how to protect my phpbb forum from potential hackers

craigprunty
Registered User
Posts: 18
Joined: Fri Mar 05, 2010 5:05 pm

how to protect my phpbb forum from potential hackers

Post by craigprunty » Sun May 16, 2010 9:52 pm

I've heard many stories of people's forums being hit by hackers getting into the control panel and blanking sites out, etc. :!:

I am protecting my adm folder using a security password on the folder and file directory with a feature from my hosting provider andthenhost.com.

Is this the best method to help secure my forum or are there any other measures I can take :?:

Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm

Re: how to protect my phpbb forum from potential hackers

Post by Phil » Sun May 16, 2010 11:27 pm

phpBB3 received a paid security audit and has had no major vulnerabilities found since its release multiple years ago. As long as you use good security practices (use a unique, secure password when registering your account), you shouldn't need to take any additional measures.
Moving on, with the wind. | My Corner of the Web

onehundredandtwo
Registered User
Posts: 1228
Joined: Fri Nov 14, 2008 8:07 am

Re: how to protect my phpbb forum from potential hackers

Post by onehundredandtwo » Mon May 17, 2010 6:11 am

Probably the best advice I could give you is to keep phpBB and any MODs up-to-date. Most forums that are hacked are using old, out-of-date software or MODs which leaves them open to attack.
Need help preventing spam? Read Preventing spam in phpBB 3.0.6 and above

Oleg
Former Team Member
Posts: 1221
Joined: Sat Jan 30, 2010 4:42 pm
Location: NYC

Re: how to protect my phpbb forum from potential hackers

Post by Oleg » Mon May 17, 2010 6:14 am

iWisdom wrote: phpBB3 received a paid security audit and has had no major vulnerabilities found since its release multiple years ago. As long as you use good security practices (use a unique, secure password when registering your account), you shouldn't need to take any additional measures.
Say, what would happen if all phpbb files and directories were given world-writable bits during installation?

Code and password security does not imply deployment security.
Participate in phpBB development: Get involved | Issue tracker | Report a bug | Development board | Development IRC chat (irc://chat.freenode.net/phpbb-dev)
My stuff: mindlinkgame.com

Phil
Former Team Member
Posts: 10403
Joined: Sat Nov 25, 2006 4:11 am
Name: Phil Crumm

Re: how to protect my phpbb forum from potential hackers

Post by Phil » Mon May 17, 2010 6:35 am

nn- wrote: Code and password security does not imply deployment security.
Emphasis added below:
iWisdom wrote: phpBB3 received a paid security audit and has had no major vulnerabilities found since its release multiple years ago. As long as you use good security practices (use a unique, secure password when registering your account), you shouldn't need to take any additional measures.

Desdenova
Registered User
Posts: 646
Joined: Sat Feb 23, 2008 7:25 pm

Re: how to protect my phpbb forum from potential hackers

Post by Desdenova » Mon May 17, 2010 6:42 am

iWisdom wrote:
nn- wrote: Code and password security does not imply deployment security.
Emphasis added below:
iWisdom wrote: phpBB3 received a paid security audit and has had no major vulnerabilities found since its release multiple years ago. As long as you use good security practices (use a unique, secure password when registering your account), you shouldn't need to take any additional measures.
*cough* godaddy shared hosting attacks *cough*

Ephemeraboy
Registered User
Posts: 331
Joined: Tue Dec 29, 2009 4:25 pm
Location: Bandung Kota Hujan
Name: Bernando Bona Tius Sianipar

Re: how to protect my phpbb forum from potential hackers

Post by Ephemeraboy » Mon May 17, 2010 7:48 am

So the hosting can take responsibility for the hacked case..??
hm..
My diary, my notepad, and my life on
http://www.bonatius.com
My online shop at
http://www.nefara.com

ChrisRLG
Former Team Member
Posts: 3420
Joined: Wed Nov 24, 2004 3:18 pm
Location: Essex, UK

Re: how to protect my phpbb forum from potential hackers

Post by ChrisRLG » Mon May 17, 2010 8:45 am

Just like with MS Windows installations, a 'hack' will come in via any known vulnerability. E.g. a vulnerability in a PDF reader can infect your Windows XP machine.

For servers it can be from vulnerabilities in the operating system itself, the added 'server' software such as PHP, Apache, MySQL etc., the hosting control software such as cPanel, or the installed domain software such as blogging, CMS or forum.

The 'affected' software (e.g. your phpBB installation) may well not be the vulnerability used to gain access (mostly is not), but may well be the targeted installation for data after they gain access.
phpBB: The All Important Rules - Bertie Bear 3.0 - No support via PM system - use the forums please.
phpBB v2: Retirement (1/1/2009) : phpBB v3: Read Me Topic - Custom BBCodes - Support Template
Matthew 7:7"Ask and it will be given to you; seek and you will find; knock and a door will be opened to you."
My Links: MS MVP (Consumer Security) - Malware Removal:University - Own Forum: Custom BBCode testing

craigprunty
Registered User
Posts: 18
Joined: Fri Mar 05, 2010 5:05 pm

Re: how to protect my phpbb forum from potential hackers

Post by craigprunty » Mon May 17, 2010 1:31 pm

Cheers all.

I do try to keep up-to-date on MODs, which of course can be a big vulnerability if not kept up-to-date with the version of phpBB you're running.

I also use the firewall settings within my VPS to control multiple connection attempts and also rename any mod install.php files.

I think the number one rule is to always keep a good up-to-date backup of your file structure and MySQL table, and if a vulnerability does leak out with your hosting OS or phpBB version and you're hit by an attack then at least you can restore your forum and apply the patch..... :roll:

Desdenova
Registered User
Posts: 646
Joined: Sat Feb 23, 2008 7:25 pm

Re: how to protect my phpbb forum from potential hackers

Post by Desdenova » Mon May 17, 2010 2:41 pm

Don't rename the mod install files, download a copy of them and delete them on-server. It's too risky to leave them up.
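
As an added example (not part of any post in this thread and not phpBB code), the script below audits a forum directory for the two deployment problems raised above: world-writable files and directories, and installer scripts left on the server, whether renamed or not. The sample tree, its file names and the `*install*.php*` pattern are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. Paths and file names in the sample tree are constructed.

# Files and directories that any local account may write to.
world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print | sort
}

# Installer scripts still on the server, renamed copies included
# (install_renamed.php, install.php.bak). Matches are candidates for review:
# legitimate application files can match this pattern too.
leftover_installers() {
    find "$1" -type f -name '*install*.php*' -print | sort
}

# Print a report. Exit status 0 means clean, 1 means something was found.
audit_forum_root() {
    ww=$(world_writable "$1")
    inst=$(leftover_installers "$1")
    [ -n "$ww" ] && printf 'world-writable:\n%s\n' "$ww"
    [ -n "$inst" ] && printf 'installer scripts on server:\n%s\n' "$inst"
    [ -z "$ww" ] && [ -z "$inst" ]
}

# Build a constructed sample web root so the audit can run offline.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/adm" "$d/cache" "$d/mods/gallery"
    : > "$d/index.php"
    : > "$d/config.php"
    : > "$d/mods/gallery/install.php"
    : > "$d/mods/gallery/install_renamed.php"
    chmod 755 "$d/adm" "$d/mods" "$d/mods/gallery"
    chmod 644 "$d/index.php" "$d"/mods/gallery/*.php
    chmod 666 "$d/config.php"   # writable by every account on a shared host
    chmod 777 "$d/cache"
    echo "$d"
}

tree=$(make_sample_tree)
audit_forum_root "$tree" || echo "review the paths listed above"
rm -rf "$tree"
```

On the sample tree the report lists `cache` and `config.php` as world-writable and both installer scripts, including the renamed one, which is why renaming alone does not take them off the server.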

Noxwizard
Support Team Leader
Posts: 10348
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster

Re: how to protect my phpbb forum from potential hackers

Post by Noxwizard » Mon May 17, 2010 2:58 pm

It is also important to keep all of the applications on your own machine up to date. The majority of the attacks over the past year have been caused by trojans that get on your machine through outdated installations of Adobe Acrobat/Reader, Flash, Java, and QuickTime. They then proceed to steal FTP credentials. If you use FileZilla, remember that your passwords are not encrypted on the disk, so it's best not to save them in the site manager. If you have the option of using SFTP, then do so, as some variants of the trojan sniff the traffic that goes through and steal the passwords that way.
[Support Template] - [Read Before Posting] - [phpBB Knowledge Base]
Do not contact me for private support, please share the question in our forums.

craigprunty
Registered User
Posts: 18
Joined: Fri Mar 05, 2010 5:05 pm

Re: how to protect my phpbb forum from potential hackers

Post by craigprunty » Mon May 17, 2010 6:58 pm

Good point about the FTP, Noxwizard.

I do use FileZilla but don't save any passwords on my machine and always set up my internet browsers to clear cache and not to save passwords.

People seem to also think they are protected by a firewall router, but I always find it best practice to use a software application firewall that monitors local application activity as well.

A really good feature with my hosting provider with regards to FTP access is the "FTP unlock time period" or "IP your IP only".

I must say this was a good feature I liked with the new control panel when I moved. You can demo this feature here - -spam-
Last edited by Brf on Mon May 17, 2010 7:02 pm, edited 1 time in total.
Reason: removed spam link

ChrisRLG
Former Team Member
Posts: 3420
Joined: Wed Nov 24, 2004 3:18 pm
Location: Essex, UK

Re: how to protect my phpbb forum from potential hackers

Post by ChrisRLG » Mon May 17, 2010 10:11 pm

For those who might like to use SFTP to replace FTP here is a link to a blog article with the 'how to' info for the client side. http://malwareremoval.com/wp/vista/164/ ... -a-how-to/

All my servers have been set up to only use SFTP for over the last 3 years.
