YaBB SE Community

English User Help => FAQ => Topic started by: andrea on December 14, 2002, 01:24:06 AM

Title: FAQ: HowTo make the board safer against hacker attacks
Post by: andrea on December 14, 2002, 01:24:06 AM
Important for security is to take care of security updates in the board software, such as
http://www.yabbse.org/community/index.php?board=9;action=display;threadid=17919

Furthermore, there are some general security considerations you can follow, as listed below.

Have restored my board now..

What can I do to make it safer??
  • First of all: change your passwords (probably you already did). And make sure the following 3 passwords are all *different*:

- ftp password
- phpmyadmin password
- db access password (the one that is in the file "Settings.php")
The most important thing is that the password that is written in the file "Settings.php" is *not* equal to either your ftp password or your phpMyAdmin password.
Furthermore, make sure that the passwords are hard to guess.
  • back up frequently, make sure you know how to restore (db data and html data)
  • check the file protections in your board, reduce them to the minimum that is required to keep the board running
  • delete install files such as install.php, archive.ya, converter.php etc.
  • make sure that your YaBB SE admin user password is hard to guess and again different from the passwords above. The same for other admin members in your board.
  • clean the YaBB SE error log (in the admin menu) after each login failure with your YaBB SE admin user

attachment and flash are also critical!!

  • Don't allow guests to upload anything
  • Don't allow script or txt files to upload!
  • deactivate the flash-thing

Minimal chmod settings for a live board (restrictive security settings):

These are the minimal settings which are required to keep the board working for the public. This is written under the assumption that the admin setup work is finished. That means that neither the template nor the settings can be changed with the admin menu, nor can packages be installed with the package manager, if these permissions are activated. If you love to permanently play around with your board installation then you should not use those restrictive security settings. These very restrictive security settings are only for webmasters who do not use the package manager daily or change the board settings or the template daily.

file permissions
  all files (such as *.php, *.gif etc.)   644 (recursively, in the whole directory tree, in all subfolders)

directory permissions
  yabbse                                  755
  yabbse/attachments                      777 if attachments are enabled, 755 if not enabled
  yabbse/Sources                          711
  yabbse/Packages                         755
  yabbse/YaBBImages                       711
  yabbse/YaBBImages/avatars               755
  yabbse/YaBBImages/english               711
  yabbse/YaBBImages/german                711
  yabbse/YaBBImages/any-other-subdir      711
  yabbse/YaBBHelp                         711
  yabbse/YaBBHelp/any-subdir              711
  yabbse/any-subdir-not-listed-above      711

special permissions
  Settings.php, Settings_bak.php          change temporarily to 666 for modifications with the admin menu option, change back to 644 asap after work is done
  template.php                            if you need to modify with the admin menu option then change to 666, change back to 644 asap after work is done
  ftp programs                            Be aware that ftp programs might change file permissions. Check the file and directory permissions whenever you have re-uploaded a file or a directory.
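
The permission table in the post above, turned into a read-only audit that also flags the leftover install files the list mentions. This is an added example, not part of the original thread or of YaBB SE; it assumes a Linux `stat -c`, and the function names and the sample tree it builds are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Linux `stat -c %a`.

# Mode the FAQ table asks for. $1 = path relative to the board root
# (empty for the root itself), $2 = f or d, $3 = yes if attachments are enabled.
expected_mode() {
  if [ "$2" = f ]; then echo 644; return; fi
  case "$1" in
    ""|Packages|YaBBImages/avatars) echo 755 ;;
    attachments) if [ "$3" = yes ]; then echo 777; else echo 755; fi ;;
    *) echo 711 ;;
  esac
}

# Print one line per deviation under board root $1; $2 = yes|no (attachments).
audit_board() {
  ( cd "$1" || exit 2
    find . \( -type f -o -type d \) | while IFS= read -r p; do
      rel=${p#.}; rel=${rel#/}
      if [ -d "$p" ]; then kind=d; else kind=f; fi
      case "$rel" in
        install.php|archive.ya|converter.php) echo "REMOVE $rel (install file)" ;;
      esac
      want=$(expected_mode "$rel" "$kind" "$2")
      have=$(stat -c %a "$p")
      [ "$have" = "$want" ] || echo "MODE $have want $want: ${rel:-.}"
    done )
}

# Constructed sample tree with three deliberate problems; prints its path.
build_demo_tree() {
  d=$(mktemp -d) || return 1
  mkdir -p "$d/Sources" "$d/Packages" "$d/attachments" "$d/YaBBImages/avatars" "$d/YaBBHelp"
  touch "$d/index.php" "$d/Settings.php" "$d/install.php" "$d/Sources/sample.php"
  find "$d" -type f -exec chmod 644 {} +
  find "$d" -type d -exec chmod 711 {} +
  chmod 755 "$d" "$d/Packages" "$d/YaBBImages/avatars"
  chmod 777 "$d/attachments"
  chmod 666 "$d/Settings.php"   # left writable after an admin-menu change
  chmod 755 "$d/Sources"        # looser than the 711 in the table
  echo "$d"
}

demo=$(build_demo_tree)
audit_board "$demo" yes | sort
rm -rf "$demo"
```

Run `audit_board /path/to/yabbse no` against a live board when attachments are disabled; the script only reads modes and changes nothing.
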
Title: Re:FAQ: HowTo make the board safer against hacker attacks
Post by: andrea on December 14, 2002, 01:25:58 AM
Can this be moved into the FAQ board?

Question:
Is this to be added: upgrade to 1.5 when this version is out. Some security issues should be solved in that version, right?
Title: Re:FAQ: HowTo make the board safer against hacker attacks
Post by: David on December 14, 2002, 01:28:59 AM
Another thing to remember is that passwords over 8 characters are useless. "password" and "passwords" are the same to the login system.
Title: Re:FAQ: HowTo make the board safer against hacker attacks
Post by: Omar Bazavilvazo on December 14, 2002, 02:26:00 AM

Is this to be added: upgrade to 1.5 when this version is out. Some security issues should be solved in that version, right?


Indeed.

It will, Christian Land security fixes for all known exploits :)

ja ne!