Suppose I have index.php and admin.php.

If there is no link to admin.php inside index.php, is there a way to know that the page admin.php exists, other than by trying to type it in the browser? (Because, when you don't have an index.php, and if you don't disable Index in .htaccess, one can see all pages on the server...)

If not, does it mean it's better to rename my admin page with a complex string (for example a 64-character alphanumeric string) instead of "admin.php", so that someone who tries admin.php will get a 404 instead of my admin page? Someone trying to brute force will have to first find the admin page, and then crack the password?

Mansur Khan

2 Answers

No. Not unless you do something silly like allow upload of scripts to the server (in which case a person could upload a shell that could read all your files), or you have indexing enabled.

You can disable indexing with htaccess by placing the following in an .htaccess file on the root of your server:

Options -Indexes

However, there are several tools that bruteforce/try regular names for admin systems (/admin.php, /admin, /wp-admin etc.) that could find names such as admin.php very easily.

Most importantly, though, if your security is good enough (usernames/passwords and such), it doesn't matter whether a person can see your admin.php file, and that's the approach you should go for.

h2ooooooo
  • Does it mean that if your admin page is a complex URL, it is more secure? Because a brute force will need to find your page, and then to find the password. – Mansur Khan May 25 '13 at 14:49
  • No, it could still be bruteforced, and if your security is lacking, then anyone with the link could *accidentally* publish the link to the public eye, hence opening up your entire admin interface. – h2ooooooo May 25 '13 at 14:50
  • @h2ooooooo, I believe OP is referring to it as an extra layer of security, on top of the usual username/password one. I personally don't think it's necessary, but it wouldn't hurt to have it. – Matanya May 25 '13 at 14:53
  • It's like this: try to imagine I have a car and I put it in the street or I put it in the jungle. The main security point is the door locks. But I should also add that this is additional security too, because fewer people will have the chance to try to hack it, or it's not so easy to find that way. – Sina R. May 25 '13 at 14:54
  • I agree it can be brute forced, but it will require an amount of time. If the admin URL is a 64-character alphanumeric string, you will need to find it first and then brute force the password. To me it adds security? Am I missing something? – Mansur Khan May 25 '13 at 14:55
  • Good one, @imsiso, but the jungle still makes stealing less plausible, as the car is less likely to be found in the first place, let alone broken into. – Matanya May 25 '13 at 14:55
  • @imsiso: I agree with you, the car will be secured only with the doors locked, but still, it will be safer in the jungle than in a dangerous area, for instance. – Mansur Khan May 25 '13 at 14:57
  • @MansurKhan I don't know what you want to discuss. I say do that because it's not so hard and/or it for sure will not cause a security leak. BTW, are you from India? – Sina R. May 25 '13 at 15:12
The only way I could figure out is quite funny, but here it is:

What about validating the IP Address of the user then redirect (server-side, obviously) to a page that doesn't exist if the test fails?

That would let the unauthorized user think that the page doesn't even exist. Then, if that user can figure out that he got tricked and manages to find an authorized IP (assuming that he also pretends to have this IP), your login security will stand in his way.

Frederik.L
  • This could be done with a simple [fake 404 page](http://stackoverflow.com/questions/437256/sending-a-404-error-in-php). You'll have to copy your web server's regular 404 page HTML yourself though, as it's otherwise very easy to see the difference. – h2ooooooo May 25 '13 at 15:42
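The IP check plus fake 404 described in this answer and its comment, written out as an added example (not code from either poster). The allowlist addresses and the template path are assumptions; the template is expected to be a saved copy of the web server's genuine 404 response body.

```php
<?php
// Added example: gate admin.php behind an IP allowlist and answer everyone
// else with a 404 that matches the server's own, so the page appears absent.
declare(strict_types=1);

// Constructed allowlist (assumption): addresses permitted to reach the admin page.
const ADMIN_ALLOWED_IPS = ['203.0.113.10', '198.51.100.25'];

// Assumed path to a byte-for-byte copy of the server's stock 404 body.
// Save it from a real 404 response so the fake and the genuine page match.
const FAKE_404_TEMPLATE = __DIR__ . '/templates/server-404.html';

function clientIp(): string
{
    // Use the TCP peer address only. X-Forwarded-For is client-supplied and
    // must not be trusted unless a reverse proxy you control rewrites it.
    return $_SERVER['REMOTE_ADDR'] ?? '';
}

function isAllowed(string $ip, array $allowlist): bool
{
    // Strict exact-match comparison; keep the list explicit, no wildcards.
    return $ip !== '' && in_array($ip, $allowlist, true);
}

function sendFake404(string $templatePath): void
{
    // Same status and content type the server's own 404 uses; add no extra
    // headers or markup that would distinguish this from a real miss.
    http_response_code(404);
    header('Content-Type: text/html; charset=iso-8859-1');
    if (is_readable($templatePath)) {
        readfile($templatePath);
    } else {
        // Fallback shaped like Apache's default page; prefer the copied template.
        echo "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n"
           . "<html><head>\n<title>404 Not Found</title>\n</head><body>\n"
           . "<h1>Not Found</h1>\n"
           . "<p>The requested URL was not found on this server.</p>\n"
           . "</body></html>\n";
    }
    exit;
}

// Run the gate before any session start or admin markup, so a denied request
// produces no cookie or output that a real 404 would not.
if (!isAllowed(clientIp(), ADMIN_ALLOWED_IPS)) {
    sendFake404(FAKE_404_TEMPLATE);
}

// Regular login check and admin interface continue below this point.
```

The gate is a layer in front of authentication, not a replacement for it; the username/password check on the admin page still has to hold for anyone whose address is on the list.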