how i protect my forum from hackers

Started by hossam_2009_2008, July 08, 2010, 09:56:24 AM


hossam_2009_2008

Hi,
I am a new SMF user. I made a forum for my web hosting company; it will be the target of some Arabic hackers and I need to protect it.
Please just give me some ways to protect my forum from hackers.
Other question:
After I installed SMF 2 it worked perfectly, then after some minutes >> hxxp:ma3hd.el5olfaa.com/index.php [nonactive]

akc42

Only my opinion - and with relatively limited experience in this, but ...

I think there are three main attacks

1) Trying to log in as Admin

Keep the password difficult to guess and change it frequently.
Monitor the logs for unusual attempts to guess it.

2) Accessing the database

Ensure Settings.php is only readable by you and the web server (I hope your hosting account runs the web server for you with you as the user). Set the permissions on that file to 600.

Make sure the database password is difficult to guess. It is best to generate a random one and use that.

3) Getting into your hosting account

Keep the password difficult to guess and changed frequently.

From my experience, I have had a FAR WORSE experience with forum spam. People try to sign up and then leave links, images and posts about pornography or viagra or whatever. I use "Stop Forum Spam" to check out all new members before they sign in, and if their IP address has been used for spam I add it to the ban list. Stop Forum Spam is at http://www.stopforumspam.com


cicka

The most important thing in my opinion is to make sure that you always have the latest version of the forum.
Additionally, please have a look here too. It has some very good tips.

http://docs.simplemachines.org/index.php?topic=463


hossam_2009_2008

Thanks akc42 for the reply; all the things you told me are done.
But now I have a problem: just minutes after installing, the forum won't work!!
ma3hd.el5olfaa.com/index.php

kat

If you changed passwords relating to your database/CPanel, you'll need to change them in Settings.php, too.


Try this: http://www.simplemachines.org/community/index.php?topic=18096.0

searchgr

Quote from: akc42 on July 08, 2010, 10:28:48 AM

Ensure Settings.php is only readable by you and the web server (I hope your hosting account runs the web server for you with you as the user). Set the permissions on that file to 600.



Can someone confirm, please? My Settings.php file permissions are 0755.

akc42

Quote from: searchgr on July 09, 2010, 05:41:14 PM
Can someone confirm, please? My Settings.php file permissions are 0755.

I can't be definitive unless I know what "user" your web server runs as. What those permissions (755) say is that you (i.e. the user you are logged in as) can read and write Settings.php, anyone in the same group can read the file, and the whole world can read the file. Since Settings.php contains your database name, database user name and database user's password, anyone (even someone with another account on the same computer) can get your database password, and therefore log on to it and change things.

If your web server runs as you, you can change the permissions to 600, which means only you can see the file. If it runs as another user (typically www-data), then the best approach would be to change the "group owner" of the file to www-data and set the permissions to 660. (The 7 is the execute bit added to 6 and, as far as I know, is irrelevant.)

Don't forget Settings_bak.php either. The same applies.

waruna

Quote from: akc42 on July 10, 2010, 02:37:26 AM
If your web server runs as you, you can change the permissions to 600, which means only you can see the file. If it runs as another user (typically www-data), then the best approach would be to change the "group owner" of the file to www-data and set the permissions to 660. (The 7 is the execute bit added to 6 and, as far as I know, is irrelevant.)

Don't forget Settings_bak.php either. The same applies.

Hey there. Sorry for interrupting. I tried to change the permissions of those two files (Settings.php and Settings_bak.php) from 777 to 600, but it seems an error comes up when accessing my forum.
Trust of Lust

Narheru

Quote from: waruna on July 10, 2010, 06:11:11 AM
Hey there. Sorry for interrupting. I tried to change the permissions of those two files (Settings.php and Settings_bak.php) from 777 to 600, but it seems an error comes up when accessing my forum.

With 600 the script can't execute the file. You have to set it to 700. If it doesn't work, try setting it to 711.

akc42

Yes, my apologies, I was forgetting that it was a script that was run and not just a file that was read. 700 rather than 600.

searchgr

Since I changed it I get the following error message:

[Thu Jul 15 11:58:15 2010] [error] [client xxxxxxxx] (13)Permission denied: file permissions deny server access: /home/xxxx/public_html/404.shtml, referer: http://www.xxxxxx.net/index.php?action=post2

akc42

Quote from: searchgr on July 15, 2010, 02:35:14 PM
Since I changed it I get the following error message:

[Thu Jul 15 11:58:15 2010] [error] [client xxxxxxxx] (13)Permission denied: file permissions deny server access: /home/xxxx/public_html/404.shtml, referer: http://www.xxxxxx.net/index.php?action=post2

It probably means that the web server is running under its own user rather than using the permissions of user xxxx.

You will need to make sure the web server can read it. Unfortunately, without more details of how far you know how to get into the system, I can't give you an easy recipe to fix it. If you know what you are doing, then setting the group to that of the web server and setting the permissions to 750 is one way.
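Added example, not from the thread or from SMF itself: a small POSIX shell script that does by hand what the permission discussion above (the 755 → 600 → 700 exchange about Settings.php, and the "(13)Permission denied" line for 404.shtml) works through. It assumes a Linux host with GNU coreutils (stat -c); the web server account name is supplied by the caller, and www-data in the demo is only a placeholder. Two points worth pinning down: a PHP file is read by the interpreter (mod_php, PHP-FPM, FastCGI or suPHP), never executed by the kernel, so the execute bit (the 7 in 755 or 700) changes nothing; what broke at 600 is that the server runs as a different account from the file's owner and so lost read access, and that same loss of read access is what Apache is reporting for 404.shtml. The remedy is to give the file the server's group and use 660 (SMF rewrites Settings.php when server settings are saved from the admin panel, so it needs write as well as read), or 640/750 for files the server only reads. The script's can_read function makes that owner/group/other reasoning explicit so you can test a mode before applying it.

```shell
#!/bin/sh
# Added example, not from the thread: audit the mode of SMF's Settings.php
# (and Settings_bak.php) and lock it down so the web server user can still
# read it while other accounts on a shared host cannot.
# Assumptions: Linux with GNU coreutils (stat -c); the web server account
# name is supplied by the caller (www-data below is only a placeholder).

# mode_triples FILE -> the three permission digits of FILE (755 -> "755"),
# with any setuid/setgid/sticky digit dropped (4755 -> "755").
mode_triples() {
    m=$(printf '%04d' "$(stat -c '%a' "$1")")
    printf '%s\n' "${m#?}"
}

# can_read FILE USER GROUP -> success if an account named USER whose group is
# GROUP could read FILE under the classic owner/group/other rules.
can_read() {
    f=$1 user=$2 group=$3
    m=$(mode_triples "$f")
    if [ "$(stat -c '%U' "$f")" = "$user" ]; then
        bit=${m%??}                       # owner digit
    elif [ "$(stat -c '%G' "$f")" = "$group" ]; then
        bit=${m#?}; bit=${bit%?}          # group digit
    else
        bit=${m#??}                       # other digit
    fi
    case $bit in 4|5|6|7) return 0 ;; *) return 1 ;; esac
}

# other_can_read FILE -> success if the "other" read bit is set, i.e. any
# account on the machine (another customer on a shared host) can read it.
other_can_read() {
    case $(mode_triples "$1") in ??[4567]) return 0 ;; *) return 1 ;; esac
}

# lock_down FILE WEBUSER WEBGROUP -> apply the rule from the thread and print
# the mode that was set:
#   600 when the web server runs as the file's owner;
#   660 with the group changed to WEBGROUP when it runs as another account
#   (group read for the server, write because SMF rewrites Settings.php when
#   server settings are saved from the admin panel).
# No execute bit: PHP scripts are read by the interpreter, not executed.
lock_down() {
    f=$1 webuser=$2 webgroup=$3
    if [ "$(stat -c '%U' "$f")" = "$webuser" ]; then
        chmod 600 "$f" && echo 600
    else
        chgrp "$webgroup" "$f" && chmod 660 "$f" && echo 660
    fi
}

# lock_down_smf FORUMDIR WEBUSER WEBGROUP -> lock down Settings.php and, if
# present, Settings_bak.php; prints one "file mode" line per file.
lock_down_smf() {
    dir=$1
    for name in Settings.php Settings_bak.php; do
        [ -f "$dir/$name" ] || continue
        printf '%s %s\n' "$name" "$(lock_down "$dir/$name" "$2" "$3")"
    done
}

# detect_web_user -> first non-root account running a common web server or
# PHP-FPM process, or nothing if none is running (e.g. on a workstation).
detect_web_user() {
    ps -eo user=,comm= 2>/dev/null |
        awk '$1 != "root" && $2 ~ /^(apache2|httpd|php-fpm|nginx)/ { print $1; exit }'
}

# Demonstration on a constructed, throw-away forum directory.
demo() {
    d=$(mktemp -d)
    printf '<?php\n$db_passwd = "constructed-example";\n' > "$d/Settings.php"
    cp "$d/Settings.php" "$d/Settings_bak.php"
    chmod 755 "$d/Settings.php" "$d/Settings_bak.php"   # the 0755 from the thread
    echo "before: $(mode_triples "$d/Settings.php"), world readable: $(other_can_read "$d/Settings.php" && echo yes || echo no)"
    # www-data is a placeholder; the caller's own gid stands in for the server's group
    lock_down_smf "$d" www-data "$(id -g)"
    echo "after:  $(mode_triples "$d/Settings.php"), world readable: $(other_can_read "$d/Settings.php" && echo yes || echo no)"
    echo "detected web server user: $(detect_web_user)"
    rm -rf "$d"
}

demo
```

On a real host, run `detect_web_user` (or check your hosting panel) to learn the account the server runs as, then `lock_down_smf /home/you/public_html www-data www-data` with the real names; if chgrp is refused because you are not a member of the server's group, the hosting provider has to do that step, or the server runs as you and 600 is the answer.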
