Author |
Message |
aespinal
Hangin' Around

Joined: Nov 12, 2006
Posts: 41
|
Posted:
Tue Nov 14, 2006 3:55 pm |
|
I installed sentinel, last version.
I did everything by the book, but when I upload .htaccess with the correct information, it stops me from getting to admin, asking username and password...
Any help will be appreciated. |
|
|
|
 |
hitwalker
Sells PC To Pay For Divorce

Joined:
Posts: 5661
|
Posted:
Tue Nov 14, 2006 5:32 pm |
|
well then you missed a lot .....
first you have to set your admin in sentinel configuration page... |
|
|
|
 |
aespinal

|
Posted:
Tue Nov 14, 2006 5:58 pm |
|
Ok, I managed to make it work, but every time I click an admin option I am forced to input the password... What do I have to change in the settings to avoid that? |
|
|
|
 |
montego
Site Admin

Joined: Aug 29, 2004
Posts: 9457
Location: Arizona
|
Posted:
Wed Nov 15, 2006 11:12 am |
|
That does not make sense. Make sure browser is allowing cookies. |
|
|
 |
aespinal

|
Posted:
Wed Nov 15, 2006 12:14 pm |
|
Browser allowing cookies is set.
I cannot access the admin if .htaccess is there...
It asks for a password that I don't know...
I could only access admin when I changed the name of .htaccess.
Please help! |
|
|
|
 |
montego

|
Posted:
Wed Nov 15, 2006 12:31 pm |
|
Quote: |
It asks for a password that I don't know...
|
That is the key right there. Sure wish the NukeSentinel(tm) manual was up-to-date with good setup instructions... the RavenNuke 2.02.02 distro actually has an excellent HowToInstall manual and a good page on this.
Unfortunately, I am having to get to work and will not be back on-line for another 16 hours or so.
Someone else is going to have to walk you through the whole HTTPAuth/CGIAuth setup process.... sorry. |
|
|
|
 |
hitwalker

|
Posted:
Wed Nov 15, 2006 1:36 pm |
|
this should cover it.....
Make sure that you have completed the Base RavenNuke76(tm) Configuration and the Forum Configuration before you configure NukeSentinel(tm). The Forum configuration can be reached by going into the administration screen, clicking on "modules administration" then selecting "Forums" and then selecting "Configuration" under the general administration section. You need to set a domain name (do not prefix domain name with http://) as well as a cookie domain (generally the same as your domain name) and do other settings such as timezone etc. After completing the Forum configuration and saving the changes, you may want to set the general preferences for your site under Administration Menu / Preferences. These settings can always be adjusted later but having them correct at the outset will help to prevent initial problems.
Track all IP's
Sentinel will carry out the following Email Admin, Block, and redirect to Default Page upon the following attacks; Union, Admin, Author, CLike, and Filter, exploit attempts.
Script blocker setting is preset to Email Admin only, as NukeSentinel(tm) is very aggressive in keyword matching and there are many false positives, so we leave this up to the Admin to decide.
You will want to review all blocker settings to suit your personal preferences.
You can't yet use the write to .htaccess setting but you soon will.
If you click on Admin Auth List, you should see the NukeSentinel(tm) ADMIN record that you added during Configuration.
Next, go to Blocker Configuration and Review the settings for all the Blockers. Most have been preset but you should still review them all.
Save these settings for each blocker type that you modify.
Now, you should be able to SAFELY activate the Admin Access Protection part of NukeSentinel(tm).
Go back to the NukeSentinel(tm) Administration main panel.
In the Administrative Settings section you should see a drop down box beside Admin Auth:. Hopefully you will see "Off", "Admin HTTPAuth", and "Admin CGIAuth".
It's okay if "Admin CGIAuth" is NOT there.
Simply click "Admin HTTPAuth" and save the settings.
If all is working for you, you will now be prompted with the standard Browser HTTP Authentication Pop Up.
Type in your NS id/pass and it should then let you in. Assuming it does, Close all browser sessions that you might have open so we can REALLY test this.
Open up a new, single browser session and type http://www.YOURDOMAIN.com or http://www.YOURDOMAIN.com/html and select GO or press enter.
You should see your nuke site with the Welcome message. Next, type http://www.YOURDOMAIN.com/admin.php or http://www.YOURDOMAIN.com/html/admin.php and select GO or press enter.
You should be prompted with the HTTP Authorization screen.
Enter your NS id/pass and submit it.
Assuming it works, you should now see the regular nuke Admin login screen.
Enter your nuke admin id/pass and submit it.
You should now see your nuke ACP.
If you do not have HTTP Auth and/or .htaccess, do not panic.
Read on and hopefully it can all be explained.
There are 2 basic ways that PHP can be integrated into Apache. One is as an Apache module and the other is as a CGI program. If your host is running PHP as an Apache module, then you have the capability of using HTTP Authentication as a function of the browser and you do not even need .htaccess/.staccess. If, however, your host is running PHP as a CGI program, then we have to use the same HTTP Authentication but with a .htaccess and .staccess (a password file). As an Apache module you have more flexibility than as a CGI. There are pros and cons to each but I will only address the impact as it relates to NukeSentinel(tm). The reason we introduced this scheme is to protect your admin.php file from being so easily cracked. It provides an extra layer of security to gain access to the standard phpnuke Admin Control Panel (ACP). There are other safeguards built into NukeSentinel(tm) that protect admin.php, but this is a very nice and secure caveat.
Should you find yourself in the smaller group of users that require CGI Auth (as we call it), the following procedure will need to be done to use and activate CGI Auth (HTTP Authentication using .htaccess and .staccess).
* Change your permissions on both .htaccess and .staccess to 777
* Place the paths to .htaccess and .staccess in the NukeSentinel(tm) Admin Control Panel
* Select CGI Auth Access from the drop down box
* From the NukeSentinel Admin Control Panel, select Scan For New Admins
* Now select Admin Auth List and make sure that all admins have been assigned passwords
* Now, you should see a link that says Build CGIAuth file: -- Click it. That will build your .staccess id:pass file.
* Now back in the main NS ACP, in the .staccess box, you will see a link that says CGI Auth Setup -- click it. It should produce a new window with the following information:
Save this in .htaccess :
# -------------------------------------------
# Start of NukeSentinel(tm) admin.php Auth
# -------------------------------------------
<Files .staccess>
deny from all
</Files>
<Files admin.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted by NukeSentinel(tm)"
AuthType Basic
AuthUserFile /home/USERNAME/public_html/.staccess
</Files>
# -------------------------------------------
# End of NukeSentinel(tm) admin.php Auth
# -------------------------------------------
USERNAME will be your username and the path may be different
* Copy and paste that into your .htaccess file
That is the procedure. It sounds more complicated than what it is and I took the long way around hoping you'd understand it more clearly. |
|
|
|
 |
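An added example, not part of the original post or of NukeSentinel's own code: a Python check of the CGIAuth block quoted above. It flags a `require valid-user` placed inside `<Limit>` (Apache then enforces it only for the listed methods), a password file with no deny rule, and files still world-writable after the chmod 777 step; `audit_cgiauth`, `world_writable` and the finding codes are hypothetical names.

```python
import os
import re
import stat

# Constructed sample: the block from the "CGI Auth Setup" window quoted above.
SAMPLE = """<Files .staccess>
deny from all
</Files>
<Files admin.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted by NukeSentinel(tm)"
AuthType Basic
AuthUserFile /home/USERNAME/public_html/.staccess
</Files>
"""

def audit_cgiauth(text, pw_name=".staccess", target="admin.php"):
    """Return (findings, AuthUserFile path) for a CGIAuth .htaccess block."""
    stack, findings = [], []      # stack holds the open <Files>/<Limit> sections
    denied, required, userfile = False, False, None
    for line in (l.strip() for l in text.splitlines()):
        tag = re.match(r"<(/?)(\w+)\s*([^>]*)>$", line)
        if tag:
            if tag.group(1):
                stack = stack[:-1]            # closing tag: leave the section
            else:
                stack.append((tag.group(2).lower(), tag.group(3).strip(' "')))
            continue
        low = line.lower()
        files = [arg for name, arg in stack if name == "files"]
        limits = [arg for name, arg in stack if name == "limit"]
        if pw_name in files and low in ("deny from all", "require all denied"):
            denied = True
        if target in files and low.startswith("require valid-user"):
            required = True
            if limits:  # rule is enforced for the listed methods only
                findings.append("limit-scoped:" + limits[-1])
        if low.startswith("authuserfile "):
            userfile = line.split(None, 1)[1]
    for flag, code in ((denied, "pwfile-not-denied"), (required, "no-valid-user")):
        if not flag:
            findings.append(code)
    return findings, userfile

def world_writable(path):
    """True if 'other' can write the file, as after the chmod 777 step."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)
```

The check applies to CGIAuth only; with HTTPAuth no .htaccess block is needed, so `no-valid-user` is expected there. The returned AuthUserFile path is the file to confirm exists and is non-empty when the prompt asks for a password nobody knows.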
montego

|
Posted:
Thu Nov 16, 2006 5:33 am |
|
|
|
 |
aespinal

|
Posted:
Thu Nov 16, 2006 10:25 am |
|
I greatly appreciate this wonderful explanation.
My problem continues with the .htaccess file: when it is there, the system stops me, so I assume it is related to the lines "require valid-user" in
<Files admin.php>
<Limit GET POST PUT>
require valid-user
</Limit>
AuthName "Restricted by NukeSentinel(tm)"
AuthType Basic
AuthUserFile /home/USERNAME/public_html/.staccess
</Files>
If the function of those lines is to request for a second time to validate the admin, I think I don't need it... Without that request, the .htaccess would go... |
|
|
|
 |
montego

|
Posted:
Fri Nov 17, 2006 5:58 am |
|
In the NukeSentinel administration setup, what method of "Admin Auth" did you choose?
What happens if you comment out those lines? Do you still get your first pop-up when you asked for admin.php? If so, then you are using HTTPAuth, which is fine, and you do not need those lines. |
|
|
|
 |
aespinal

|
Posted:
Fri Nov 17, 2006 9:21 am |
|
With the following .htaccess lines and HTTPAuth, everything works fine
<Files .staccess>
deny from all
</Files>
Am I protected? |
|
|
|
 |
kguske
Site Admin

Joined: Jun 04, 2004
Posts: 6437
|
Posted:
Fri Nov 17, 2006 10:43 am |
|
If you have a separate HTTP authentication login before logging into your admin page, and different user ids and different, difficult-to-guess passwords for both, you should be protected. |
_________________ I search, therefore I exist...
|
|
 |
montego

|
Posted:
Sat Nov 18, 2006 7:19 am |
|
And with HTTPAuth, you also do not need to have the .staccess file, and you can also remove the statements from your .htaccess:
<Files .staccess>
deny from all
</Files>
If after you do this, you still get the pop-up for your first access within a new browser window to admin.php, you are protected (but kguske's comments should also be taken into consideration - these should just be standard things we do these days with our logins). |
|
|
|
 |
aespinal

|
Posted:
Sat Nov 18, 2006 8:50 am |
|
Thanks, friends for all your help.
I have a last request:
I know how to change the admin.php file and indicate it in config.php; when I do that it works ok, but on logout the system still looks for admin.php.
Is there another file that I need to change? |
|
|
|
 |
Guardian2003
Site Admin

Joined: Aug 28, 2003
Posts: 6799
Location: Ha Noi, Viet Nam
|
Posted:
Sat Nov 18, 2006 9:14 am |
|
Leave that at its default setting; it doesn't offer any benefits to change the location of the admin file and can even cause things to stop working, especially any modules you might add. |
|
|
|
 |
|