 pm

First and foremost ... keep everything up to date.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

FuzMic
Joomla! Explorer
Posts: 426
Joined: Mon Oct 08, 2012 4:45 am

Re: What should be my security extension strategy

Post by FuzMic » Sat Sep 11, 2021 6:40 am

Murray bro thank you for taking me there. Noted the updating.

FuzMic
Joomla! Explorer
Posts: 426
Joined: Mon Oct 08, 2012 4:45 am

Re: What should be my security extension strategy

Post by FuzMic » Sun Sep 12, 2021 7:15 am

Murray

Bro, I must have done something wrong or missed something ... Admin Tools for Joomla from Akeeba.

Going through the "Password-protect Administrator" with a new Username and Password (different from the Joomla SuperUser & password), I saw two new files in the administrator directory: 1) .htaccess 2) .htpasswd

HOWEVER when I log in, e.g. "local.website/administrator/index.php", I was presented with the Joomla backend login, then using the Joomla username & password I get in. In my old way I type http://local.website/administrator/?2nd ... ndPassWord, else I just can't get to the Joomla backend login.

Where is my mental block?

AMurray
Joomla! Exemplar
Posts: 9634
Joined: Sat Feb 13, 2010 7:35 am
Location: Australia

Re: What should be my security extension strategy

Post by AMurray » Sun Sep 12, 2021 10:32 pm

However when I log in eg "local.website/administrator/index.php" and I was presented the Joomla backend login, then using Joomla username & password i get into. In my old way i type http://local.website/administrator/?2nd ... ndPassWord else i just can't get to Joomla backend login.
From your description, it would seem AdminExile is still in use, so I'd remove that plugin given it won't work in J4.0 at this time.

Akeeba Tools also has a function similar to AdminExile - with the secret URL parameter, perhaps that would be easier for you, and something you're already used to with AdminExile. Instead of the htaccess maybe try the secret URL parameter option Akeeba Tools has, so access to your site's admin would be like your-site.com/administrator?parameter=secretvalue.
Going through the "Password-protect Administrator" with a new Username and Password (different from Joomla SuperUser & password) I saw two new files in administrator directory 1) .htaccess 2) .htpasswd
Correct. Those files are what Akeeba creates to protect the /administrator, using the standard Apache protection feature. When you have successfully set that up, the browser should prompt you for those details just created, in a pop-up box.

The popup box should first appear when you save that setting in Akeeba tools, but if not, it may require a log out from Joomla, close down the browser then restart it and return to the web site; the htaccess 'session' remains active while the browser is open. There is no "logout" except for exiting the browser.

If the system is preventing access, you can delete (or rename) the htaccess/htpasswd from the /administrator folder using FTP or your hosting's file manager. (Note they are hidden files, so you need to turn on the option to show hidden files in the FTP or file manager (if applicable))
Regards - A Murray
General Support Moderator

FuzMic
Joomla! Explorer
Posts: 426
Joined: Mon Oct 08, 2012 4:45 am

Re: What should be my security extension strategy

Post by FuzMic » Mon Sep 13, 2021 7:10 am

Thanks Murray for the effort to lead.

After playing around I found the following:
unless we have logged out of the browser, the pop-up will not appear to ask for the Akeeba username & password (before the Joomla entry info set).
i.e. once we have entered the Akeeba info (until logout of the browser), accessing admin will go directly to the Joomla entry set.

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: What should be my security extension strategy

Post by sozzled » Mon Sep 13, 2021 7:30 am

AMurray wrote:
Fri Sep 10, 2021 9:16 pm
I use Akeeba Admin Tools on J4

It has both the 'secret key' you append to the URL (exactly like AdminExile)
See the AAT user guide. The security feature that operates exactly like AdminExile

http://www.example.com/administrator?foobar

is only available in the Professional version of AAT. ;)

JAVesey
Joomla! Hero
Posts: 2620
Joined: Tue May 14, 2013 1:21 pm
Location: Cardiff, Wales, UK

Re: What should be my security extension strategy

Post by JAVesey » Mon Sep 13, 2021 4:50 pm

The free version of "SecurityCheck" offers (amongst other things) the functionality. It works with J3 and J4.

I haven't used it in anger as I currently use AdminExile but, come the time to migrate --> J4, if a compatible version of AdminExile isn't available, then I will do so rather than delay the migration.

Hope this helps.
John V
Cardiff, Wales, UK
Joomla 5.0.3 "live" site on PHP 8.2.15 and MariaDB 10.11.7
Joomla 5.0.3 on XAMMP for OSX with PHP 8.2.4 and MariaDB 10.4.28

FuzMic
Joomla! Explorer
Posts: 426
Joined: Mon Oct 08, 2012 4:45 am

Re: What should be my security extension strategy

Post by FuzMic » Tue Sep 14, 2021 4:17 am

Hi guys

According to a number of you, AdminExile login using e.g. http://www.example.com/administrator?foobar is the same as Akeeba Admin Tools. I seem to get a different flavour. By the way, AdminExile doesn't work with Jm 4; that is why I put up this thread.

What I find is if I use "jml4x.local/administrator/?AkUserName=AkPassword" it will ask for AkUserName & AkPassword instead of directly opening to the Joomla login, i.e. ignoring the info after /? as in the attached image.

With AdminExile it accepts the URL info after /? and takes me direct to the Joomla backend login. In Akeeba though, once it gets the AkUserName..., it will open direct to the Jm backend unless you log out from the browser.

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: What should be my security extension strategy

Post by sozzled » Tue Sep 14, 2021 6:55 am

FuzMic wrote:
Tue Sep 14, 2021 4:17 am
What i find is if i use "jml4x.local/administrator/?AkUserName=AkPassword" it will ask for AkUserName & AkPassword instead of directly open to Joomla login ie ignore info after /? as in attached.
Are you using Akeeba Admin Tools "Core" version or using Akeeba Admin Tools "Professional" version?

FuzMic
Joomla! Explorer
Posts: 426
Joined: Mon Oct 08, 2012 4:45 am

Re: What should be my security extension strategy

Post by FuzMic » Tue Sep 14, 2021 8:09 am

Yes Auz mate, I use the Core, no subscription being pursued.

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: What should be my security extension strategy

Post by sozzled » Tue Sep 14, 2021 8:19 am

As I wrote before, the feature you are looking for is not included in the version you are using! Please see the AAT user guide. ;)

Partic
Joomla! Enthusiast
Posts: 107
Joined: Fri Sep 16, 2005 10:08 pm
Location: Melbourne, Australia

Re: What should be my security extension strategy

Post by Partic » Sun Sep 19, 2021 11:17 am

Fuzmic,

Not seeing another reply to help you in the past few days, I'm hoping you may have worked it out, otherwise the following I hope helps clarify what's going on for you.

Admin Tools has a number of security features that you can put in place. You've configured two by the looks of it:
- URL parameter
- .htpasswd in the administrator folder
FuzMic wrote:
Tue Sep 14, 2021 4:17 am
Hi guys

According to a number of you, AdminExile log in using eg http://www.example.com/administrator?foobar is the same as Akeeba Admin Tool. I seem to get a different flavour. By the way AdminExile don't work with Jm 4 that is why i put up this thread.
Using the URL parameter on its own is similar to the AdminExile URL parameter.
FuzMic wrote:
Tue Sep 14, 2021 4:17 am
What i find is if i use "jml4x.local/administrator/?AkUserName=AkPassword" it will ask for AkUserName & AkPassword instead of directly open to Joomla login ie ignore info after /? as in attached.
Your image shows the screen you're getting from the .htpasswd being configured.
FuzMic wrote:
Tue Sep 14, 2021 4:17 am
With AdminExile it accept the url info after /? and take me direct to Joomla backend login. In Akeeba though, once it get the AkUserName..., it will open direct to Jm backend unless you log out from the browser.
So what you have configured is that you will go to:
jml4x.local/administrator/?foobar

Then you'll be prompted with the .htpasswd layer which you need to log in with the details in the .htpasswd file (most likely different to your Joomla login)

On successfully entering the .htpasswd authentication, and having the URL parameter in place, you will then be taken to the Joomla login.

If you go to /administrator without the URL parameter, you will get the .htpasswd authentication, but on successfully authenticating with that login, you will have failed the URL parameter check, and be redirected to the home page instead of the admin login screen.

Same will be happening with administrator/?AkUserName=AkPassword as that triggers .htpasswd, but will not match the URL parameter.
Patrick Jackson
Joomla Certified Administrator | Melbourne Australia
https://exam.joomla.org/directory/user/ ... ck-jackson

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: What should be my security extension strategy

Post by sozzled » Sun Sep 19, 2021 1:34 pm

Thanks, mate. All good advice if people use Akeeba Admin Tools PRO. Not applicable for ?foobar if you use Akeeba Admin Tools "core" (not PRO). OK?

Partic
Joomla! Enthusiast
Posts: 107
Joined: Fri Sep 16, 2005 10:08 pm
Location: Melbourne, Australia

Re: What should be my security extension strategy

Post by Partic » Mon Sep 20, 2021 12:05 am

@Sozzled is correct. The URL parameter in the Admin Tools Web Application Firewall is only available in the PRO version. Having used the PRO version now for several years I've not paid attention to what CORE does not have in detail.

The "Password Protect Administrator" folder is a feature in both the CORE and PRO versions, and looks to be what you've configured, which is the .htpasswd feature. Using that feature on its own is likely, btw, to be more effective than the URL parameter you've configured previously with AdminExile, though it means you need to manage another password layer for users needing admin access.

If you're using the CORE version, the third setting you might have configured is the Master Password, which is a different feature again. It is used to lock the Admin Tools component down to prevent accidental adjustment by other users of the site.
Patrick Jackson
Joomla Certified Administrator | Melbourne Australia
https://exam.joomla.org/directory/user/ ... ck-jackson
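The .htpasswd file discussed above is a plain Apache password file, and the natural check once the pop-up prompt is working is whether its entries are hashed strongly. The following is an added example, not Akeeba's or any poster's code: it parses that format, names each entry's hash scheme, flags anything weaker than bcrypt (what htpasswd -B writes), and shows how Apache checks a {SHA} entry. The file contents are constructed, and the bcrypt line is a placeholder carrying only the real prefix.

```python
"""Audit an Apache .htpasswd file such as the one Admin Tools writes into /administrator.
Added example, not Akeeba's code: parse the file, name each hash scheme, flag weak ones."""
import base64
import hashlib
import hmac
import re

# Constructed sample file; the bcrypt line is a placeholder with only the real prefix.
SAMPLE_HTPASSWD = """\
# Apache skips blank lines and comments
admin:$2y$05$PLACEHOLDERsaltPLACEHOLDERsaltPLACEHOLDERhashPLACEHOLDER
legacy:$apr1$Zt3P1xhK$Q9LLj8J3r1MJw3WUwbaTG0
old:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
oops:plaintextpw
"""

_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # traditional DES crypt output


def parse_htpasswd(text):
    """Return (user, hash) pairs from 'user:hash' lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, pw_hash = line.partition(":")
            entries.append((user, pw_hash))
    return entries


def classify(pw_hash):
    """Name the scheme as the htpasswd tool would have produced it."""
    if pw_hash.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"      # htpasswd -B: the only scheme worth keeping
    if pw_hash.startswith("$apr1$"):
        return "apr1-md5"    # htpasswd -m (the default): fast to brute-force
    if pw_hash.startswith("{SHA}"):
        return "sha1"        # htpasswd -s: unsalted SHA-1
    if _CRYPT_RE.match(pw_hash):
        return "crypt"       # htpasswd -d: truncates passwords to 8 chars
    return "plain"           # htpasswd -p or a hand-edited file


def audit(text):
    """(user, scheme, acceptable) per entry; only bcrypt counts as acceptable."""
    return [(u, classify(h), classify(h) == "bcrypt") for u, h in parse_htpasswd(text)]


def verify_sha1(password, pw_hash):
    """How Apache checks a {SHA} entry: compare base64(sha1(password)) in constant time."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest("{SHA}" + digest, pw_hash)
```

Run `audit(open("/path/to/administrator/.htpasswd").read())` on a real file; any entry reported as not acceptable can be regenerated with `htpasswd -B`.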

sozzled
I've been banned!
Posts: 13639
Joined: Sun Jul 05, 2009 3:30 am
Location: Canberra, Australia

Re: What should be my security extension strategy

Post by sozzled » Mon Sep 20, 2021 12:43 am

Partic wrote:
Mon Sep 20, 2021 12:05 am
If you're using the CORE version ...
... which is what @FuzMic said he did. :)

FuzMic
Joomla! Explorer
Posts: 426
Joined: Mon Oct 08, 2012 4:45 am

Re: What should be my security extension strategy

Post by FuzMic » Mon Sep 20, 2021 12:08 pm

Brothers thanks for your kind attention ☺️😊
