Thread Rating:
  • 6 Vote(s) - 4.33 Average
  • 1
  • 2
  • 3
  • 4
  • 5
Guide to Tightening MyBB Forum Security
#1
Information 
NOTICE BEFORE READING:
This is not a guide to making your forum completely secure and untouchable but this is a guide to the many different things that one can do to tighen up security. I would also like to note that the latest version of MyBB is very secure even out of the box. Also note that i'm no expert on this, I've never even had a public MyBB forum but i'm hoping to start one soon. This is mostly about securing MyBB itself, look elsewhere for information on securing any other web applications that you are hosting

The key points

#1 Keep your forum as up to date as possible
It is very important you keep everything up to date, this includes plugins.
Make sure to manually check for updates in the Admin CP often and/or frequent the downloads section of mybb.com


#2 Check before installing plugins
Plugins have the potential to bring down your whole forum if they are insecure/intentionally backdoor-ed. Google is your friend with plugins so ensure you check through any posts/advisories on the plugin and any other sources of the plugin that could are more likely to be secure. Don't use cracked/nulled plugins. If you can understand PhP then look through the code. If the code is encrypted/obfuscated etc.. and the plugin is not commercial then be very careful. Look into the plugin author and their credibility as well. Using a plugin that is used on HF and made by labrocca for example is a much better idea then some random thing you found dumped on the net.

#3 Use secure and unique passwords
Ensure the passwords to all powerful accounts are different, unique, long and use a large array of chars.

*ndEyd7_-38Dne3dhy3(8ednYe}&[email protected](jNPKNBGgdue
^ Is the type of thing you are going to want as a password to any account with powers that could damage the forum. Don't use passwords that you use on other forums because they could be easily tracked down. If you can't remember the password store it in an encrypted vault such as a keepass vault.

#3 Deny access to directories
There are a number of directories in MyBB that contain files that never need to be accessed from browser. It's a good idea to deny access to these.

Directories to protect
{root}/inc
{root}/install (whenever not needed)
{root}/{admincpdir}/inc
{root}/{admincpdir}/modules
As there is no legit reason to access this stuff it's best to create a .htaccess file in the root of these directories containing the following.
deny from all

Another way to add to security to the files is the add to/create a .htaccess file in the forum root containing
Options -Indexes
To stop anyone browsing folders without an index.

Another thing one can do is the rename the Admin Directory, to do this open
{root}/inc/config.php
and edit the
$config['admin_dir']
to whatever you want your new directory to be then rename the actual directory from 'admin' to whatever you specified in the config.php. --- This does not give much extra security unless you set the
$config['hide_admin_links']
to 1 (note you will need to access the adminCP from a stored link rather than from a link on the front end if this is enabled)


#4 Obscure, obscure, obscure
It's a great idea to make it as hard as possible for a potential attacker to get correct information on your forum.

Change the default table prefix (this can be done easily upon when installing a fresh install of MyBB in the installation wizard) This can also be done in the
config.php
but only people who know what they are doing should attempt to change it after MyBB has been installed also note that a few plugins are broken by non-default table prefixes. This can make it harder for ub3r el1te SQLI masters to attack your DB Wink

Other things you can do include giving your main account (the one you post with) super mod perms and giving super-admin to another extremely secure account that has a normal usergroup as it's primary.


#5 Lock down the AdminCP

It's very important to implement extra security on the admin cp to prevent unwanted access.

Here are a few things you can do.

Add extra auth with .htpasswd

http://www.htaccesstools.com/htpasswd-generator/
http://www.htaccesstools.com/htaccess-authentication/
^ The above links can be used to generate the files needed to do this.
Once done simple place the .htpasswd and .htaccess files in the adminCP directory for some extra security. Make sure the user/pass is different to the Admin password.

Add an ip whitelist to the AdminCP

You can use .htaccess to permit only those with a certain ip to access the AdminCP, this is very secure! (It's not a very good idea to do this if you have a dynamic IP though because you might find your self locked out one day. Just put/add to a .htaccess file in the admincp root containing the following.


Order Allow,Deny
Allow from Your.static.ip.adress

Add a pin to the Admin Cp

This pretty much does the same thing as .htpasswd but can look a little better. There are plenty of tutorials on this so just make a search.

Remove the backup system from the AdminCp

If someone was to gain unauthorized access to the admin cp they could easily dump all the SQL info using the built in backup feature. It's a good idea to disable this if you are not going to use it.

Simply go to
{root}/{admincpdir}/modules/tools/backupdp.php
And add a the following after the
 <?php

die('Backups Disabled');
If you want to use this module then simply comment out the addition and uncomment it when you are done.

These are the key points. After this i will just put a few simple extra tips and some links for more info
  • Run MyBB with a database user that is not used with anything else on your website to prevent one failure leading to another
  • Restrict the database user that MyBB uses to only be able to do what it needs and nothing more
  • Restrict PHP to only be able to execute functions that are needed and nothing more
  • Remove any features you don't need (don't use the portal?. then remove it, don't use the calendar? then disable it etc)
  • Make sure you don't have scrutinize IP enabled unless you really, really, really know what you are doing
  • Search through forums/exploit DB's for potential exploits often
  • If you are starting a forum from scratch change how passwords are salted and hashed for some extra obscurity in the event your DB is leaked
  • If you've left anything in Areas the public can access such as a plugin zip file or a phpinfo.php then be sure to remove.
  • If something is suspicious... CHECK IT OUT!
Some websites to check out.

http://www.mybbsecurity.net/

This tutorial has been written by Opening as a thanks for the help I have received
Mods feel free to edit/addto/stick or whatever.

(41ae19b2c0f15c84f216759e13119036)
#2
This is a good post, this should be a sticky. I will use this for my forum. Smile
#3
Thanks so much for your kind advice, I would like to implement some of this stuff, however I need to understand what you mean by:
Quote:create a .htaccess file

As I see with most of it you need to do this, when I understand that then I can put this stuff into action. I do really want to further secure my forum you see and have just added an Admin pin etc...





#4
Very helpful guide. I already know most of the points, but for some they can be quite useful. Also, I think you should remove the colours.
[Image: MaDuhur.png]
by Dukhor, IcyBoards Community Forums
#5
This is extremely good information! Thank you so much.
#6
Pretty decent guide. You should also address key issues in administrator judgement (ie leaving the /merge/ directory after performing one).
#7
Thanks for this post on how to secure my forum. Ran through the list and did as you explained.
#8
Keep in mind guys: If you have a dynamic IP and want to IP-protect your admin directory, you can still do so, IF you have another way to access your site files (e.g. SSH or a control panel such as cPanel).
PGP Key (Fingerprint: 23B6 F4C0 FE2D 45AA 61A0 1E86 DB87 09DC DD87 6E40)


Forum Jump:


Users browsing this thread: 1 Guest(s)