Sunday, 14 April 2013

Harden the web admin login

By dxCyberz ISD | Posted at Sunday, April 14, 2013 | Security

Just a quick reminder:
don't get so caught up defacing other people's sites that you forget about the security of your own.
Maybe there is no SQL bug or whatever on our site,
but what if another site on the same shared hosting as ours gets attacked and the attacker jumps across the server into our account?
Then our site is done for :-D they can read our MySQL login credentials :-D
Here are a few ways to protect the admin login:
1. Use the directory password protection available in cPanel: pick the admin login directory, then set a username and password for it.
2. Use a dedicated IP, meaning only our own IP can reach the admin directory.
The way to do that is with .htaccess:


AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic

order deny,allow
deny from all

# IP address to whitelist
allow from xxx.xxx.xxx.xxx
where xxx.xxx.xxx.xxx is our own IP / the one we normally connect from (note that "order / deny / allow" is Apache 2.2 syntax; Apache 2.4 expresses the same allowlist with "Require ip").
3. Create a file named protect.php (or any name you like):
<?php
session_start();

$admin_user_name = "nama";
$admin_password  = "password";
// You can change the username and password by changing the two strings above.

// Prints the "not authorized" page, clears the login session, and stops the script.
// Request-derived values are HTML-escaped before they are echoed.
function login_error($host, $php_self) {
    $host     = htmlspecialchars($host, ENT_QUOTES, 'UTF-8');
    $php_self = htmlspecialchars($php_self, ENT_QUOTES, 'UTF-8');
    echo "<HTML><HEAD>
<TITLE>$host : Administration</TITLE>
</HEAD><BODY bgcolor=#ffffff>
<table border=0 cellspacing=0 cellpadding=0 width=100%>
<TR><TD align=left>
<font face=verdana size=2><B> You Need to log on to access this part of the site! </b> </font></td>
</tr></table>
<P></P>
<font face=verdana size=2>
<center>";
    echo "Error: You are not authorized to access this part of the site!
<B><a href=\"$php_self\">Click here</a></b> to login again.<P>
</center>
</font>
</BODY>
</HTML>";
    unset($_SESSION['adb_password'], $_SESSION['user']);
    exit;
}

if (!isset($_SESSION['user'])) {

    // $HTTP_POST_VARS / $HTTP_SESSION_VARS / session_register() were removed from PHP;
    // use the $_POST / $_SESSION superglobals instead.
    $u_name     = isset($_POST['u_name'])     ? $_POST['u_name']     : null;
    $u_password = isset($_POST['u_password']) ? $_POST['u_password'] : null;

    if (!isset($u_name)) {
        // Nothing submitted yet: show the login form, posting back to this same URL.
        $form_to = "http://" . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
        if (!empty($_SERVER['QUERY_STRING']))
            $form_to .= "?" . $_SERVER['QUERY_STRING'];
        $host    = htmlspecialchars($_SERVER['HTTP_HOST'], ENT_QUOTES, 'UTF-8');
        $form_to = htmlspecialchars($form_to, ENT_QUOTES, 'UTF-8');
?>
<HTML>
<HEAD>
<TITLE><?php echo $host; ?> : Authentication Required</TITLE>
</HEAD>
<BODY bgcolor=#ffffff>
<table border=0 cellspacing=0 cellpadding=0 width=100%>
<TR><TD>
<font face=verdana size=2><B>(Access Restricted to Authorized Personnel)</b> </font></td>
</tr></table>
<P></P>
<font face=verdana size=2>
<center>
<form method=post action="<?php echo $form_to; ?>">
<table border=0 width=350>
<TR>
<TD><font face=verdana size=2><B>User Name</B></font></TD>
<TD><font face=verdana size=2><input type=text name=u_name size=20></font></TD></TR>
<TR>
<TD><font face=verdana size=2><B>Password</B></font></TD>
<TD><font face=verdana size=2><input type=password name=u_password size=20></font></TD>
</TR>
</table>
<input type=submit value=Login></form>
</center>
</font>
</BODY>
</HTML>
<?php
        exit;
    }
    else {
        $user_checked_passed = false;

        // A password already stored in the session must still match the configured one.
        if (isset($_SESSION['adb_password'])) {
            if ($admin_password !== $_SESSION['adb_password'])
                login_error($_SERVER['HTTP_HOST'], $_SERVER['PHP_SELF']);
            else
                $user_checked_passed = true;
        }

        if ($user_checked_passed == false) {
            if (strlen($u_name) < 2)
                login_error($_SERVER['HTTP_HOST'], $_SERVER['PHP_SELF']);

            // Both the username and the password have to match (the original version
            // only compared the password); strict comparison avoids type juggling.
            if ($u_name === $admin_user_name && $u_password === $admin_password) {
                $_SESSION['adb_password'] = $admin_password;
                $_SESSION['user']         = $u_name;
            }
            else { // username or password incorrect
                login_error($_SERVER['HTTP_HOST'], $_SERVER['PHP_SELF']);
            }

            // Reload the protected page now that the session is set.
            $page_location = $_SERVER['PHP_SELF'];
            if (!empty($_SERVER['QUERY_STRING']))
                $page_location .= "?" . $_SERVER['QUERY_STRING'];
            header("Location: " . $page_location);
            exit;
        }
    }
}
?>

4. Now pull it into the admin directory's index.php
like this: include 'protect.php';

5. Then encrypt/obfuscate protect.php so it can't be read :-D

If you use all of them, your site has 3 layers of security :-D
* 1: IP protection; if that gets bypassed there are still 2 more :-D
* 2: page password protection (the one in cPanel); if that gets bypassed too there is still 1 more :-D
* 3: the password-protected page; if that gets bypassed as well, all that's left is the admin login menu itself hehhehe
but most likely nobody can get through all of them
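As an added example (not the post's protect.php and not code from the forum it cites), here is the same gate written for PHP 7.3 or later with the weak spots of the script above fixed: the password is kept only as a password_hash() digest, comparisons are constant-time, the session id is regenerated after login, the form carries a CSRF token, and the IP allowlist from step 2 is checked again in PHP as a second layer. The username, hash and IP values are placeholders, and the code assumes REMOTE_ADDR is the real client address (no reverse proxy in front).

```php
<?php
// admin_gate.php (added example). Include it at the top of the admin index.php.
// Placeholders below are assumptions, not values from the original post.
declare(strict_types=1);

// Create the hash once with:  php -r 'echo password_hash("secret", PASSWORD_DEFAULT), PHP_EOL;'
const ADMIN_USER      = 'admin';                          // placeholder
const ADMIN_PASS_HASH = '$2y$10$REPLACE_WITH_REAL_HASH';  // placeholder bcrypt digest
const ALLOWED_IPS     = ['203.0.113.10'];                 // placeholder (TEST-NET-3 address)
const MAX_FAILURES    = 5;
const LOCKOUT_SECONDS = 900;

session_start([
    'cookie_httponly' => true,     // keep the cookie away from script access
    'cookie_samesite' => 'Strict', // cookie is not sent on cross-site requests
    'use_strict_mode' => true,     // reject session ids the server never issued
]);

function deny(int $status, string $message): void {
    http_response_code($status);
    header('Content-Type: text/plain; charset=utf-8');
    echo $message;
    exit;
}

// Layer 1, mirroring the .htaccess allowlist: refuse everything not from our IP.
if (!in_array($_SERVER['REMOTE_ADDR'] ?? '', ALLOWED_IPS, true)) {
    deny(403, 'Forbidden');
}

// Already authenticated in this session: hand control back to the including page.
if (!empty($_SESSION['admin_authenticated'])) {
    return;
}

// Per-session throttle. It only slows a client that keeps its cookie, so pair it
// with server-side rate limiting by IP in a real deployment.
$failures    = $_SESSION['login_failures'] ?? 0;
$lockedUntil = $_SESSION['locked_until'] ?? 0;
if ($failures >= MAX_FAILURES && time() < $lockedUntil) {
    deny(429, 'Too many failed logins. Try again later.');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = (string)($_POST['u_name'] ?? '');
    $pass = (string)($_POST['u_password'] ?? '');

    // The token must be the one issued to this session.
    $tokenOk = isset($_POST['csrf'], $_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], (string)$_POST['csrf']);
    // Constant-time username check plus bcrypt verification of the password.
    $userOk = hash_equals(ADMIN_USER, $user);
    $passOk = password_verify($pass, ADMIN_PASS_HASH);

    if ($tokenOk && $userOk && $passOk) {
        session_regenerate_id(true);              // fresh id after the privilege change
        $_SESSION['admin_authenticated'] = true;  // store a flag, never the password
        unset($_SESSION['login_failures'], $_SESSION['locked_until']);
        header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'), true, 303);
        exit;
    }

    $_SESSION['login_failures'] = $failures + 1;
    if ($_SESSION['login_failures'] >= MAX_FAILURES) {
        $_SESSION['locked_until'] = time() + LOCKOUT_SECONDS;
    }
    error_log(sprintf('admin login failed from %s', $_SERVER['REMOTE_ADDR']));
}

// Show the form (first visit, or a failed POST). One CSRF token per session.
$_SESSION['csrf'] = $_SESSION['csrf'] ?? bin2hex(random_bytes(32));
$csrf   = htmlspecialchars($_SESSION['csrf'], ENT_QUOTES, 'UTF-8');
$action = htmlspecialchars(strtok($_SERVER['REQUEST_URI'], '?') ?: '/', ENT_QUOTES, 'UTF-8');
http_response_code(401);
?>
<!DOCTYPE html>
<html><head><meta charset="utf-8"><title>Authentication Required</title></head>
<body>
<form method="post" action="<?= $action ?>">
  <input type="hidden" name="csrf" value="<?= $csrf ?>">
  <label>User name <input type="text" name="u_name" autocomplete="username"></label>
  <label>Password <input type="password" name="u_password" autocomplete="current-password"></label>
  <button type="submit">Login</button>
</form>
</body></html>
<?php exit;
```

The failed-login line written with error_log is what you would watch for in the server logs: repeated 401/429 responses from one address against the admin path are the signal that somebody is working on layer 3 after getting past the first two.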

Source: http://forum.indonesiansecuritydown.org/thread-1.html
