secure the Settings.php file

Started by Am', May 11, 2010, 02:13:24 PM


Am'

Hi,


someone knows how to secure the Settings.php file?

e.g. rename and move it to the /Sources folder ...

is it possible?

Thank you in advance
If someone feels that he has never made a mistake in his life, that means he has never tried anything new in his life.
My Mods For SMF 2 RC3 : XQuote XCode - Vbulletin Style New Meta Tags

Chas Large

This should be safe to leave where it is as it's protected by your forum's .htaccess file.
My Modifications :)  My Forum

Please DO NOT PM me with support requests. Post the problem in the appropriate Support Board so everyone can benefit from the advice given.

Arantor

Can I ask what you hope to achieve by it?

Apart from the fact you will need to modify multiple places in SMF, and the file needs to be writable at times for handling changes like maintenance mode, there is a larger problem.

It contains your passwords, sure enough. But the user Apache runs as must be able to read the files. That means it has to be accessible by Apache, along with all the other files. No matter where you move it to, it's still potentially going to be available to any other user on a shared server - it's not avoidable, unless the host has properly locked everything down, in which case moving it still doesn't really benefit you.

Son of Man

What I would like to know is if the info contained in that file can be used by a hacker to modify, damage, or delete the forum.

Chas Large

Potentially yes, BUT only if they could gain access to it. They would need to get past the .htaccess file if they were just browsing or as Arantor stated, they would need to have root access to a shared server if the forum was hosted on a shared server.

If it was at all doubtful about the security of this file then there would be no SMF forums working anywhere, they'd all be hacked.

There is no need to worry about it.
My Modifications :)  My Forum

Please DO NOT PM me with support requests. Post the problem in the appropriate Support Board so everyone can benefit from the advice given.

Arantor

Quote from: Chas Large on May 14, 2010, 04:45:04 PM
Potentially yes, BUT only if they could gain access to it. They would need to get past the .htaccess file if they were just browsing or as Arantor stated, they would need to have root access to a shared server if the forum was hosted on a shared server.

If it was at all doubtful about the security of this file then there would be no SMF forums working anywhere, they'd all be hacked.

There is no need to worry about it.

No, I think you misunderstand me.

On a *badly configured* host, it is a RAMPANT problem. The bulk of sites that get "hacked" are because the host hasn't secured the server properly so anyone can read/write the files in SMF and inject malicious code. To be fair some shared servers are OK. Some really aren't, and the worst oversellers tend to be in this category.

Funnily enough, Settings.php tends to get ignored because it's easier to modify user visible files to spread malicious payload.

Properly configured hosts lock down who can read/write files, meaning two users on the same system can't read each other's files.


Son of Man

A guy named Steve told me that when SMF crashes, backups of these files are created and that anyone who knows where to look will be able to find and read them.  For example, the Settings.php file is off-limits to visitors of the forum, but the Settings.php~ backup file can be viewed by anyone.  The impression that I've got so far is that if I found a forum with a Settings.php~ backup file that anyone can view, then it's no problem, right???

Also, does SMF have a setting to keep that file from being generated?

busterone

Not on a correctly set up host, it will not display to anyone via http. You need ftp access and the right credentials to view that file.

Son of Man

Then it looks like his host is not set up correctly, because I can read the backup of that file.  It contains his database name, database username, and database password. 

Thanks for all the help, guys.  : )

busterone

Definitely set up wrong. His site is a hacker's paradise waiting to be taken over.

Kays

Quote
For example, the Settings.php file is off-limits to visitors of the forum, but Settings.php~ backup file can be viewed by anyone.  The impression that I've got so far is that if i found a forum with a viewable to anyone Settings.php~ backup file, then it's no problem, right???

A file with a tilde "~" after it is created as a backup by a mod. The standard Settings backup file is called Settings_bak.php and should not be accessible. There should not be a Settings.php~ file at the root of one's forums.

If at first you don't succeed, use a bigger hammer. If that fails, read the manual.
My Mods

Am'

How do I protect Settings.php and Settings_bak.php with an .htaccess? What are the risks (for operating SMF) if I do that?
If someone feels that he has never made a mistake in his life, that means he has never tried anything new in his life.
My Mods For SMF 2 RC3 : XQuote XCode - Vbulletin Style New Meta Tags

Kays

That should work. Create an .htaccess file add the following to it and place it at the root of your forums.


# Turn off directory listings for folders that have no index file
Options -indexes

# Refuse every HTTP request for the live settings file (Apache 2.2 access-control syntax)
<Files Settings.php>
order allow,deny
deny from all
</Files>

# ...and for SMF's own backup copy of it
<Files Settings_bak.php>
order allow,deny
deny from all
</Files>

If at first you don't succeed, use a bigger hammer. If that fails, read the manual.
My Mods
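Kays' rules above cover the two filenames SMF itself uses. The later posts in this thread point out that editor and mod backup copies such as Settings.php~ are served as plain text because the server only hands .php files to the PHP engine. The following .htaccess is an added example, not SMF's own file and not from any post here: it extends the same idea to one pattern that covers Settings.php, Settings_bak.php and the usual backup suffixes, and carries both the Apache 2.2 syntax used in the thread and the 2.4 equivalent. The list of suffixes (~, .bak, .orig, .save) is an assumption about what editors and copy tools commonly leave behind.

```apache
# Added example (not SMF's shipped configuration). Place at the forum root,
# next to Settings.php.

# No directory listings for folders without an index file
Options -Indexes

# Block the settings file, its SMF backup, and common editor/backup copies
# (Settings.php~, Settings.php.bak, ...). Suffix list is an assumption.
<FilesMatch "^Settings(_bak)?\.php(~|\.bak|\.orig|\.save)?$">
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (the syntax used elsewhere in this thread)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

Two checks before relying on this: the host's AllowOverride must permit these directives (Options, Limit and AuthConfig), otherwise the file is either ignored or produces a 500 error on every request; and after uploading, request /Settings.php~ in a browser and confirm you get 403 rather than the PHP source. The rules only affect direct HTTP requests, so SMF, which includes Settings.php from within PHP, keeps working normally.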

Am'

ok thx

why "Options -indexes" ?
If someone feels that he has never made a mistake in his life, that means he has never tried anything new in his life.
My Mods For SMF 2 RC3 : XQuote XCode - Vbulletin Style New Meta Tags

Kays

If there's no index file in a folder, it will display the file and folder listing if people access it directly. This will prevent people from browsing folders without an index file. Just an extra precaution I like to take.

If at first you don't succeed, use a bigger hammer. If that fails, read the manual.
My Mods

Am'

ok

It should be placed by default in the whole SMF package....
If someone feels that he has never made a mistake in his life, that means he has never tried anything new in his life.
My Mods For SMF 2 RC3 : XQuote XCode - Vbulletin Style New Meta Tags

Kays

Place it at the root of your forums. The same place as Settings.php.

If at first you don't succeed, use a bigger hammer. If that fails, read the manual.
My Mods

Am'

Quote from: Kays on May 16, 2010, 05:31:46 AM
Place it at the root of your forums. The same place as Settings.php.

yes i  know

it's a proposition for a Feature Requests  :P :P
If someone feels that he has never made a mistake in his life, that means he has never tried anything new in his life.
My Mods For SMF 2 RC3 : XQuote XCode - Vbulletin Style New Meta Tags

Arantor

Firstly, Settings.php~ can only be created if either a) a mod changes Settings.php directly (which it shouldn't, ever) or b) a user edits it manually (whereupon most hosts create the file automatically)

If the host is properly configured, browsing Settings.php or Settings_bak.php will achieve nothing. The *only* circumstance where it would is if the server is drastically misconfigured and isn't processing PHP at all. In which case you've probably got bigger things to worry about anyway.
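The two failure modes described in this thread, a Settings.php~ copy served as plain text and a misconfigured server that does not process PHP, can both be confirmed from outside with a short probe. The script below is an added example, not code from the thread or from SMF: it requests a list of candidate copies of the settings file under a forum root and classifies each response as protected (403), absent (404), executed (200 with no PHP source in the body) or leaking (200 with `<?php` or SMF's `$db_*` assignments visible). The fetcher is injected so the demo runs offline against constructed responses; `http_fetch` is the real one for a live check. Candidate names beyond Settings.php and Settings_bak.php are assumptions about common backup suffixes, and the sample Settings.php contents are made up.

```python
"""Added example (not from the SMF thread or SMF itself): probe a forum root
for copies of Settings.php that the web server hands out as plain text."""
import re
from typing import Callable, Dict, List, Tuple

# Only the first two names are SMF's own; the rest are assumed backup suffixes.
CANDIDATES = [
    "Settings.php",
    "Settings_bak.php",
    "Settings.php~",
    "Settings_bak.php~",
    "Settings.php.bak",
    "Settings.php.orig",
    "Settings.php.save",
]

# SMF's Settings.php assigns these variables. Seeing them in a response body
# means the server returned PHP source instead of executing it.
_SECRET_VARS = re.compile(r"\$(db_user|db_passwd|db_server|db_name)\s*=\s*'([^']*)'")
_PHP_OPEN = re.compile(r"<\?php")

Fetcher = Callable[[str], Tuple[int, str]]  # url -> (HTTP status, body)


def classify(status: int, body: str) -> str:
    """Classify one probe response."""
    if status in (401, 403):
        return "protected"       # blocked, e.g. by the .htaccess rules in this thread
    if status == 404:
        return "absent"          # no such file at the forum root
    if status != 200:
        return "other"
    if _PHP_OPEN.search(body) or _SECRET_VARS.search(body):
        return "leak"            # source served as text: credentials exposed
    return "executed"            # PHP ran; a settings file emits no source


def probe(base_url: str, fetch: Fetcher, candidates: List[str] = CANDIDATES) -> Dict[str, dict]:
    """Fetch each candidate under base_url and report its verdict and leaked variables."""
    results = {}
    for name in candidates:
        status, body = fetch(base_url.rstrip("/") + "/" + name)
        verdict = classify(status, body)
        leaked = {}
        if verdict == "leak":
            leaked = {m.group(1): m.group(2) for m in _SECRET_VARS.finditer(body)}
        results[name] = {"status": status, "verdict": verdict, "leaked_vars": sorted(leaked)}
    return results


def leaking_files(results: Dict[str, dict]) -> List[str]:
    """Names whose response exposed PHP source."""
    return sorted(n for n, r in results.items() if r["verdict"] == "leak")


def http_fetch(url: str, timeout: float = 10) -> Tuple[int, str]:
    """Real fetcher for a live check (not used by the offline demo)."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, ""


# Constructed offline responses; the credentials below are invented.
_FAKE_SETTINGS_SOURCE = """<?php
$db_server = 'localhost';
$db_name = 'forumdb';
$db_user = 'forumuser';
$db_passwd = 'example-not-real';
?>"""

_FAKE_SITE = {
    "Settings.php": (200, ""),                        # executed, nothing echoed
    "Settings_bak.php": (403, "Forbidden"),            # denied by .htaccess
    "Settings.php~": (200, _FAKE_SETTINGS_SOURCE),     # editor backup served as text
}


def fake_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for http_fetch, answering from the constructed site."""
    return _FAKE_SITE.get(url.rsplit("/", 1)[-1], (404, "Not Found"))


def demo() -> Dict[str, dict]:
    """Run the probe against the constructed site."""
    return probe("http://forum.example/", fake_fetch)


if __name__ == "__main__":
    results = demo()
    for name, r in results.items():
        print(f"{name:22s} {r['status']}  {r['verdict']}  {r['leaked_vars']}")
    print("leaking:", leaking_files(results))
```

For a real forum, call `probe("https://your.forum/", http_fetch)`. Anything that comes back as "leak" should be deleted from the web root or denied in .htaccess, and the database password changed, since an exposed copy may already have been read.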
