How secure are your forums?

Discussion in 'Security and Legal' started by Michael, Sep 20, 2009.

  1. Michael (Regular Member)
    Have you taken all needed steps to better secure your forum, whether it be vBulletin, phpBB, etc.?

    On ours we have done all I have read about, for example changing the admincp directory name, using very strong randomly generated passwords and different passwords for everything, IP-locking the admincp directory to one IP as well as the includes directory, and a few other things.
     
  2. Chani (Grand Master)
    I'm not sure I'd go as far as an IP-specific access restriction on folders like the admin folder... what if you're not at your common IP and you need to do something in an emergency?

    I suppose you could change it from the backend...never mind.

    I change ALL of my forums' admin folders to....wait, never mind. :p But I do change them.

    I do try to secure my forums, but I'm sure I haven't done everything I should do.
     
  3. Wayne Luke (Regular Member)
    I secure the admincp, modcp, install and includes folders with .htaccess. These have 18-digit randomly generated passwords that include upper and lower case letters, numbers and punctuation. I don't even remember what they are and have them stored on a thumb drive.

    I don't allow insecure email or FTP access to my server either. You need to access them with encryption on. Also have to make sure to turn off anonymous FTP.
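The .htaccess setup the post above describes, written out as an added example (this is not code from the thread or from vBulletin). It assumes Apache 2.4 directive syntax, a forum root and .htpasswd path given as variables, and 203.0.113.10 as the single allowed admin IP; all three are placeholders. Wayne's "includes" and "install" folders get a flat deny, because nothing in them is ever requested by a browser directly.

```shell
#!/bin/sh
# Added example, not from the thread: lock down vBulletin's admincp, modcp,
# install and includes directories with .htaccess the way the post above
# describes. Assumptions: Apache 2.4 directive syntax (Require / RequireAll),
# the forum root and .htpasswd locations below, and 203.0.113.10 as the one
# allowed admin IP (a documentation-range address, not a real one).
set -eu

FORUM_ROOT="${FORUM_ROOT:-/tmp/forum-demo}"                   # assumed
HTPASSWD_FILE="${HTPASSWD_FILE:-/tmp/forum-demo.htpasswd}"    # keep this OUTSIDE the web root
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"                          # assumed

# Random password of the requested length, pulled straight from /dev/urandom.
# Quotes, backslash and space are left out so it pastes cleanly into htpasswd.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9!#$%&*+,./:;=?@^_~-' </dev/urandom | head -c "$1"
}

# Hash the password the way Apache expects: bcrypt if htpasswd is present,
# otherwise the APR1-MD5 scheme via openssl, which every Apache understands.
make_htpasswd_entry() {   # USER PASSWORD ; prints "user:hash"
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -nbB "$1" "$2"
    elif command -v openssl >/dev/null 2>&1; then
        printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
    else
        echo "need htpasswd or openssl to hash the password" >&2; return 1
    fi
}

# Control panels you use interactively: demand a valid user AND a listed
# source IP. RequireAll makes both mandatory; several bare Require lines at
# the same level are treated as "any one of them", which is not what you want.
write_auth_htaccess() {   # DIR REALM IP ; prints the path written
    mkdir -p "$1"
    cat >"$1/.htaccess" <<EOF
AuthType Basic
AuthName "$2"
AuthUserFile $HTPASSWD_FILE
<RequireAll>
    Require valid-user
    Require ip $3
</RequireAll>
EOF
    printf '%s\n' "$1/.htaccess"
}

# includes/ is only ever require()d by PHP and install/ is only needed once,
# so neither should answer a browser at all (delete install/ after setup).
write_deny_htaccess() {   # DIR ; prints the path written
    mkdir -p "$1"
    printf 'Require all denied\n' >"$1/.htaccess"
    printf '%s\n' "$1/.htaccess"
}

main() {
    pw="$(gen_password 18)"
    make_htpasswd_entry admin "$pw" >"$HTPASSWD_FILE"
    chmod 600 "$HTPASSWD_FILE"
    write_auth_htaccess "$FORUM_ROOT/admincp" "vBulletin AdminCP" "$ADMIN_IP"
    write_auth_htaccess "$FORUM_ROOT/modcp"   "vBulletin ModCP"   "$ADMIN_IP"
    write_deny_htaccess "$FORUM_ROOT/includes"
    write_deny_htaccess "$FORUM_ROOT/install"
    echo "admincp password (store it, do not memorise it): $pw"
}

# Only run main when saved under this name, so the functions can be sourced.
case "${0##*/}" in harden_admincp.sh) main ;; esac
```

On Apache 2.2 the RequireAll block is spelled `Order deny,allow`, `Deny from all`, `Allow from 203.0.113.10`, `Require valid-user` and `Satisfy all`; without `Satisfy all`, 2.2 lets a matching IP in without a password. Chani's lockout worry is real but cheap to handle: the `Require ip` line can be edited or removed over SFTP from anywhere, and the basic-auth layer still holds while it is gone.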
     
  4. Michael (Regular Member)
    How do you use secure FTP Wayne? :D
     
  5. Wayne Luke (Regular Member)
    It is called SFTP or FTP over SSH. Basically it is built on top of the SSH protocol, which allows you to make secure email and FTP connections which are encrypted with a public-private key combination. It is a little slower than standard FTP, but I use FileZilla, which opens a new connection for each file transfer. So I just open it up, drag my files and let it go while I drink a coffee.

    The problem with FTP and email is that passwords are not always encoded and often transmitted in plain text. This means that if someone is watching the packets to your site, they can easily get your password. With the end-to-end encryption of SSH using SSL technologies, you can prevent that.
     
    3 people like this.
  6. Michael (Regular Member)
    I am VERY interested in using this, do you know of any guide available for how to do this step by step if you have WHM access etc?
     
  7. Wayne Luke (Regular Member)
    With WHM, go to Service Configuration. Then click on FTP Service Configuration.

    Set TLS Encryption Support to Required.
    Set Allow Anonymous Users to No.
    Set Allow Anonymous Uploads to No.
    Set Allow login with Root password to No.

    Save.

    You'll have to use encryption and probably port 22 instead of port 21. In your FTP client (again, I use FileZilla), set your protocol to SFTP - SSH File Transfer Protocol. That should take care of the encryption and the port. If you're really paranoid, you can change the SSH port to something else as long as you don't use a reserved port. Ports 21, 22, 25, 80, 110, 443, 3306 are among the important ones as far as the basic web goes.
     
    4 people like this.
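One caveat before the example: the WHM settings in the post above harden the FTP daemon (FTP with TLS, still on port 21), while the "SFTP" protocol choice in FileZilla talks to the SSH daemon on port 22 instead. Both stop plaintext passwords, but they are two different services with two different configurations, and the SSH side is the one you end up relying on for SFTP. This added example (not from the thread, not a cPanel tool) audits an sshd_config for the settings that matter in that case. It assumes the real OpenSSH keyword names, that nothing you rely on lives inside a `Match` block, and uses a constructed sample config in `main` to show the classic mistake: appending hardened lines to the bottom of a file whose distro defaults set the same keywords higher up.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config for the settings
# that matter once file transfer moves onto SSH (SFTP). Assumptions: OpenSSH
# keyword names (real), no settings you rely on inside Match blocks, and the
# sample config in main() is constructed for the demo.
set -eu

# First uncommented occurrence of KEY wins: sshd takes the first value it
# reads for a keyword, so a hardened line appended at the bottom changes
# nothing if the distro default above it already set the keyword.
# Keys are case-insensitive; parsing stops at the first Match block, because
# values after it are conditional, not global.
ssh_setting() {   # FILE KEY ; prints the effective value, or nothing
    file="$1"
    key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    awk -v k="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"               { exit }
        tolower($1) == k                     { print $2; exit }
    ' "$file"
}

# One line per check; returns the number of failed checks.
audit_sshd() {   # FILE
    file="$1"
    fails=0
    check() {   # KEY EXPECTED-REGEX WHY
        val="$(ssh_setting "$file" "$1")"
        if printf '%s' "$val" | grep -Eqi "$2"; then
            echo "OK    $1=$val"
        else
            echo "FAIL  $1=${val:-<default>}  ($3)"
            fails=$((fails + 1))
        fi
    }
    check PermitRootLogin '^(no|prohibit-password|without-password)$' \
          'root must not be able to log in with a password'
    check PasswordAuthentication '^no$' \
          'key-only logins make remote password guessing pointless'
    check PubkeyAuthentication '^yes$' \
          'key-based SFTP needs this'
    check Subsystem '^sftp$' \
          'the sftp subsystem is what FileZilla SFTP mode talks to'
    echo "INFO  Port=$(ssh_setting "$file" Port)  (empty means the default, 22)"
    return "$fails"
}

main() {
    # Constructed sample: distro defaults with "hardening" appended at the
    # bottom, the way many people do it. The audit shows why that fails.
    cfg="$(mktemp)"
    cat >"$cfg" <<'EOF'
# distro defaults
Port 22
PasswordAuthentication yes
PermitRootLogin yes
Subsystem sftp /usr/lib/openssh/sftp-server

# appended later; sshd never sees these values
PasswordAuthentication no
PermitRootLogin no
EOF
    audit_sshd "$cfg" || echo "$? check(s) failed; edit the FIRST occurrence of each keyword"
    rm -f "$cfg"
}

# Only run main when saved under this name, so the functions can be sourced.
case "${0##*/}" in audit_sshd.sh) main ;; esac
```

Run it against the live file with `audit_sshd /etc/ssh/sshd_config` after sourcing the script. Moving the port, as the post suggests, keeps log noise down but is not a control in itself; `PasswordAuthentication no` with a key loaded into FileZilla is what removes the brute-force problem, and you must confirm a key login works in a second session before restarting sshd with it.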
  8. Michael (Regular Member)
    Thanks for that Wayne, very helpful. I like using SSL connections as often as possible when dealing with sensitive data like this. Going to set this up right away :)
     
  9. kev (Regular Member)
    If your hosting provider was serious about security, SFTP should be the default setting on your hosting package. If the hosting provider allows sensitive information to be transmitted to the server in clear text, maybe it's time to find a different host.

    ---------

    A lot of the security for my sites was set up by the host. Brute force protection was installed, SFTP is default, the server has a firewall blocking certain ports of incoming and outgoing traffic, no anonymous FTP traffic...

    All of the sites are run under their own non-root account.

    I ask the hosting provider to do a security audit of the server 3 - 4 times a year. They are asked to make sure that MySQL, Apache, the email server, and the server OS are all up to date... and anything else they can think of.

    And various other little odds and ends.
     
  10. FullMetalBabe (Zealot)
  11. Wayne Luke (Regular Member)
    You can specify the names of your admincp and modcp directories in vBulletin's config.php. Then just rename the directory. That has been pretty standard since 2003.
     
  12. bucket (Addict)
    Is there an easy way to set up secure login for the admincp?
     
  13. Nick (Regular Member)
  14. bucket (Addict)
    No, but thanks for the links.

    I mean HTTPS... Secure Sockets Layer (SSL) login, like what you expect at an e-commerce site.
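Wayne's rename advice (post 11) and bucket's HTTPS question (post 14) are two halves of the same job, so here is one added example covering both; it is not code from the thread or from vBulletin. The two `$config['Misc']` keys are the real vBulletin 3.x config.php settings; everything else is assumed or constructed for the demo: the forum root, the sample config.php, mod_rewrite being enabled, and an SSL virtual host already serving the site (the rewrite rule only redirects to HTTPS, it does not create the certificate). The rename hides the control panel from scanners that probe for `/admincp/`; the HTTPS redirect is what actually keeps the admin password off the wire.

```shell
#!/bin/sh
# Added example, not from the thread: move vBulletin's admincp (or modcp) to a
# random name, point config.php at it, and force HTTPS on the new directory so
# the admin login is never sent in the clear. Assumptions: the two config keys
# are the real vBulletin 3.x ones; paths, the sample config.php, mod_rewrite
# being enabled and an existing SSL vhost are assumed or constructed.
set -eu

# e.g. cp_k3x9q2mw : a prefix plus 8 random lowercase alphanumerics
random_dirname() {   # PREFIX
    printf '%s%s\n' "$1" "$(LC_ALL=C tr -dc 'a-z0-9' </dev/urandom | head -c 8)"
}

# Read $config['Misc'][KEY] from config.php. Splitting the line on the quote
# character puts the key in field 4 and the value in field 6.
cp_dir_from_config() {   # CONFIG KEY ; prints the current directory name
    awk -F "'" -v key="$2" '$4 == key { print $6; exit }' "$1"
}

# Rewrite that one line with a new value through a temp file (sed -i is not
# portable). Rebuilding the record with OFS="'" reproduces the line exactly.
set_cp_dir() {   # CONFIG KEY NEWNAME
    cfg="$1"
    awk -F "'" -v OFS="'" -v key="$2" -v new="$3" \
        '$4 == key { $6 = new } { print }' "$cfg" >"$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# mod_rewrite rule that bounces any plain-HTTP request for the CP to HTTPS, so
# basic-auth credentials and the vBulletin login form only travel inside TLS.
# Appends, so an .htaccess that already holds a basic-auth block keeps working.
write_https_htaccess() {   # DIR
    cat >>"$1/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
EOF
}

# move_cp FORUM_ROOT KEY NEWNAME: KEY is admincpdir or modcpdir. Prints NEWNAME.
move_cp() {
    root="$1"; key="$2"; new="$3"
    cfg="$root/includes/config.php"
    old="$(cp_dir_from_config "$cfg" "$key")"
    [ -n "$old" ] || { echo "$key not found in $cfg" >&2; return 1; }
    [ ! -e "$root/$new" ] || { echo "$root/$new already exists" >&2; return 1; }
    mv "$root/$old" "$root/$new"        # any .htaccess already inside moves with it
    set_cp_dir "$cfg" "$key" "$new"
    write_https_htaccess "$root/$new"
    printf '%s\n' "$new"
}

main() {
    # Constructed demo tree standing in for a real forum install.
    root="$(mktemp -d)"
    mkdir -p "$root/includes" "$root/admincp" "$root/modcp"
    printf "<?php\n\$config['Misc']['admincpdir'] = 'admincp';\n\$config['Misc']['modcpdir'] = 'modcp';\n" \
        >"$root/includes/config.php"
    move_cp "$root" admincpdir "$(random_dirname cp_)"
    move_cp "$root" modcpdir   "$(random_dirname mcp_)"
    cat "$root/includes/config.php"; ls "$root"
    rm -rf "$root"
}

# Only run main when saved under this name, so the functions can be sourced.
case "${0##*/}" in move_admincp.sh) main ;; esac
```

Two checks after running it for real: load the new URL over plain `http://` and confirm the 301 to `https://` arrives before any login form does, and keep the new names out of public posts (Chani's instinct above is the right one).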
     