27th May 2010, 02:28 AM #1 OP Member
Secure Your Forum
Alright, since I am White Hat I decided to make a tutorial on how to secure your forum. Following everything will not make your site impossible to hack, as anything can be hacked; however, it will help cut down on script kiddies. This is not a copy and paste, I spent time writing it up so it might have some grammatical errors, so if you catch any let me know. Any changes just reply.
Staff - This is one of the biggest reasons why and how sites get hacked (little kids' favorite method). They will tell a staff member to sign up on their forum and phish their password. Tell all your staff members to use a separate password for your forum that is completely different than any other site they visit. Using a random character generator with no words makes a huge difference. Also set or remind your staff to change their password at least once every 60 days.
Admin Folder (more info) - Move the default admin folder. This means if any admin account at a forum level gets hacked the chance of them gaining admin cp access is greatly reduced since they won't know where to go to access the admin cp. Another option which requires some work but would be helpful is to keep the default admin login and save records of attempts, so you can see who is trying to access the admin cp. Another tip regarding the Admin Folder is to add an htaccess with a user name and password. This adds a second level of security. Give a separate one to each user who has admin cp access. You can also allow only certain IPs.
Who Can Access - Based on KWWHunction and how members look for staff be careful who can access the admin cp. Don't just give your forum power to anyone, no matter how trustworthy they seem.
Forum Mods/Add ons - Be careful as to what you install. An example is the inferno shoutbox for vBulletin. Although it has great features, it not only uses a lot of your server's CPU, it is also exploitable. How to prevent this? Do some simple searching to see if the mod you're installing is exploitable.
Forum Upgrades - Always make sure you have the latest version of your forum script as it will help prevent a lot of these exploits.
Remove Unneeded Files - One example is to remove your install files & folders. A lot of sites don't do this and it is a major mistake. If you're using vb the whole install folder should be removed. Another example is the upgrade file on vb. It is only a problem if they get your vb customer number, but just to be safe.
Originally Posted by Mr Happy;
General - For Posts, PM, Signatures never allow any code other than bbc. Allowing HTML can lead to problems. Forum Attachments should only be allowed for staff. You should also keep daily backups. You never know when your forum can go down. Your host can close at any time, or anything can happen.
Any suggestions on what I should add or fix let me know. This covers all the basics.
-
27th May 2010, 02:32 AM #2 Member
Nice guide mate, keep it up.
My boards always got "hacked" by the first method you explained, other admins giving out their standard pass.
-
27th May 2010, 02:56 AM #3 Member
Really A Nice Guide Bro.
Wanted to elaborate on the second point, as many people don't know about it. I helped my fellow mates over here to secure the admin section through htaccess.
Make .htaccess file in your Admin Folder
And add this to it
AuthUserFile /full/path/to/.htpasswd
AuthName "Anything Can Be Written Here"
AuthType Basic
require valid-user
Then make another file .htpasswd in the same directory that you have mentioned above in .htaccess file.
In .htpasswd Add these lines
username:encryptedpassword
You can encrypt password from here :
http://www.kxs.net/support/htaccess_pw.html
Some more things you can do with .htaccess are :
If Admin Folder is not in use you can use this command
1.
# no one can login
deny from all
2.
# no hackers can enter
order deny,allow
deny from all
# 192.0.2.10 is a placeholder: put your own LAN IP here
allow from 192.0.2.10
3. If you want to show any html to the person whose IP is disabled :
# quick custom error "document"..
# a denied IP is answered with 403 Forbidden, so the page is bound to 403
ErrorDocument 403 "<html><head><title>NO!</title></head><body><h2><tt>Fuck you Retard</tt></h2></body></html>"
If you encounter any problems then get back to me regarding any security.
DeLeTeD took a nice step to make this thread.
I will also share some of my knowledge regarding security soon. Feeling a bit lazy right now. Lolz..
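The password and IP restrictions from posts #1 and #3, written for Apache 2.4, where Require replaces the older order/deny/allow directives. This is an added example, not part of the original posts; the file path, user name and IP address are placeholders, and the password file is kept outside the web-served folder with its hash generated locally by htpasswd.

```apache
# Added example for Apache 2.4: .htaccess placed in the admin folder.
# Placeholders (assumptions): /home/example/private/.htpasswd, adminuser,
# 192.0.2.10.
#
# Create the password file on the server itself, outside any web-served
# directory, so the hash can never be downloaded:
#   htpasswd -B -c /home/example/private/.htpasswd adminuser
# -B stores a bcrypt hash; leave out -c when adding further users,
# one entry per person with admin cp access.

AuthType Basic
AuthName "Admin area"
AuthBasicProvider file
AuthUserFile "/home/example/private/.htpasswd"

# Both conditions must hold: a valid login AND an allowed address.
# This replaces "order deny,allow / deny from all / allow from ...".
<RequireAll>
    Require valid-user
    Require ip 192.0.2.10
</RequireAll>

# Requests refused by the address check get 403 Forbidden, not 404,
# so the custom text is bound to 403.
ErrorDocument 403 "Access denied."

# Basic auth sends the password base64-encoded, not encrypted:
# serve the admin folder over HTTPS only.

# To close an unused admin folder completely, use this single line
# instead of everything above:
#   Require all denied
```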
-
27th May 2010, 03:03 AM #4 OP Member
Thanks anantgupta, I added a link for more info. If you elaborate more on any point I'll link it, making it a more complete guide. There is more information that can be added, I just don't have the time to add it all. I'm sure others here on KWWH will post great useful stuff and I'll add it on.
-
27th May 2010, 05:36 AM #5 Member
Thanks DeLeTeD
Already knew about it but this is good for n00bs
-
27th May 2010, 01:36 PM #6 Banned
Forum Mods/Add ons - Be careful as to what you install. An example is the inferno shoutbox for vBulletin. Although it has great features it not only uses a lot of your servers CPU it is also exploitible. How to prevent this? Do some simple searching if the mod your installing is exploitble.
INFERNO SHOUTBOX IS NOT EXPLOITABLE
There's a different mod which has inferno in it and is exploitable.
-
27th May 2010, 01:42 PM #7 Respected Developer
Along with removing the install folders, if (and I know most here are) using a nulled version of a script, make sure you remove the validate.php or keygen.php or any other files you used to install the site. More info from Litewarez here http://www.besthostingforums.com/showthread.php?t=21057
-
27th May 2010, 07:29 PM #9 Member
Great tutorial.
-
27th May 2010, 07:41 PM #10 mmm mmm!
Thanks for sharing your tut with us