Hey,
What's the best way to secure a vBulletin forum?
What kind of things do I need to look out for?
All I need is some ways to secure a vBulletin forum the best I can.
Thanks,
Maz
I must admit that vB has never been my strong point. But there are some more general things that might be able to help with security:
- Password protect the admin directory using htaccess (or .conf if lighttpd)
- Rename the admin directory to something unguessable e.g.
http://www.yoursite.com/838denwujw82/index.php
NOTE: Not sure how to do this in vB. But in phpBB it's simple enough, so I don't see it being a problem.
- Strong passwords for SQL and Admin accounts. It sounds obvious but very strong passwords are the cornerstone of security. For an SQL pass I always use a minimum 20 character alphanumeric pass with symbols. For admin accounts I do something similar, but I have always been able to remember very long logicless passwords.
There are any number of tools for generating them online, from a quick google I turned this up:
Security Guide for Windows - Random Password Generator
- Keep up to date. Make sure vB, and any other scripts you use, are up to date. A good example of this is that phpbb.com got hacked recently, not through phpBB (which was obviously as up to date as it could be) but because they were running an old version of phpList for managing their mailing lists.
- Secure SSH and only use sFTP. This can be slightly more complicated depending on your level of expertise. But I think there is a topic in this forum from Tippie as regards securing Linux that you should take a look at.
As I said, these are only very general and obvious things you should do, as my vB knowledge is not very good at all. So someone else would have to give you advice as to specifically securing vB.
Thanks for the tips! How do I do number 1? And where do I get sFTP? Is it easy to get the hang of?
Are you using a control panel script? Like cPanel or Directadmin?
I'll assume you are, and it is most likely cPanel, if so then all you need do is:
- Login to cPanel with the credentials provided to you by your webhost.
- If you scroll about half-way down the page you will see a group of icons called 'Security'.
- Within that group is an icon called 'Password Protect Directories', click on it.
- A popup will then appear asking you what root directory you want to browse the files for. Select the domain from the drop-down that you wish to protect a folder in and click 'Go'.
- You will then be taken to a page that will list all of the folders in that domain's public_html directory.
- Select the one you want to protect by clicking on its text name (or navigate through the folders by clicking on the icon on the left).
- You'll then be taken to a page whereby you can protect that folder.
- At the bottom you will have to create a user account to access this protected page, if you haven't done already. Very simple to do. You can also create multiple accounts for multiple people, obviously. But one is usually enough.
- When the page reloads the account you just created will be highlighted in the list box at the top bottom, if not, highlight the account.
- Then click the check box at the top that says 'Password protect this directory:' next to it and give the directory a name like 'Admin Panel' or whatever else you want, it doesn't really make much difference.
- You're done. Your directory should now be password protected. It will ask you to authenticate yourself once per browser session.
If you're using another panel script let me know, or I can tell you how to do it manually.
EDIT:
sFTP is essentially just using the Secure Shell (SSH) to transfer your files. It can be done using most FTP clients; it's just a matter of setting it up. It's usually done through port 22 (as opposed to port 21 for FTP). You log in using your SSH user/pass. There are loads of guides around so I would just Google and read up on it.
Thanks, nah I'm with DirectAdmin....
Joke bet u fort ffs :P
Nah, I'm with cPanel.
Thanks for the help, I will do it when I'm home and say if it went well.
...I have done some but I would like more info on this sFTP.
Make sure you allow codes in search.php due to DDoS POC, also
Make sure you fully delete the /install/ folder (older versions don't tell you this).
Also, redirect the admincp and modcp to wherever you want.
Also another thing is that if you use ProArcade or whatever the arcade thingyamob is for vBulletin. Make sure you don't have a bunch of games like I used to. Someone hacked my site like that.
Thanks, this will come in handy!
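
A small checker for the general points raised in this thread (leftover install/ folder, default admincp/modcp names, no .htaccess password on the panel directories), added here as an example and not code from any poster or from vBulletin. The function names and the sample tree are assumptions; it only inspects directory names and .htaccess directives.

```python
import tempfile
from pathlib import Path

DEFAULT_PANELS = ("admincp", "modcp")  # default control panel names from the thread


def has_basic_auth(directory):
    """True if the directory's .htaccess sets up auth and requires a login."""
    htaccess = Path(directory) / ".htaccess"
    if not htaccess.is_file():
        return False
    seen, login_required = set(), False
    for line in htaccess.read_text(errors="replace").splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue  # skip blank lines and commented-out directives
        key = parts[0].lower()
        seen.add(key)
        if key == "require" and len(parts) > 1:
            # "Require all granted" does not count as password protection
            login_required |= parts[1].lower() in ("valid-user", "user", "group")
    return login_required and {"authtype", "authuserfile"} <= seen


def audit_forum(root, panel_dirs=DEFAULT_PANELS):
    """Return findings for a forum tree; panel_dirs are the actual panel folder names."""
    root, findings = Path(root), []
    if (root / "install").exists():
        findings.append("install/ directory still present")
    for name in panel_dirs:
        if not (root / name).is_dir():
            findings.append(f"{name}/ not found")
        else:
            if name in DEFAULT_PANELS:
                findings.append(f"{name}/ still uses the default name")
            if not has_basic_auth(root / name):
                findings.append(f"{name}/ has no .htaccess password protection")
    return findings


if __name__ == "__main__":
    # Constructed sample tree: a fresh install with nothing hardened yet.
    with tempfile.TemporaryDirectory() as tmp:
        for d in ("install", "admincp", "modcp"):
            (Path(tmp) / d).mkdir()
        for finding in audit_forum(tmp):
            print("FINDING:", finding)
```

If the panel folders have been renamed, pass the new names as `panel_dirs` so the .htaccess check runs against the right directories.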