Hi,
I'm an novice mybb user and I've a forum that's going to be open within a week, I want to make sure it's 99% secure before launching.
I couldn't afford to buy a VPS so I'm using a shared hosting, I'm aware of symlinking attacks than can be used to hack my site with compromising another site in my IP range.
question is simple , How can I protect my forum against Symlinking attacks ??
Or make it hell hard to symlink ?
Thank you,
Have a nice day.
As you're on shared hosting it's out of your hands. You should take issues such as that up with your web host.
I heard that we can turn on PHP safe mode or something like to make it hard.
Well most offshore hosts don't allow symbolic linking. Some onshore hosts don't allow it either, just find a host that doesn't allow it.
Some hosts does provide scripts like "site lock (or some diff name)" which locks all files and disallows any uploads or changes to any file being made. That is useful only if you're not allowing any file uploads such as attachments, avatars, etc on your forum.
iPage offers Sitelock as "free" but it only scans 25 pages of your entire site. The same as their $9.99/mo Basic plan. On most forum software that not much. Other hosts may have different arrangements I'm not sure I just dealt with the iPage host provided Sitelock. Just make sure you know the details of what your coverage is.
a good host, even for shared, will jail your account, php safe mode is deprecated as of v5.3 of PHP. A good host should be using things like SuExec, open_basedir, Suhosin, etc. Sure it is more work for them, but it is more secure.
(2013-01-21, 12:36 AM)Altered Wrote: [ -> ]iPage offers Sitelock as "free" but it only scans 25 pages of your entire site. The same as their $9.99/mo Basic plan. On most forum software that not much. Other hosts may have different arrangements I'm not sure I just dealt with the iPage host provided Sitelock. Just make sure you know the details of what your coverage is.
You're maybe confusing with my quoted word as "Sitelock". By that, I didn't meant the official sitelock site. The official sitelock thingy doesn't help much anyway. The thing which I stated is some sort of feature that most hosts adopt, or if not, should adopt. For example on one of the shared hosts that I use, has such feature which you can turn on/off in one click. Doing so will not allow anyone to upload/edit or delete any file from your site, even owner. So that's a good thing. However, it has some cons that I mentioned in my above post.
SAFE_MODE isn't only deprecated, it can also make your life Hell when working with some scripts like SMF.
Very helpful discussion, I appreciate this
