Category: vBulletin 4 Articles
[HOW TO - vB4] Time based OTP for ACP

One of the recommended security precautions all of us vBulletin administrators should have in place is an ACP that is password protected at the web server level.
This is easily done when Apache is in the picture by placing an .htaccess file in the admincp directory that points to the appropriate password file.
There is no reason to go further into this, as it's something we all more or less know.

How about extending the password protection so that the HTTP authentication passwords change every now and then?
We would need to log in to our server, change the passwords, and notify our fellow administrators.
Easy job, but just another thing we need to have on our admin task list.

How about making the HTTP passwords rotate automatically if we are not logged in to the vBulletin ACP?
I liked the idea since I use OTP all the time for Google, eBanking and other services.

So I compiled a short bash script that does the trick.
It runs every minute via cron, checks if there's an active admin session and if not rotates the HTTP password every 30 seconds.
I would then set up an account in the Google Authenticator (or other RFC 6238 compatible) application on my smartphone and I'm good to go.

This is a recent update to the approach described here (http://www.theadminzone.com/threads/vbulletin-4-x-one-time-password-acp-protection.104363/) that we had running for a couple of years.

The attached script is commented so you can get the details by simply checking its contents.
In its current form it works with Apache and vBulletin 4.x, but one could easily adapt it to other web servers or software.

Of course, any comments and/or enhancement ideas are always welcome and appreciated.

And the usual "use it at your own discretion and risk":
The script is provided "as is" without any implied or expressed warranty it will suit your needs or environment.


With fellow-admin greetings,

McGyver
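
The rotation step described in the article, sketched in Python as an added example; this is not the attached bash script. The names `totp`, `htpasswd_line`, `rotate` and `SAMPLE_SECRET` are assumptions, and how an active admin session is detected is left to the caller as the `session_active` flag.

```python
import base64, hashlib, hmac, os, struct, tempfile

def totp(secret_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `at`."""
    key = base64.b32decode(secret_b32.upper())
    counter = struct.pack(">Q", int(at) // step)      # 8-byte big-endian step counter
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)     # keep leading zeros

def htpasswd_line(user: str, password: str) -> str:
    """Apache '{SHA}' entry. Chosen here only because it needs no extra
    libraries; it is unsalted, and bcrypt (htpasswd -B) is the stronger format."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}\n"

def rotate(path: str, user: str, secret_b32: str, now: float,
           session_active: bool) -> bool:
    """Set the HTTP password to the current code unless an admin is logged in."""
    if session_active:
        return False      # leave the password the logged-in admin authenticated with
    line = htpasswd_line(user, totp(secret_b32, now))
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
    with os.fdopen(fd, "w") as fh:
        fh.write(line)
    os.chmod(tmp, 0o640)  # assumption: Apache reads the file through its group
    os.replace(tmp, path) # atomic swap, so Apache never sees a half-written file
    return True

# Constructed sample secret: the RFC 6238 test key, base32-encoded the way an
# authenticator app expects it. A real deployment uses its own random secret.
SAMPLE_SECRET = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    import time
    print(totp(SAMPLE_SECRET, time.time()))
```

The server clock has to stay in sync with the phone (NTP), since both sides derive the code from the current 30-second step.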









