hey,
my friend has placed his admin folder like this www.somesite.com/admin so as to have easy access to it when he needs it... this obviously makes any Tom, Dick and Harry have access to the id/password pop-up... he seems to think that no one will bother to do a dict/brute crack on it.... should he be worried.... is there any easy way by which someone can hijack his site
exploit vulnerability
- bad_brain
- Site Owner
Hm, hard to say, depends on which server and administration app version is installed, correct CHMOD settings, etc... the path isn't that important.
Webmin for example has an option to add a continuously expanding delay between each failed login attempt ("Enable password timeouts"), so an attacker who tries to brute force the login would need months...
But it's possible to block someone completely after a defined number of failed login attempts by an Apache module named pw_auth too, available here.
And it's essential to choose GOOD passwords and usernames, use the maximum amount of possible digits with numbers, letters in lower and upper case and (if possible) special symbols like $%'#....
Just give us a little more info about the server and we can give you more help, because there are many options like the combination of symmetric/asymmetric password authentication and so on....
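The two defences bad_brain describes, a delay that grows after every failed attempt and a hard block after a set number of failures, as an added example that is not the thread's code and is not Webmin's or pw_auth's implementation; the client key (an IP here), the doubling schedule and the thresholds are assumptions chosen for illustration.

```python
"""Added example: per-client login throttling plus hard lockout.

(1) grows the wait after each failure, like Webmin's "Enable password
timeouts"; (2) locks the client after N consecutive failures, like an
Apache lockout module. The clock is injectable so tests need not sleep.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict
import time


@dataclass
class ClientState:
    failures: int = 0           # consecutive failed attempts
    not_before: float = 0.0     # earliest time another attempt is allowed
    locked: bool = False        # hard lockout reached


@dataclass
class LoginThrottle:
    base_delay: float = 1.0     # seconds imposed after the first failure
    max_delay: float = 3600.0   # cap on the growing delay
    lockout_after: int = 10     # consecutive failures before hard lock
    now: Callable[[], float] = time.monotonic   # injectable clock
    _clients: Dict[str, ClientState] = field(default_factory=dict)

    def allowed(self, client: str) -> bool:
        """May this client (e.g. an IP string) attempt a login right now?"""
        st = self._clients.get(client)
        if st is None:
            return True
        return not st.locked and self.now() >= st.not_before

    def record_failure(self, client: str) -> float:
        """Register a failed attempt; return the wait imposed (0.0 if locked)."""
        st = self._clients.setdefault(client, ClientState())
        st.failures += 1
        if st.failures >= self.lockout_after:
            st.locked = True
            return 0.0
        # Delay doubles with each consecutive failure: 1s, 2s, 4s, ... up to cap.
        delay = min(self.base_delay * 2 ** (st.failures - 1), self.max_delay)
        st.not_before = self.now() + delay
        return delay

    def record_success(self, client: str) -> None:
        """A correct login clears the counter; a locked client stays locked."""
        st = self._clients.get(client)
        if st is not None and not st.locked:
            self._clients.pop(client)
```

A login handler would call `allowed()` before checking credentials and `record_failure()` / `record_success()` afterwards; the lockout state should be persisted if the server runs more than one process.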