View Full Version : [Article] Securing vBulletin


Nukey
30th June 2005, 06:07 AM
Securing vBulletin

Security is a hot topic these days, and securing your forum is very important. These are just a couple of precautions to take, and procedures to follow, to keep your forum secure.

1. Secure Your Server

Ensure that your FTP, SSH, cPanel, Plesk, MySQL, etc. passwords are secure. vBulletin, in general, is secure to current knowledge, but no matter how secure any software is, if those passwords can be guessed (brute forced), then the software’s security is circumvented. You are only as secure as your weakest password. If at all possible, use randomly generated passwords.

If you run your own dedicated server, also ensure that your versions of PHP, MySQL and other software are up to date, and that you have a firewall installed. If there are known security issues for software you are running, you should fix those issues as soon as possible to avoid exploits.

2. Securing vBulletin

There are a few extra procedures you can take to ensure that your admincp/ (Admin Control Panel) and/or modcp/ (Moderator Control Panel) are secure from intruders.

The first thing you should do is secure your Admin and Moderator passwords just as you have your server passwords (use different passwords!). If you access your forum from an insecure, public location, you could even consider creating an account for yourself, separate from your administrator account, with fewer privileges, that you can use to access your forum.



You can also use .htaccess to further secure your AdminCP and ModCP.
(.htaccess helps you password protect your directories, an additional security layer)

There are two basic ways you can restrict access with .htaccess.

A) Restrict by IP Address

If you don’t have a lot of users accessing your AdminCP, and you have a static IP (or a dynamic IP that rarely changes), you can restrict access to your AdminCP by IP Address. To do so, create a file named .htaccess in your admincp/ and, if you wish, modcp/ folder(s).

Inside this file put the following:
# No <Limit GET> wrapper: a <Limit> block only restricts the methods it
# names, and the AdminCP submits its forms with POST, which would then
# be allowed through. Without the wrapper the rule applies to every method.
order deny,allow
deny from all
allow from YOURIPADDRESS
This will allow only the IP Addresses you specify to access the folder. If you want to add multiple IP Addresses, just add more allow from IP statements.
Save the file and upload it to the appropriate directory.

B) Restrict by Username/Password

If you can’t limit by IP Address but would still like an extra layer of security, you can restrict access by username and password.

To do this, create a file named .htaccess in the admincp/ and, if you wish, modcp/ Directories.
Inside the file insert the following text:

AuthUserFile /otherdirectory/.htpasswd
AuthType Basic
AuthName "Authorized Users Only"

# No <Limit GET POST> wrapper: any method not listed in a <Limit> block
# (OPTIONS, PUT, or an arbitrary method name) would bypass the login.
# Left unwrapped, the requirement applies to every request.
require valid-user
You must replace /otherdirectory/.htpasswd with the path to where your .htpasswd file will be. I’ll show you how to configure that in just a minute. The location for that file must be outside of your publicly accessible web directory. If you wish, you can also replace the “Authorized Users Only” text.
Save the file and upload it to the appropriate directory.

Now navigate outside of your publicly accessible web directory to the path you specified in the .htaccess file and make a file called .htpasswd

In this file you will list the usernames and passwords of those who you want to give access to the directories. Each entry will be in the format username:password (no spaces around the colon). If you don’t have access to SSH to generate an encrypted password, you can use a page such as this one: http://www.engr.sjsu.edu/daluu/scripts/htpasswd.php to do it for you. Just copy and paste the results into your .htpasswd file (separate line for each user) and save!

Note: Make sure you don't use the same passwords as you do for the forum, that would render this process pointless. :)

Those are a couple of steps you can take to secure your vBulletin installation. I hope this has helped you out :)

Brian
24th July 2005, 02:31 AM
Great stuff! Looking forward seeing more of such post coming! :)

Nukey
24th July 2005, 02:42 AM
Thanks! :)

Trent
25th July 2005, 02:30 PM
Great job!

Karma++

INIDotCom
14th August 2005, 03:34 AM
Would it make any sense to use BOTH A and B above? Or just one or the other?