X3 Photo Gallery Support Forums

hyc
Experienced
Topic Author
Posts: 27
Joined: 24 Jul 2021, 06:09

Panel security, 2FA, and login form

24 Jul 2021, 08:46

Hi all,

I am discovering this tool and trying to understand the possibilities prior to making my choice.

While looking at the demo website I wasn't able to find answers to my questions. Please let me know if you know about it:

1- is there some admin tools management to protect the panel better?

2- can we change the name of the admin link to anything else (/admin instead of /panel for example)?

3- in the login from the demo, I inspected and saw an input field nickname (with value 'googooforgaga'). What is that? Some sort of backdoor?

Thank you for your help!
 
mjau-mjau
X3 Wizard
Posts: 13993
Joined: 30 Sep 2006, 03:37

Re: Panel security, 2FA, and login form

25 Jul 2021, 04:47

Hi!
hyc wrote: 2- can we change the name of the admin link to anything else (/admin instead of /panel for example)?
Yes, and that is a good idea, something I do myself. You can rename the panel to a "secret" folder name that only you know, and access the panel from your secret URL. Highly effective security through obscurity.
hyc wrote: 3- in the login from the demo, I inspected and saw an input field nickname (with value 'googooforgaga') what is that ? some sort of backdoor ?
This is a built-in anti-bot "honeypot" mechanism. Basically we add two input fields invisible to humans, one which is pre-populated and one which is empty. Then we adjust the values via JavaScript on human interaction. If either of the two fields is incorrectly populated on login, the login attempt is blocked. Bots will usually try to populate input fields on login, and this allows us to catch them.
hyc wrote: 1- is there some admin tools management to protect the panel better ?
There are no specific "tools" for this, and the X3 panel login already has several mechanisms in place to prevent mischief. The X3 panel has been around several years already, with no reports of hijacking, so I think it's pretty effective. Having said that, you can never be paranoid enough about security. In addition to the above, I might suggest the following:
  • Personally, I use Cloudflare Access for my X3 panel URL. Basically it's another login layer, which sends a login code by email when you attempt to log in. This requires your website to be using the Cloudflare service of course, but it's available in the "free" plan.
  • You could also set up additional protection via .htaccess (if Apache server), in which case you can block access to a URL by additional login and/or user-agent and/or IP range. Personally, I block some URLs so that they can only be accessed by Mac|Chrome.
  • Of course, use a strong password.
Keep in mind, if someone somehow gets access to your username and password, there's not much that can be done (unless you have additional layers of security).
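
The two-field honeypot check described in the reply above, as an added example that is not part of the original posts and is not X3's own code. Only the `nickname` field and its value `googooforgaga` come from the thread; the second field name, the values the script writes on interaction, and all function names are assumptions.

```javascript
// Added illustration of a two-field login honeypot. Assumed: the script clears
// the pre-populated field and writes a marker into the empty one.
const FIELDS = {
  prefilled: { name: 'nickname', initial: 'googooforgaga', afterHuman: '' },
  empty: { name: 'contact_time', initial: '', afterHuman: 'ok' }, // hypothetical field
};

// Hidden fields as first rendered in the login form (modelled as a plain object).
function renderHiddenFields() {
  const form = {};
  for (const f of Object.values(FIELDS)) form[f.name] = f.initial;
  return form;
}

// Client side: what the page script does on the first real key or pointer event.
function onHumanInteraction(form) {
  for (const f of Object.values(FIELDS)) form[f.name] = f.afterHuman;
  return form;
}

// Server side: run before any credential check; block if either field is wrong.
function checkHoneypot(body) {
  for (const [key, f] of Object.entries(FIELDS)) {
    const value = body[f.name];
    if (typeof value !== 'string') return { ok: false, reason: `${key} field missing` };
    if (value !== f.afterHuman) return { ok: false, reason: `${key} field has unexpected value` };
  }
  return { ok: true, reason: null };
}

// Constructed sample submissions (credentials are placeholders).
const creds = { username: 'user', password: 'placeholder' };
const samples = {
  human: { ...onHumanInteraction(renderHiddenFields()), ...creds },
  postsFormAsRendered: { ...renderHiddenFields(), ...creds },
  fillsEveryInput: { nickname: 'user', contact_time: 'user', ...creds },
  omitsHiddenFields: { ...creds },
};

for (const [label, body] of Object.entries(samples)) {
  console.log(label, checkHoneypot(body));
}
```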