• Hi, I've installed NodeBB on my server, and NodeBB is awesome. I just want to ask: how do I change the admin login page URL for better security?

    Thanks.

  • GNU/Linux

    Welcome to NodeBB. We have login attempt protection just like in WordPress. So even if someone brute forces your password, they get the maximum number of set attempts by default.

    Nice suggestion, by the way. I would be delighted to see a different login name and different username option, if it is not already planned in the next release, @psychobunny.


  • I for one would still feel more secure if I could change my admin panel's URL.


  • This might be implemented down the road as a plugin. Could even set up a fake honeypot to track those trying to access it.


  • @meetdilip Interesting thought, this would usually be done with a Display Name rather than a username. However, this was done due to brute force being a lot easier at the time, when passwords were encrypted with MD5 etc. With brute force protection, it's not something that's really necessary anymore.

    I'll back this up with a few stats. NodeBB requires a password of at least 8 characters. Assuming you use a mixture of letters and numbers, it would take about 1 day 15 hours to brute force that 8-character password due to the 57731386986 combinations. Now imagine after every 3 failed attempts, it has to stop for 15 minutes because the account is locked out, so it's not even trying the combinations anymore. If someone obtained your admin password, it won't be through a brute force attack on NodeBB, it will be something silly like you reusing the same password on Adobe's website and them getting hacked.

    Interesting story, as you've used SMF in the past. Popular antivirus supplier Avast had their forum hacked (they used SMF). In the press release, Avast claimed it was down to a vulnerability in SMF. SMF emailed them and asked them to prove it, or at least allow them to investigate. No vulnerability was found. Instead, the attack came from someone logging in 4 months prior using an admin account and slowly planting code into SMF via that admin's control panel. It was assumed that the admin had used the same password somewhere else with the same username.

    Moral of the story. Use different passwords, you'll be fine. 👍

    EDIT: For the giggles, I calculated the time taken to bruteforce my password...

    3.1809331492444e+33 years.

    That's 2.3x10^23 times longer than the age of the universe. 😆

  • Admin

    Meanwhile, his password actually is a_5mithrox

    I think it might be possible to reroute the admin page to another URL via a plugin, but at this point your account is already compromised (due to lack of secure password), so you're already in trouble anyways...

    Moral of the story. Use different passwords, you'll be fine. 👍

    👍


  • @psychobunny my first wireless router had a 25+ character key to get into the wireless. It's that. 😆


  • So, can anyone tell me how to change the admin login page?
    Like example.com/blablabla?


  • @YOLO said:

    So, can anyone tell me how to change the admin login page?
    Like example.com/blablabla?

    @psychobunny said:

    I think it might be possible to reroute the admin page to another URL via a plugin, but at this point your account is already compromised (due to lack of secure password), so you're already in trouble anyways...
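
Added example, not written by any poster in this thread and not NodeBB's own code: a minimal per-account lockout using the figures quoted above (3 failed attempts, then a 15-minute lock), plus a simulation of how many password checks actually happen in a day against such an account. The class and function names are hypothetical, and the simulated client rate of one attempt per second is an assumption.

```javascript
// Added illustration only; names and the simulated request rate are assumptions.
const MAX_ATTEMPTS = 3;          // failed attempts before lockout (figure from the thread)
const LOCK_MS = 15 * 60 * 1000;  // 15-minute lockout (figure from the thread)

class LoginLockout {
  // `now` is injectable so the lockout can be tested with a simulated clock.
  constructor(now = () => Date.now()) {
    this.now = now;
    this.state = new Map(); // username -> { fails, lockedUntil }
  }

  // Returns 'ok', 'fail' or 'locked'. While locked, the password is never checked,
  // so even a correct guess is rejected until the lock expires.
  attempt(username, passwordOk) {
    const t = this.now();
    const s = this.state.get(username) || { fails: 0, lockedUntil: 0 };
    if (t < s.lockedUntil) return 'locked';
    if (passwordOk) {
      this.state.delete(username); // success clears the failure counter
      return 'ok';
    }
    s.fails += 1;
    if (s.fails >= MAX_ATTEMPTS) {
      s.fails = 0;
      s.lockedUntil = t + LOCK_MS;
    }
    this.state.set(username, s);
    return 'fail';
  }
}

// Counts how many wrong passwords are actually evaluated (not rejected as 'locked')
// when a client submits one every `intervalMs` for `periodMs`.
function evaluatedGuesses(periodMs, intervalMs) {
  let clock = 0;
  const guard = new LoginLockout(() => clock);
  let evaluated = 0;
  for (; clock < periodMs; clock += intervalMs) {
    if (guard.attempt('admin', false) !== 'locked') evaluated += 1;
  }
  return evaluated;
}

const DAY_MS = 24 * 60 * 60 * 1000;
console.log(evaluatedGuesses(DAY_MS, 1000)); // 288 checks out of 86400 requests
```

With these settings the account sees at most 288 evaluated guesses per day regardless of how fast requests arrive, which is why the lockout matters more than the raw size of the password space.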
