powered by Jive Software

Admin page security to avoid Hacking

I have a website name http://www.example.com:9090/ - This is default to invoke the admin page of my openfire instance. I am feeling that I should secure the Openfire Admin page so that there should one more authentication before admin page … like via .htaccess or any other way where no one should able to invoke admin page so that hacker should not be able to hack my website.

Any pointer or help will be much appreciated.

Rgds,

Hi,

a double authentication does not really help much. A long password and an administrator name which is not “admin” may help much more.

You could create another account and add it to the system property admin.authorizedJIDs = "admin@example.com,newuser@example.com"

and then test whether you can login with this new account. Then remove "admin@example.com" from admin.authorizedJIDs. So a potential hacker may have some fun guessing the right username and password to get admin access.

Or you use a firewall to block access to port 9090 and then Apache, mod_proxy and mod_auth? to get a basic authentication popup.

LG

I just keep mine behind a firewall and SSH tunnel into it when I need to access it.

Please can you provide the details on how can I keep it behind firewall& SSH for the just the admin page. Please provide more details.

It’s the same as LG suggested, except with SSH instead of Apache. Block port 9090 and/or 9091 with a firewall. And then, assuming your OpenFire server binds to localhost (mine does), create an SSH tunnel and go to http://localhost:9090/ in your browser. SSH tunnel command would be:

ssh -f user@example.com -L 9090:localhost:9090 -N

That will background SSH without executing a command. The -L option tunnels port 9090 on the remote machine to your own local 9090 port, enabling you to access the admin page on the remote machine through the firewall.