phpBB & security...

An area for phpBB, the popular free platform for forums

Moderators: WebDev Moderators, Super-Moderators, PHP Moderators

elavd
Posts: 323
Joined: 16 Sep 2004 00:04
Location: Ioannina

phpBB & security...

Post by elavd » 10 Feb 2006 16:37

Guys, since I'm setting up a forum based on phpBB, I'd like to ask the more experienced among you whether there are 2-3 basic things I should watch out for so that the forum runs as securely and smoothly as possible.

That is, are there some MODs that need to be installed so I don't have to worry too much about getting hacked?
I know of course that if someone wants to do you damage... they can, but at least I don't want to leave it wide open like an "unfenced vineyard"!!!

Looking forward to your advice :D

Basilakis
PHP Moderator
Posts: 8574
Joined: 17 Nov 2003 13:03
Location: Womans' Brain

phpBB & security...

Post by Basilakis » 11 Feb 2006 17:20

Basically, install ctracker.
Very good, and it blocks quite a few attacks.
Watch the password you have on the admin account and do frequent updates.
If your English is good, read this too, which I have saved but don't remember the source of. I'll translate it soon.
phpBB is one of the most popular forums around, without a doubt. Because it's free, and because it's open source. It attracts heavy usage because of the $0 price tag, and because it can be modified easily to provide enhancements.

This comes at a cost though - because the code is 'there' for everyone to see, and the average person installing php probably doesn't know phpBB too well, it is often and easily exploited.

There are things you can do to limit how 'exploitable' your phpBB forum is.

Update it, every time a new version comes out
You MUST update your phpBB so you are always running the newest, most recent version. Why? Because each new release addresses security issues. You can't NOT update it if you expect to stay around. Every version that gets released that you don't install leaves you susceptible to all the vulnerabilities identified and publicised before that version was released.

Pick your mods carefully
If you don't know php, how are you going to know whether a mod is good or bad? You can't just judge it by what it appears to be doing, you have to know what it's really doing. If you're unsure about whether a mod is good or bad, go to the phpBB website and ASK. Researching your options properly and thoroughly can save you a lot of headaches.

Document all the modifications you install, so that if you have to rebuild a new version, a record of everything you added / changed is sitting there.

Be wary of all mods - even 'safe' mods can introduce vulnerabilities. Limit the mods you install to a select few, rather than 'everything you could find'.

Make sure CAPTCHA is on
This will prevent spammers and bots from registering on your forum and polluting it with garbage posts about their crappy sites.

Remove or rename your memberlists.php
Once you've got a busy forum nobody's going to dig through a members directory, except spammers. Spammers will and do join just to be 'linked' from this page.

To remove it:
- install the user list mod in your admin
- remove the link and image from overall_header.tpl
- delete (or rename) the memberlist.php file

Safe input from users
If you disallow html input from users, there's very little they can do to deface your site. If you have html allowed then you're allowing them to enter 'presentation' text. Text that affects the 'presentation' of your site. Make sure it's SAFE too. That means it's not susceptible to 'sql injection'.

Disallow remote avatars
Remote avatars are evil and should be banned. Why? Because how do you know that remote avatar is really just an image? It could just as easily be a script which *outputs* an image, but does some screwy stuff before it gets around to it.

Make users verify their email address before being able to sign in
Fairly obvious. If they don't give a real email address, they can't post on your board. The benefits are limited though, since it's not difficult to get a 'throw away' account.

Conceal the version number
Edit overall_footer.tpl and remove the version number. Why? Because if you advertise you're running x.xx, a spammer or script kiddy knows whether or not their exploits will work.

Limit what 'public' information is displayed
1. Members currently online
2. Newest member
3. Search
4. All member avatars and signatures
5. All member profiles

Why hide these from the 'public'? Because it's not critical to browsing your forum, and it makes them commit a (maybe) real email address before they have full functionality. Why would Joe Schmoe want to see your members profiles anyway? Why provide him with a link to every online member so they can leech email addresses etc. from their profiles?

Disable uploads
Why? Because the easiest way to screw someone's site up is to upload a script that deletes, modifies or whatever everything else. Guess what? It's not that hard to make an upload script think it's an image or a zip or any other type of file too. If you must have uploading, do this:
- user uploads to some directory OUTSIDE of the site
- try and OPEN the file with something that'd normally be able to do it. php has gdi libraries, see if you can measure 'i_hacked_your_site.jpg' and get its width and height. If it's not really a jpg then it's going to cause an error, so you can delete it. You can do this with php, so you don't need to 'physically' fetch and open the file. It can all be automated.
- LEAVE the files in the temporary directory till you, an administrator or a moderator can review it and see if it's 'safe'

If you upload to a folder that's publicly available, and it's really a script that screws up your site then you have a page sitting there waiting to be accessed on your site that'll screw up your site.

Use mod_rewrite
Familiarise yourself with mod_rewrite for two reasons. The number one reason being viewtopic.php?id=1234 is a crappy thing for a search engine to see. The number two reason is anyone looking for a phpBB board to run their script kiddie tools on can find one nice and simply by searching for ..... 'viewtopic.php'.

Mod_rewrite will allow you to conceal the filenames and ditch the id=1234 crap.

Finally
Back your ****ing database and site up. Why do phpBB forums 'die' once their database gets killed by some kid with a script? Because you're not managing your data. If you do a weekly or daily backup (depending on how busy you are you'll know which is more appropriate) then it's a minor setback if someone hacks your board. You lose a few days worth of stuff, instead of all your hard-earned members and posts.

If you do get hacked - don't just re-upload your board straight away. Find out how they did it. Dig into your web servers log files, and look at what was happening just before everything got screwed. You'll be able to tell what page they were on and their ip address. Block the ip address (also in mod_rewrite), and disable that page till you or someone who knows php can have a look at it, or you can get a newer version of phpBB.

Got more suggestions? Put a comment and share them.
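The upload handling described in the quoted article (quarantine outside the web root, let GD measure the file, hold it for review), written out as an added PHP example; it is not code from the post or from phpBB. It goes one step beyond the text by re-encoding the image through GD, so that anything appended to a real image is dropped. The quarantine directory and the `upload_handler` usage are assumptions.

```php
<?php
// Added example, not from the post: quarantine a user upload outside the
// web root and keep it only if GD can parse and re-encode it as an image.
// $quarantineDir is a hypothetical path that is NOT under DocumentRoot.

function quarantineUpload(array $file, string $quarantineDir, int $maxBytes = 512000): ?string
{
    // Accept only a file PHP itself received via HTTP POST
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    if (!isset($file['size']) || $file['size'] > $maxBytes) {
        return null;
    }
    // Ask GD for width/height; a script renamed to .jpg fails here
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info[0] < 1 || $info[1] < 1) {
        return null;
    }
    $allowed = [IMAGETYPE_GIF => 'gif', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png'];
    if (!isset($allowed[$info[2]])) {
        return null;
    }
    // Decode the pixels; whatever trailed the image data is not carried over
    $img = @imagecreatefromstring(file_get_contents($file['tmp_name']));
    if ($img === false) {
        return null;
    }
    // Ignore the client-supplied name entirely and generate our own
    $dest = rtrim($quarantineDir, '/') . '/' . bin2hex(random_bytes(8)) . '.' . $allowed[$info[2]];
    $ok = match ($info[2]) {
        IMAGETYPE_GIF  => imagegif($img, $dest),
        IMAGETYPE_JPEG => imagejpeg($img, $dest, 85),
        IMAGETYPE_PNG  => imagepng($img, $dest),
    };
    imagedestroy($img);
    if (!$ok) {
        return null;
    }
    chmod($dest, 0640); // not executable, not world-readable
    // The file now waits in quarantine until an admin or moderator reviews it
    return $dest;
}

// Assumed usage from an upload form whose field is named "avatar"
if (!empty($_FILES['avatar'])) {
    $stored = quarantineUpload($_FILES['avatar'], '/var/quarantine/uploads');
    echo $stored === null ? "Rejected.\n" : "Held for review.\n";
}
```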

elavd
Posts: 323
Joined: 16 Sep 2004 00:04
Location: Ioannina

phpBB & security...

Post by elavd » 11 Feb 2006 18:01

Thank you!!! I'll read it and if I have any question I'll ask you again ;)

mat_
Posts: 121
Joined: 09 Apr 2004 02:01

phpBB & security...

Post by mat_ » 12 Feb 2006 19:53

Yes, CTracker really is very good.

Cracker Tracker Professional 2nd Edition

Also on that page you'll find other nice things related to phpBB. ;)

elavd
Posts: 323
Joined: 16 Sep 2004 00:04
Location: Ioannina

phpBB & security...

Post by elavd » 12 Feb 2006 19:54

Thanks!!! ;)

ThyClub
Honorary Member
Posts: 5312
Joined: 17 Nov 2003 00:21
Location: Hell's Kitchen

phpBB & security...

Post by ThyClub » 12 Feb 2006 23:14

@mat_

I would ask you to remove the links from your signature, since they lead to a page with illegal content.

It may not be stated clearly in the terms of use of freestuff, but I consider it self-evident.

If I'm mistaken I would ask Giannis to correct me :roll:

mat_
Posts: 121
Joined: 09 Apr 2004 02:01

phpBB & security...

Post by mat_ » 12 Feb 2006 23:26

Indeed it does say that links to illegal material are forbidden, so I'm removing them.

Off-topic of course, so it would have been more proper via PM, but never mind... ;)

elavd
Posts: 323
Joined: 16 Sep 2004 00:04
Location: Ioannina

phpBB & security...

Post by elavd » 13 Feb 2006 12:18

mat_ wrote: Yes, CTracker really is very good.

Cracker Tracker Professional 2nd Edition

Also on that page you'll find other nice things related to phpBB. ;)
The bad thing is that it's in German ... :-?

mat_
Posts: 121
Joined: 09 Apr 2004 02:01

phpBB & security...

Post by mat_ » 13 Feb 2006 15:51

Download it, it also has instructions in English inside.

elavd
Posts: 323
Joined: 16 Sep 2004 00:04
Location: Ioannina

phpBB & security...

Post by elavd » 13 Feb 2006 16:26

ok ;)
