Securing The Newly created Forum

Started by Old Lynx, November 23, 2007, 05:28:04 PM


Old Lynx

Hi guys

I have just finished creating my SMF-based forum (as some of you know already ;)) and now, before I start posting the goodies, I want to be 100% sure that I have taken all the steps necessary to make my forum as secure as possible from hackers and "bad do-ers".

So can you please tell me all the steps to securing my forum

Thanks  :)

babjusi

SMF is pretty secure right out of the box. For your peace of mind, here are some tips on how you can tighten the security further.

Keep your SMF forum installation current and install any new updates that come along, no matter how small. Pick a secure username and password for your admin account.

The less admin accounts you have the better too. Try and keep it down to just you or a trusted co-admin.

Most exploits often are server related where someone has managed to access your forum install from an insecure script someone else has installed on the server. The other most popular method comes from not running the most recent version of your forum software.


You can also lock down permissions. Make everything except the attachments and avatars directory have permissions of 444 or 440. This will prevent most exploits from being able to write to any of your files. Please note that installing new smilies, themes, and mods will not work then, and if you make the permission changes to Settings.php, you won't be able to adjust the items in the Server Settings admin section

And have a look here as well

http://docs.simplemachines.org/index.php?topic=463

Old Lynx

I'm gonna be the ONLY admin so that is OK

As for the passwords, how do I force the guy registering to have a password with at least one capital letter and at least one number ??

babjusi

It is more about your passwords that must be secure, Ciwan. But to answer your question, you can find the option you asked for in the ACP of your forum: Registration > Settings > Required strength for user passwords. Here you can choose from 3 options: low, medium and high.

Old Lynx

Cool thanks babjusi

Yeah I know you meant my own password (cause I'm the admin) but I think my password is strong enough ;) I want everyone else's password to be strong too.

And about locking down everything by changing the permissions, do I do that from my FTP program? And I change every single file?? Or just the folders?? (doing every single file will take a YEAR) And I don't do that to the Settings.php, right?

babjusi

You can chmod the folders via an FTP client or even through the file manager in the CP of your host.
And just the folders and files that I mentioned above will do.

Old Lynx

Right, I've just been to public html > forum > and changed the permissions for all the folders (not what's within them though) to 444 except for Attachments and avatars.

Is that better, yeah?? Do I have to change the permissions for what's inside the folders? And what about the files that are in the forum folder (e.g. SSI.php ..etc), do I change their permissions too?? (I know I must include the settings.php)

Old Lynx

Ohhhh something is not right !!


My forum has lots of little squares with red crosses for images !!! Have I done something wrong???? :(

babjusi

Maybe your images got corrupted, re-upload again the images directory of that theme that you are using and choose for the overwrite option.

About the security, it is mostly the server that you should worry about, as most exploits happen that way. Myself, I have installed a script that protects the server and the databases from MySQL injections, worm attacks and from spam too. I find it very useful. It is called ctracker and you can check it out here

http://www.ctxtra.de/download

Old Lynx

OK I just dragged the images folder from default (on my PC) to the same folder Default but on the server (I hit overwrite for everything)

I hope that fixes it, we shall see :)

Old Lynx

It didn't work  :( :( my site is still the same  :'(

Old Lynx

I've just spotted something strange !! You know earlier I changed the permissions on the folders (Packages, Smileys, Sources and Themes) to 444, now they are back at 775 again !!! What's going on?? I thought they were supposed to change to 444 and remain on that !!

Old Lynx

I wonder why things go wrong, even though you haven't touched a single thing !!!! it so......makes me angry :(

Ol' Wombat

Quote from: Ciwan on November 23, 2007, 07:25:11 PM
I've just spotted something strange !! You know earlier I changed the permissions on the folders (Packages, Smileys, Sources and Themes) to 444, now they are back at 775 again !!! What's going on?? I thought they were supposed to change to 444 and remain on that !!

If you used an FTP client to change file permissions then it might be a compatibility problem with your web host - wise idea to ask him which FTP clients are safe to use on their servers. I faced such a problem a long while ago.

Herman's Mixen

Quote from: Ciwan on November 23, 2007, 07:25:11 PM
I've just spotted something strange !! You know earlier I changed the permissions on the folders (Packages, Smileys, Sources and Themes) to 444, now they are back at 775 again !!! What's going on?? I thought they were supposed to change to 444 and remain on that !!

http://docs.simplemachines.org/index.php?topic=5

These are the defaults for the SMF folders and files, but you can give it 755 if ya doubt the permissions.
444 gives all read access and no execution, so that's why the page looks so weird.
Kind regards, The Burglar!

Any intelligent fool can make things bigger, more complex, and more violent.
It takes a touch of genius - and a lot of courage - to move in the opposite direction. - Albert Einstein

Former Godfather of our dutch community ;)

Old Lynx

Good Morning Guys

Right, it would seem Ol' Wombat was right, the FTP program I was using was not working with Site5 correctly. So I used Site5's own file manager, and I changed the permissions for all folders except (Attachments and Avatars). .......Now I've got a bigger problem :(:(:( Here is what I get when I go to my site:

[Warning: main(/home/kurdport/public_html/forum/Sources/QueryString.php) [function.main]: failed to open stream: Permission denied in /home/kurdport/public_html/forum/index.php on line 49

Fatal error: main() [function.require]: Failed opening required '/home/kurdport/public_html/forum/Sources/QueryString.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/kurdport/public_html/forum/index.php on line 49]

Someone please help !! what have I done wrong ??? :(:(

Old Lynx

I've just been checking the permissions again, and I spotted that the permissions for the [index.php] are set to 644, is this OK or should I change that to something else ??

Herman's Mixen

Kind regards, The Burglar!


Old Lynx

Hello

Sorry, I haven't been at home for the past two days (I went to visit cousins in Sheffield), that is why I have been quiet.

Right .... Burglar, I set the permissions for [index.php] to 775 but still I get that message:

[Warning: main(/home/kurdport/public_html/forum/Sources/QueryString.php) [function.main]: failed to open stream: Permission denied in /home/kurdport/public_html/forum/index.php on line 49

Fatal error: main() [function.require]: Failed opening required '/home/kurdport/public_html/forum/Sources/QueryString.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/kurdport/public_html/forum/index.php on line 49]

Help Please :(:(

DaveV

Ciwan,
Download and open your index.php in a text reader and see what's on line 49.

I just tried locking down my settings as described here and it shut me out of a lot of things giving similar errors. In my case, changing settings.php and the Themes folder was the culprit.
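
Added example, not part of any post above: a shell sketch of the read-only lockdown discussed in this thread that makes files 444 while keeping directories searchable (555), plus a check for directories that have lost their execute bit. The function names and the sample tree are constructed for illustration, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Directory and file names
# (Sources, Themes, attachments, avatars, Settings.php) follow the posts.

# List directories the owner cannot search. A directory at 444 can be
# listed, but nothing inside it can be opened: the "failed to open stream:
# Permission denied" error for Sources/QueryString.php. If PHP runs as a
# different user than the owner, test -001 instead of -100.
find_unsearchable_dirs() {
    find "$1" -type d ! -perm -100 2>/dev/null || true
}

# Read-only lockdown for a tree that is currently traversable:
# files 444, directories 555. The two upload directories are pruned,
# so they and their contents keep their existing writable modes.
lock_down() {
    root=$1
    find "$root" \( -path "$root/attachments" -o -path "$root/avatars" \) \
        -prune -o -type f -exec chmod 444 {} +
    find "$root" \( -path "$root/attachments" -o -path "$root/avatars" \) \
        -prune -o -type d -exec chmod 555 {} +
}

# Constructed sample tree standing in for public_html/forum.
make_sample_forum() {
    t=$(mktemp -d)
    mkdir -p "$t/Sources" "$t/Themes/default/images" \
             "$t/attachments" "$t/avatars"
    : > "$t/index.php"; : > "$t/Settings.php"
    : > "$t/Sources/QueryString.php"
    chmod 775 "$t/attachments" "$t/avatars"
    echo "$t"
}

# Octal mode of a path (GNU stat).
mode_of() { stat -c %a "$1"; }

forum=$(make_sample_forum)
chmod 444 "$forum/Sources"                # what happened in the thread
echo "unsearchable: $(find_unsearchable_dirs "$forum")"
chmod 755 "$forum/Sources"                # restore access before locking down
lock_down "$forum"
echo "Sources=$(mode_of "$forum/Sources")" \
     "QueryString.php=$(mode_of "$forum/Sources/QueryString.php")" \
     "attachments=$(mode_of "$forum/attachments")"
chmod -R u+w "$forum" && rm -rf "$forum"  # cleanup of the sample tree
```

With files at 444, installing themes, smileys and mods or saving Server Settings requires temporarily restoring write permission, as noted earlier in the thread.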
