What should be my security extension strategy Topic is solved
Moderators: mandville, General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Forum Post Assistant / FPA - If you are serious about wanting help, you will use this tool to help you post.
Windows Defender SmartScreen Issues <-- please read this if using Windows 10.
-
- Joomla! Explorer
- Posts: 426
- Joined: Mon Oct 08, 2012 4:45 am
What should be my security extension strategy
Hi guys
With Jm 4, will 2-stage authentication be sufficient?
With Jm 3.x I use AdminExile to add a login key, but this ext seems to be in limbo. I like this, hoping it adds an extra layer; do you know of any replacement?
I also use Security Check to an 80% rating without using the backend htaccess control.
Any advice much appreciated.
- AMurray
- Joomla! Exemplar
- Posts: 9634
- Joined: Sat Feb 13, 2010 7:35 am
- Location: Australia
Re: What should be my security extension strategy
I use Akeeba Admin Tools on J4
It has both the 'secret key' you append to the URL (exactly like AdminExile) and the htaccess/htpasswd protection for the /administrator folder and a host of other security features and firewall.
Akeeba also have LoginGuard - an alternate 2FA component which occurs *after* you login (unlike Joomla's default 2FA where you have to put in the code within the login form itself) - both use authenticators like Google Authenticator (or others that can generate the random 6-digit code) or Yubikey.
https://extensions.joomla.org/extension ... oginguard/
https://extensions.joomla.org/extension/admin-tools/
Regards - A Murray
General Support Moderator
- Webdongle
- Joomla! Master
- Posts: 44018
- Joined: Sat Apr 05, 2008 9:58 pm
Re: What should be my security extension strategy
First and foremost ... keep everything up to date.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- Joomla! Explorer
- Posts: 426
- Joined: Mon Oct 08, 2012 4:45 am
Re: What should be my security extension strategy
Murray bro thank you for taking me there. Noted the updating.
-
- Joomla! Explorer
- Posts: 426
- Joined: Mon Oct 08, 2012 4:45 am
Re: What should be my security extension strategy
Murray
Bro, I must have done something wrong or missed something ... Admin Tools for Joomla from Akeeba.
Going through the "Password-protect Administrator" with a new Username and Password (different from the Joomla SuperUser & password) I saw two new files in the administrator directory: 1) .htaccess 2) .htpasswd
HOWEVER, when I log in, e.g. "local.website/administrator/index.php", I was presented the Joomla backend login, and then using the Joomla username & password I get in. In my old way I type http://local.website/administrator/?2nd ... ndPassWord, else I just can't get to the Joomla backend login.
Where is my mental block?
- AMurray
- Joomla! Exemplar
- Posts: 9634
- Joined: Sat Feb 13, 2010 7:35 am
- Location: Australia
Re: What should be my security extension strategy
FuzMic wrote:
However, when I log in, e.g. "local.website/administrator/index.php", I was presented the Joomla backend login, and then using the Joomla username & password I get in. In my old way I type http://local.website/administrator/?2nd ... ndPassWord, else I just can't get to the Joomla backend login.
From your description, it would seem AdminExile is still in use, so I'd remove that plugin given it won't work in J4.0 at this time.
Akeeba Tools also has a function similar to AdminExile - with the secret URL parameter; perhaps that would be easier for you, and something you're already used to with AdminExile. Instead of the htaccess, maybe try the secret URL parameter option Akeeba Tools has, so access to your site's admin would be like your-site.com/administrator?parameter=secretvalue.
FuzMic wrote:
Going through the "Password-protect Administrator" with a new Username and Password (different from the Joomla SuperUser & password) I saw two new files in the administrator directory: 1) .htaccess 2) .htpasswd
Correct. Those files are what Akeeba creates to protect the /administrator, using the standard Apache protection feature. When you have successfully set that up, the browser should prompt you for those details just created, in a pop-up box.
The popup box should first appear when you save that setting in Akeeba tools, but if not, it may require a log out from Joomla, close down the browser, then restart it and return to the web site; the htaccess 'session' remains active while the browser is open. There is no "logout" except for exiting the browser.
If the system is preventing access, you can delete (or rename) the htaccess/htpasswd from the /administrator folder using FTP or your hosting's file manager. (Note they are hidden files, so you need to turn on the option to show hidden files in the FTP or file manager, if applicable.)
Regards - A Murray
General Support Moderator
-
- Joomla! Explorer
- Posts: 426
- Joined: Mon Oct 08, 2012 4:45 am
Re: What should be my security extension strategy
Thanks Murray for the effort to lead.
After playing around I found the following:
Unless we have logged out of the browser, the pop up will not appear to ask for the Akeeba username & password (before the Joomla entry info set).
I.e. once we have entered the Akeeba info (until we log out of the browser), accessing admin will go directly to the Joomla entry set.
-
- I've been banned!
- Posts: 13639
- Joined: Sun Jul 05, 2009 3:30 am
- Location: Canberra, Australia
Re: What should be my security extension strategy
See the AAT user guide. The security feature, that operates exactly like AdminExile
Code:
http://www.example.com/administrator?foobar
- JAVesey
- Joomla! Hero
- Posts: 2620
- Joined: Tue May 14, 2013 1:21 pm
- Location: Cardiff, Wales, UK
- Contact:
Re: What should be my security extension strategy
The free version of "SecurityCheck" offers (amongst other things) the functionality. It works with J3 and J4.
I haven't used it in anger as I currently use AdminExile but, come the time to migrate --> J4, if a compatible version of AdminExile isn't available, then I will do so rather than delay the migration.
Hope this helps.
John V
Cardiff, Wales, UK
Joomla 5.0.3 "live" site on PHP 8.2.15 and MariaDB 10.11.7
Joomla 5.0.3 on XAMMP for OSX with PHP 8.2.4 and MariaDB 10.4.28
-
- Joomla! Explorer
- Posts: 426
- Joined: Mon Oct 08, 2012 4:45 am
Re: What should be my security extension strategy
Hi guys
According to a number of you, AdminExile login using e.g. http://www.example.com/administrator?foobar is the same as Akeeba Admin Tools. I seem to get a different flavour. By the way, AdminExile doesn't work with Jm 4; that is why I put up this thread.
What I find is, if I use "jml4x.local/administrator/?AkUserName=AkPassword", it will ask for AkUserName & AkPassword instead of directly opening to the Joomla login, i.e. it ignores the info after /? as in the attached.
With AdminExile it accepts the URL info after /? and takes me direct to the Joomla backend login. In Akeeba though, once it gets the AkUserName..., it will open direct to the Jm backend unless you log out from the browser.
-
- I've been banned!
- Posts: 13639
- Joined: Sun Jul 05, 2009 3:30 am
- Location: Canberra, Australia
Re: What should be my security extension strategy
Are you using Akeeba Admin Tools "Core" version or using Akeeba Admin Tools "Professional" version?
-
- Joomla! Explorer
- Posts: 426
- Joined: Mon Oct 08, 2012 4:45 am
Re: What should be my security extension strategy
Yes Auz mate, i use the Core, no subscription being pursued.
-
- I've been banned!
- Posts: 13639
- Joined: Sun Jul 05, 2009 3:30 am
- Location: Canberra, Australia
Re: What should be my security extension strategy
As I wrote before, the feature you are looking for is not included in the version you are using! Please see the AAT user guide.
- Partic
- Joomla! Enthusiast
- Posts: 107
- Joined: Fri Sep 16, 2005 10:08 pm
- Location: Melbourne, Australia
- Contact:
Re: What should be my security extension strategy
Fuzmic,
Not seeing another reply to help you in the past few days, I'm hoping you may have worked it out, otherwise the following I hope helps clarify what's going on for you.
Admin Tools has a number of security features that you can put in place. You've configured two by the looks of it:
- URL parameter
- .htpasswd in the administrator folder
Using the URL parameter on its own is similar to the AdminExile URL parameter.
FuzMic wrote: ↑Tue Sep 14, 2021 4:17 am
Hi guys
According to a number of you, AdminExile login using e.g. http://www.example.com/administrator?foobar is the same as Akeeba Admin Tools. I seem to get a different flavour. By the way, AdminExile doesn't work with Jm 4; that is why I put up this thread.
Your image shows the screen you're getting from the .htpasswd being configured.
So what you have configured is that you will go to:
jml4x.local/administrator/?foobar
Then you'll be prompted with the .htpasswd layer which you need to log in with the details in the .htpasswd file (most likely different to your Joomla login)
On successfully entering the .htpasswd authentication, and having the URL parameter in place, you will then be taken to the Joomla login.
If you go to /administrator without the URL parameter, you will get the .htpasswd authentication, but on successfully authenticating with that login, you will have failed the URL parameter check, and be redirected to the home page instead of the admin login screen.
Same will be happening with administrator/?AkUserName=AkPassword as that triggers .htpasswd, but will not match the URL parameter.
Patrick Jackson
Joomla Certified Administrator | Melbourne Australia
https://exam.joomla.org/directory/user/ ... ck-jackson
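As an added example (not code from Akeeba Admin Tools, AdminExile or anyone in this thread), the following Python models the two layers Patrick describes above and the .htaccess/.htpasswd pair Murray explains earlier in the thread: Apache's Basic-auth check on /administrator runs first, then the secret URL parameter check decides between the Joomla login form and a redirect to the home page. The usernames, passwords, the parameter name "foobar", the use of Apache's {SHA} htpasswd format, and the simplification that only the parameter's presence (not its value) is checked are all assumptions made for the demo.

```python
import base64
import hashlib
import hmac
from typing import Optional, Tuple
from urllib.parse import parse_qs

# Constructed demo credentials for the .htpasswd layer (assumption, not real values).
HTPASSWD_USER = "akuser"
HTPASSWD_PASSWORD = "CorrectHorseBatteryStaple"
# Assumed name of the secret URL parameter (the "?foobar" in the thread).
SECRET_PARAM = "foobar"


def sha_htpasswd_hash(password: str) -> str:
    """Apache's {SHA} htpasswd format: base64 of the raw SHA-1 of the password."""
    return base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def make_htpasswd_line(user: str, password: str) -> str:
    """One line of the .htpasswd file that Admin Tools writes into /administrator."""
    return f"{user}:{{SHA}}{sha_htpasswd_hash(password)}"


def make_htaccess(htpasswd_path: str) -> str:
    """The standard Apache directives that password-protect a directory."""
    return (
        "AuthType Basic\n"
        'AuthName "Restricted Area"\n'
        f"AuthUserFile {htpasswd_path}\n"
        "Require valid-user\n"
    )


HTPASSWD = make_htpasswd_line(HTPASSWD_USER, HTPASSWD_PASSWORD) + "\n"


def basic_auth_header(user: str, password: str) -> str:
    """What the browser sends after the user fills in the .htpasswd popup.

    Browsers keep re-sending this header until they are closed, which is why
    the popup only appears once per browser session."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_basic_auth(authorization: Optional[str], htpasswd_text: str) -> bool:
    """Layer 1: verify an Authorization header against the .htpasswd contents."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        raw = base64.b64decode(authorization[len("Basic "):], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, sep, password = raw.partition(":")
    if not sep:
        return False
    for line in htpasswd_text.splitlines():
        name, _, stored = line.partition(":")
        if name == user and stored.startswith("{SHA}"):
            # Constant-time comparison of the stored and computed digests.
            return hmac.compare_digest(stored[len("{SHA}"):], sha_htpasswd_hash(password))
    return False


def admin_request(path: str, query_string: str = "",
                  authorization: Optional[str] = None) -> Tuple[int, str]:
    """Return (HTTP status, what the visitor sees) for one request to the backend."""
    if not path.startswith("/administrator"):
        return 200, "front end"
    # Layer 1: Apache evaluates .htpasswd before Joomla or Admin Tools run at all.
    if not check_basic_auth(authorization, HTPASSWD):
        return 401, "browser shows the .htpasswd popup"
    # Layer 2: the secret URL parameter; only its presence is checked (assumption).
    params = parse_qs(query_string, keep_blank_values=True)
    if SECRET_PARAM not in params:
        return 302, "redirected to the home page"
    return 200, "Joomla backend login form"


def walkthrough():
    """The four situations from the thread, in order."""
    auth = basic_auth_header(HTPASSWD_USER, HTPASSWD_PASSWORD)
    return [
        ("first visit, no credentials yet", admin_request("/administrator/", "foobar")),
        ("credentials cached, ?foobar present", admin_request("/administrator/", "foobar", auth)),
        ("credentials cached, no parameter", admin_request("/administrator/", "", auth)),
        ("credentials cached, ?AkUserName=AkPassword",
         admin_request("/administrator/", "AkUserName=AkPassword", auth)),
    ]


if __name__ == "__main__":
    print(make_htaccess("/var/www/site/administrator/.htpasswd"))
    print(HTPASSWD)
    for label, result in walkthrough():
        print(f"{label}: {result}")
```

The third and fourth cases are the behaviour FuzMic observed: once the browser has cached the Basic-auth credentials, a request that lacks the secret parameter still passes the Apache layer and is then bounced to the home page by the parameter check, and "?AkUserName=AkPassword" is just another request without "foobar".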
-
- I've been banned!
- Posts: 13639
- Joined: Sun Jul 05, 2009 3:30 am
- Location: Canberra, Australia
Re: What should be my security extension strategy
Thanks, mate. All good advice if people use Akeeba Admin Tools PRO. Not applicable for ?foobar if you use Akeeba Admin Tools "core" (not PRO). OK?
- Partic
- Joomla! Enthusiast
- Posts: 107
- Joined: Fri Sep 16, 2005 10:08 pm
- Location: Melbourne, Australia
- Contact:
Re: What should be my security extension strategy
@Sozzled is correct. The URL parameter in the Admin Tools Web Application Firewall is only available in the PRO version. Having used the PRO version now for several years I've not paid attention to what CORE does not have in detail.
The "Password Protect Administrator" folder is a feature in both the CORE and PRO versions, and looks to be what you've configured, which is the .htpasswd feature. Using that feature on its own is likely, btw, to be more effective than the URL parameter you've configured previously with AdminExile, though it means you need to manage another password layer for users needing admin access.
If you're using the CORE version, the third setting you might have configured is the Master Password, which is a different feature again. It is used to lock the Admin Tools component down to prevent accidental adjustment by other users of the site.
Patrick Jackson
Joomla Certified Administrator | Melbourne Australia
https://exam.joomla.org/directory/user/ ... ck-jackson
-
- I've been banned!
- Posts: 13639
- Joined: Sun Jul 05, 2009 3:30 am
- Location: Canberra, Australia
Re: What should be my security extension strategy
... which is what @FuzMic said he did.
-
- Joomla! Explorer
- Posts: 426
- Joined: Mon Oct 08, 2012 4:45 am
Re: What should be my security extension strategy
Brothers thanks for your kind attention