Convert SMF to PHPBB

Started by engrz, May 08, 2012, 10:56:32 AM


engrz

Hello Team

I have an SMF forum, www.engrz.com. I'm feeling that it is not secure, and I'm receiving continuous complaints from my web hosting company that my forum uses 100% of the server because it is heavy.
Now I want to know whether I may convert it from SMF to phpBB with all present data and users?



Regards
admin
www.engrz.com

Suki

Hi engrz.

If you want to convert from SMF to phpbb, then you should talk with the phpbb team/community as they know much more about converting any forum software to their own software.
Disclaimer: unless otherwise stated, all my posts are personal and do not represent any views or opinions held by Simple Machines.

BoxingChaos

Quote from: engrz on May 08, 2012, 10:56:32 AM
Hello Team

I have an SMF forum, www.engrz.com. I'm feeling that it is not secure, and I'm receiving continuous complaints from my web hosting company that my forum uses 100% of the server because it is heavy.
Now I want to know whether I may convert it from SMF to phpBB with all present data and users?



Regards
admin
www.engrz.com

Hello, worry not.

I did a site the other day and it turns out that the FacebookSlide and Twitter Slide MODs were hogging bandwidth big time according to the HostGator complaint. Once I removed those two, all was good.

SMF is very secure. I have had about twenty SMF forums and not one was ever hacked or compromised.

Here are two examples of my latest forums I made.

http://boxingsquad.com/forum/

http://tbtbc.comze.com


Now, IMO. I do not recommend phpbb due to the fact that it's not user friendly. Ever since they released the 3.0 version, it takes me about 4 days to make a forum in phpbb, in what it takes me one night, to make an SMF Forum. Another thing is, phpbb is a large SPAM magnet, I am not saying SMF is not but SMF has some great MODS to stop all spammers in their tracks with MODS like
httpBL MOD
Bad_Behavior MOD
SFS StopForumSpam MOD

There is even a Forum Firewall MOD
Which is overkill IMO

If you need anything, you can reply here or PM me and I will be more than happy to assist you.

Danny.

PS. I see you have facebook slide mod.

Also post what other MODS you have in the package manager, so I can further advise or assist.


One more thing, your host provider should be giving you a list of what is going on at your site. Ask them to give you a detailed list of where the bandwidth is going. HostGator was able to give me a list and I was able to pin point the culprits right away.

And last but not least, I started using phpbb first many, many years ago. I started with PHPNUKE, moved to phpbb, to SMF, to phpbb 3.0 and forever with SMF 2.0 now. So I have tried and tested lots of CMSs and many more. SMF is truly the best despite the fact there is no bridge :( any more.

www.BoxingSquad.com/forum

engrz

Quote: I have had about twenty SMF forums and not one was ever hacked or compromised.

I have two SMF forums, and both were hacked. I don't know why?


BoxingChaos

Well, it is recommended that ADMINS in smf have strong PASSWORDS, I think this is the main ingredient to start with. I mean there are many methods of attacks. I don't know what to tell you, since I don't know anything about your situation. Having strong passwords and not using the same password in the database as you would use in the Admin section of the forum. Again, I don't know what MODS you are using but I myself have never been hacked. I will admit that the test forum I just made is not very protected pass-strength wise. I really don't know any SMF exploits and I have had every edition of SMF forums outdated and all and the forums still stood strong. Being key-logged is a good way to get hacked too. Like I said, I don't know your situation, I am just sharing with you my experiences.

www.BoxingSquad.com/forum

Storman™

Also, consider using something like CrawlProtect. That will also give you an additional line of defence and is good at keeping the bad guys out.

Arantor

The biggest reason of being hacked is not because of a vulnerability in the software but because you make all files writable for mod installation and don't make them unwritable after. (phpBB has exactly the same problem.)

engrz

It means phpbb is also not secure???

Storman™

Arantor means that people don't go back and ensure that their files are unwritable after installing a mod. That's the same with both SMF and phpBB.

Arantor

That's exactly it. Going to phpBB won't magically make you any more secure. Making sure you reset permissions after installing mods is what will make you more secure - though in any case you're still vulnerable whenever you upload plugins or mods without using FTP.

engrz

Can you please provide me the file permission list, so that I can check in my SMF forum?

Arantor

All PHP files should generally be 644, most folders should be 755, with the exception of the attachments folder that should be 777 as a folder but the files in it probably should be 644.

You can reset this in Admin > Packages > Options.

I would point out, though, that you're still screwed if you ever installed anything via the admin panel, like themes, or mods that added their own files, it doesn't matter too much what permissions they are because they're owned by the web server itself and as such are still accessible from any other process on the web server.

The only real way around it is to not ever upload anything via the forum and always use FTP.
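An added example (not part of the original thread, and not SMF's or CrawlProtect's code): a shell function that checks a forum tree against the permissions listed in the post above and also lists PHP files owned by the web server account, the case where setting 644 does not help. The function name, the `attachments` directory name and the default `www-data` account are assumptions; pass the account PHP actually runs as on your host.

```shell
#!/bin/sh
# Added example: audit a forum tree for the permission problems discussed above.
# Usage: audit_forum_perms FORUM_DIR [WEB_USER]
#   FORUM_DIR  path to the forum root (no trailing slash)
#   WEB_USER   account PHP runs as, by name or numeric uid (assumed: www-data)

audit_forum_perms() {
    root=$1
    web_user=${2:-www-data}

    # Files writable by everyone (666/777 style). Per the thread, PHP files and
    # the files inside attachments should be 644, so any hit here needs a look.
    find "$root" -type f -perm -0002 | sed 's/^/WORLD-WRITABLE-FILE /'

    # Directories writable by everyone. The attachments folder may have to stay
    # that way when PHP runs as a different user, so it is labelled separately
    # instead of being silently ignored.
    find "$root" -type d -perm -0002 | while IFS= read -r dir; do
        case "$dir" in
            "$root/attachments") echo "EXPECTED-EXCEPTION $dir" ;;
            *)                   echo "WORLD-WRITABLE-DIR $dir" ;;
        esac
    done

    # PHP files owned by the web server account, typically mods or themes
    # installed through the admin panel. The owner can always make them
    # writable again, so their mode bits alone do not protect them.
    find "$root" -type f -name '*.php' -user "$web_user" | sed 's/^/WEB-OWNED-PHP /'
}

# Run as a script: sh audit.sh /path/to/forum www-data
if [ "$#" -ge 1 ]; then
    audit_forum_perms "$@"
fi
```

Files reported as `WEB-OWNED-PHP` are the ones to re-upload over FTP so that they end up owned by the FTP user.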

Storman™

engrz - if you install CrawlProtect that I mentioned above then this also lets you run a check on file permissions and warns you if any are 777 or 666.

Arantor

Trouble is there are certain things (notably attachments) that must be 777 in order to work.

Storman™

True, you need to be aware of the exceptions and ignore those.

Arantor

There are interesting side effects too - you won't be able to, for example, put the forum in maintenance mode or change its title because that's in Settings.php and that won't be writable. And you won't be able to use the in-built language editor for handling changes.

But if you had files owned by the webserver user, making them 644 doesn't save you anything at all, such that even CrawlProtect can't help you...

All we're doing here is figuring out how to put a band-aid on a much larger problem.

engrz

Please visit www.engrz.com and suggest changes to the forum, for example title, looks, themes. I also want to change the footer. There are a lot of links.

MrPhil

Quote from: Arantor on May 09, 2012, 11:31:06 AM
Trouble is there are certain things (notably attachments) that must be 777 in order to work.

Not true. All that is required is that PHP be able to write to that directory. Depending on how your server is set up, the correct permissions might be 755 (PHP is running as owner), 775 (PHP is running in your group), or even 777 (PHP is some other random user). If 777, if possible, directories requiring that should be changed back to 755 after doing any uploads, although for attachments/avatars that may be difficult to do (without members losing the ability to load attachments or avatars).

Sorry, but a blanket statement that "such and such director(ies) should be 777" is irresponsible and leads to security breaches. SMF needs to be updated to find and use the minimum necessary permissions for a directory or file, and developers should consider making everything Read-Only but temporarily Write-Enabled as necessary for file writing operations.

Arantor

Alright, if you're going to split hairs, yes, all it requires is for PHP to be able to write to that folder. On the vast majority of installs, the attachments folder will not be owned by the webserver, but by the FTP user - in which case the strong probability is that it will have to be 777. (I say this because in all standard Apache deployments, www-data or nobody is also in its own group, and PHP will be using that credential - in which case, 777 is the only thing that will work)

Quote: Sorry, but a blanket statement that "such and such director(ies) should be 777" is irresponsible and leads to security breaches. SMF needs to be updated to find and use the minimum necessary permissions for a directory or file, and developers should consider making everything Read-Only but temporarily Write-Enabled as necessary for file writing operations.

Sorry, but a blanket statement that things should be lesser is also in itself irresponsible because it's also a cause of security breaches because you're only dealing with part of the problem.

So what if the folder is only 775 instead of 777? The real problem is still the fact that the web server can write to that folder. (Never mind the fact that on most shared hosts, Apache runs as www-data:www-data while users run as username:users and thus www-data won't even have group write access)

The files get saved by www-data (or nobody or whatever it is on your particular flavour), they're owned by that. Which means any other script on the server still can damage those files or write new ones. SMF is smart enough to deal with that by disallowing PHP execution on files in the attachments folder.

The cache folder, then, is a much greater risk of infection - and you can make that 775 or 755 and you're absolutely NO MORE SECURE than making it 777. Even making it read only doesn't solve the problem, it's still owned by the web server, it can still make them writable before writing.

Attachments, and cache, then have to be dealt with separately, but the single biggest security issue is the fact that files get made writable in order to install mods and then people don't change them back - and any file added by a mod that is not a standard SMF file can be made read only as much as you like, but it WILL NOT SOLVE THE PROBLEM. Especially if those files are attempted to be made 644 via FTP when they're not even owned by the FTP user.

While I appreciate where you're coming from (and believe me, I DO appreciate it where you're coming from, far more than most), if you're going to bawl people out, be thorough and explain all the consequences, not just the surface ones - if anything you're giving them a false sense of security by 'make it 755 and you'll be safe' when it really isn't true.

MrPhil

What I object to is a blanket statement to just "make it 777" and everything will be all right. In the hands of naive forum administrators, this can lead to security problems on many servers (or, 500 errors when a "world writable" object is detected on some servers, which is better because at least it's been caught). Site owners need to understand permissions and what is the minimum necessary for any actor to perform their role on their particular server setup. In general, the more restrictive permissions are (so long as the application still works), the safer they will be. Thus, 755 is usually going to be safer for them (assuming SMF still works properly) than 777 is. All I'm saying is that if 755 (the safest) doesn't work, try 775 (less safe) before trying 777 (least safe). Don't just go blindly setting directories to 777 and then express surprise when they get hacked (if not through the Web interface, then through another user sharing their server).
