In-My-Opinion.org

»How to protect your phpBB forum against hackers«







made...

posted by Xumuk
  


RE: protecting config.php


Here's a tip I use on all my PHPBB installs:

Don't use your hosted account username/password for your mysql database connection info. Create a user called BSS with a password of BBS and give him only the rights needed (ie SELECT, INSERT, UPDATE, DELETE, CREATE). That way if your config.php is compromised for some reason they only have access to the database, not the files. If you have a good backup strategy the damage would be minimal and in some cases not even noticed by your users. This tip combined with this other one about encrypting would be the ultimate. Very Happy

posted by retorq
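The least-privilege database account from the tip above, as an added example (it is not code from the post or from phpBB): a shell function that emits the MySQL statements for an account limited to the five privileges listed, scoped to the forum's own database rather than to the whole server. The database, user, host and password values are placeholders; single quotes and backslashes in the password are doubled because MySQL treats both specially inside string literals.

```shell
#!/bin/sh
# Added example, not from the original thread. Emits the SQL that creates a
# MySQL account holding only SELECT, INSERT, UPDATE, DELETE and CREATE on the
# forum database. All names below are placeholders (not the BSS/BBS values
# from the post); pipe the output into `mysql -u root -p` to apply it.

# Usage: phpbb_grant_sql <database> <user> <password> [host]
phpbb_grant_sql() {
    db=$1
    user=$2
    host=${4:-localhost}
    # Escape the password for a MySQL single-quoted literal: double each
    # backslash, then double each single quote.
    pass=$(printf '%s' "$3" | sed -e 's/\\/\\\\/g' -e "s/'/''/g")

    cat <<EOF
CREATE USER '$user'@'$host' IDENTIFIED BY '$pass';
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE ON \`$db\`.* TO '$user'@'$host';
FLUSH PRIVILEGES;
EOF
}

# Show what would be applied, using constructed placeholder values.
phpbb_grant_sql phpbb_forum forum_app 'change-me' localhost
```

The account is enough for day-to-day board operation. Installing modifications or upgrading alters tables, which this grant does not allow; grant what the upgrade needs from an administrative account for the duration of the change and revoke it afterwards, so the credentials sitting in config.php stay as limited as the tip intends.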
  

Should work now



HIMIK:
if i use this Mod and try to access to the my ACP, i get this message
Fatal error: Cannot redeclare ech0() (previously declared in /home/www/web73/html/beta/a.php:16) in /home/www/web73/html/beta/a.php on line 16

I have uploaded a new .php file now (ver 1.0.1) should work OK now.


posted by knn
  

Great Tips



I have added a bunch of your suggested tips to my BB.

One question with regards to the .htaccess file.
I put that in the root directory of the board itself?

that is the link to my site...so the .htaccess file would be in the bb, correct?

and the .htaccess file is a text file that contains:

RewriteCond %{QUERY_STRING} ^(.*)\%2527
RewriteRule ^.*$ http://127.0.0.1/ [R,L]
Options -Indexes


Thank you for your help! Thumb Up


posted by Sippenhaft
  Rebellion is the only way to reform!

In and below



Sippenhaft:
dasrebellion.com...

that is the link to my site...so the .htaccess file would be in the bb, correct?

Yes. A .htaccess protects all files and folders in the directory where it is AND all files and folders below.
Sippenhaft:
and the .htaccess file is a text file that contains:

You actually should also add

RewriteEngine on

as the first line


posted by knn
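The corrected .htaccess from this exchange, as an added example (not code from either poster): a shell function that writes the three directives with RewriteEngine on as the first line, a check that reports when RewriteCond/RewriteRule lines appear without an enabling RewriteEngine before them (Apache then silently ignores the rules, which is the problem knn points out), and a count of access-log lines carrying the %2527 pattern so you can see whether the rule is being hit at all. Directory and log paths are placeholders, and the log lines in the demo are constructed.

```shell
#!/bin/sh
# Added example, not from the original thread. Paths are placeholders.

# Usage: write_phpbb_htaccess <forum-directory>
# Writes the rules discussed above, with RewriteEngine on as the first line.
write_phpbb_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
RewriteEngine on
# Redirect any request whose query string carries a double-encoded quote (%2527).
RewriteCond %{QUERY_STRING} ^(.*)\%2527
RewriteRule ^.*$ http://127.0.0.1/ [R,L]
# Never list directory contents.
Options -Indexes
EOF
}

# Usage: htaccess_rewrite_ok <file>
# Exit 0 when an enabling RewriteEngine line precedes every RewriteCond and
# RewriteRule, 1 when a rule appears before the engine is switched on (the
# rules are then ignored), 2 when the file has no rewrite directives at all.
htaccess_rewrite_ok() {
    awk '
        /^[[:space:]]*RewriteEngine[[:space:]]+[Oo][Nn]/ { on = 1 }
        /^[[:space:]]*Rewrite(Cond|Rule)/ { seen = 1; if (!on) { bad = 1 } }
        END { if (!seen) exit 2; exit bad ? 1 : 0 }
    ' "$1"
}

# Usage: count_double_encoded_quote <access-log>
# Number of log lines containing %2527; grep -c prints 0 and exits 1 when
# nothing matches, so the exit status is neutralised.
count_double_encoded_quote() {
    grep -c '%2527' "$1" || true
}

# Demo on a temporary directory with constructed files.
tmp=$(mktemp -d)
write_phpbb_htaccess "$tmp"
if htaccess_rewrite_ok "$tmp/.htaccess"; then
    echo "ok: rewrite rules are enabled in $tmp/.htaccess"
fi
printf 'GET /viewtopic.php?t=5&x=%%2527 HTTP/1.1\nGET /index.php HTTP/1.1\n' > "$tmp/access.log"
echo "requests carrying %2527 in the constructed log: $(count_double_encoded_quote "$tmp/access.log")"
rm -rf "$tmp"
```

Run htaccess_rewrite_ok against the file you actually deployed, not only the one you intended to deploy; the original post's version (no RewriteEngine line) returns 1, which is exactly the case where the redirect never fires.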

Thanks a lot!



Thank you much! Thumb Up

posted by Sippenhaft
  

Re: Google takes some time


knn:
volonteshiva:
I still see "Powered by phpBB modified v1.8 by Przemo © 2003 phpBB Group" here and it's still searchable in google...

1) Yeah, Google will take some time until it gets updated.
2) No, you are logged in, thus you see a template for logged in users. Unregistered visitors will see a different one where the "powered by" note is different.

you can still do a link:http://www.phpbb.com and all forums with the copyright appear, easy as that.
you can now add an outbound script that changes the URL to something like



posted by poolie
  

Google still sees "phpbb", no matter what the link



poolie:
you can still do a link:http://www.phpbb.com and all forums with the copyright appear, easy as that.
you can now add an outbound script that changes the URL to something like
mydomain.com...

No.

Google still sees "phpbb", no matter what the link is.

That doesn't change the "text on the website" = the text that Google spiders


posted by knn
  

Admin Folder Name


Hello there,

I read this post about giving the admin folder a new name, and I thought it was a pretty good idea.
Then I changed its name into 'newname' (it's an example, of course), and I edited includes/functions.php as it was said. But the link to the admin panel still was admin/index.php and not newname/index.php!
Does it mean once you've changed its name, the link to the admin panel isn't useful anymore?
But I'd like to change in my whole phpBB the admin/... URLs to some newname/... (because I have Profile Edit Mod for example, which is very useful).
Then which files should I edit in order to change the links to the admin panel into the right ones?

Thank you for answering.


posted by Hunchman801
  

Delete that link anyway



Hunchman801:
But the link to the admin panel still was admin/index.php and not newname/index.php!

Yes, the automatically inserted link to your admin panel becomes useless, but as I write: you should delete this automatic link anyway.

If someone finds out your (= the admin's) password hash (for example due to a bug in phpbb, or because you use the same password on other (buggy) boards) then he could enter your admin area easily.


posted by knn
  


knn:
If you have modded your forum a lot (= installed/changed/reprogrammed your forum) you have no chance to update it to the newest (= most secure) state. The automatic updates won't work.

What do you think these are?


Also a patch is provided that you can use.
knn:
They have no step by step guide how to fix each one of them. For example if your version is 2.0.5 then what do you do to manually update it to the latest one?

What I said above. Upgrade to 2.0.6 first using one of the many options available and then go to 2.0.7, etc. until you are at the most recent.

If you are at all concerned about your site, you should be using the most recent version of all software on your site so when you do upgrade, you don't have to do all of that work.
knn:
They are impolite: When I mentioned that they either a) treat security issues not seriously OR b) modding not seriously then my topic was locked and I was warned.

Do you actually believe that crap?

Security issues are treated seriously by the phpBB Teams. Why do you think there are so many minor releases of phpBB? If they didn't care about phpBB then it would still be at 2.0.0.
knn:
They even refused to fix a security bug (they claimed it was no security issue) that later caused the deletion of whole websites (see below: %2527 bug).

Those that reported it said that they didn't think it could be exploited. When the phpBB Teams found out it could be exploited, they fixed it and released a version soon after.

It was over a month later after the release when the santy worm came about. Like I said earlier, if people were concerned about security, they would have been checking for updates and upgraded.
knn:
Right now, while I write this, phpbb.com itself is under attack. Their site is unavailable except for the text:

How the hackers hacked phpbb.com wasn't even through phpBB. It was through Awstats. If it was through phpBB, you would have seen reports of this new exploit all over the web and phpBB would have released a new version. I don't see how this has anything to do with how secure phpBB is.
knn:
They found you accidentally with Google. Often hackers look in Google for pages that contain "Powered by phpbb 2.0.3" or similar to exploit bugs in exactly this version.

How can someone accidentally find something when they are looking for it? If someone is looking for a board to hack and they are actively searching, they can't find it accidentally.

Anyways, 2.0.12 has removed the version number from public view so this no longer applies.
knn:
Who can guarantee you that a hacker hasn't hacked you silently 1 year ago and still can exploit this bug (= still has the old password hashes)?

If you haven't changed your password in over a year, you are a dumbass. One of the best ways to keep your stuff secure is to change your password frequently.
knn:
Who can guarantee you that a hacker hasn't hacked SOME OTHER INSECURE phpBB board and uses their hashes. If you used the same password at that other board then the hacker can use that to log in.

You shouldn't use the same password in multiple places. You stated why in the quote.


A lot of those tips are good but I think they aren't needed.


posted by anonymous2
  

All of the tips are still needed



anonymous2:
knn:
They are impolite: When I mentioned that they either a) treat security issues not seriously OR b) modding not seriously then my topic was locked and I was warned.

Do you actually believe that crap? Security issues are treated seriously by the phpBB Teams.

Yes, I believe "that crap". Because it happened to me. When I was visiting another forum regarding the phpbb.com hack others agreed, too, that phpbb is "stuck-up" regarding such issues.
anonymous2:
knn:
They even refused to fix a security bug (they claimed it was no security issue) that later caused the deletion of whole websites (see below: %2527 bug).

Those that reported it said that they didn't think it could be exploited. When the phpBB Teams found out it could be exploited, they fixed it and released a version soon after.

= when thousands of forums were hacked/deleted.
anonymous2:
It was over a month later after the release when the santy worm came about. Like I said earlier, if people were concerned about security, they would have been checking for updates and upgraded.

The santy worm was just a WORM. The exploit could be used to delete/harm a forum at any time. With or without a worm.
anonymous2:
How the hackers hacked phpbb.com wasn't even through phpBB. It was through Awstats.

Says who? Oh, phpbb itself.
anonymous2:
If it was through phpBB, you would have seen reports of this new exploit all over the web and phpBB would have released a new version.

But awstats as an installed server software should be even more frequent than phpbb. Thus your comment does not apply.
anonymous2:
knn:
They found you accidentally with Google. Often hackers look in Google for pages that contain "Powered by phpbb 2.0.3" or similar to exploit bugs in exactly this version.

How can someone accidentally find something when they are looking for it?

Please don't play with words. If they find you by "powered by 2.0.3" then they find YOUR FORUM not by looking for your forum, but by looking for any forum.
anonymous2:
A lot of those tips are good but I think they aren't needed.

I disagree. All of the tips are needed even with the newest phpbb version.
anonymous2:
If you haven't changed your password in over a year, you are a dumbass.

Hey, you must be a phpbb moderator or some bigger fish there or so...
• Calling people "dumbass"
• Calling my statements "crap"
• Playing with words
• Stating that my security tips aren't needed



posted by knn
  

You don't know


knn:
Yes, I believe "that crap". Because it happened to me. When I was visiting another forum regarding the phpbb.com hack others agreed, too, that phpbb is "stuck-up" regarding such issues.

Probably because those people submitted "security" problems when they weren't really ones. When the developer tells them that his or her security issue isn't even an issue, the person that submitted it gets angry. They feel like they know more about the software than the actual people that developed it.

I know this will be hard for you to hear but you don't know more than the developers. If the developers say it's not a security exploit, then it probably isn't.

The developers take time on every security report to see if it is valid or not. If it is, a new release is put together. If not, nothing is done.

I'm guessing the security report you submitted was something about leaving the admin folder named "admin" as an exploit . . .
knn:
= when thousands of forums were hacked/deleted.

phpbb.com... Shortly afterwards, 2.0.11 was released. It wasn't until December that most boards started to get hacked because nobody knew about it.
knn:
But awstats as an installed server software should be even more frequent than phpbb. Thus your comment does not apply.

What? Could you finish your sentence? There's no verb in it. It makes no sense at all.

If you were trying to say "But awstats, as an installed server software, should be updated even more frequently than phpBB." that makes just as much sense as your other sentence. With the Santy worm, the whole server could be taken out. I don't see how where software is installed makes a difference when it comes to upgrading.
knn:
Hey

... is for horses ...
knn:
you must be a phpbb moderator or some bigger fish there or so...
• Calling people "dumbass"
• Calling my statements "crap"
• Playing with words
• Stating that my security tips aren't needed

Are you really that stupid? So I'm walking down the street and I hear someone call another a dumbass, does that automatically make him a phpBB Moderator? I think not.

"Playing with words" hahaha I was proving your choice of words wrong. A site isn't accidentally hacked.


posted by anonymous2
  

Re: You don't know


anonymous2:
I know this will be hard for you to hear but you don't know more than the developers. If the developers say it's not a security exploit, then it probably isn't.

That is the most arrogant thing I have ever read in my entire life.

"Oh, if Ford says that your car is secure, then, it must be still sitting in your driveway (despite it having been broken into because someone at Ford designed insecure locks)."

The worst possible person to comment on a program's security is the developer.


posted by A Goat
  

Completely hidden



anonymous2:
knn:
If you have modded your forum a lot (= installed/changed/reprogrammed your forum) you have no chance to update it to the newest (= most secure) state. The automatic updates won't work.

What do you think these are?

Yes, good link. BUT HOW THE HECK DOES ONE FIND IT? It's hidden under
"modifications -> upgrade tools"

Is that where security updates should be?

It's so hidden that a phpbb moderator even told me that there is nothing like that.
• It's not under "Downloads"
• It's not under "Support"
• It's not under "modifications -> security"
• They don't even have their own "Security" category. They only have a "Support -> Security tracker".


Moreover, as far as I can see, their updates contain ALL KINDs of fixes, not only security issues.

If you go to phpbb.com, do you see any link to "Security related upgrades"?

My god, the bug, that caused whole forums to be deleted was fixed by simply deleting 1 word!
O-N-E freaking word. Yet it's not mentioned ANYWHERE in clear words. Just check their "Security tracker" at
Oh, my gosh, this bug is described as "Next Development Version vulnerable to highlight exploit" (what the heck?) and when you click on the link THERE IS NO FURTHER INFORMATION.

Give me a break.


posted by knn
  



The time now is 6 July 2008, 04:15