Page 2 of 2

Posted: Wed Jan 16, 2002 7:03 pm
by ICMafia

# Applied to every request method: wrapped in <Limit GET> these rules would
# govern only GET and HEAD, leaving e.g. POST to the admin scripts unrestricted
order deny,allow
deny from all
allow from 0.0.0.0
where 0.0.0.0 is your IP or DNS. I do away with silly passwords; only if they share my IP can they get on!!!
It helps if you have an ISP whose DNS is uncommon OR if you have a fixed IP. Used in conjunction with .htpasswd it's very very secure. Oh, chmod .htaccess to like 444 as well!!!!
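Apache's `order`, `deny` and `allow` directives decide access per request, and a `<Limit>` container scopes whatever it encloses to the listed request methods only (limiting GET also limits HEAD). The following is an added example, my code rather than anything from the thread or from Apache: a small evaluator of that rule model, covering only `order deny,allow` / `allow,deny`, `deny from` and `allow from` with `all`, an exact IPv4 address or a dotted prefix, and `<Limit>`. Hostnames, CIDR and the newer `Require` syntax are not modelled, and the two fragments and addresses below are constructed. It shows that rules wrapped in `<Limit GET>` say nothing about a POST, which the default `order deny,allow` then permits from any address, whereas the same rules unwrapped apply to every method.

```python
import re

# Added example: a model of Apache 1.3/2.2 host access control (mod_access),
# not Apache code. Supported: Order deny,allow | allow,deny; Allow/Deny from
# 'all', an exact IPv4 address or a dotted prefix such as 10.1; <Limit ...>.
_LIMIT_OPEN = re.compile(r"^<Limit\s+([^>]+)>$", re.IGNORECASE)
_LIMIT_CLOSE = re.compile(r"^</Limit>$", re.IGNORECASE)
_PARTIAL_IP = re.compile(r"(\d{1,3}\.){0,3}\d{1,3}\.?")


def parse_htaccess(text):
    """Return (order, rules). Each rule is (methods, verb, host); methods is
    None when the rule is not inside a <Limit> and applies to every method."""
    order = "deny,allow"      # Apache's default when no Order directive is seen
    rules = []
    methods = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _LIMIT_OPEN.match(line)
        if m:
            methods = {x.upper() for x in m.group(1).split()}
            if "GET" in methods:
                methods.add("HEAD")   # Apache: limiting GET also limits HEAD
            continue
        if _LIMIT_CLOSE.match(line):
            methods = None
            continue
        parts = line.split()
        verb = parts[0].lower()
        if verb == "order" and len(parts) == 2:
            order = parts[1].lower()
        elif verb in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            for host in parts[2:]:
                rules.append((methods, verb, host.lower()))
    return order, rules


def host_matches(pattern, ip):
    """'all', an exact address, or a dotted prefix (Apache's partial-IP form)."""
    if pattern == "all" or pattern == ip:
        return True
    if _PARTIAL_IP.fullmatch(pattern):
        return ip.startswith(pattern.rstrip(".") + ".")
    return False          # hostnames are not modelled here


def is_allowed(text, ip, method):
    """Decide one request against the fragment, following mod_access's
    evaluation order for the two Order settings."""
    order, rules = parse_htaccess(text)
    method = method.upper()
    applicable = [(v, h) for m, v, h in rules if m is None or method in m]
    denied = any(v == "deny" and host_matches(h, ip) for v, h in applicable)
    allowed = any(v == "allow" and host_matches(h, ip) for v, h in applicable)
    if order == "deny,allow":
        # default allow; a matching Allow overrides a matching Deny
        return allowed or not denied
    if order == "allow,deny":
        # default deny; a matching Deny overrides a matching Allow
        return allowed and not denied
    raise ValueError("unsupported Order: " + order)


# Constructed fragments: the same rules with and without the <Limit GET> wrapper.
LIMITED = """<Limit GET>
order deny,allow
deny from all
allow from 203.0.113.7
</Limit>
"""
UNLIMITED = """order deny,allow
deny from all
allow from 203.0.113.7
"""


def demo():
    outsider, owner = "198.51.100.9", "203.0.113.7"
    return {
        "limited GET from outsider": is_allowed(LIMITED, outsider, "GET"),      # False
        "limited POST from outsider": is_allowed(LIMITED, outsider, "POST"),    # True: no rule covers POST
        "unlimited POST from outsider": is_allowed(UNLIMITED, outsider, "POST"),  # False
        "unlimited GET from owner": is_allowed(UNLIMITED, owner, "GET"),        # True
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-30s %s" % (case, "allowed" if verdict else "denied"))
```

The model treats `Order` as global even when it appears inside a `<Limit>`; real Apache merges it per method, but for the fragments here the result is the same because the default is `deny,allow` either way.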

Posted: Wed Jan 16, 2002 7:17 pm
by tanis
ICMafia wrote: are all deleted, rc2 has no developer folder anyway, config.php is chmodded to 444 or 644 (forget) and I've htaccessed the admin folder. I think it's reasonably secure.


444 is readable by everyone.. so anyone who has an account on your machine can read your database login and password. I'd rather chown config.php to the owner of the apache process and make it 400.

Posted: Wed Jan 16, 2002 7:38 pm
by ICMafia
400 gives me a 403 error
404 works though!

Posted: Wed Jan 16, 2002 7:43 pm
by ICMafia
grr
config.php is fine with 400
but .htaccess needs to be 404

Anyway I think it's secure!!!

Posted: Wed Jan 16, 2002 7:45 pm
by tanis
Why should .htaccess be 404?? It should be fine with 400.

Posted: Wed Jan 16, 2002 9:32 pm
by hsim
maybe because Apache needs to read it and it is running as nobody :) but hey, unless you build security holes into your scripts, Apache should protect your .ht* documents from being read

Posted: Wed Jan 16, 2002 9:41 pm
by tanis
wouldn't it be better to chown the file to nobody and make it accessible in read mode by that user only?

Posted: Thu Jan 17, 2002 12:16 pm
by ICMafia
anyway, protecting config.php further:
surely the config file could be moved to a new directory "locked" which can be fully htaccessed .. if so, how many files would need adjusting to make sure the board still worked?

Posted: Thu Jan 17, 2002 1:15 pm
by SHS`
ICMafia wrote: anyway, protecting config.php further:
surely the config file could be moved to a new directory "locked" which can be fully htaccessed .. if so, how many files would need adjusting to make sure the board still worked?


Why not move it outside of the webroot completely?? Shouldn't be too difficult as any real text editor will be able to do mass search&replace. It's just making sure everything worked afterwards. ;)

Total number of files that'll need to be modified will/should be total PHP files minus config.php minus /includes/*.php.

Posted: Thu Jan 17, 2002 1:54 pm
by ICMafia
Only one file needs amending, common.php:

@include($phpbb_root_path . 'config.'.$phpEx);

that line.
So to put it in a "hidden" folder, edit it to this:

@include($phpbb_root_path . 'hidden/config.'.$phpEx);

not sure how to edit it to put it in the root of the site OR some non-web-accessible folder

Posted: Thu Jan 17, 2002 2:59 pm
by tanis

// absolute path: do not prefix it with $phpbb_root_path, or the result is relative to the board directory
@include('/home/myuser/config.'.$phpEx);
could be ok. It all depends on the configuration of the machine you're using.. if your files are in htdocs/phpBB2, you can call it through "../../cfgfiles/config.php" for example.
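Two points from the thread can be checked mechanically rather than argued: the permission question (config.php must not be readable by other local accounts, yet .htaccess must stay readable by the account Apache runs as, which is why 400 on .htaccess produced a 403), and the suggestion to keep config.php outside the document root altogether. The following is an added example, my code rather than anything from the thread or from phpBB: an audit that reports those conditions for a given tree. The document root, the file paths and the server uid are whatever the caller passes in; the `demo` function builds a constructed phpBB-like tree in a temporary directory, uses the current uid plus one as a hypothetical "nobody", and ignores group membership (assumption: the server account shares no group with the file owner).

```python
import os
import stat
import tempfile

# Added example: an audit of the file-exposure points argued in the thread.
# It is not phpBB code; paths and the server uid are supplied by the caller.


def _readable_by(st, uid):
    """Can a process running as uid read the file? Decided from the owner and
    'other' bits only; group membership is ignored (assumption: the server
    account shares no group with the file owner)."""
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return bool(mode & stat.S_IRUSR)
    return bool(mode & stat.S_IROTH)


def audit(docroot, config_path, htaccess_path, server_uid):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    shared = stat.S_IRGRP | stat.S_IROTH

    cfg = os.stat(config_path)
    cfg_mode = stat.S_IMODE(cfg.st_mode)
    if cfg_mode & shared:
        # tanis's point: 444/644 lets any local account read the DB password
        findings.append("config.php: readable by group/others (mode %o)" % cfg_mode)
    if not _readable_by(cfg, server_uid):
        findings.append("config.php: not readable by server uid %d, the board cannot load it" % server_uid)

    ht = os.stat(htaccess_path)
    ht_mode = stat.S_IMODE(ht.st_mode)
    if not _readable_by(ht, server_uid):
        # the 403 ICMafia saw: Apache cannot read the .htaccess it must evaluate
        findings.append(".htaccess: not readable by server uid %d, Apache answers 403" % server_uid)
    if ht_mode & shared:
        findings.append(".htaccess: readable by group/others (mode %o)" % ht_mode)

    root = os.path.realpath(docroot)
    if os.path.realpath(config_path).startswith(root + os.sep):
        # the point made by SHS`: anything under the document root is one
        # misconfiguration away from being served as plain text
        findings.append("config.php: inside the document root %s" % root)
    return findings


def demo():
    """Audit a constructed phpBB-like tree in three configurations."""
    with tempfile.TemporaryDirectory() as tmp:
        docroot = os.path.join(tmp, "htdocs")
        os.makedirs(os.path.join(docroot, "admin"))
        os.makedirs(os.path.join(tmp, "cfgfiles"))
        cfg_in = os.path.join(docroot, "config.php")
        cfg_out = os.path.join(tmp, "cfgfiles", "config.php")
        ht = os.path.join(docroot, "admin", ".htaccess")
        for path in (cfg_in, cfg_out):
            with open(path, "w") as f:
                f.write("<?php $dbpasswd = 'constructed';\n")   # constructed content
        with open(ht, "w") as f:
            f.write("order deny,allow\ndeny from all\n")
        os.chmod(cfg_in, 0o444)    # the mode tanis objects to
        os.chmod(cfg_out, 0o400)
        os.chmod(ht, 0o400)
        me = os.getuid()
        other = me + 1             # hypothetical uid Apache runs as (e.g. nobody)
        return (
            audit(docroot, cfg_in, ht, me),      # owner is also the server uid
            audit(docroot, cfg_in, ht, other),   # server runs as a different account
            audit(docroot, cfg_out, ht, me),     # hardened: mode 400, outside docroot
        )


if __name__ == "__main__":
    for label, result in zip(("as owner", "as other uid", "hardened"), demo()):
        print(label + ":", result or "no findings")
```

The third configuration (config.php at mode 400, owned by the server account and stored outside the document root) is the one the thread converges on, and it is the only one of the three that produces no findings.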

Posted: Thu Jan 17, 2002 6:55 pm
by mat100
look at http://hacks.phpbb.com/forums , some seem to have been playing with upgrade.php

Posted: Sun Jan 20, 2002 6:07 pm
by Nuttzy99
Thanks for the .htaccess help!!!

-Nuttzy :cool: