Tip: simple ways to protect your board

Posted: Sun Mar 27, 2005 8:33 pm
by Ms Givings
I hope a newbie will be forgiven for suggesting some simple ways to prevent new users of phpBB from getting hacked?

My post was prompted by the attempt of a hacker (which we logged) to gain access to our board, which is the latest version. Needless to add, they failed!

1. Keep your installation bang up to date and sign up for alerts here so that you are informed the moment a new version is released.

2. Rename your phpBB folder to something that does not contain the words 'php' or 'bb' in any combination. This may prevent nasty little boys googling these keywords from even finding your board.

3. Choose a difficult admin password that contains at least some upper case characters and numbers. Change it frequently.

4. If you have FTP access to your board, password protect your phpbb/admin folder. You can do this by editing .htaccess. Make sure it is different from your admin logon username and password.

5. Hide your memberlist from visitors (there are several mods that do this).

6. Turn on 'visual confirmation' in General config in your ACP (requires users to enter a code shown in an image when registering).

7. If you don't need (or want) Search Engines to spider and index your board, disallow them in your robots text file.

8. Finally, if you have access to your phpBB database via phpMyAdmin and/or Plesk, protect it with a third username/password combo. That way, even if someone gets into your board, they will need a second username/password to get admin rights and a third one to gain access to your database.

Hope that helps someone

Posted: Sun Mar 27, 2005 9:19 pm
by Sphen
Generally, good ideas.

However, for number two, you shouldn't even have the folder on your server in the first place. Once you've installed, delete that folder.

Re: Tip: simple ways to protect your board

Posted: Sun Mar 27, 2005 10:08 pm
by Darth Wong
Ms Givings wrote: 8. Finally, if you have access to your phpBB database via phpMyadmin and/or Plesk, protect it with a third username/password combo. That way even if someone gets into your board, they will need a second password/username to get admin rights and a third one to gain access to your database.

Another tip is to restrict the range of IP addresses allowed to connect to it, also via .htaccess.
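The two .htaccess suggestions in this thread (the first post's item 4, password protecting the admin folder, and the IP restriction above) can be combined in a single file. The following is an added example, not configuration posted by anyone in the thread, and it uses Apache 2.4 authorization syntax rather than the Order/Allow/Deny directives an Apache 1.3/2.0 server of the thread's era would have used. The .htpasswd path and the IP ranges are placeholders.

```apache
# Example .htaccess for the forum's admin/ directory (added example, not from the thread).
# Requires AllowOverride AuthConfig and Limit (or All) for this directory in httpd.conf.

# HTTP Basic authentication with a credential that is NOT the board admin login.
AuthType Basic
AuthName "Forum administration"
# Keep the password file outside the web root; placeholder path.
AuthUserFile /home/example/private/.htpasswd

# Both conditions must hold: a valid user AND an allowed source address.
<RequireAll>
    Require valid-user
    # Placeholder ranges: replace with the addresses you actually administer from.
    Require ip 192.0.2.0/24 203.0.113.7
</RequireAll>
```

The password file is created with the `htpasswd` tool that ships with Apache (`htpasswd -c -B /home/example/private/.htpasswd adminuser`, where `-B` selects bcrypt hashing). Because a browser sends Basic credentials with every request, this only adds real protection when the admin area is served over HTTPS; on plain HTTP the extra password travels in the clear just as the board login does.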

Posted: Mon Mar 28, 2005 1:00 am
by igni ferroque
Isolate phpBB so that if another remote code execution vuln is discovered, the possible damage is limited.

Use mod_rewrite in combination with something like mod_dnsbl so that hosts running the various worms are automatically blacklisted. At the very least, send a 403.

Posted: Mon Mar 28, 2005 3:31 am
by Canadian Psycho
Sphen wrote: However, for number two, you shouldn't even have the folder on your server in the first place. Once you've installed, delete that folder.

I believe he was referring to the folder on your FTP in which the phpBB forum software was installed. The root folder.

Cheers

Posted: Mon Mar 28, 2005 3:21 pm
by Ms Givings
Sphen wrote: Generally, good ideas.
However, for number two, you shouldn't even have the folder on your server in the first place. Once you've installed, delete that folder.

I agree. I meant your 'phpBB installation'.

Canadian Psycho wrote: I believe he was referring to the folder on your FTP in which the phpBB forum software was installed. The root folder.

I was. My sloppy description. I've now edited my post to remove the ambiguity. Sorry.
BTW...I'm a 'she'...
;-)

Posted: Mon Mar 28, 2005 3:24 pm
by Canadian Psycho
A SHE! Oh...err...well...uhh...hmm...err...the....yes!

Cheers

Posted: Tue Mar 29, 2005 5:11 am
by battye
Sphen wrote: Generally, good ideas.

However, for number two, you shouldn't even have the folder on your server in the first place. Once you've installed, delete that folder.

Huh? Deleting the folder that contains phpBB will delete phpBB... or am I missing something?

Did you mean ensure that the install/ and contrib/ folders are deleted? If so, I agree; not deleting them leaves a security hole wide open.

Posted: Tue Mar 29, 2005 2:46 pm
by Canadian Psycho
You're missing something. The "/install" and "/contrib" folders that are created with a fresh installation of phpBB should be deleted, yes, and this was mistaken earlier by Sphen.

So, when a fresh install of phpBB is done, the install and contrib folders should of course be deleted. But this initial post is referring to the phpBB root folder, often named "/phpBB2", saying that said folder should probably be named something different like "homeforum" or "Banana" or something.

Cheers

Posted: Tue Apr 05, 2005 5:36 pm
by Sphen
No. What I meant was that the folder named in the first post was called install. That folder contains the install files and should be deleted after installation. I was not referring to the main folder, also known as the ROOT folder. If someone has a question, let's answer it, otherwise I see no point to this topic.

Sphen

And yes, I see that the post was edited, but it was called install.