CodeZero: well... the thing is that they are on my server, and they can make a file called highlight.php and direct it to my config.php, which would show them the contents. Then a.php, and so forth.
If the hackers are on your server and can upload files etc., you are lost. It means they have direct access. Then they don't need to hack phpBB. They hacked your FTP account already, which is worse.
posted by knn
in-my-opinion.org: Technology, Computers, Science, Internet / Software / How to protect your phpBB forum against hackers (by the admin)
It isn't FULL access; they are restricted to uploading/modifying only the folder their FTP account allows, which is /users/theirusername. But using a highlight function PHP file, they can input ../../../config.php and then they are able to read it. So basically my question is... is there a way to disable the highlight function on my hosting?
posted by CodeZero
CodeZero: but using a highlight function PHP file, they can input ../../../config.php and then they are able to read it.
If you allow your users to upload scripts (.php files, .cgi files) you are in deep trouble. They can write a .php that deletes the whole server. Some hosters only allow scripts to read/access/manipulate contents in their own folder/subfolders. But most hosters don't limit scripts that way.
posted by knn
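The problem the two posts above describe is a script that takes a file name from the request and reads whatever it points to. The following is an added example, not code from this thread or from phpBB: a source viewer that canonicalises the requested path with realpath() and only serves it if it lies beneath one allowed directory. The directory layout and file names in the self-check are constructed; the `$dbpasswd` value is a fake.

```php
<?php
// Added example, not code from the thread or from phpBB: a source viewer that
// only serves files beneath one allowed directory, so a request for
// "../../../config.php" is refused instead of leaking database credentials.
// Directory and file names below are constructed for the self-check.

function resolve_within(string $baseDir, string $requested): ?string
{
    // Canonicalise the allowed root; refuse everything if it does not exist.
    $root = realpath($baseDir);
    if ($root === false) {
        return null;
    }
    // Reject empty names and embedded NUL bytes before touching the filesystem.
    if ($requested === '' || strpos($requested, "\0") !== false) {
        return null;
    }
    // realpath() collapses "..", follows symlinks and squeezes repeated
    // slashes; it returns false for a path that does not exist (also a refusal).
    // An absolute $requested simply becomes a non-existent path under $root.
    $target = realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($target === false) {
        return null;
    }
    // The decisive check: the resolved path must begin with root plus a
    // separator, so "/site/public" is not fooled by "/site/public_old/...".
    // A symlink inside the root that points outside it fails here as well.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

function show_source_file(string $baseDir, string $requested): bool
{
    $path = resolve_within($baseDir, $requested);
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        echo "No such file.\n";
        return false;
    }
    // highlight_file() HTML-escapes and colours the source; nothing is executed.
    highlight_file($path);
    return true;
}

// Self-check on a constructed tree: public/ holds a viewable file, and a
// config.php with a fake password sits one level above it.
$tmp = sys_get_temp_dir() . '/viewer_demo_' . getmypid();
mkdir("$tmp/public", 0700, true);
file_put_contents("$tmp/public/a.php", "<?php echo 'public';\n");
file_put_contents("$tmp/config.php", "<?php \$dbpasswd = 'not-a-real-secret';\n");

$checks = [
    'a.php'          => resolve_within("$tmp/public", 'a.php'),          // inside root: path
    '../config.php'  => resolve_within("$tmp/public", '../config.php'),  // traversal: null
    '/etc/hostname'  => resolve_within("$tmp/public", '/etc/hostname'),  // absolute: null
];
foreach ($checks as $name => $result) {
    printf("%-15s -> %s\n", $name, $result === null ? 'refused' : 'served');
}

unlink("$tmp/public/a.php");
unlink("$tmp/config.php");
rmdir("$tmp/public");
rmdir($tmp);
```

Run from the command line, the self-check reports the first name as served and the other two as refused. This is an application-level guard; it complements, rather than replaces, a host-level `open_basedir` setting, which is the mechanism a hoster uses to confine every script in an account to its own directory tree as knn describes.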
knn: Argh, hackers!
What do you have against hackers? Hackers are the good guys: the people who create great new software etc. phpBB itself was written by hackers! The term you're looking for is "crackers". Please don't confuse the two: you are giving hackers a bad name. For more information, please see the entries for hacker and cracker in The New Hacker's Dictionary.
- QS Computing
posted by qscomputing
qscomputing: What do you have against hackers? Hackers are the good guys: the people who create great new software etc. phpBB itself was written by hackers! The term you're looking for is "crackers". Please don't confuse the two: you are giving hackers a bad name.
Please reread all my posts in this thread. I use all kinds of terms (including "attackers" and "intruders") so that this thread can be found by anyone when searching with Google. And although I know that the term "hacker" ORIGINALLY meant "computer expert", the meaning has definitely changed.
posted by knn
knn: the meaning has definitely changed.
No, it has not yet, but it will if people insist on using it incorrectly! I think that we have a duty to ensure that it is used correctly. Fair enough if you include it so that people can find it via Google etc., but you should explain its meaning in the text.
QS Computing
posted by qscomputing
knn: ...no other registered user (or intruder) can gain admin rights.
By adding an IP security, it will automatically be harder for anyone with bad intentions to gain access to your ACP. Add this at the top of root/admin/index.php and maybe all other files in /admin/ (inside the existing <?php block):

    // Load the allowed admin IP from a separate include file.
    require($_SERVER['DOCUMENT_ROOT'] . '/includes/adminip.php');
    // $_SERVER['REMOTE_ADDR'] is the connecting client's address; the bare
    // $REMOTE_ADDR only exists with the obsolete register_globals setting.
    if ($_SERVER['REMOTE_ADDR'] != $ADMINIP) {
        header("Location: /error/401.php");
        exit;
    }

And this in adminip.php (edit the path to fit your own website's tree structure):

    <?php
    $ADMINIP = "your.I.P.number"; // find your IP here: http://www.myip.dk
    ?>

Kind regards Frank / Anakin
posted by Anakin
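Anakin's snippet compares against a single address. As an added example (not the thread's code, and not knn's mod), here is the same gate extended to an allowlist of IPv4 and IPv6 CIDR ranges, answering with a plain 403 instead of a redirect. It reads `$_SERVER['REMOTE_ADDR']` only and deliberately ignores `X-Forwarded-For`, which any client can set. The `ip_in_cidr` and `admin_ip_allowed` functions and all addresses are mine; the addresses are constructed documentation ranges.

```php
<?php
// Added example, not the thread's own code: an admin-panel gate that checks
// the connecting address against an allowlist of IPv4/IPv6 CIDR ranges.
// Addresses below are constructed (RFC 5737 / RFC 3849 documentation ranges).

function ip_in_cidr(string $ip, string $cidr): bool
{
    // A bare address means "exactly this host".
    if (strpos($cidr, '/') === false) {
        $cidr .= (strpos($cidr, ':') === false) ? '/32' : '/128';
    }
    [$net, $bits] = explode('/', $cidr, 2);
    $ipBin  = inet_pton($ip);
    $netBin = inet_pton($net);
    // Both must parse and belong to the same family (4 bytes vs 16 bytes).
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;
    }
    $bits = (int) $bits;
    if ($bits < 0 || $bits > strlen($ipBin) * 8) {
        return false;
    }
    // Compare the whole leading bytes first, then the remaining high-order bits.
    $fullBytes = intdiv($bits, 8);
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    $rest = $bits % 8;
    if ($rest === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $rest)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

function admin_ip_allowed(array $allowlist, ?string $remoteAddr): bool
{
    if ($remoteAddr === null) {
        return false;               // fail closed if no address is available
    }
    foreach ($allowlist as $cidr) {
        if (ip_in_cidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;
}

// Put this at the top of each script in /admin/. As Anakin suggests, keep
// the list itself in an include file rather than in every admin script.
$ADMIN_ALLOWLIST = ['203.0.113.7', '198.51.100.0/24', '2001:db8::/32'];  // constructed

if (PHP_SAPI !== 'cli') {
    if (!admin_ip_allowed($ADMIN_ALLOWLIST, $_SERVER['REMOTE_ADDR'] ?? null)) {
        http_response_code(403);    // a 403 plus exit: nothing below this line runs
        exit('Forbidden');
    }
}

// Command-line self-check with constructed client addresses.
foreach (['198.51.100.42', '203.0.113.8', '2001:db8:1::1', 'not-an-ip'] as $client) {
    printf("%-16s %s\n", $client, admin_ip_allowed($ADMIN_ALLOWLIST, $client) ? 'allowed' : 'denied');
}
```

In the self-check the /24 and /32-prefix clients are allowed, the host one past the single allowed IPv4 address is denied, and an unparseable string is denied. If the forum sits behind a reverse proxy, `REMOTE_ADDR` is the proxy's address; fix that in the proxy or web-server configuration rather than by reading forwarded headers in PHP.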
Anakin: By adding an IP security, it will automatically be harder for anyone with bad intentions to gain access to your ACP.
Yes, but my mod does that already (Tip 5).
posted by knn
Firstly, thank you for a truly wonderful website. I am running phpBB 2.0.13. Should I implement all your tips or are some of them not needed anymore?
knn: You should use other means to backup your database anyway. I am currently writing a phpBB Backup Suite, so check here in a few days. I will upload it.
Secondly, in the absence of such a Backup Suite as you are writing, what choice do I really have but to backup via the ACP? Any suggestions? There are no MODs I could find on phpBB.com that help make backups independent of the ACP "Backup database" button. Once again, thanks. You have no idea how much more confident I feel after reading your tips.
posted by jayray999
I did think of phpMyAdmin, but it seems quite a dangerous thing to have in my document root. Might as well have the files you are suggesting that I delete in this tip.
posted by jayray999
Ok, I should have read up more before bothering you. Here is a nice couple of articles: Manual command line backups: Automated backups using crond: I hope this helps anyone else in my situation.
posted by jayray999
jayray999: Manual command line backups: phpbb.com... Automated backups using crond: phpbb.com...
Check out IMO → PhpBB mod (freeware): Backup database and files
posted by knn
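The exchange above is about taking backups outside the ACP, from the command line or cron. The following is an added example written for this page; it is neither the mod knn links to nor a script from the thread. It is a PHP CLI script that reads the database settings from phpBB 2's config.php (which defines `$dbhost`, `$dbname`, `$dbuser` and `$dbpasswd`), dumps the database with mysqldump, archives the forum files with tar, and keeps a fixed number of copies. The paths, the retention count and the backup directory are assumptions to adjust for your host.

```php
<?php
// Added example (not the thread's code or knn's mod): cron-driven backup of a
// phpBB 2 forum, independent of the ACP "Backup database" button.
// Paths below are assumptions; the backup directory must be OUTSIDE the web root.

$forumRoot  = '/home/example/public_html/forum';   // assumed phpBB 2 directory
$backupDir  = '/home/example/backups';             // assumed, not web-accessible
$keepCopies = 14;                                  // how many dumps/archives to keep

// phpBB 2's config.php only assigns variables, so requiring it is safe here.
require $forumRoot . '/config.php';   // provides $dbhost, $dbname, $dbuser, $dbpasswd

if (!is_dir($backupDir) && !mkdir($backupDir, 0700, true)) {
    fwrite(STDERR, "cannot create $backupDir\n");
    exit(1);
}
$stamp = date('Ymd-His');

// Hand the password to mysqldump through a mode-0600 options file rather than
// on the command line, where other users on a shared host could read it via ps.
$optFile = tempnam($backupDir, 'my-');
chmod($optFile, 0600);
file_put_contents($optFile, "[client]\nhost={$dbhost}\nuser={$dbuser}\npassword={$dbpasswd}\n");

// Dump to a plain file first so $rc is mysqldump's own exit code; piping into
// gzip in one shell command would report gzip's status instead.
$sqlOut = "$backupDir/db-$stamp.sql";
$cmd = sprintf(
    'mysqldump --defaults-extra-file=%s --single-transaction --quick %s > %s',
    escapeshellarg($optFile), escapeshellarg($dbname), escapeshellarg($sqlOut)
);
exec($cmd, $output, $rc);
unlink($optFile);                                  // never leave the credentials behind
if ($rc !== 0 || !is_file($sqlOut) || filesize($sqlOut) < 100) {
    fwrite(STDERR, "database dump failed (exit $rc)\n");
    @unlink($sqlOut);
    exit(1);
}
exec(sprintf('gzip -f %s', escapeshellarg($sqlOut)), $output, $rc);
if ($rc !== 0) {
    fwrite(STDERR, "compressing dump failed (exit $rc)\n");
    exit(1);
}

// Archive the forum files (attachments, MODs, templates) alongside the dump.
$tarOut = "$backupDir/files-$stamp.tar.gz";
exec(sprintf('tar -czf %s -C %s .', escapeshellarg($tarOut), escapeshellarg($forumRoot)), $output, $rc);
if ($rc !== 0) {
    fwrite(STDERR, "file archive failed (exit $rc)\n");
    exit(1);
}

// Rotation: the timestamp in the name sorts chronologically, so after sort()
// the oldest files come first; delete everything beyond the newest $keepCopies.
foreach (['db-*.sql.gz', 'files-*.tar.gz'] as $pattern) {
    $files = glob("$backupDir/$pattern");
    sort($files);
    foreach (array_slice($files, 0, max(0, count($files) - $keepCopies)) as $old) {
        unlink($old);
    }
}
echo "backup written: $sqlOut.gz and $tarOut\n";
```

Schedule it with a crontab entry such as `0 4 * * * php /home/example/bin/backup-forum.php` (path assumed). `--single-transaction` gives a consistent snapshot of InnoDB tables; MyISAM tables, which phpBB 2 commonly used, are read-locked for the duration of the dump instead. Restoring a copy before you need it is the only way to know the backup works.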
Reading everything about this topic, I can do nothing but shake my head. The arguing takes away from everything. Naturally anonymous2 got angry because from the beginning of these 5 pages there has been nothing but attack on phpBB. I think if it had been handled without malice from the very beginning anonymous2 would not have found the need to come and defend phpBB. First of all, as a common rule on the internet, changing your password often is one you hear no matter where you are. I wouldn't exactly use anonymous2's term "dumbass" but I'd be just as arrogant I guess because I'd call you an "IDIOT"; that is my opinion and everyone is entitled to opinions. Secondly, there are 4 admins at my phpBB forums. First and foremost is me: I installed phpBB, I fixed all the errors in the mods to make them work with phpBB, I designed the style for my forums and my friend's. Second is my friend, who pays for our web space; I'd trust that man with my life, never mind my forums. Third and fourth are two men whose motives on the internet I know beyond a shadow of a doubt are as pure as my own: to be sure that all that we meet have a safe and secure internet experience. If their experience becomes the slightest bit unsafe we are there to make them safe again. Telling people to have only one admin on their forums is wrong, but telling them to be sure their co-admins are ones you would trust with your life before trusting them with your forums would be safe! Securing your forums is a good thing, but NOTHING, absolutely NOTHING, is better than taking backups of your forums once or twice a day. That means both your files on your website and your database. Anyone who does not take backups constantly of their forums and databases does not care enough about their site to be running one, in my opinion.
Let a hacker/cracker delete everything; if you are properly prepared it would take about an hour to restore your site back to the last backup, and that is if you have a large database like I do and you have to split up your posts, posts_text, and search engine tables in order to upload them back to the database due to limits by your webhost, or if you have a good host like mine you can just send them the database and they'll have it loaded for you in minutes. File transfer for the rest of your site shouldn't take more than 15 minutes, and that is if you are heavily loaded with mods and running a slow connection (although dial-up could take longer, but since I haven't used dial-up in about 8 years I can't say how long it would take). Using all the security in the world is not better than making sure you have a good working copy of your website that can be restored at a moment's notice!
posted by Just my opinion
Just my opinion: Naturally anonymous2 got angry because from the beginning of these 5 pages there has been nothing but attack on phpBB.
I disagree; the first pages are about making your phpBB forum safer.
Just my opinion: First of all, as a common rule on the internet, changing your password often is one you hear no matter where you are. I wouldn't exactly use anonymous2's term "dumbass" but I'd be just as arrogant I guess because I'd call you an "IDIOT", that is my opinion and everyone is entitled to opinions.
1) You are talking about an ideal here, which would also include all your admins and mods changing their password frequently. 2) How often do you want to change your password? If you change it once a month (which hardly any webmaster will do), then an attacker has 1 month of time anyway. 3) Having your password changed doesn't protect you against a lot of crackers who harm/intrude without knowing your password anyway.
Just my opinion: Securing your forums is a good thing, but NOTHING absolutely NOTHING is better than taking backups on your forums once or twice a day.
1) Yes, very true. But if you have a highly frequented forum (say, 2000 posts a day) then losing these 2000 posts isn't nice either. 2) So where is the backup function of phpBB? There is only a rudimentary one. As I can see from your comments, you are talking while I am talking about practical security tips.
posted by knn
knn: TIP A: Force an ADDITIONAL login to access the admin panel.
I think one of the best ideas is to password-protect your admin folder. I have written a .php script that will do that for you.
Struggling with this bit: chmodded the as you have suggested but it's refusing to work properly!
posted by smoki
The time now is 6 July 2008, 04:17