phpBB Security
Southpaw
Joined: 10 Nov 2004
phpBB Security
Posted:06 Jun 2005 (09:12 UTC)
Kozuch
Joined: 06 Mar 2006
Posted:27 Mar 2006 (23:24 UTC)
Dazz
Joined: 30 Mar 2007
Posted:30 Mar 2007 (00:09 UTC)
{quote format_guid="bbcode" comment_id="7568" user="Southpaw"}Yes, we know phpBB is under constant attack. I suggest you install this onto your current board to prevent future hacks. It's a mod called phpBB Security: http://phpbb-tweaks.com/downloads.php?mode=sub&cid=916 I realise that the version on that page says it's only compatible with phpBB 2.0.5-2.0.13, but I assure you it's compatible with 2.0.15 also. Here is the feature list:

[quote:a3fdda91ae]#====
#==== v1.0.0
#====
-> Extra login box on the admin panel, so even if you have admin access, you still cannot access the admin panel to delete users, delete posts, rename things, etc. This is controlled by a .htaccess file and a .phpbbsecurty file holding the info. There is no way in this mod for admins to change this info; that would make it pointless and allow some admins to lock other admins out, etc. Please read the bottom of the install for instructions on how to set up your username and password.
-> Limit the number of times an account can fail login, meaning inputting the wrong username and password for an account. The amount is set by the admin. If this number is exceeded, the account is locked.
-> Added a security question and answer to the users table. Every user will have to add this. It is built into the script to redirect anyone who has not added this info to their profile so they can update it.
-> Force a user to unlock their account with the security question and answer provided. If the account is locked, when they try to log in, they will be informed it's locked and given a link to unlock it. From there they have to input the username and email on the account to see the security question. Then they have to answer the question. The answers are stored as an MD5 hash so no one can see what people's answers are. Security purposes. If they get it right, the account becomes unlocked and they can then log in.
-> Admin notification feature. If an account becomes locked, the mod will dispatch a PM to an admin; who it is sent to is configured in the ACP. This feature has an off switch, so if you don't care to know when accounts get locked, switch this off. You will also receive an email notice regarding this as well.
-> For security purposes, users cannot change their security question or answer. If they wish to change it, they need to contact an admin and have the admin reset their SQ info.
-> Added some blocking features; this mod will try to help block attacks such as DDoS, Clike, UNION and SQL injection attacks.
-> Admins have the capability to lock or unlock anyone's account in the User Management admin. They can also reset a user's SQ and SA info from there.
-> Auto-ban IPs that are caught trying to use UNION, SQL injection, Clike or DDoS tricks. The admin chooses whether to use this feature or not.
-> Keep sessions table rows under a certain amount. Admins can choose this amount in the ACP. If the sessions table exceeds this amount of sessions, the oldest ones will be deleted until it's under the set amount.
-> Keeps track of everyone who attempts to attack your site. These are stored in a table so they can be viewed. It tracks what they try to do, at what time, and how many times they tried to do it. You can choose to display these results if you like.
-> Block unadded admins. The board owner will set up a field; the field name is chosen by them, so a script kiddie cannot retrieve it, as it will not be a dynamic field name. Then the board owner will choose a number (the number of admins on the board). Any admins that exceed this number will be blocked from the site. So if you have 4 admins, you set the number to 4, and a kid comes along and injects himself an admin account into the DB, this script will keep him out, as you allow 4 and he makes 5. This feature can be enabled or disabled only by the oldest admin on the board.
-> Same thing as the above but for moderators.

#====
#==== V1.0.1
#====
-> Added protection against fopen(), so people cannot remotely open files.
-> Added protection against fwrite(), so people cannot remotely write to files.
-> Added protection against system(), which appears to let people execute Perl scripts.
-> Added protection against the CBACK worm, including: rush=echo%20_START_ %20cd%20 %20wget and many others this worm uses to get into sites.
-> Added the ability to use any/all of the features via the ACP. Also with this is the option to auto-ban, block or ignore any of them.
-> Added the ability to PM or email the admin to be notified, or neither.
-> Added the ability to allow users to change their SQ info, ACP-controlled to allow this; not recommended.
-> Added pagination to the caught page; also added the link they used when they were caught.

#====
#==== V1.0.2
#====
-> Added sessions/cookie protection so no one can manipulate the auto-login in any way. This ensures and checks that the cookied password matches the cookied user ID, since phpBB itself doesn't do it when it needs to be done.
-> Added a configuration option for how many entries per page to show on the caught page, since some people were being timed out or loading 404 pages from having too many per page.
-> Removed the edits to the Configuration section and added a separate admin section.
-> Added the ability for the oldest board admin to allow other admins to modify the special fields.
-> Added the ability to block users based on user agent.
-> Added the ability to block users based on their referer.
-> Added user level protection, so on every refresh it is reset; this way no user can manipulate the board to pass off as a mod or admin.
-> Added a link to users' profiles when they have to add a SQ and answer; this was neglected in past versions.
-> Fixed an insecure line of code; where and what won't be mentioned, but it's fixed nevertheless.
-> Added the proper check to make sure the include file is being included from your site and not from an offsite script.
-> Added 3 levels of DDoS protection, since the current one is a bit strong for some users.
-> Removed the version number, by popular request. But by doing this, you will now be asked every time you post for support what version you are using.
-> Fixed the counter so it now adds multiple exploits again. With 1.0.1 the counter only added one per IP even if they did try over and over on the same IP.
-> Added a message to the "phpBB Security Thinks You Should Go Away" page for each reason someone is reading it, so they will now know WHY they have been blocked and be given the board's email to contact the admins if there was a mistake.
-> Added a quick "Member Tries" screen, so it will display any users who have posted and also tried to exploit your site. It will also display what they did to be banned.
-> Added a "Quick Search" so if someone complains about being banned, you can input their IP and find out why they were banned and optionally unban them from the same screen. This also comes with a wildcard (partial match) or exact match choice.
-> Added an automated database backup system. So every day at a preset time (set by the admins) the database will be backed up and saved to your FTP. This is on/off switchable in the ACP in case you don't have the space to spare for this feature. But my suggestion is you leave it on and just delete the old ones every couple of days; this way you always have a good copy of your database.[/quote:a3fdda91ae]

Yes I know, it's a long list ;) If you have any troubles with this mod, here is their support forum: http://phpbb-tweaks.com/forums.html-f-8 Hopefully this will increase the security of your site and prevent future attacks.{/quote}
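As an added illustration, not code from the phpBB Security mod or from this post, the following Python simulates the lockout-and-unlock flow the feature list describes: a failed-login counter with an admin-chosen limit, an admin notice when the limit is exceeded, unlock by username, email and security answer, and admin-only reset of the question. The Board class, its method names and the MAX_FAILED_LOGINS value are assumptions for this example; passwords and answers are stored as salted PBKDF2 hashes and compared in constant time rather than as the bare MD5 the list mentions, which is a design choice of this example.

```python
import hashlib
import hmac
import os

# Added example, not the mod's code. MAX_FAILED_LOGINS stands in for the
# admin-chosen limit; the value 3 is an assumption for the demo.
MAX_FAILED_LOGINS = 3


def _hash(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of a secret, used for both passwords and
    security answers (a slow, salted hash instead of bare MD5)."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, 50_000)


def _normalise(answer: str) -> str:
    # Case and surrounding whitespace should not matter for a security answer.
    return answer.strip().lower()


class Board:
    """Minimal user store implementing the lockout/unlock rules of the list."""

    def __init__(self):
        self.users = {}
        self.admin_notices = []  # stands in for the PM/email sent to an admin

    def register(self, name, password, email, question, answer):
        salt = os.urandom(16)
        self.users[name] = {
            "salt": salt,
            "pw": _hash(password, salt),
            "email": email,
            "sq": question,
            "sa": _hash(_normalise(answer), salt),
            "failed": 0,
            "locked": False,
        }

    def login(self, name, password):
        """Return 'ok', 'bad_credentials' or 'locked'. An unknown user gets the
        same answer as a wrong password so the form does not reveal which
        usernames exist."""
        u = self.users.get(name)
        if u is None:
            return "bad_credentials"
        if u["locked"]:
            return "locked"
        if hmac.compare_digest(_hash(password, u["salt"]), u["pw"]):
            u["failed"] = 0
            return "ok"
        u["failed"] += 1
        if u["failed"] > MAX_FAILED_LOGINS:  # limit exceeded: lock and notify
            u["locked"] = True
            self.admin_notices.append(f"account locked: {name}")
            return "locked"
        return "bad_credentials"

    def security_question(self, name, email):
        """Show the question only for a locked account whose email matches."""
        u = self.users.get(name)
        if u is None or not u["locked"] or u["email"] != email:
            return None
        return u["sq"]

    def unlock(self, name, email, answer):
        """Unlock when the hashed answer matches; a wrong answer leaves it locked."""
        u = self.users.get(name)
        if u is None or not u["locked"] or u["email"] != email:
            return False
        if hmac.compare_digest(_hash(_normalise(answer), u["salt"]), u["sa"]):
            u["locked"] = False
            u["failed"] = 0
            return True
        return False

    def admin_reset_security(self, name, question, answer):
        """Users cannot change their own SQ/SA; an admin resets it for them."""
        u = self.users[name]
        u["sq"] = question
        u["sa"] = _hash(_normalise(answer), u["salt"])

    def admin_set_locked(self, name, locked):
        """Admin lock/unlock, as from the User Management screen."""
        self.users[name]["locked"] = locked
        if not locked:
            self.users[name]["failed"] = 0
```

The unlock path deliberately requires username and email before revealing the question, mirrors the list's rule that only an admin can reset the question, and clears the failure counter on a successful unlock so the user gets a fresh allowance; the hashed comparison means a database read alone does not expose anyone's answer.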