Tips for protecting a vBulletin forum
If you run a forum, sooner or later you will have to think about protecting it, because attackers never sleep. In this post I (together with Habr user ReaM) have put together a list of tips for improving the security of your vBulletin forum. Interested? Welcome under the cut :) So, here we go:

1) Update to the latest release of your branch (3.5.x, 3.6.x, 3.7.x)
Description: No comment.
Why?: Jelsoft keeps closing publicly known vulnerabilities. Nobody wants to run last year's forum full of holes, right?

2) Rename the admin and moderator control panels
Description: Rename the admin panel directory, but do not, under any circumstances, write the new path into the configuration. Rename the moderator panel as well; its path may be put into the configuration (though that is also undesirable), since it is the less sensitive of the two. See for yourself :)
Why?: If you rename the admin panel and do not record the path in the configuration, it becomes much harder to find, and therefore much harder to attack through XSS, or worse. Drawbacks: the admin links for editing a profile and adding moderators stop working until you edit them by hand.

3) Put a .htaccess into the admin panel directory
Description:
a) If your IP is static:

    order allow,deny
    deny from all
    allow from your_IP

b) Also add a password: go to http://vbsupport.org/htaccess.php, fill in the fields and append the directives it produces to your .htaccess.
Why?: Extra password protection on the admin panel never hurts.

4) Delete files and folders
Description:
a) Delete the files /validator.php (if present) and /checksum.md5 (if present).
b) Delete the folder /install/.
Why?: Leftover files from nulled versions may let anyone view a list of your files, and a live install folder is very unhealthy =)

5) Move attachments and avatars into the database
Description: In the admin panel:
a) Attachments -> attachment storage method: attachments should be stored in the database.
b) Avatars -> user picture storage method: avatars should be stored in the database.
Why?: The 3.5 branch, if I remember correctly, served these images by direct link; on a badly configured host that gave an attacker a way to upload a shell.

6) Set folder permissions
Description: If you have done item 5, you can now safely set the custom_* folders to 644, since they are no longer needed (or you can simply remove them). Next, if you installed vBulletin by the instructions, check the folders in the / (root) directory: they should all be 644 now; if not, set them to 644.
A caveat on that number: a directory without the execute bit cannot be traversed, so 644 effectively switches a directory off. That is fine for the custom_* folders you no longer use, but any directory the web server still has to serve from needs 755. The point is to take away the world-writable bit (the last 7 in 777), not the execute bit.
Why?: It makes it harder for an attacker to upload a shell.

7) Never, anywhere, turn on the 'Allow HTML' option
Description: No comment. Why would anyone need HTML?
Why?: With it enabled, XSS attacks become possible.

8) Put a .htaccess into the includes folder
Description: Put a .htaccess with the following lines into /includes:

    order allow,deny
    deny from all

Why?: Nothing in /includes is meant to be requested by a browser; those files are only ever loaded by other scripts. As the Result section below explains, a shell that lands in there can then not be reached from outside.

9) Put a .htaccess into every directory whose permissions are 0777
© kerk (http://vbsupport.org/forum/member.php?u=30)
Description:

    RemoveHandler .phtml
    RemoveHandler .php
    RemoveHandler .php3
    RemoveHandler .php4
    RemoveHandler .php5
    RemoveHandler .cgi
    RemoveHandler .exe
    RemoveHandler .pl
    RemoveHandler .asp
    RemoveHandler .aspx
    RemoveHandler .shtml
    <Files ~ "\.php|\.phtml|\.cgi|\.exe|\.pl|\.asp|\.aspx|\.shtml">
        Order allow,deny
        Deny from all
    </Files>

Why?: Scripts with the listed extensions can no longer be executed or requested inside the directory holding this .htaccess. The <Files> block is the part that matters: the regex is deliberately unanchored, so a name like image.php.jpg is refused as well, and RemoveHandler on its own only helps if PHP is enabled on your host through a handler mapping.
A note on all three .htaccess files (items 3, 8 and 9): Order/Deny/Allow is Apache 2.2 syntax. On Apache 2.4 the equivalents are "Require all denied" and "Require ip your_IP", and the old directives only keep working if mod_access_compat is loaded. Every .htaccess also depends on the server permitting overrides (AllowOverride) for that directory, so after placing each one, request a file it is supposed to block and confirm you get a 403.

10) Edit config.php and enter the administrators' IDs in the undeletable users field (non-removable / non-editable users)
Description: /includes/config.php. Simply enter the administrators' IDs there once all the necessary changes to their profiles have been made.
Why?: Nobody, not even the admins themselves, needs to be changing admin profiles again and again. If you do need to, remove the ID from the file via the file system, then put it back. Security above all! :)

11) After removing mods/hacks, do not forget to delete the files you uploaded with them
Description: No comment.
Why?: Why keep extra files on the server? Needless ...

12) Never keep backups anywhere the web server can serve them
Description: No comment.
Why?: They can be downloaded by anyone who knows the backup's file name. You can of course fence them off with .htaccess, but for safety's sake keep backups outside the web server's reach.

13) Install the "Inspector files" plugin. Author: Ghost (http://www.vbsupport.org/forum/member.php?u=38422)
Description (quote): Digging through my old scripts I ran into this product, Inspector files. It is a small module for vBulletin that stores a list of the existing files in the database and checks from time to time whether they have changed (for each file the size, owner and permissions are stored). A built-in cron task notifies the administrator by e-mail about any discrepancies found. Several different copies (revisions) of the file list can be kept in the database for comparison (the automatic check with e-mail notification compares against the latest revision only). The appearance and the settings can be seen in the screenshots. INSTALL: upload the two PHP files from the archive to the server and import the product from the file «product-gfi.xml». UPDATE: updated versions are not provided, so it is recommended to install anew, uninstalling the previous version first. P.S. The product has worked successfully on all versions from 3.6.8 to 3.8.1 inclusive. True, the link in the navbar drop-down menu ended up in different places, but that is a trifle. Download: vbsupport.org
Why?: An indispensable tool when hunting for shells on the site, but it has to be installed in advance.

Result: Getting into the admin panel becomes quite difficult, so uploading a shell through the admin panel does too. A shell can still be planted through a vBulletin vulnerability, but if it lands in /includes (some hacks require 777 on certain files there), that folder is under "deny from all" and the shell simply cannot be reached from outside. The other folders can be locked down as in item 6 (with the caveat noted there) once all the steps above are done, which makes an upload hard enough, especially with a properly configured chroot. Finally, we have added protection against the admins themselves, who wander around without a care and thereby walk into XSS and trojans.

That's it ... This is my first post on Habr, so please don't kick too hard :)

UPD: moved to "Information Security".
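The following is an added example, not code from the post or from the Inspector files plugin. It does in plain Python what item 13 describes (record size, owner and permissions for every file, keep a baseline, report discrepancies), adds a SHA-256 per file so that a same-size in-place edit is also caught, and folds in the check behind items 6 and 9: world-writable entries, and script files that sit inside a world-writable directory. The web root, file names and contents in demo() are constructed for the demonstration; the baseline is written outside the web root, as item 12 advises.

```python
"""File-integrity baseline and permission audit for a vBulletin web root."""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Extensions from the item 9 .htaccess: one of these inside a 0777 directory
# is exactly the shell-upload scenario the post worries about.
SCRIPT_SUFFIXES = {".php", ".phtml", ".php3", ".php4", ".php5", ".cgi",
                   ".exe", ".pl", ".asp", ".aspx", ".shtml"}


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Record type, owner uid and permission bits for everything under root,
    plus size and SHA-256 for regular files, keyed by path relative to root.
    Directory sizes are filesystem noise and are deliberately not recorded."""
    root = Path(root)
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            st = p.lstat()                       # never follow symlinks
            if stat.S_ISDIR(st.st_mode):
                kind = "dir"
            elif stat.S_ISREG(st.st_mode):
                kind = "file"
            else:
                kind = "other"                   # symlink, socket, ...
            rec = {"type": kind, "uid": st.st_uid,
                   "mode": stat.S_IMODE(st.st_mode)}
            if kind == "file":
                rec["size"] = st.st_size
                rec["sha256"] = _sha256(p)
            entries[p.relative_to(root).as_posix()] = rec
    return entries


def save_baseline(snap, path):
    Path(path).write_text(json.dumps(snap, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


def diff(baseline, current):
    """Added and removed paths, and which attributes moved on surviving ones."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for rel in sorted(set(current) & set(baseline)):
        fields = [k for k in ("type", "size", "uid", "mode", "sha256")
                  if baseline[rel].get(k) != current[rel].get(k)]
        if fields:
            changed[rel] = fields
    return {"added": added, "removed": removed, "changed": changed}


def audit_permissions(snap):
    """World-writable entries, and scripts living in world-writable dirs."""
    world_writable = sorted(rel for rel, r in snap.items() if r["mode"] & 0o002)
    ww_dirs = {rel for rel in world_writable if snap[rel]["type"] == "dir"}
    risky_scripts = sorted(
        rel for rel, r in snap.items()
        if r["type"] == "file"
        and Path(rel).suffix.lower() in SCRIPT_SUFFIXES
        and Path(rel).parent.as_posix() in ww_dirs)
    return {"world_writable": world_writable, "risky_scripts": risky_scripts}


def demo():
    """Constructed scenario: baseline a fake forum root, then plant a shell in
    a 0777 directory and tamper with config.php. Returns diff and audit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        baseline_file = Path(tmp) / "baseline.json"   # outside the web root
        (root / "includes").mkdir(parents=True)
        (root / "attachments").mkdir()
        (root / "index.php").write_text("<?php echo 'forum';\n")
        (root / "includes" / "config.php").write_text("<?php $config = array();\n")
        for p, mode in ((root / "includes", 0o755), (root / "attachments", 0o777),
                        (root / "index.php", 0o644),
                        (root / "includes" / "config.php", 0o644)):
            os.chmod(p, mode)
        save_baseline(snapshot(root), baseline_file)

        # The attack: a shell dropped into the world-writable folder and a
        # backdoor appended to config.php (size and hash both change).
        shell = root / "attachments" / "shell.php"
        shell.write_text("<?php system($_GET['c']);\n")
        os.chmod(shell, 0o644)
        (root / "includes" / "config.php").write_text(
            "<?php $config = array(); // backdoor\n")

        current = snapshot(root)
        return {"diff": diff(load_baseline(baseline_file), current),
                "audit": audit_permissions(current)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In real use, run snapshot() once after a clean install or upgrade, keep the baseline where item 12 says backups belong, and have cron run diff() and audit_permissions() and mail the result; the plugin's e-mail-on-discrepancy behaviour is the same idea. Owner and mode are compared as well as the hash, so a chmod 777 applied by a careless hack installer is reported even when no content changed.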