Do basic group permissions rely on .htaccess file settings?

Get help with installation and running phpBB 3.3.x here. Please do not post bug reports, feature requests, or extension related questions here.
tgjgold
Registered User
Posts: 24
Joined: Mon Aug 08, 2022 7:15 pm

Do basic group permissions rely on .htaccess file settings?

Post by tgjgold »

Hello Wiser than me,

I have installed an out of the box 3.3.8 phpBB. The site is intended for a few dozen invited people, but they first have to get to the site and register on their own. I do not know the people personally. Only a few have registered, and from the ACP logs there is barely any activity from them.

So I gave bots and guests - no access, except guests can see an about forum on the home page.

I'm assuming no access means anyone can still get to the home page.

If I wanted to firewall access I would have to use .htaccess on Apache or web.config on IIS.

I am on IIS.

I am dismayed at the amount of access still available.

My question is,

Does the installation .htaccess file perhaps contain some fundamental settings that I need to transpose to web.config on IIS? Is it possible to stop bots getting to the home page to begin with? I do not need Google or anything to promote the site.

robots stats.png

I don't understand how I could have so many hits on the member list page, which is not available from the home page or the forum topics viewable.

page hits.png

It seems like I will have to somehow deny access to Britain, using the webconfig file, in my case.
Has anyone perhaps done so? Why would all that traffic be coming from only two IP addresses?


country hits.png

Silly me, I thought no access would keep everything private.
Any suggestions welcomed.
warmweer
Jr. Extension Validator
Posts: 11268
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Bel ... gium

Re: Do basic group permissions rely on .htaccess file settings?

Post by warmweer »

tgjgold wrote: Tue Aug 16, 2022 3:37 am ...
Silly me, I thought no access would keep everything private.
No Access means that the content of that page cannot be seen (based on the phpBB permissions).
But anyone can still browse to the urls. Try it without being logged in.
Spelling is freeware, which means you can use it for free.
On the other hand, it is not open source, which means you cannot change it or publish it in a modified form.


Time flies like an arrow, but fruit flies like a banana.
Mick
Support Team Member
Posts: 26546
Joined: Fri Aug 29, 2008 9:49 am

Re: Do basic group permissions rely on .htaccess file settings?

Post by Mick »

tgjgold wrote: Tue Aug 16, 2022 3:37 am I don't understand how I could have so many hits on the member list page
Probably spambots, that’s one of their favourite haunts. They do it all the time on this site. Please fill out the Support Request Template and post it back here to enable us to assist you better.
  • "The more connected we get the more alone we become" - Kyle Broflovski©
  • "The good news is hell is just the product of a morbid human imagination.
    The bad news is, whatever humans can imagine, they can usually create.
    " - Harmony Cobel
tgjgold
Registered User
Posts: 24
Joined: Mon Aug 08, 2022 7:15 pm

Re: Do basic group permissions rely on .htaccess file settings?

Post by tgjgold »

Hello again warmweer,

I do see that anyone can access the page by knowing its url and after checking the request is redirected to the post in page.
And it would make sense for some hacker to get hold of the login names and then just have to crack the passwords.

memberlist pg denied access.png
I will look to see what the template form is like, don't want to give out site specific information.

Do you know if there's anything in the .htaccess file settings that phpBB sets either at installation or thereafter that would need to be copied to the corresponding IIS server web.config file?

I was trying not to post too much, thus the multiple related questions in the original post. Is this not good protocol? e.g. the question on blocking access from Britain via the .htaccess file?

I'll re-read the guidelines, but will stick to one question in the future.
Any short answers, if possible, to the questions above are appreciated.

thanks.
warmweer
Jr. Extension Validator
Posts: 11268
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Bel ... gium

Re: Do basic group permissions rely on .htaccess file settings?

Post by warmweer »

tgjgold wrote: Tue Aug 16, 2022 12:47 pm And it would make sense for some hacker to get hold of the login names and then just have to crack the passwords.
If that were possible, phpBB would have been hacked a long time ago already.
tgjgold
Registered User
Posts: 24
Joined: Mon Aug 08, 2022 7:15 pm

Re: Do basic group permissions rely on .htaccess file settings?

Post by tgjgold »

warmweer wrote: If that were possible, phpBB would have been hacked a long time ago already.
I'm sorry for not being precise.
What I was aiming to explain was why there would be so many hits on the memberlist page.

Were one able to see the member handles, the guest would have the login names to try hacking.

There were also many hits on the search and I can see now that if there's anything in the forum
that slipped by with guest permissions, the topics would show up and the corresponding login names.

And obviously if the admin posts anything, the admin's login name would be given away in red.
And in that case that's a safety issue that even a registered user could exploit.
The captcha while logging in would not kick in till 3 incorrect tries or so. (maybe it's a setting)

I'm sure you are aware of all this, but someone new like me might miss it.
So I just tossed it in.

OK. so no help on locking out Britain?

But for now my safest approach is to not allow registration at all, unless I'm given a heads up and momentarily enable it, or I add the user manually.

If anyone knows the answer to the original question on .htaccess, I would be much obliged.

thanks.
david63
Registered User
Posts: 20646
Joined: Thu Dec 19, 2002 8:08 am

Re: Do basic group permissions rely on .htaccess file settings?

Post by david63 »

tgjgold wrote: Tue Aug 16, 2022 5:39 pm If anyone knows the answer to the original question on .htaccess, I would be much obliged.

thanks.
The answer is that in a standard install of phpBB there is no connection between phpBB's permission system and a .htaccess file.
David
Remember: You only know what you know and - you don't know what you don't know!

I now no longer support any of my extensions but they will start to become available here
Mick
Support Team Member
Posts: 26546
Joined: Fri Aug 29, 2008 9:49 am

Re: Do basic group permissions rely on .htaccess file settings?

Post by Mick »

If a ‘hacker’ was so interested in getting in and he needed user names I’m sure he’d join up first so everything would be there for him to see. I personally think you’re worrying about nothing. It is extremely unlikely anyone is trying to hack your board. Have you spoken to your host about it as, should it happen, it would most likely be server side not the board? What registration settings and spambot countermeasures do you have in place?
thecoalman
Community Team Member
Posts: 5885
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Do basic group permissions rely on .htaccess file settings?

Post by thecoalman »

The web.config file should be present and is the equivalent of the .htaccess file. Among other things they will attempt to block access to some files no one should be accessing. Web security is layered and it's just one layer. As already mentioned it has no connection to phpBB permissions.

There are no known exploits in phpBB; "hackers" aren't sitting at a keyboard trying to break into your site. They have scripts and just bang away at IPs/domains looking for known exploits.

If you want to block common bots like Google/Bing/etc. the best method is with robots.txt.
https://developers.google.com/search/do ... bots/intro
tgjgold wrote: What I was aiming to explain was why there would be so many hits on the memberlist page.

Were one able to see the member handles, the guest would have the login names to try hacking.
With phpBB's default permissions this should be denied to anyone that is not logged in. In any event, under security settings there are settings for failed logins: accounts are time barred for a short time after X amount of login failures. With a sufficient password it would take them six gazillion years to brute force the correct one.

As far as your stats and blocking the UK, AWStats uses GeoIP, which may or may not be providing accurate information. Additionally, trying to do this with .htaccess can create performance issues. If you feel it necessary your best bet is to look into a service like Cloudflare. Optionally, if you have a small group you can whitelist IPs, but you need to manage that list if their IPs are changing.
“Results! Why, man, I have gotten a lot of results! I have found several thousand things that won’t work.”

Attributed - Thomas Edison
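The "time barred after X failures" behaviour thecoalman describes is easy to reason about with a small model. The following is an added example written for this page, not phpBB's own code: a sliding-window login throttle with constructed thresholds (3 failures in 10 minutes, 5 minute bar) replayed over constructed audit lines, so you can see how a burst of bad passwords against one account is refused without the password even being checked.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple


@dataclass
class LoginThrottle:
    """Time-bar a username after max_failures failed logins inside a sliding window.

    The numbers below are constructed for the example; they are not phpBB's
    defaults, and the whole class is a stand-alone illustration, not phpBB code.
    """
    max_failures: int = 3      # failures that trigger the time bar
    window: float = 600.0      # seconds over which failures are counted
    lockout: float = 300.0     # seconds the account stays barred
    _failures: Dict[str, Deque[float]] = field(default_factory=dict)
    _locked_until: Dict[str, float] = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        """True while the user's time bar is still running."""
        return self._locked_until.get(user, 0.0) > now

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed attempt; return True if this one starts a lockout."""
        attempts = self._failures.setdefault(user, deque())
        attempts.append(now)
        # Drop failures that fell out of the sliding window.
        while attempts and now - attempts[0] > self.window:
            attempts.popleft()
        if len(attempts) >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            attempts.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login resets the failure counter."""
        self._failures.pop(user, None)


# Constructed login-audit lines (unix time, outcome, username, client IP);
# this is not phpBB's log format, just sample input for the example.
SAMPLE_LOG = """\
1660600000 LOGIN_FAIL admin 203.0.113.10
1660600020 LOGIN_FAIL admin 203.0.113.10
1660600040 LOGIN_FAIL admin 203.0.113.10
1660600050 LOGIN_FAIL admin 203.0.113.10
1660600400 LOGIN_OK alice 198.51.100.7
"""


def replay(log: str, throttle: LoginThrottle) -> List[Tuple[str, str]]:
    """Feed each log line through the throttle and return what happened to it."""
    outcome: List[Tuple[str, str]] = []
    for line in log.splitlines():
        ts, kind, user, _ip = line.split()
        now = float(ts)
        if throttle.is_locked(user, now):
            # Attempt arrives during the time bar: refuse without checking the
            # password, so the guess budget does not grow while the bar runs.
            outcome.append((user, "REJECTED_LOCKED"))
            continue
        if kind == "LOGIN_FAIL":
            started_lockout = throttle.record_failure(user, now)
            outcome.append((user, "LOCKED" if started_lockout else "FAIL"))
        else:
            throttle.record_success(user)
            outcome.append((user, "OK"))
    return outcome


if __name__ == "__main__":
    for event in replay(SAMPLE_LOG, LoginThrottle()):
        print(event)
```

The replay shows the third failure against `admin` starting the bar and the fourth being refused outright. Keying the counter on the username alone is what makes the lockout-the-admin worry raised later in the thread possible; keying on the (username, client IP) pair, or bars that grow with each repeat rather than a flat counter, keeps the protection while making it harder for a third party to bar a legitimate account.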
tgjgold
Registered User
Posts: 24
Joined: Mon Aug 08, 2022 7:15 pm

Re: Do basic group permissions rely on .htaccess file settings?

Post by tgjgold »

Thank you all for the great responses!
Mick wrote: What registration settings and spambot countermeasures do you have in place?
Registrations were set for administrator approval, bots "no access". I had a limited "about" forum - accessible to users with a couple of topics - registration eligibility information - and a second short one of interest to the residents of a homeowners association.

My intent was to see if there was enough interest in the community and see if the HOA board would sponsor it or else manage it independently, which I now prefer. I opted to do admin registration approval so I could confirm residency. After seeing the number of hits the site was getting, it appeared that if I wanted to show the board that this site was bullet proof, then this was not the way to do it, except I've got to get the residents to sign up, which a few did.
thecoalman wrote: "hackers" aren't sitting at a keyboard trying to break into your site
I soon started getting hack registrations with login email addresses such as
[email protected] - and luckily I was monitoring since I got three of those in about 5 minutes.
So I am assuming it would have to be a person doing it to get through the captcha.
Also look at how many hits from one IP address?
So I will change methodology and have closed web side open registration.

I also had a zillion search hits, and I did find a phpBB posting on how to deny guests search.
I found a couple of topics without post enabled that still had guest permissions by using search.

Thank you for the basic guidance on blocking out google, which a closed site doesn't need.

If someone within the registered users wanted to screw the admin and can see their login, then they could sign in repeatedly until the system locks out further signing in. I'm not sure how I've got those settings but it's there for safety. As an admin, if I go to sign in and am locked out, it would give me the creeps.
Mick wrote: it would most likely be server side
What happens if the admin loses his password? Is it un-encrypted in the MySQL database?

----------------------------------------

I will check feature suggestions, if it's not already one, to add an admin alias field in the profile so that it would appear in place of the admin login handle wherever there's a UI field that currently would display the actual login.

I imagine that the admins on this site already do not post, but in a small group it would be nice to see 'admin' online or what site related news were posted.
HiFiKabin
Community Team Member
Posts: 6676
Joined: Wed May 14, 2014 9:10 am
Location: Swearing at the PC, UK
Name: James

Re: Do basic group permissions rely on .htaccess file settings?

Post by HiFiKabin »

Are you using the default prosilver style? if not what style are you using?

Which CAPTCHA are you using for registration?

What (if any) extensions have you enabled?
Mick
Support Team Member
Posts: 26546
Joined: Fri Aug 29, 2008 9:49 am

Re: Do basic group permissions rely on .htaccess file settings?

Post by Mick »

What you call hackers aren’t hackers they’re spambots. Can you post a link so we can have a look please?
warmweer
Jr. Extension Validator
Posts: 11268
Joined: Fri Jul 04, 2003 6:34 am
Location: Van Allen Bel ... gium

Re: Do basic group permissions rely on .htaccess file settings?

Post by warmweer »

tgjgold wrote: Wed Aug 17, 2022 4:20 pm What happens if the admin loses his password? Is it un-encrypted in the mySql database?
No. Actually, you can see that for yourself (users_table).
thecoalman
Community Team Member
Posts: 5885
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Do basic group permissions rely on .htaccess file settings?

Post by thecoalman »

tgjgold wrote: Wed Aug 17, 2022 4:20 pm [email protected] - and luckily I was monitoring since I got three of those in about 5 minutes.
This is a spammer. Gmail does not consider the period as part of the email address, thus [email protected], [email protected], [email protected] and any other variation goes to the same Gmail account. This behavior for a mail provider is not typical, so phpBB does not check for it. Spammers will exploit this on phpBB forums (and elsewhere) by registering multiple accounts with effectively the same email address. It's a Gmail issue because they get multiple email accounts by registering one account with Gmail.

tgjgold wrote: I also had a zillion search hits, and I did find a phpBB posting on how to deny guests search.
One thing to be aware of is that your server stats are not necessarily indicative of someone actually using that page. The server stats are going to record any request for search.php (and other pages), including ones where they are getting the error "you do not have permissions..." issued by phpBB.

tgjgold wrote: If someone within the registered users wanted to screw the admin and can see their login, then they could sign in repeatedly until the system locks out further signing in.
While it's a valid issue, I don't recall this issue ever coming up. You would need to be fairly persistent to do this. One thing you can do is find an old unused account. Change the email, username and password. Set the account to founder status. An account with founder status has full admin privileges and doesn't need to belong to any admin group. It's a stealth account that can be used for various things, if for example you lose control of your main account. Founders can only be administered by other founders and the account is not easily found without direct access to the DB.
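The Gmail dot behaviour thecoalman describes is the reason a plain string comparison on registration emails misses repeat sign-ups. The following is an added example for this page, not phpBB code: a canonicaliser that, for gmail.com and googlemail.com only, drops dots from the local part, and a grouping pass that flags registrations sharing one mailbox. It goes slightly beyond the post by also stripping Gmail's `+tag` suffix, which Google likewise ignores. The addresses in `REGISTRATIONS` are constructed sample input.

```python
from typing import Dict, List

# Domains Google delivers to the same mailbox namespace (known Gmail behaviour).
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

# Constructed registration attempts modelled on the post: one Gmail mailbox
# signed up several times with the dots moved, plus two non-Gmail addresses.
REGISTRATIONS: List[str] = [
    "john.smith@gmail.com",
    "jo.hn.smith@gmail.com",
    "johnsmith@googlemail.com",
    "johnsmith+forum@gmail.com",
    "john.smith@example.org",
    "johnsmith@example.org",
]


def normalize_email(addr: str) -> str:
    """Return a canonical form of addr for duplicate detection.

    For Gmail/Googlemail the dots in the local part and any +tag are dropped,
    because Google delivers all such variants to one mailbox. For every other
    domain the local part is kept as written (apart from case), since most
    providers do treat dots as significant, exactly as the post says.
    """
    local, _, domain = addr.strip().rpartition("@")
    local, domain = local.lower(), domain.lower()
    if domain in GMAIL_DOMAINS:
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


def find_duplicates(addresses: List[str]) -> Dict[str, List[str]]:
    """Group addresses by canonical form; return only groups with more than one member."""
    groups: Dict[str, List[str]] = {}
    for a in addresses:
        groups.setdefault(normalize_email(a), []).append(a)
    return {canon: members for canon, members in groups.items() if len(members) > 1}


if __name__ == "__main__":
    for canon, members in find_duplicates(REGISTRATIONS).items():
        print(canon, "<-", members)
```

Run against the sample list it reports one group of four Gmail variants and leaves the two example.org addresses apart, since there the dot is a real difference. A board that approves registrations by hand can run the same check over pending accounts; a board doing it automatically should store the canonical form alongside the address the user typed rather than rewriting what they entered.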
Mick
Support Team Member
Posts: 26546
Joined: Fri Aug 29, 2008 9:49 am

Re: Do basic group permissions rely on .htaccess file settings?

Post by Mick »

Agreed, I can’t say as I’ve ever heard of any phpBB board being brute forced. My advice is enjoy your board.