Announcement

Collapse
No announcement yet.

Securing your vBulletin Forums (Part 2)

Collapse
X
Collapse
 

  • Wayne Luke
    started a blog post Securing your vBulletin Forums (Part 2)

    Securing your vBulletin Forums (Part 2)

    Securing your vBulletin Files.
    Access to your vBulletin files should only come through a web browser in most instances. However sometimes someone will start poking around on your server and you don't want them entering directories that should be secure. You can prevent this using server configuration files such as .htaccess or web.config. These files let you control who has access to your directories.

    Securing the admincp, modcp, and install directories.
    These three directories often require access by staff for the maintanence and running of your forums. Should someone's account get compromised, they may provide a way into the system for further malicious mischief. Especially the admincp. The general premise is that anyone with access to the admincp can do very bad things including disabling your forums, hijacking other accounts, installing plugins that log, redirect or do other malicious things to users and so forth. Securing these directories should be on the security conscious admin's mind from the beginning. To do this you would use .htaccess to ask for a secondary username and password. Ideally each person should have their own.

    To do this you will find instructions here:
    .htaccess - http://www.javascriptkit.com/howto/htaccess3.shtml
    web.config - http://support.microsoft.com/kb/815151

    Restrict Access via IP Address
    Alternatively, if you're the only one who requires access to these directories, you can restrict that access to your IP Address. Doing so requires a static IP Address from your internet service provider.

    .htaccess:
    Code:
    order deny,allow
    deny from all
    # allow the admin
    allow from 83.116.19.53
    # allow moderator:
    allow from 83.116.19.59
    
    #for all the xxx.xxx.xxx.xxx put in an ip-addres, or ip-range
    web.config:
    [code]
    Code:
    <security>
        <ipSecurity allowUnlisted="false">    <!-- this line blocks everybody, except those listed below -->                
            <clear/> <!-- removes all upstream restrictions -->
            <add ipAddress="127.0.0.1" allowed="true"/>    <!-- allow requests from the local machine -->
            <add ipAddress="83.116.19.53" allowed="true"/>   <!-- allow the specific IP of 83.116.19.53  -->                
            <add ipAddress="83.116.119.0" subnetMask="255.255.255.0" allowed="true"/>   <!--allow network 83.116.119.0 to 83.116.119.255-->                
            <add ipAddress="83.116.0.0" subnetMask="255.255.0.0" allowed="true"/>   <!--allow network 83.116.0.0 to 83.116.255.255-->                
            <add ipAddress="83.0.0.0" subnetMask="255.0.0.0" allowed="true"/>   <!--allow entire /8 network of 83.0.0.0 to 83.255.255.255-->                
        </ipSecurity>
    </security>
    Renaming your Admincp and Modcp directories
    For a bit of security through obscurity you can also rename these directories inside your config.php file. Then when someone tries to access the original names, they will get an error. Though, I recommend leaving empty directories named with admincp and modcp and a deny from all .htaccess within. To rename these directories look for this section in the config.php file:
    Code:
        //    ****** PATH TO ADMIN & MODERATOR CONTROL PANELS ******
        //    This setting allows you to change the name of the folders that the admin and
        //    moderator control panels reside in. You may wish to do this for security purposes.
        //    Please note that if you change the name of the directory here, you will still need
        //    to manually change the name of the directory on the server.
    $config['Misc']['admincpdir'] = 'admincp';
    $config['Misc']['modcpdir'] = 'modcp';
    If you do this, you need to remember to rename the appropriate folders every time you upgrade vbulletin as well.

    Other Directories - includes, packages and vb
    No one should need direct access to these directories at any time. However I feel these should be secured nonetheless. They contain the inner workings of your vBulletin system. To secure these you should include a deny from all directive in the .htaccess for each directory. To do this create a .htaccess file with the single following line in it:
    Code:
    deny from all
    Upload that file to the three directories.

    Warning
    There is one fatal caveat to securing directories and files via .htaccess or web.config files. If the attacker has access to the server via FTP or other means, they can possibly delete these files and remove any security they provide.

    • TheLastSuperman
      #7
      TheLastSuperman commented
      Editing a comment
      Originally posted by PitchouneN64ngc;bt11649
      The /install/ directory is needed if you need to import master styles/language/etc. if you have a problem related.
      Originally posted by Paul M;bt11658
      You dont need it for day to day running.

      Either remove it, and just upload it when needed, or rename it to something obscure, and rename it back when needed.
      I only upload it on a site where some issue has come up and you need to run tools.php because it won't function properly w/o the install directory in place.

      Originally posted by Wayne Luke;bt11662
      Sure if you want... Security by obfuscation isn't really security.

      If an adminstrator or moderator account is compromised, they'll just click the link and get directed to the new path anyway. Or they can look in the config.php file if they have access to it.

      vBulletin is going to look for the config.php file in the includes directory so you'll need to leave a stub redirecting to it. If someone gets into the stub, they know where your config.php file is. If you prevent browsing in the directory, then they won't get to it in the first place so why move it?
      Well the first part of your statement is true however considering many are script kiddies who read or view video tutorials it's not like they know all the in's and out's like we do yet all the info they need is readily available online :erm:. Point being you can even go so far as to rename your config.php via the class_core.php and leaving a fake admincp and modcp and config.php in place to fool the initial idiots but someone will eventually come along who knows what to look for so the best thing to do is keep your site updated including any form of other third party software (openx, wordpress, joomla, cart systems etc!) on your server and ensuring you have strong passwords (20+ characters) because even rainbow cracking has limits atm - http://www.ethicalhacker.net/content/view/94/24/ but here I go running off on slightly related tangents but long story short members - stay current!


    • richpal
      #8
      richpal commented
      Editing a comment
      Hi Wayne,

      Excellent information - have a question regarding your code.

      Code:
      order deny,allow
      deny from all
      # allow the admin
      allow from 83.116.19.53
      # allow moderator:
      allow from 83.116.19.59
      
      #for all the xxx.xxx.xxx.xxx put in an ip-addres, or ip-range
      If I want to access the forum from say home and work which have different IP addresses do I leave a gap between the IP addresses or use a comma, an example might be good - I don't want to accidentally block myself

    • Maurd
      #9
      Maurd commented
      Editing a comment
      Originally posted by PitchouneN64ngc;bt11649
      The /install/ directory is needed if you need to import master styles/language/etc. if you have a problem related.
      Originally posted by Paul M;bt11658
      You dont need it for day to day running.Either remove it, and just upload it when needed, or rename it to something obscure, and rename it back when needed.
      Thought so. I've been completely removing it since 3.7.
    Posting comments is disabled.

Related Topics

Collapse

Working...
X