awardle
Posted January 24, 2009

Hi,

Is it possible to secure the cron.php file, to prevent anyone going to that URL and running a cron job? I.e. if it could check if localhost executed it?

For example, my cron runs every day at 8am, however at 11:50 the cron job has been run again by what looks like a bot.

HTTP/1.0 ia_archiver+(+http://www.alexa.com/site/help/webmasters;+crawler@alexa.com)

I'm still looking into why or how the bot found this cron page, but was also thinking any user who knows that a website is running WHMCS could also execute the cron whenever they like. Which is a complete pain, as my customers have been sent two reminders in just one day.

Thanks
Aaron.

bear
Posted January 24, 2009

You could (and probably should) restrict access to the admin area to certain IPs, as well as renaming it to prevent anything "finding" that directory accidentally.

    Order Deny,Allow
    Deny from all
    Allow from ip.address.goes.here

I should think you could also rename it, just make sure you change your cron entry to the new name.

awardle (Author)
Posted January 24, 2009

Thanks for the reply, I did not know I could rename the folder so will do just that. I might also password protect the entire admin folder with IIS Password as our Windows Scheduler system can log into this.

Thanks

bear
Posted January 24, 2009

If you do rename the folder, make sure you take these steps:
http://wiki.whmcs.com/Furthur_Security_Steps

othellotech
Posted January 25, 2009

or just rename cron.php and add a "honeypot" cron.php which can be used to update your f/walls and block the-little-sh!ts that try and abuse your setup

bear
Posted January 25, 2009

> I should think you could also rename it, just make sure you change your cron entry to the new name.

> or just rename cron.php

Yeah, that.
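
Added example, not part of the thread and not WHMCS code: a Python audit of an IIS W3C extended log that lists every request for cron.php from an address other than the scheduler's, which confirms whether an IP restriction or rename is holding. The log excerpt, paths, addresses and exact times are constructed, and the loopback allowlist assumes the scheduled task calls the URL from the server itself.

```python
import ipaddress

# Constructed IIS W3C extended log excerpt (not from the thread). Paths,
# addresses and times are made up; the user agent is the one quoted above.
SAMPLE_LOG = """\
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs-version cs(User-Agent)
2009-01-24 08:00:02 127.0.0.1 GET /whmcs/admin/cron.php 200 HTTP/1.1 -
2009-01-24 09:14:40 203.0.113.9 GET /whmcs/index.php 200 HTTP/1.1 Mozilla/5.0
2009-01-24 11:50:17 198.51.100.23 GET /whmcs/admin/cron.php 200 HTTP/1.0 ia_archiver+(+http://www.alexa.com/site/help/webmasters;+crawler@alexa.com)
2009-01-25 08:00:01 ::1 GET /whmcs/admin/cron.php 200 HTTP/1.1 -
2009-01-25 13:02:55 198.51.100.77 GET /whmcs/admin/CRON.PHP 403 HTTP/1.1 Mozilla/5.0
"""

def unexpected_cron_hits(log_text, allowed=("127.0.0.1/32", "::1/128"),
                         script="cron.php"):
    """Return requests for `script` whose client IP is outside `allowed`."""
    nets = [ipaddress.ip_network(n) for n in allowed]
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column order is per-site configuration, so read it from the log.
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # IIS paths are case-insensitive, so compare the file name in lower case.
        if row.get("cs-uri-stem", "").lower().rsplit("/", 1)[-1] != script.lower():
            continue
        try:
            ip = ipaddress.ip_address(row.get("c-ip", ""))
        except ValueError:
            continue  # malformed row; skip rather than guess
        if any(ip in n for n in nets):
            continue  # the scheduler's own request
        hits.append({
            "when": f"{row.get('date', '?')} {row.get('time', '?')}",
            "ip": str(ip),
            "status": row.get("sc-status", "?"),  # 200 = served, 403 = blocked
            "agent": row.get("cs(User-Agent)", "-"),  # IIS logs spaces as '+'
        })
    return hits

if __name__ == "__main__":
    for h in unexpected_cron_hits(SAMPLE_LOG):
        print(h["when"], h["ip"], h["status"], h["agent"])
```

A hit with status 200 means the job was served to an outside client; after the restriction is in place, outside hits should show 403 or 404 only.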