PHP-Nuke Security Tools

Posted on Thursday, June 03, 2004 @ 00:21:39 CDT in General
by kguske

Here is a comparison of the advertised features of 7 tools for protecting PHP-Nuke-based websites. Each tool has its own unique features to help you protect your PHP-Nuke-based website. This comparison can help you choose among alternatives.
Updated 6/14/2005 with NukeSentinel(tm) version 2.3.0
Updated 12/19/2004 with NukeSentinel(tm) version 2.1.2
Updated 10/7/2004 with additions to Protector System
We have not evaluated these solutions, thus we leave the editorial for you in our Forums. We welcome corrections to the comparisons below, which were based on features noted in the documentation.

| PHP-Nuke Security Tools | Admin Secure | Fortress™ | Intrusos | myNukeSecurity | NukeSentinel™ | NSN Secure Admin | Protector |
|---|---|---|---|---|---|---|---|
| Version | 1.7 | 1.20 Beta | 2.0 | 1.01 | 2.3.0 | 1.1.1a | 1.15.b2 |
| Requires | PHP-Nuke 5.5 to 7.40 | Can be integrated with any PHP-based portal | PHP-Nuke | PHP-Nuke 6.5 to 7.3 | PHP-Nuke 6.5 to 7.8 (24) | PHP-Nuke 6.5 to 7.2 | PHP-Nuke 6.5 to 7.4 |

Replaces
Includes updated Union Tap
Includes mySecureAdmin Hackalert,
IP Banner


Advertised Features

| Feature | Admin Secure | Fortress™ | Intrusos | myNukeSecurity | NukeSentinel™ | NSN Secure Admin | Protector |
|---|---|---|---|---|---|---|---|
| Blocks Cross Site Scripting (XSS) | Yes (1) | Yes (2) | No | No | Yes | No | Yes |
| Verify Admin account session from cookie | Yes | No | No | Yes (18) | No | No | Yes |
| Insert Admin DEFINE for newer patched modules if not present | No | No | No | No | Yes | No | No |
| Use HTTP Authorization for Admin access, if available | Yes (20) | No | No | No | Yes (21) | No | No |
| Compare admin account to "mirrored" table or valid IP Address | Yes | No | Yes | Yes | No (3) | Yes | Yes |
| Admin acct changes require God admin approval | Yes | No | No | No | No | Yes | No |
| Delete unapproved admins on Admin Panel | Yes | No | No | No | No (3) | Yes | No |
| Admin account change notification | Yes | No | No | No | No | No | No |
| Ban Level | Site / Server & modules | Site | Admin | Site | Site / Server | Admin | Site / Server & modules |
| Ban by IP | Single, class or range (19) | Yes | No | Single or class | Single, class, or range | No | Single, class, or range |
| Ban by User ID / Username | Yes | No (2) | No | No | No | No | Yes (4) |
| Ban by Referer | No | No | No | Yes | Yes | No | Yes |
| Ban by Proxy | Manual | Manual | No | Yes | Yes | No | Yes |
| Ban Bots, Spiders, Harvesters | Yes | Manual | No | No | Yes | No | Yes |
| Ban Expiration | Yes (5) | No | No | No | Yes | No | Yes |
| Block SQL Injections | Yes (6) | Yes | No | Yes | Yes | No | Yes |
| - Plaintext | Yes | Yes | No | Yes | Yes | No | Yes |
| - Base64 | Yes | Yes | No | Yes | Yes | No | Yes |
| - Hex | Yes | Yes | No | No | Yes | No | Yes |
| - c-Like | Yes | Yes | No | No | Yes | No | Yes |
| Block Bad HTML | Yes (6) | Yes | No | Yes | Yes | No | No |
| Block Selected Request Methods | Yes | No | No | No | Yes | No | No |
| Block Specified Strings from Database Queries | No | No | No | No | Yes | No | No |
| DoS / Flood Protection | Yes | No | No | No | Yes | No | Yes (7) |
| Santy Worm Protection | No | No | No | No | Yes | No | No |
| Classless Inter-Domain Routing (CIDR) Support | No | No | No | No | Yes | No | No |
| Fight Back | Notification | Notification (8) | Notification | Notification | PopUps On/Off (9) | No | Notification |
| Auto Ban | On/Off | On/Off (10) | No | Yes | On/Off | No | Yes |
| Ban Storage | database, .htaccess | htm, CSV (11) | database | log file | database, .htaccess | database | database, .htaccess |
| Email Notification | Yes | Yes (12) | No | On/Off | On/Off | On/Off | Yes |
| Blocked Page | Html, error page (13) | html | hard-coded | hard-coded | html / template or forward | n/a | html or forward |
| Banned Display | None provided | HTML, CSV | Module | Log file | Last 10 and Blocked IPs, Scrolling, Count | None provided | Banned IP Block, Site Info |
| Admin Function | Yes | No | Yes | Yes | Yes | Yes | Yes |
| Context-sensitive Help | No | No | No | No | Yes | No | Yes |
| Protected IPs (testing) | Yes | Manual | n/a | Yes | Single or range | n/a | Yes |
| Remove ban | Function | Manual | n/a | Manual | Function | n/a | Function |
| Admin.php access attempt logging | Yes | No | Yes | Yes | Yes (22) | Yes | Yes |
| Blocked module access attempt logging | Yes | No | No | No | No | No | Yes |
| Performance Impact | DB Queries (14) | CSV Lookup (15) | DB Insert On Attack | Log file write on Attack | DB Queries (14) | DB Queries | DB Queries |

Additional Features
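
| Feature | Admin Secure | Fortress™ | Intrusos | myNukeSecurity | NukeSentinel™ | NSN Secure Admin | Protector |
|---|---|---|---|---|---|---|---|
| Visitor logging | Yes | No | No | No | Yes (22) | No | Yes |
| Remove inactive users | No | No | No | No | No | No | Yes |
| Site Close / Open Admin Function | Yes | No | No | No | Yes | No | Yes |
| Maximum Site Visitors | Yes | No | No | No | No | No | No |
| Tracking System | Yes (16) | No | No | No | Yes (22) | No | Yes (17) |
| Optimize & repair tables | Yes | No | No | No | Yes (23) | No | Yes |
| Add Notes to logged IP addresses | No | No | No | No | Yes | No | Yes |
| Download and upload banned IP addresses for sharing with other sites | Yes | No | No | No | No | No | No |
| IP to Country Lookup | No | No | No | No | Yes | No | Yes |
| List / Ban IP Ranges by Country | No | No | No | No | Yes | No | No |
| Edit .htaccess file through Nuke admin | No | No | No | No | No | No | Yes |
| Supports PHP-Nuke 7.7+ WYSIWYG Editor | No | No | No | No | Yes | No | No |
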
1 index.php and modules.php
2 To be enhanced in future release of Fortress™
3 A mirrored admin table exists, and could be used for this purpose with modifications
4 Select users to ban
5 For modules only, Ban expiration for entire site to be incorporated in future release of Admin Secure
6 “Deep Scanning” option
7 Hammer
8 Alligators
9 PC Killer available as an add-on template from GanjaUK.com
10 BanOnDemand™
11 HTM for logging, CSV for banning; No database tables are required
12 Summary notification to pager and/or detail email notification
13 400, 403, 404, 410 error pages
14 Using visitor tracking option can negatively impact performance
15 "Has been tested on a site passing 7.5 million page hits per month"
16 Affects Performance
17 Logs attempts after banning
18 All cookies are coded with md5 hash
19 Generates individual IP bans for IPs within ranges, which can only be entered on IP upload
20 Supports HTTP Admin Authentication only if PHP is compiled as an Apache module, rather than as a CGI module
21 Supports HTTP Admin Authentication if PHP is compiled as an Apache module OR as a CGI module
22 Via IP tracking module, which can impact performance
23 Database functions operate on all Nuke database tables, not just those required for protection
24 NukeSentinel authors currently recommend using versions of PHP-Nuke prior to 7.7 until security issues are addressed