[Security suggestion] Check your admin passwords
This is a reply to the following Announcement post of Alex:
Check your admin passwords
Alex,
I posted several times, that there is a serious need to be able to rename the default admin.cgi script name and the admin directory name.
This can be a secondary security protection against the hacker bots, which are looking for LinksSQL installations, and try to locate and do dictionary and security hole attacks against the admin.cgi.
As I remember, the admin/admin.cgi path currently is hardcoded into scripts and templates. This should be changed to be variable based, so the site owner would be allowed to rename admin directory & script name.
For example would be possible to hide the admin interface from prying eyes like this:
/adm843/639admin.cgi
or
/sec_admin_kjhl/secure_admin_lkwjf.cgi
or
/admindir/admin8364.cgi
etc...
This kind of solutions could highly increase admin interface security.
Could be even more comfortable, if on the admin Setup page there would be a tool, which could rename the admin directory, rename admin.cgi upon fillin a small form, and do changes in the config.
Also in the LSQL installer could be an option to change admin directory name, and admin.cgi name (userful for new users, new installations).
Alex, if you are worrying about security of LSQL admin interfaces, then please put this feature to the first place of your TODO list!!!
Best regards,
Webmaster33
Paid Support from Webmaster33. Expert in Perl programming & Gossamer Threads applications. (click here for prices)
Webmaster33's products (upd.2004.09.26) | Private message | Contact me | Was my post helpful? Donate my help...
Check your admin passwords
Alex,
I posted several times, that there is a serious need to be able to rename the default admin.cgi script name and the admin directory name.
This can be a secondary security protection against the hacker bots, which are looking for LinksSQL installations, and try to locate and do dictionary and security hole attacks against the admin.cgi.
As I remember, the admin/admin.cgi path currently is hardcoded into scripts and templates. This should be changed to be variable based, so the site owner would be allowed to rename admin directory & script name.
For example would be possible to hide the admin interface from prying eyes like this:
/adm843/639admin.cgi
or
/sec_admin_kjhl/secure_admin_lkwjf.cgi
or
/admindir/admin8364.cgi
etc...
This kind of solutions could highly increase admin interface security.
Could be even more comfortable, if on the admin Setup page there would be a tool, which could rename the admin directory, rename admin.cgi upon fillin a small form, and do changes in the config.
Also in the LSQL installer could be an option to change admin directory name, and admin.cgi name (userful for new users, new installations).
Alex, if you are worrying about security of LSQL admin interfaces, then please put this feature to the first place of your TODO list!!!
Best regards,
Webmaster33
Paid Support from Webmaster33. Expert in Perl programming & Gossamer Threads applications. (click here for prices)
Webmaster33's products (upd.2004.09.26) | Private message | Contact me | Was my post helpful? Donate my help...
[Security suggestion] Check your admin passwords