Tip: simple ways to protect your board

Ms Givings
Registered User
Posts: 17
Joined: Tue Feb 22, 2005 10:44 pm

Tip: simple ways to protect your board

Post by Ms Givings »

I hope a newbie will be forgiven for suggesting some simple ways to prevent new users of phpBB getting hacked.

My post was prompted by the attempt of a hacker (which we logged) to try to gain access to our board which is the latest version. Needless to add they failed!

1. Keep your installation bang up to date and sign up for alerts here so that you are informed the moment a new version is released.

2. Rename your phpBB folder to something that does not contain the words 'php' or 'bb' in any combination. This may prevent nasty little boys googling these keywords from even finding your board.

3. Choose a difficult admin password that contains at least some upper case characters and numbers. Change it frequently.

4. If you have FTP access to your board, password-protect your phpbb/admin folder. You can do this by editing .htaccess. Make sure it is different to your admin logon username and password.

5. Hide your memberlist from visitors (there are several mods that do this).

6. Turn on 'visual confirmation' in General config in your ACP (requires users to enter a code defined by an image when registering).

7. If you don't need (or want) search engines to spider and index your board, disallow them in your robots text file.

8. Finally, if you have access to your phpBB database via phpMyAdmin and/or Plesk, protect it with a third username/password combo. That way even if someone gets into your board, they will need a second password/username to get admin rights and a third one to gain access to your database.

Hope that helps someone
Last edited by Ms Givings on Mon Mar 28, 2005 3:19 pm, edited 2 times in total.
Miranda
a fool and his honey are soon parted

Sphen
Registered User
Posts: 524
Joined: Wed May 19, 2004 5:06 pm
Location: Land of the Beaver

Post by Sphen »

Generally, good ideas.

However, for number two, you shouldn't even have the folder on your server in the first place. Once you've installed, delete that folder.
I think, therefore I am, I think...
My previous posts are under the name "UberSphen"

Darth Wong
Registered User
Posts: 2398
Joined: Wed Jul 03, 2002 5:20 am
Location: Toronto, Canada

Re: Tip: simple ways to protect your board

Post by Darth Wong »

Ms Givings wrote: 8. Finally, if you have access to your phpBB database via phpMyadmin and/or Plesk, protect it with a third username/password combo. That way even if someone gets into your board, they will need a second password/username to get admin rights and a third one to gain access to your database.

Another tip is to restrict the range of IP addresses allowed to connect to it, also via .htaccess.
Not a three-foot tall green gnome in real-life: My home page.
My wretched hive of scum and villainy: http://bbs.stardestroyer.net/
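An added example, not from any poster in this thread, of what tip 4 in the first post and the IP restriction in this reply look like as a single .htaccess placed in the board's admin/ folder. It assumes Apache 2.4 with mod_auth_basic and mod_authz_core, an AllowOverride that permits AuthConfig and Limit, and the password-file path, user name and 192.0.2.0/24 range are placeholders to replace:

```apache
# Added example, not from the thread: .htaccess for the phpBB admin/ folder.
# Assumes Apache 2.4 (mod_auth_basic, mod_authz_core) and that httpd.conf
# grants "AllowOverride AuthConfig Limit" for this directory.

# HTTP Basic authentication. The user file is created once with
#   htpasswd -c /home/example/private/.htpasswd boardadmin
# and kept OUTSIDE the document root so the web server can never serve it.
# Path and user name are placeholders; pick credentials that differ from
# the phpBB admin account, as the first post advises.
AuthType Basic
AuthName "Board administration"
AuthUserFile /home/example/private/.htpasswd

# Both conditions must hold: a valid htpasswd login AND a source address
# in the allowed range. 192.0.2.0/24 is a constructed documentation range;
# replace it with the addresses the admins actually connect from.
<RequireAll>
    Require valid-user
    Require ip 192.0.2.0/24
</RequireAll>

# Equivalent on Apache 2.2, where access and auth are combined with Satisfy:
#   Order Deny,Allow
#   Deny from all
#   Allow from 192.0.2.0/24
#   AuthType Basic
#   AuthName "Board administration"
#   AuthUserFile /home/example/private/.htpasswd
#   Require valid-user
#   Satisfy All
```

Check it from an address outside the range: the admin pages must be refused even with the correct htpasswd login, and from inside the range the browser must prompt before anything is shown.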

igni ferroque
Registered User
Posts: 15
Joined: Sun Mar 07, 2004 6:50 pm

Post by igni ferroque »

Isolate phpBB so that if another remote code execution vuln is discovered, the possible damage is limited.

Use mod_rewrite in combination with something like mod_dnsbl so that hosts running the various worms are automatically blacklisted. At the very least, send a 403.

Canadian Psycho
Registered User
Posts: 99
Joined: Sun Sep 19, 2004 4:01 am

Post by Canadian Psycho »

Sphen wrote: However, for number two, you shouldn't even have the folder on your server in the first place. Once you've installed, delete that folder.

I believe he was referring to the folder on your FTP in which the phpbb forum software was installed. The root folder.

Cheers
I have never let my schooling get in the way of my education.
--Mark Twain--

Ms Givings
Registered User
Posts: 17
Joined: Tue Feb 22, 2005 10:44 pm

Post by Ms Givings »

Sphen wrote: Generally, good ideas.
However, for number two, you shouldn't even have the folder on your server in the first place. Once you've installed, delete that folder.

I agree. I meant your 'phpBB installation'.
Canadian Psycho wrote: I believe he was referring to the folder on your FTP in which the phpbb forum software was installed. The root folder.

I was. My sloppy description. I've now edited my post to remove the ambiguity. Sorry.
BTW...I'm a 'she'...
;-)
Miranda
a fool and his honey are soon parted

Canadian Psycho
Registered User
Posts: 99
Joined: Sun Sep 19, 2004 4:01 am

Post by Canadian Psycho »

A SHE! Oh...err...well...uhh...hmm...err...the....yes!

Cheers
I have never let my schooling get in the way of my education.
--Mark Twain--

battye
Extension Customisations
Posts: 10946
Joined: Wed Feb 11, 2004 11:02 am
Location: Australia

Post by battye »

Sphen wrote: Generally, good ideas.

However, for number two, you shouldn't even have the folder on your server in the first place. Once you've installed, delete that folder.

Huh? Deleting the folder that contains phpBB will delete phpBB... or am I missing something?

Did you mean, ensure that the install/ and contrib/ folders be deleted? If so, I agree, not deleting them leaves a security hole wide open.
Customisations Team Member

https://github.com/battye/php-array-parser - Give it a Star! :D

Canadian Psycho
Registered User
Posts: 99
Joined: Sun Sep 19, 2004 4:01 am

Post by Canadian Psycho »

You're missing something. The "/install" and "/contrib" folders that are created with a fresh installation of phpBB should be deleted, yes, and this was mistaken earlier by Sphen.

So, when a fresh install of phpBB is done, the install and contrib folders should of course be deleted. But this initial post is referring to the phpBB root folder often named "/phpBB2" saying that said folder should probably be named something different like "homeforum" or "Banana" or something.

Cheers
I have never let my schooling get in the way of my education.
--Mark Twain--

Sphen
Registered User
Posts: 524
Joined: Wed May 19, 2004 5:06 pm
Location: Land of the Beaver

Post by Sphen »

No. What I meant was that the folder named in the first post was called install. That folder contains the install files and should be deleted after installation. I was not referring to the main folder, also known as the ROOT folder. If someone has a question, let's answer it, otherwise I see no point to this topic.

Sphen

And yes, I see that the post was edited, but it was called install.
I think, therefore I am, I think...
My previous posts are under the name "UberSphen"
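An added example, not from any poster in this thread: a mod_rewrite fragment for the board's root .htaccess that implements the "at the very least, send a 403" advice from igni ferroque's post and also refuses web requests to the install/ and contrib/ paths discussed above, in case they are ever re-uploaded. It assumes Apache 2.4 with mod_rewrite and AllowOverride FileInfo; the 192.0.2.0/24 range and the DNSBL_LISTED environment variable are placeholders, since a DNS blacklist module sets whatever variable its own documentation names:

```apache
# Added example, not from the thread: root .htaccess for the board.
# Assumes Apache 2.4 with mod_rewrite loaded and "AllowOverride FileInfo".
RewriteEngine On

# 1. Hand-maintained denylist of hosts seen attacking the board.
#    192.0.2.0/24 is a constructed documentation range standing in for
#    addresses taken from your own logs. [F] answers 403 Forbidden and
#    stops rewrite processing for the request.
RewriteCond %{REMOTE_ADDR} ^192\.0\.2\.
RewriteRule ^ - [F]

# 2. Automatic blacklisting: a DNS blacklist module (mod_dnsbl is mentioned
#    above) usually exports its verdict as an environment variable that
#    mod_rewrite can test. DNSBL_LISTED is a hypothetical name; substitute
#    the variable your module documents.
RewriteCond %{ENV:DNSBL_LISTED} =1
RewriteRule ^ - [F]

# 3. Defence in depth for install/ and contrib/: they should be deleted
#    after setup, but if they ever reappear nobody can reach them from the
#    web. [NC] makes the match case-insensitive.
RewriteRule ^(install|contrib)(/|$) - [F,NC]

# Refused requests still appear in the access log with status 403, which
# is how you confirm the rules are firing.
```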
