Securing The Newly created Forum

Started by Old Lynx, November 23, 2007, 05:28:04 PM

Old Lynx

Hi guys

I have just finished creating my SMF based Forum (as some of you know already ;)) and now before I start posting the goodies, I want to be 100% sure that I have taken all the steps necessary to make my forum as secure as possible from hackers and "bad do-ers".

So can you please tell me all the steps to securing my forum?

Thanks  :)

babjusi

SMF is pretty secure right out of the box. For your peace of mind, here are some tips on how you can tighten the security further.

Keep your SMF forum installation current and install any new updates that come along, no matter how small. Pick a secure username and password for your admin account.

The fewer admin accounts you have the better too. Try and keep it down to just you or a trusted co-admin.

Most exploits are often server related, where someone has managed to access your forum install from an insecure script someone else has installed on the server. The other most popular method comes from not running the most recent version of your forum software.

You can also lock down permissions. Make everything except the attachments and avatars directory have permissions of 444 or 440. This will prevent most exploits from being able to write to any of your files. Please note that installing new smilies, themes, and mods will not work then, and if you make the permission changes to Settings.php, you won't be able to adjust the items in the Server Settings admin section.

And have a look here as well

http://docs.simplemachines.org/index.php?topic=463

Old Lynx

I'm gonna be the ONLY admin so that is OK

As for the passwords, how do I force the guy registering to have a password with at least one capital letter and at least one number ??

babjusi

It is more about your passwords that must be secure, Ciwan. But to answer your question, you can find the option you asked for in the ACP of your forum: Registration > Settings > Required strength for user passwords. Here you can choose from 3 options: low, medium and high.

Old Lynx

Cool thanks babjusi

Yeah I know you meant my own password (cause I'm the admin) but I think my password is strong enough ;) I want everyone else's password to be strong too.

And about locking down everything by changing the permissions, do I do that from my FTP program ? and I change every single file ?? or just the folders ?? (doing every single file will take a YEAR ) and I don't do that to the Settings.php right ?

babjusi

You can chmod the folders via an FTP client or even through the file manager in the CP of your host.
And just the folders and files that I mentioned above will do.

Old Lynx

Right I've just been to public html > forum > and changed the permissions for all the folders (not what's within them though) to 444 except for Attachments and avatars.

is that better yeah ?? Do I have to change the permissions for what's inside the folders ? and what about the files that are in the forum folder (e.g. SSI.php ..etc) do I change their permissions too?? (I know I must include the settings.php)

Old Lynx

Ohhhh something is not right !!

my forum has lots of little squares with red crosses for images !!! have I done something wrong???? :(

babjusi

Maybe your images got corrupted. Re-upload the images directory of the theme that you are using and choose the overwrite option.

About the security, it is mostly the server that you should worry about, as most exploits happen that way. Myself, I have installed a script that protects the server and the databases from mysql injections, worm attacks and from spam too. I find it very useful. It is called ctracker and you can check it out here

http://www.ctxtra.de/download

Old Lynx

OK I just dragged the images folder from default (on my PC) to the same folder Default but on the server (I hit overwrite for everything)

I hope that fixes it, we shall see :)

Old Lynx

it didn't work  :( :( my site is still the same  :'(

Old Lynx

I've just spotted something strange !! you know earlier I changed the permissions on the folders (Packages, Smileys, Sources and Themes) to 444, now they are back at 775 again !!! what's going on?? I thought they were supposed to change to 444 and remain on that !!

Old Lynx

I wonder why things go wrong, even though you haven't touched a single thing !!!! it so......makes me angry :(

Ol' Wombat

Quote from: Ciwan on November 23, 2007, 07:25:11 PM
I've just spotted something strange !! you know earlier I changed the permissions on the folders (Packages, Smileys, Sources and Themes) to 444, now they are back at 775 again !!! what's going on?? I thought they were supposed to change to 444 and remain on that !!

If you used an FTP client to change file permissions then it might be a compatibility problem with your web host - wise idea to ask them which FTP clients are safe to use on their servers. I faced such a problem a long while ago.

Herman's Mixen

Quote from: Ciwan on November 23, 2007, 07:25:11 PM
I've just spotted something strange !! you know earlier I changed the permissions on the folders (Packages, Smileys, Sources and Themes) to 444, now they are back at 775 again !!! what's going on?? I thought they were supposed to change to 444 and remain on that !!

http://docs.simplemachines.org/index.php?topic=5

These are the defaults for the SMF folders and files, but you can give them 755 if you doubt the permissions.
444 gives everyone read access and no execution, so that's why the page looks so weird.
Kind regards, The Burglar!

 House Mixes | Mixcloud | Any Intelligent fool can make things bigger, more complex, and more violent.
It takes a touch of genius - and a lot of courage - to move in the opposite direction. - Albert Einstein

Former Godfather of our dutch community ;)
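
Added example (not part of any post in this thread, and not SMF code): a shell sketch of the lock-down discussed above that sets files to 444 but directories to 555, because a directory at 444 has no search bit and nothing beneath it can be opened. The upload directory names `attachments` and `avatars` and the sample tree are assumptions constructed for the illustration.

```sh
#!/bin/sh
# Added example, not SMF code. Assumption: the only directories the forum
# must write to are named "attachments" and "avatars".

# Directories that lack the owner search (x) bit, e.g. a folder set to 444.
# PHP cannot open any file beneath such a directory.
untraversable_dirs() {
    find "$1" -type d ! -perm -100 -print 2>/dev/null || true
}

# Anything outside the upload directories that is still writable by anyone.
still_writable() {
    find "$1" \( -type d \( -name attachments -o -name avatars \) -prune \) -o \
        \( -perm -200 -o -perm -020 -o -perm -002 \) -print 2>/dev/null || true
}

# Directories -> 555 (read + search), files -> 444 (read only).
# Directories go first and one at a time, so a folder left at 444 is
# repaired before find descends into it.
lock_down() {
    find "$1" \( -type d \( -name attachments -o -name avatars \) -prune \) -o \
        -type d -exec chmod 555 {} \;
    find "$1" \( -type d \( -name attachments -o -name avatars \) -prune \) -o \
        -type f -exec chmod 444 {} +
}

# Constructed sample tree reproducing the state described in the thread.
make_sample_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/Sources" "$t/Themes/default" "$t/attachments" "$t/avatars"
    touch "$t/index.php" "$t/Settings.php" "$t/Sources/QueryString.php" \
          "$t/Themes/default/style.css" "$t/attachments/upload.bin"
    chmod 644 "$t/index.php" "$t/Settings.php"
    chmod 755 "$t/attachments" "$t/avatars"
    chmod 444 "$t/Sources"      # the setting that caused "Permission denied"
    printf '%s\n' "$t"
}

tree=$(make_sample_tree)
echo "before, untraversable directories:"; untraversable_dirs "$tree"
lock_down "$tree"
echo "after, untraversable directories:"; untraversable_dirs "$tree"
echo "after, still writable outside uploads:"; still_writable "$tree"
chmod -R u+w "$tree" && rm -rf "$tree"   # make the sample removable again
```

Settings.php is locked along with everything else here, so the Server Settings admin section cannot save changes until that file is made writable again.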

Old Lynx

Good Morning Guys

Right it would seem Ol' Wombat was right, the FTP program I was using was not working with Site5 correctly. So I used Site5's own file manager, and I changed the permissions for all folders except (Attachments and Avatars). .......Now I've got a bigger problem :(:(:( here is what I get when I go to my site:

[Warning: main(/home/kurdport/public_html/forum/Sources/QueryString.php) [function.main]: failed to open stream: Permission denied in /home/kurdport/public_html/forum/index.php on line 49

Fatal error: main() [function.require]: Failed opening required '/home/kurdport/public_html/forum/Sources/QueryString.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/kurdport/public_html/forum/index.php on line 49]

Someone please help !! what have I done wrong ??? :(:(

Old Lynx

I've just been checking the permissions again, and I spotted that the permissions for the [index.php] is set to 644, is this OK or should I change that to something else ??

Herman's Mixen

Old Lynx

Hello

Sorry I haven't been at home for the past two days (I went to visit cousins in Sheffield), that is why I have been quiet.

Right .... Burglar I set the permissions for [index.php] to 775 but still I get that message:

[Warning: main(/home/kurdport/public_html/forum/Sources/QueryString.php) [function.main]: failed to open stream: Permission denied in /home/kurdport/public_html/forum/index.php on line 49

Fatal error: main() [function.require]: Failed opening required '/home/kurdport/public_html/forum/Sources/QueryString.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/kurdport/public_html/forum/index.php on line 49]

Help Please :(:(

DaveV

Ciwan,
Download and open your index.php in a text reader and see what's on line 49.

I just tried locking down my settings as described here and it shut me out of a lot of things giving similar errors. In my case, changing settings.php and the Themes folder was the culprit.

Old Lynx

OK I'll do that now, I'll let you know what's on line 49 :)

Old Lynx

Hi again

Right I downloaded the index.php and opened it in wordpad, and then I put my cursor at the top of the document (1st line) then started pressing down the [Down Arrow] and counting until I got to 49 (that would be line 49 right ?)...

here is what is on that line and stuff around it:

$forum_version = 'SMF 1.1.4';

// Get everything started up...
define('SMF', 1);
@set_magic_quotes_runtime(0);
error_reporting(E_ALL);
$time_start = microtime();

// Load the settings...
require_once(dirname(__FILE__) . '/Settings.php');

// And important includes.
require_once($sourcedir . '/QueryString.php');
require_once($sourcedir . '/Subs.php');
require_once($sourcedir . '/Errors.php');
require_once($sourcedir . '/Load.php');
require_once($sourcedir . '/Security.php');

// Using an old version of PHP?
if (@version_compare(PHP_VERSION, '4.2.3') != 1)
   require_once($sourcedir . '/Subs-Compat.php');


Help Please :(:(

DaveV

Not sure which one was line 49, but I'd suspect settings.php

That's the one that messed me up. If the program can't access it, you'll get that message. Increase your permissions until it starts working again, 644 worked for me. You can crank it all the way up to 777 to prove it's the culprit and then reduce it down from there.

Old Lynx

I just changed the permissions on Settings.php to 777 and still ... I get the same message :( :( :(

DaveV

Well, you now know as much as I do. Check other things around line 49, or count again. Check out other folders that you changed recently. It takes a bit of exploring and e-detective work, but you're on the right track.

Old Lynx

I just went and changed the permissions for every single folder to (755) and it is still the same :'(

Old Lynx

Something is seriously wrong :(

arrrgh why is it that things always go wrong with my stuff :'(

babjusi

@Ciwan, upload via FTP the file Settings_bak.php from the forum folder to your PC and rename it Settings.php and then re-upload it, choosing the overwrite option, and see if that helps.

Old Lynx

OK Babjusi, I'll do that now and I'll let you know if it worked

Thanks Pal :)

babjusi

Quote from: Ciwan on November 25, 2007, 02:44:43 PM
OK Babjusi, I'll do that now and I'll let you know if it worked

Thanks Pal :)

You are welcome, let me know how it will go

Old Lynx

Hi again

No it didn't work :( I get the same message again :'(

Old Lynx

Should I remove everything from the [forum] folder and start all over again, by loading the SMF script from scratch ??? :(

Herman's Mixen

Well, permission denied most likely means that the file has no execute permissions; set it to 777 in this case right now...
so we can access it .... :P

Old Lynx

Hi guys

Right I just re-installed everything, and the forum is working now.....Now I want to make it secure !!

What should I do ?? (I've deleted install.php by the way, but there is another {install_mysql} or something similar, should I delete that too ?? or should that be left alone)

What do I do to make my forum secure ???   :'(

Thanks

Old Lynx

The most important thing to me is not losing the posts.....can someone please tell me how to back up all the posts that have been posted !

Thanks

Ol' Wombat

Linux server? cPanel

or

in forum's admin panel under maintenance is a backup option too

Old Lynx

Hi there

Thanks for the quick reply

Right I just went to maintenance in Admin CP and Downloaded "all important data" but it was only 25KB.....is this right ?? I mean I have something like 200 posts !!!

I know the thing is zipped, but 25KB seems very small to me ?? so is this normal ?? do I have all the posts I've posted backed up on my HDD now ?

Old Lynx

Also can you please teach me how I can enable Avatars ?

Thanks :)

Ol' Wombat

Quote from: Ciwan on November 25, 2007, 07:38:31 PM
Hi there

Thanks for the quick reply

Right I just went to maintenance in Admin CP and Downloaded "all important data" but it was only 25KB.....is this right ?? I mean I have something like 200 posts !!!

I know the thing is zipped, but 25KB seems very small to me ?? so is this normal ?? do I have all the posts I've posted backed up on my HDD now ?

If those are short text postings without images then it looks OK to me. However, do the backup with table structures checked just to be more complete. Unzip the file to see its true size :)


Quote from: Ciwan on November 25, 2007, 07:42:40 PM
Also can you please teach me how I can enable Avatars ?

Thanks :)

it is enabled by default - if you want to install your own avatars just upload your custom avatar folder into the Forum/Avatar folder and it should show up in the profile.


Old Lynx

When I go to [My profile] I can't find anything that says [Avatar] !! there should be something there shouldn't there ??

Herman's Mixen

Old Lynx

Ohh right, thanks :)

Now onto something a little harder

How do I re-size my forum ??? I don't want it to take the whole width of my monitor !!!

Herman's Mixen

well in the default theme look into style.css and search for this code

/* The main body of the entire forum. */
body
{
background-color: #E5E5E8;
margin: 0px;
padding: 12px 30px 4px 30px;
}


The value 30 is for the left and right positions; set them to 100 or something and you'll see  ;D
Ol' Wombat

there is another mod which works in IE as well


index.template.php solutions for any theme

To set your % width for any of the three packaged themes (taking IE 5 and 5.5 into account), add this straight after the <body> tag in the relevant index.template.php:

Code:

<div style="text-align: center;"><div style="width: 70%; margin: auto; text-align: left;">



And this just before the </body> tag:

Code:

</div></div>

Old Lynx

The Burglar's Method of re-sizing seemed easier so I went with that, and it WORKED !!

Thanks a lot Burglar :)

Now moving onto another problem

When people go to [www.mydomain.com] I want them to be automatically transferred to [www.mydomain.com/forum]

How do I do that ??

Old Lynx

When people go to [www.mydomain.com] they see two folders, one of these folders is called [forum] if they click on that, THEN they get into the forum. I don't want that............ I want them to be automatically transferred to [www.mydomain.com/forum] when they go to [www.mydomain.com]

Someone please help

Herman's Mixen

Well, make an index.php in your root with code like this

<?php
// Send visitors who land on the site root to the forum.
header('Location: http://www.yoursite.com/forum');
exit;
?>

Old Lynx

Cool that worked really well, Thanks Burglar

There aren't any security related issues with doing this step are there ??

Herman's Mixen

No, this is purely a redirect to the location.
Old Lynx

Cool thanks :)

Can you please tell me what the maximum dimensions of Avatars are ??

thanks

Old Lynx

I am posting from work, and here they have 17" monitors

I go to my site and the whole thing looks so squashed :(

What do I do to make my forum take up 80% of the width of the monitor ??

Help :(

Herman's Mixen

Avatar dimensions: I should say a maximum of 100x100 px....

Don't know which browsers you are using there, but the best way is to check with Firefox/Opera, and as a personal opinion avoid IE  ;D
Old Lynx

but I like IE :(

What do I do to make my browser take up 80% of the width of the monitor (on all sizes of monitors). so if a guy has a 17" monitor, my forum will still take 80% of the monitor width

Help please

Herman's Mixen

In that case you need to play around with the values in my previous post. I said make the 30px values about 100px, so try 125 or 150px for each 30px  ;D