
How to Protect Your Prosper from Attacks ? (14)


01-05-2013 06:01 AM #1 dario (Member)
How to Protect Your Prosper from Attacks ?

It's not hard to find someone's P202 login page.
Do you protect your prosper installation with additional gimmicks ?


01-05-2013 06:53 AM #2 zeno (Administrator)

You could block access from all IPs other than ones you specify? e.g. with htaccess:

Code:
order deny,allow
deny from all
allow from 111.222.333.444
Not sure if that can cause problems with tracking, but I assume you can block access just at the main directory containing the login page.


01-05-2013 07:47 AM #3 dextrous (Member)

Quote Originally Posted by zeno View Post
You could block access from all IPs other than ones you specify? e.g. with htaccess:
Code:
order deny,allow
deny from all
allow from 111.222.333.444
Not sure if that can cause problems with tracking, but I assume you can block access just at the main directory containing the login page.
That would destroy the tracking completely if you use it for the whole install, since you are not accepting any traffic from anywhere but your own IP.

You could block just the 202-login.php from being accessed by anyone but you pretty simply; save the following as ".htaccess" and put it in the same directory as your 202-login.php.
Code:
<Files 202-login.php>
order deny,allow
deny from all
allow from 127.0.0.1
ErrorDocument 403 http://www.youtube.com/watch?v=bPWVq6MwW4E
</Files>
Just change 127.0.0.1 to your own IP and the youtube URL to wherever you want the malicious users to redirect.


01-05-2013 08:22 AM #4 maveris (Member)

I used this for awhile: http://stmforum.com/forum/showthread...light=htaccess

Very safe, I found it to be a little bit overdoing it actually as it was a pain to enter two different passwords all the time. The easier solution is renaming the 202-login.php which is mentioned later in the thread I linked above and a strong password that you change regularly. Your mileage may vary though depending on how often you're being attacked and how valuable what you're trying to protect is.


01-05-2013 10:03 AM #5 dextrous (Member)

I've personally preferred to just deny every other IP except my own, this way it doesn't matter even if the attacker found out where your login is AND you don't have to enter your info twice to just login to P202.

(+ it's hilarious monitoring your access logs and seeing noobs being redirected to fuck you -videos)

Some servers don't allow .htaccess rewrites, e.g. those with mod_rewrite disabled; for these instances you could just modify the 202-login.php to die if the IP doesn't match the one specified.

In these cases, adding something like:

Code:
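// Address of the client that connected to the web server
$ip = $_SERVER['REMOTE_ADDR'];
// Stop unless the request comes from the allowed IP (quoted: it is a string)
if ($ip !== '127.0.0.1') {
    die();
}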
which basically kills the script if the IP doesn't match, could do the trick


01-05-2013 08:06 PM #6 zeno (Administrator)

Yeh I like that method dextrous, less server dependent.


01-11-2013 08:43 AM #7 dario (Member)

Quote Originally Posted by dextrous View Post
That would destroy the tracking completely if you use it for the whole install, since you are not accepting any traffic from anywhere but your own IP.

You could block just the 202-login.php from being accessed by anyone but you pretty simply; save the following as ".htaccess" and put it to the same directory with your 202-login.php.
Code:
<Files 202-login.php>
order deny,allow
deny from all
allow from 127.0.0.1
ErrorDocument 403 http://www.youtube.com/watch?v=bPWVq6MwW4E
</Files>
Just change 127.0.0.1 to your own IP and the youtube URL to wherever you want the malicious users to redirect
How to allow more than one IP to the login page ?


01-11-2013 09:44 AM #8 khnum (Member)

^^

Add another line with the IP address you want to allow access from:

<Files 202-login.php>
order deny,allow
deny from all
allow from 127.0.0.1
# put the additional IP here
allow from xxx.x.x.x
ErrorDocument 403 http://www.youtube.com/watch?v=bPWVq6MwW4E
</Files>

If someone would really want access to your Prosper though, they could simply hack your server. There is really no real way to secure your Prosper/tracking server other than to update all the software packages like PhpMyAdmin/mySQL etc. frequently. Blocking someone from viewing your /202-login page isn't really securing anything, but it will keep some computer newbs out for sure.
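
A PHP version of the allowlist that accepts several addresses, combining the PHP fallback from post #5 with the multi-IP question answered in post #8. This is an added example, not code from any poster or from Prosper202; the addresses are constructed documentation values and `ip_matches` / `login_allowed` are hypothetical helper names. It goes beyond the thread by also accepting CIDR ranges and IPv6.

```php
<?php
// Added example, not Prosper202 code. Addresses are constructed documentation ranges.
const LOGIN_ALLOWLIST = ['203.0.113.10', '198.51.100.0/24', '2001:db8:1234::/48'];

// True if $ip equals $entry or falls inside it when $entry is a CIDR block.
function ip_matches(string $ip, string $entry): bool
{
    $parts = explode('/', $entry, 2);
    $addr = @inet_pton($ip);
    $net = @inet_pton($parts[0]);
    // Unparseable input or an IPv4/IPv6 mismatch never matches (fail closed).
    if ($addr === false || $net === false || strlen($addr) !== strlen($net)) {
        return false;
    }
    $maxBits = strlen($net) * 8;
    $prefix = $parts[1] ?? (string) $maxBits;
    // Reject empty, non-numeric or oversized prefix lengths.
    if (!ctype_digit($prefix) || (int) $prefix > $maxBits) {
        return false;
    }
    $full = intdiv((int) $prefix, 8);   // whole bytes covered by the prefix
    $rem = (int) $prefix % 8;           // leftover bits in the next byte
    if (substr($addr, 0, $full) !== substr($net, 0, $full)) {
        return false;
    }
    if ($rem === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rem)) & 0xFF;
    return (ord($addr[$full]) & $mask) === (ord($net[$full]) & $mask);
}

function login_allowed(string $ip, array $allowlist): bool
{
    foreach ($allowlist as $entry) {
        if (ip_matches($ip, $entry)) {
            return true;
        }
    }
    return false;
}

// REMOTE_ADDR is the TCP peer; behind a reverse proxy or CDN this check
// would see the proxy's address, not the visitor's.
if (!login_allowed($_SERVER['REMOTE_ADDR'] ?? '', LOGIN_ALLOWLIST)) {
    http_response_code(403);
    exit;
}
```

Placed at the very top of 202-login.php, the guard answers with a bare 403 before any login logic runs; a missing or malformed address is treated as not allowed.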


01-11-2013 11:01 AM #9 dextrous (Member)



Assuming your server and important software are up to date, but that's a whole other subject since the thread is about securing the Prosper installation and not the server per se.


01-12-2013 04:50 AM #10 khnum (Member)

^^

Agreed.

But it was just to indicate that online there is no 100% surefire way to secure your stuff.

One single vulnerability on your server side could give the bad guy full access to all the stuff on there. From there on he/she could find all the data inside of your Prosper installation. Just saying, keep your stuff up to date!


01-13-2013 10:05 AM #11 luxus95 (Member)

Thank you for your trick.

Who else wants to see the F**k off video? Just try to log in to my domain.


02-03-2013 11:41 AM #12 everest2012 (Member)

If you have a halfway decent password, what difference does it make if somebody finds your P202 login page?

Sorry for the noob question, just trying to figure out why/if I should bother securing my own P202 installation.


02-03-2013 12:06 PM #13 snipe (Member)

Quote Originally Posted by everest2012 View Post
If you have a halfway decent password, what difference does it make if somebody finds your P202 login page?

Sorry for the noob question, just trying to figure out why/if I should bother securing my own P202 installation.
It's just an extra layer of protection, it's really not necessary.

You're essentially stopping the possibility of a brute force attack, but if you have a strong password this shouldn't be an issue.
http://howsecureismypassword.net gives you a good idea of how secure your password is against a brute force attack.


02-04-2013 11:13 AM #14 caurmen (Administrator)

Also, of course, you need to be sure that you're not using your Prosper password anywhere else - otherwise if that other place gets compromised (depressingly common these days) your Prosper install's basically wide open. I can't stress enough how much of a good idea it is to use a password manager like LastPass (not an affiliate link) these days - they'll generate you unique, secure passwords for every site you use and manage them for you.

