Community Building and User Generated Content Forum

    
phpBB Security Best Practices
A few ideas for keeping your forum secure
encyclo

Msg#: 274 posted 7:43 pm on Dec 16, 2004 (gmt 0)

phpBB is one of the best forum packages around: it is completely free, open source, has tons of built-in features, even more available as mods, and has a thriving community supporting the product. However, such ubiquity creates other challenges, particularly in terms of public scrutiny and hacking attempts.

This recent thread [webmasterworld.com] gives an idea of what can happen if you don't keep your forum installation secure and up to date. But security is not just about protecting your forum against specific hacks; it is also about reducing or eliminating other menaces - not just to the software, but also to the personal data and information contained within, as well as the integrity of your community and member list. Problems include email address harvesting, automated signups, dropping links, member list abuses and other such annoyances which take up valuable moderator and admin time.

So, what are the most important steps you should be taking as a forum administrator when securing your installation? Here are a few ideas:

1. Installation Security

1.1 Keeping informed

The first important step to take is to make sure your installation is fully patched and up to date at all times. To do this, you need to subscribe to the appropriate phpBB mailing lists, as well as monitor the phpbb.com [phpbb.com] site and the phpBB Sourceforge page [sourceforge.net].

Currently, although there is a "phpbb-announce" mailing list at Sourceforge, it is unused by the developers - which is very unfortunate. The current recommended way of getting notifications of new releases is to use the "Monitoring" feature at Sourceforge. According to the phpbb.com site, the notification process is going to be improved in the near future - which will be a very good thing, as the current method is clearly insufficient.

1.2 Installing the updates

The phpBB documentation is excellent in this regard, so there is very little to add. There are always three different versions available for each update - Full Version, Changed Files Only and a patch file. The names are self-explanatory, but make sure you fully read and understand the documentation before you go ahead. The patch file is the most powerful of the three, especially if you have a heavily-modified board, but you will need command-line access to your server as well as some knowledge of using Unix commands.

The key to a successful update is documentation. When you modify your board, it is vital to document every change you make, however minor. That means, when it comes to update time, if you have to rebuild your board from scratch by reapplying the mods to the basic board, you will be able to do so much more easily.

2. Mods

2.1 Choosing the right mods

Choosing mods from unreliable sources, or using untested or unverified mods can be dangerous: unless you are an expert in PHP you can't be sure of their reliability, security or even whether there are backdoors intentionally inserted by the mod developers. Unless you are sure of the source or you really know what you are doing, you should stick to the mods listed in the phpbb.com mod database [phpbb.com] - in particular, those mods which have been reviewed and approved by the phpBB Security Team. Bear in mind that even approved mods might still contain security holes, and these are not patched within the main release - so make sure you regularly check the database for new versions of the mods you use, and if possible, sign up to the mod developer's mailing list if they have one.

2.2 Don't over-modify

With every mod you add to your basic installation, the update process becomes more complex. So, along with choosing your mods carefully, only use mods that you need rather than adding everything including the kitchen sink.

I should also mention style templates: usually, style templates don't pose a security risk in themselves (although there are a lot of pre-built templates which are of poor quality, with broken markup and incorrect image paths). However, the more templates you have, the longer it takes to do an update - it is a pain to manually alter a dozen template files with every update. Stick to the minimum number you feel is required for your board.

3. Modifications you can make

There are some changes you can make to your phpBB installation to better secure it against attack by spambots, automated signups, etc. This is not a comprehensive list:

3.1 CAPTCHA image verification

phpBB version 2.0.11 onwards uses the CAPTCHA image verification system which requires a new member to enter a set of letters and numbers from a generated image before being able to sign up. Switch it on in the Admin Control Panel under the Configuration menu (thanks to androidtech for the reminder). If and only if you have a significant membership comprising the visually disabled, there are mods available to slightly alter the signup process enough to fool most bots. This will kill automated signups stone dead. You will still have the problem of manual spam signups, but we're getting to that... ;)

3.2 memberlist.php

The standard phpBB installation includes a file called "memberlist.php" which (guess what!) provides a full list of the members of the board. By default, this is readable by all (not just members).

The presence of this page is one of the big motivators for spam signups: the page is a great way for the unscrupulous to get a load of backlinks to their site(s) via the link in the member profile which is displayed on this page. Often, the signups will use names starting with exclamation marks so as to get on the first page of the list.

Rather than modifying or hiding this page, I propose simply to get rid of it altogether. Once you have more than about 50 members, the page is unusable by real visitors - it is just too inefficient for finding information. On a busy board, it is a total waste of bandwidth, and only serves as spam-bait. What's more, your member list is precious information - why give it away to anyone? Your real users can still get at all the information they want for another user by viewing that member's profile via the link next to one of their posts. Of course, if anyone signs up and doesn't post, their profile is unlinked - so even if they have put a link to their site in their profile, it is not visible.

Here's how to get rid of it simply:

1. Install the "User List" mod from the phpBB mod database. This will give the forum administrators a full member list within the admin control panel for easy maintenance.
2. Edit the template file overall_header.tpl and remove the link and image for the member list.
3. Delete memberlist.php from your server, burn all copies, ban it in robots.txt and if you are feeling so inclined, replace it with a spider trap.

If for some unfathomable reason, you are getting referrals directly to your memberlist.php page from the SEs, then redirect it to a more appropriate page, or the forum index.

3.3 Basic settings

The following modifications don't directly affect the real, direct security of the forum, but will help the admins as well as the users.

  • Disallow all HTML at all times. No exceptions, ever.

  • Disallow remote avatars.

  • Require user email address verification before being able to sign in.

  • Edit overall_footer.tpl and remove the version number (as suggested by webwit). Make sure, however, that you always fully respect the license requirements for the software by leaving at least the minimum required link to the phpBB site: it's a minuscule price to pay for the forum software and it is respectful to the developers. The version number will still display at the foot of the pages in the admin control panel.

3.4 Editing templates

You should edit the style templates to reduce the information displayed by default when a user is not logged in to the system. You should make the following available only to those who are logged in:

1. Members currently online
2. Newest member
3. Search
4. All member avatars and signatures
5. All member profiles

On my board, the only header links are for the FAQ, Register and Login.

Using some of the SEO mods not only greatly improves usability (as well as spiderability), but can help in other ways too. On new boards (i.e. boards which have not been indexed yet), you should look at using mod_rewrite to change the default file names. Why? Want a good list of phpBB forums on which to try out your 7337 haxor skills? Do a Google search for "viewtopic.php".

4. Conclusion

This list is primarily aimed at phpBB users, but much of it applies to users of other boards too. The basic rules are: keep things updated, keep things simple, put barriers to spamming and hacking attempts and reduce the level of interest in your board to anyone other than your intended audience.

As I said, these are simply a few ideas. What would you add to the list?


    vkaryl

    Msg#: 274 posted 7:55 pm on Dec 16, 2004 (gmt 0)

    That's a priceless list, encyclo! You don't even get THAT kind of real info in any given spot on the phpBB fora! (Which is REALLY too bad....)

    I would add that one should opt for the tightest registration process possible depending on the type of fora one runs. For my fora (all private, with new members by ref from current members only), I have opted for admin approval ONLY. For people who run public fora, that's obviously not workable....

    rogerd

    Msg#: 274 posted 1:57 pm on Dec 17, 2004 (gmt 0)

    Great post, encyclo - operators of just about any kind of forum, not just phpBB, will find good advice in there.

    Webwork

    Msg#: 274 posted 3:25 pm on Dec 17, 2004 (gmt 0)

    Thank-you Encyclo. Posts such as yours are a gift.

    Now, while we're on a topic that I'm not expert in, would anyone else care to pitch in? Any other hard earned (from experience) security tips, any special techniques you created, any security techniques you have heard about, any additional security tips or techniques you went out and researched today after reading this that you'd like to report back on?

    Threads like these go from great to things of beauty when people exhaust the topic by pitching in whatever they have to share. You never know when your little gem saves someone else's day. In my case, being totally clueless, this post is like a day's meal for a starving man.

    Of course, for all I know, Encyclo nailed every known issue. ;0)

    Dave_Palmer

    Msg#: 274 posted 4:55 pm on Dec 17, 2004 (gmt 0)

    Encyclo's summary is great! Thanks so much for posting that!

    Here's a quick tip to help tighten up your board against the spammers. It seems the phpBB visual confirmation doesn't catch ALL spammers ... so a number of them will slip through the registration process and attempt to display spam URLs in the memberlist.

    In order to help prevent this, and also to keep your board membership less available to those outside of your target audience, you can modify the email banning in phpBB to ban partial domains and even whole top-level domains. More info is at: [phpbb.com...] Basically, it allows you to ban *@*.tld email addresses.

    This mod (in addition to visual confirm, of course!) took care of the annoying .biz spammers for my board.

    -Dave
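Dave's tip above relies on wildcard ban entries such as *@*.tld. As an added example (this is not phpBB's own code, which implements the check in PHP, nor anything posted in this thread), here is how such a wildcard list can be matched safely in Python. The ban entries and addresses are constructed; the point worth seeing is the escaping: a naive pattern.replace('*', '.*') turns the dot in ".biz" into "any character" and loses the end anchor, so "user@fakebiz.example" would be banned by "*@*.biz".

```python
import re

# Constructed ban list in phpBB's wildcard style; example entries, not from any real board.
BAN_PATTERNS = ["*@*.biz", "*@mail.example", "bulk*@*"]


def ban_pattern_to_regex(pattern):
    """Turn one wildcard ban entry into an anchored, case-insensitive regex.

    Only '*' is a wildcard. Every other character goes through re.escape, so the
    '.' in '.biz' matches a literal dot, and the ^...$ anchors mean the whole
    address must fit the pattern, not just some substring of it.
    """
    parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def email_banned(email, patterns=BAN_PATTERNS):
    """Return True when the address should be rejected at registration time."""
    email = email.strip()
    if email.count("@") != 1:
        return True  # malformed address: reject rather than guess which part is the domain
    return any(ban_pattern_to_regex(p).match(email) for p in patterns)


if __name__ == "__main__":
    for address in ["someone@promo.biz", "user@example.org", "user@fakebiz.example", "bulk99@example.org"]:
        print(f"{address:28} banned={email_banned(address)}")
```

The regexes are rebuilt on every call here for clarity; a registration handler would compile the list once when the ban table is loaded.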

    chadmg

    Msg#: 274 posted 5:24 pm on Dec 17, 2004 (gmt 0)

    Another great post encyclo. Very encyclodedic of you. Har. I just have some additions/questions/comments.

    Make sure you back up your database. Save it to CD or something too. So if, god forbid, you lose everything, you can restore it at least to your last backup point.

    Removing features for non-members may not work for everyone. If you use avatars and signatures but disable them for non-members, visitors who are not members but who are attracted to such things may not be inspired to sign up for membership. In fact, showing these things to non-members may inspire them to become a member so that they may remove them. :) I also wouldn't disable searching for non-members either. I know a forum that disables searching for non-paying members. Bad idea. Almost every post is a repeat of a question just asked. You may save on bandwidth, but do you gain anything in security?

    encyclo

    Msg#: 274 posted 6:55 pm on Dec 17, 2004 (gmt 0)

    chadmg, you have some very valid and interesting comments. All I can say is that there is no "one size fits all" approach: I prefer removing all the avatars and signatures when logged out, but as you said, that does depend on the kind of forum you have. I'm particularly interested in how other forum administrators handle things - even if not using phpBB.

    Also, regarding your excellent recommendation to do frequent and multiple backups of the database: I would add that the option in the phpBB control panel apparently does not back up database tables which are not in the standard installation, so if you have any mods which use the database, you should use phpMyAdmin in your hosting company's control panel instead to do the full backup. Again, if you are handy with the command line, you can set up a cron job to make regular backups for you.

    Another mod that I would like to see is one where the view profile page uses the member name rather than the numerical ID. The current URL looks like this:

    example.com/profile.php?mode=viewprofile&u=2

    It is trivial for a bot to build a list of URLs with consecutive user IDs and get the entire member list. If the function worked only with URLs like this:

    example.com/profile.php?mode=viewprofile&u=membername

    It would protect the member information much better. Unfortunately, this is way beyond my pitiful PHP skills, and I haven't found a mod that does this yet. (Note that WebmasterWorld shows profiles this way).

    Finally, even with all the protection added to your phpBB install, there can still be problems elsewhere: for example, there has been a new release of PHP4 this week [webmasterworld.com] (4.3.10) which corrects a major security problem. So, let's add to the list to check the PHP version number in your hosting company's control panel, and if lower than 4.3.10, send an email to support asking whether they have patched their installation or are planning to update real soon.

    squallions

    Msg#: 274 posted 7:04 pm on Dec 17, 2004 (gmt 0)

    Excellent article encyclo. :)

    Security tip: .htaccess password protection for your admin folder, and supermod folder if you have supermod installed.

    SEO:
    Instead of unlinking member profiles for guests, link them to the page that shows all posts by that member (search.php?search_author=membername). That will let spiders crawl more topics and forums. :)

    monkeythumpa

    Msg#: 274 posted 12:41 am on Dec 18, 2004 (gmt 0)

    Is there a good mod to make "mailto:" links hidden to spiders? I have seen it on certain pages but not for the entire forum.

    encyclo

    Msg#: 274 posted 12:51 pm on Dec 18, 2004 (gmt 0)

    Is there a good mod to make "mailto:" links hidden to spiders?

    Try the "Posted email JS" mod from the Security section [phpbb.com] of the phpbb.com mod database.

    There are quite a few very useful mods in that list which you might find useful - but like I said in my first post, it's best not to over-modify unless you have a specific need.

    BesigedB

    Msg#: 274 posted 5:12 pm on Dec 18, 2004 (gmt 0)

    Thanks! I'll bear that all in mind.

    henry0

    Msg#: 274 posted 12:27 pm on Dec 19, 2004 (gmt 0)

    Thanks Encyclo
    Great post
    I have used and still use phpBB on a few sites for quite a while
    However I always keep my modifications to the very minimum

    I think that the point of a forum is to be "a forum"
    What matters is the content; the rest is irrelevant
    and is not worth modification time and effort.

    A few weeks ago a post was made on a newly discovered phpBB security problem
    I notified my host and as a direct result all clients were updated - glad I work with a great host -

    Henry

    robjones

    Msg#: 274 posted 4:19 am on Dec 20, 2004 (gmt 0)

    Nice post encyclo; I'm just wondering about disallowing remote avatars, is this just a measure to prevent 404 images for the mods etc, or are there any security risks with it?

    buksida

    Msg#: 274 posted 7:14 am on Dec 20, 2004 (gmt 0)

    Great summary there encyclo.

    Was just wondering, I'd like to disable the memberlist.php from all members except Admin and Moderators. I've downloaded the MOD from phpBB but it seems to be for version 2.0.2, I'm wondering if it would work for my version (2.0.11) as there seemed to be a few bugs posted on the phpBB forum.

    max_mill

    Msg#: 274 posted 5:39 am on Dec 21, 2004 (gmt 0)


    Security tip: .htaccess password protection for your admin folder, and supermod folder if you have supermod installed.

    Just wanted to add, use a different password (.htaccess) from the password you use for your forum admin account.

    And don't forget to check for any new admins or moderators you don't know about hiding in your DB.

    Double-check for suspicious files in your cgi directory. If your forum was already hacked, chances are that the hacker left a backdoor installed somewhere on your server; check file modification dates to quickly locate the culprit.

    Change your FTP password, and don't use the same passwords: use different passwords for the forum admin account, site FTP account, and .htaccess forum admin folder.

    And one more: check your forums' description text. Some hackers left a trojan hidden as JavaScript within the forum description text. It will try to install itself on your viewers' machines when they visit the forum index page. It was done on my forum. Luckily I had McAfee installed on my system, which alerted me to the fact when I visited my forum. Took me a while to locate the JavaScript which was planted within one of my forums' description text (forum index page).

    mr_wobble

    Msg#: 274 posted 10:03 am on Dec 28, 2004 (gmt 0)

    Hi all,

    If your forum is being hammered by attacks of the santy or the howdark [phpbb.com] exploit variety, then add these lines to your .htaccess file (if using apache). It will redirect the traffic to an error 403.

    RewriteEngine On
    RewriteCond %{QUERY_STRING} ^(.*)wget\%20 [OR]
    RewriteCond %{QUERY_STRING} ^(.*)echr(.*) [OR]
    RewriteCond %{QUERY_STRING} ^(.*)esystem(.*) [OR]
    RewriteCond %{QUERY_STRING} ^(.*)highlight=\%2527

    RewriteRule ^.*$ - [F,L]

    Hope this helps.
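The RewriteCond lines above block requests at the web server, but the same four tokens are also useful on the detection side, in the access log, to see who was probing before the rules went in and whether anything got through. The script below is an added example written for this thread, not code from phpBB or from any poster: it parses Apache combined-format log lines, applies mr_wobble's four query-string patterns to the raw (still percent-encoded) query string, exactly as mod_rewrite's %{QUERY_STRING} sees it, and separately flags the profile-ID walk that encyclo describes earlier in the thread (one client fetching profile.php?mode=viewprofile&u=2, u=3, u=4, ... in sequence). The log lines are constructed with documentation-range IP addresses; the enumeration threshold of five consecutive IDs is an arbitrary assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" log format; not from any real server.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Dec/2004:10:01:02 +0000] "GET /forum/viewtopic.php?t=12 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [18/Dec/2004:10:01:09 +0000] "GET /forum/viewtopic.php?t=12&highlight=%2527 HTTP/1.1" 403 210 "-" "Mozilla/4.0"
198.51.100.7 - - [18/Dec/2004:10:02:00 +0000] "GET /forum/viewtopic.php?t=9&q=wget%20 HTTP/1.1" 403 210 "-" "-"
192.0.2.44 - - [18/Dec/2004:10:03:00 +0000] "GET /forum/profile.php?mode=viewprofile&u=2 HTTP/1.1" 200 3000 "-" "crawler"
192.0.2.44 - - [18/Dec/2004:10:03:01 +0000] "GET /forum/profile.php?mode=viewprofile&u=3 HTTP/1.1" 200 3000 "-" "crawler"
192.0.2.44 - - [18/Dec/2004:10:03:02 +0000] "GET /forum/profile.php?mode=viewprofile&u=4 HTTP/1.1" 200 3000 "-" "crawler"
192.0.2.44 - - [18/Dec/2004:10:03:03 +0000] "GET /forum/profile.php?mode=viewprofile&u=5 HTTP/1.1" 200 3000 "-" "crawler"
192.0.2.44 - - [18/Dec/2004:10:03:04 +0000] "GET /forum/profile.php?mode=viewprofile&u=6 HTTP/1.1" 200 3000 "-" "crawler"
203.0.113.5 - - [18/Dec/2004:10:05:00 +0000] "GET /forum/profile.php?mode=viewprofile&u=17 HTTP/1.1" 200 3000 "-" "Mozilla/4.0"
"""

# Combined log format: client, identity, user, [time], "method path protocol", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# The same four tokens as the RewriteCond lines, applied to the undecoded query string.
# "echr" and "esystem" are short substrings and can fire on innocent text, so treat
# hits as leads to review, not verdicts.
SIGNATURES = {
    "wget_in_query": re.compile(r"wget%20", re.IGNORECASE),
    "echr": re.compile(r"echr", re.IGNORECASE),
    "esystem": re.compile(r"esystem", re.IGNORECASE),
    "double_encoded_quote": re.compile(r"highlight=%2527", re.IGNORECASE),
}

PROFILE_ID_RE = re.compile(r"(?:^|&)u=(\d+)(?:&|$)")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not fit."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("path").partition("?")
    return {"ip": m.group("ip"), "path": path, "query": query, "status": int(m.group("status"))}


def match_signatures(query):
    """Names of the signatures that fire on a raw query string."""
    return [name for name, rx in SIGNATURES.items() if rx.search(query)]


def longest_consecutive_run(ids):
    """Length of the longest run of consecutive integers in a sorted, de-duplicated list."""
    best = run = 0
    for i, value in enumerate(ids):
        run = run + 1 if i and value == ids[i - 1] + 1 else 1
        best = max(best, run)
    return best


def analyse(log_text, enum_threshold=5):
    """Return (signature_hits, enumerators).

    signature_hits: list of (ip, raw_query, [signature names]) for lines matching the tokens.
    enumerators:    {ip: sorted profile IDs} for clients that walked at least enum_threshold
                    consecutive numeric profile IDs, i.e. the member-list harvesting pattern.
    """
    hits = []
    profiles = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        names = match_signatures(rec["query"])
        if names:
            hits.append((rec["ip"], rec["query"], names))
        if rec["path"].endswith("/profile.php"):
            m = PROFILE_ID_RE.search(rec["query"])
            if m:
                profiles[rec["ip"]].add(int(m.group(1)))
    enumerators = {
        ip: sorted(ids)
        for ip, ids in profiles.items()
        if longest_consecutive_run(sorted(ids)) >= enum_threshold
    }
    return hits, enumerators


if __name__ == "__main__":
    hits, enumerators = analyse(SAMPLE_LOG)
    for ip, query, names in hits:
        print(f"signature hit from {ip}: {names} in ?{query}")
    for ip, ids in enumerators.items():
        print(f"profile enumeration from {ip}: IDs {ids[0]}..{ids[-1]} ({len(ids)} profiles)")
```

Run against a real access log with `analyse(open("access_log").read())`. A 403 on a signature hit means the rewrite rule did its job; a 200 on the same pattern, or a hit dated before the rules were added, is what deserves a closer look at the files and database, as max_mill describes.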

    encyclo

    Msg#: 274 posted 1:14 pm on Jan 2, 2005 (gmt 0)

    Just to add to this thread - I complained in my original message about the poor state of security announcements for phpBB. Well, there's some good news: the phpBB team have launched a mailing list for release announcements:

    [phpbb.com...]

    I would strongly recommend to all phpBB forum administrators to sign up now! It's the quickest and best way of getting notifications of new patches and security releases.

    Ajan

    Msg#: 274 posted 5:44 pm on Jan 3, 2005 (gmt 0)

    I can't find an answer to my question anywhere, and since it is a security matter perhaps someone here could help me?

    I've created a separate FTP account for my forum and gave access to several trusted people. However, I don't trust them so much as to give them MySQL access, so I put config.php in a different directory above my forum directory (where they do not have access by FTP). Everything's OK: the forum sees config.php, login, database name, password, everything. But the administration panel doesn't see it. I receive an error which says that my config file cannot be found, while a few moments ago the main page of my forum used information from config.php without any problems.
    I wanted to change config.php in two ways. First I erased the content of config.php and put this line there:
    include('../config.php');

    The second method was to place the same line in common.php in phpbb_root.
    In both examples the result is the same: the administration panel doesn't see config.php.

    Anyone got any idea? phpbb.com didn't help me much with that problem. Or is there perhaps a better way to hide config.php?

    jasonlambert

    Msg#: 274 posted 10:19 pm on Jan 4, 2005 (gmt 0)

    Ajan, if you don't trust them, don't give them FTP access. Simple.

    I had a similar situation where I needed to give someone a way to upload files to a special folder on my server, but I didn't want to install an FTPd on my server (I don't like open TCP ports), so I created a separate PHP page on my site for them to upload files via HTTP POST.
    --------------

    I can share with the rest of you a handful of the things I do:

    Robots.txt
    Mine is like this:
    User-agent: *
    Disallow: /forum/groupcp.php
    Disallow: /forum/memberlist.php
    Disallow: /forum/modcp.php
    Disallow: /forum/posting.php
    Disallow: /forum/profile.php
    Disallow: /forum/privmsg.php
    Disallow: /forum/viewonline.php
    Disallow: /forum/search.php

    Note 1: my forum is installed in /forum/, yours might not be. Adjust your URLs accordingly.

    Note 2: If you have a mod_rewrite hack installed, you can add viewtopic.php to the robots.txt list above as well if you want. HOWEVER: be careful doing this if you still have viewtopic.php pages indexed in Google that you get referrals from; you could lose a lot of traffic.

    Once you've done that, I suggest you "clean up Google a bit". Go to Google's remove URL tool and get it to re-read your robots.txt and de-index the old .php pages on your site:
    [services.google.com:8882...]

    PHPBB Version
    Without a doubt edit this in overall_footer.tpl. Remove the version number and the link back to phpBB (no need to give PR away free, is there?). IMO you should keep the overall copyright notice, but that's up to you.

    .htaccess
    If you have a static IP, protect your private directories with .htaccess. A sample file is below. Obviously replace x.x.x.x with your own IP address. If you don't have a static IP, get one if you can.
    order deny,allow
    allow from x.x.x.x
    deny from all

    The directories this should be added to are:
    /admin/
    /db/
    /includes/
    /language/

    faq.php
    Possibly the most pointless file in the whole phpBB package. Delete it.

    MySQL version
    Believe it or not, use MySQL 3 if you want more security. An exploit released some time ago (phpBB 2.0.4?) only worked on MySQL 4 and Postgres. (I've forgotten what the exploit took advantage of now...)
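Three tips in this thread end up in the same place: squallions' .htaccess password on the admin folder, max_mill's reminder that it must not share the forum admin password, and Jason's order/allow/deny restriction to a static IP. Below is an added example of what the admin directory's .htaccess can look like when those are combined; it is not a file from phpBB or from any poster. Jason's syntax is Apache 2.2's; the example carries both it and the Apache 2.4 form, because on 2.4 several plain Require lines are OR-ed and the password alone would let a request through unless they are wrapped in <RequireAll>. The IP address 192.0.2.10, the password file path and the realm name are placeholders to replace. A second fragment at the end does the memberlist.php redirect from encyclo's first post.

```apache
### admin/.htaccess  (the phpBB administration directory)
# Assumes the server config has AllowOverride AuthConfig Limit for this tree and
# that mod_auth_basic is loaded. 192.0.2.10 is a placeholder for the admin's static IP.

AuthType Basic
AuthName "phpBB administration"
# Keep the password file outside the document root. Create it with:
#   htpasswd -c /home/example/private/.htpasswd_admin adminname
# and give it a password that is NOT the forum admin account's password.
AuthUserFile /home/example/private/.htpasswd_admin

<IfModule mod_authz_core.c>
    # Apache 2.4: both the address check and the password must pass.
    <RequireAll>
        Require ip 192.0.2.10
        Require valid-user
    </RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2: same as the order/allow/deny sample above, plus the password.
    # Satisfy All is the 2.2 default and is spelled out so the intent is visible.
    Order deny,allow
    Deny from all
    Allow from 192.0.2.10
    Require valid-user
    Satisfy All
</IfModule>

### /forum/.htaccess  (the forum root)
# After memberlist.php has been deleted, send any lingering search-engine traffic
# for it to the index instead of a 404 (mod_alias).
Redirect 301 /forum/memberlist.php /forum/index.php
```

If the board is not installed under /forum/, adjust the Redirect paths as Jason notes for robots.txt. Test the admin rule from a second address (or a phone on mobile data) before relying on it: a working rule returns 403 without ever prompting for the password.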

    encyclo

    Msg#: 274 posted 12:18 am on Jan 5, 2005 (gmt 0)

    Thanks for some great ideas, Jason. I would take issue with one point, though:

    PHPBB Version
    ... Remove ... the link back to phpbb (no need to give PR away free, is there?).

    There's also "no need" for the phpBB team to volunteer their time and give their excellent forum package away. However, they do. They simply ask for a link back to phpbb.com. Is it really that unreasonable? Are we really that obsessed by PR?

    jasonlambert

    Msg#: 274 posted 12:31 am on Jan 5, 2005 (gmt 0)

    There's also "no need" for the phpBB team to volunteer their time and give their excellent forum package away. However, they do. They simply ask for a link back to phpbb.com. Is it really that unreasonable? Are we really that obsessed by PR?

    The PR bit was said half as a joke :)

    The phpBB team say that you are well within your legal rights to remove the entire copyright notice in overall_footer.tpl (though they request you don't).
    My preference is to keep the copyright notice in a modified form. Some people don't make any modifications to it at all. Some people remove the entire notice.

    I suppose it's all about finding a level you're comfortable with.

    DaButcher

    Msg#: 274 posted 12:52 pm on Jan 11, 2005 (gmt 0)

    beware:
    I ran the update script on a phpBB forum and it did not update the viewthread.php

    I then fixed it manually, like it says here:
    [phpbb.com...]

    linear

    Msg#: 274 posted 8:48 pm on Feb 11, 2005 (gmt 0)

    Sorry to revive a dormant thread somewhat, but here's an additional protective measure I didn't see mentioned above:

    Don't use your account with admin rights for general browsing of your forum. Use the minimum privilege you need to get the work done, whatever level that is for you. This will make it harder for XSS exploits that hijack cookies to grab an admin-level password.

    When you need admin rights, log in as an admin, but otherwise just change your title and be a user. (Or moderator as necessary)

    *tips hat to all in this forum, which is a new one to me, but I'll be continuing to read up on all the good stuff here.
