If you run a forum, then sooner or later you have to think about protecting it - after all, the attackers never sleep! In this post, I (with the help of Habr user ReaM) have compiled a list of tips for improving the security of your vBulletin forum. Interested? Details under the cut :)

So, let's begin:
1) Update to the latest release of your branch (3.5.x, 3.6.x, 3.7.x)
Description: No comments.
Why?: Jelsoft keeps patching newly discovered vulnerabilities. Nobody wants to run a forum full of last year's holes, right?
2) Rename the admin panel and the moderator panel
Description: Rename the admin panel directory, but under no circumstances write the path to the renamed admin panel into the configuration. Rename the moderator panel as well; its path can be written into the configuration (although that is also undesirable), since it is less sensitive. Judge for yourself :)
Why?: If you rename the admin panel and do not put its path in the configuration, it becomes much harder to find, and therefore much harder to hit with XSS or something worse. There are downsides: profile editing and adding moderators will stop working until you fix the links by hand.
3) Put an .htaccess on the admin panel:
Description:
a) If your IP is static, then:
Order allow,deny
Deny from all
Allow from %_IP%
(replace %_IP% with your own address)
b) Also add a password:
Follow the link _http://vbsupport.org/htaccess.php, fill in the fields and add the generated directives to your .htaccess file.
Why?: An extra password on the admin panel never hurts.
4) Delete files and folders:
Description:
a) Delete the files:
/validator.php (if present)
/checksum.md5 (if present)
b) Delete the folders:
/install/
Why?: Insecure files from nulled versions may let an attacker list your files, and the install folder is very harmful to leave in place =)
5) Move attachments and avatars
Description: Go to the admin panel, then:
a) Attachments -> Attachment Storage Method
Attachments must be stored in the database.
b) Avatars -> User image storage type
Avatars must be stored in the database.
Why?: The 3.5 line, if memory serves, gave direct links to the images, which, if the hosting was misconfigured, gave a chance to upload a shell.
6) Set folder permissions
Description: If item 5 is done, you can now safely set the custom* folders to 644, since they are no longer needed (or you can delete them). Next, if you installed vBulletin according to the instructions, everything in the / (root) folder should already have permissions 644. Check this; if not, set them to 644.
Why?: It makes it harder for an attacker to upload a shell.
7) Never, anywhere, for anyone, turn on the 'Allow HTML' option.
Description: No comments. Why would anyone need HTML?
Why?: XSS attacks become possible when the feature is on.
8) Put an .htaccess on the includes folder
Description: Put an .htaccess with the following content in the includes folder:
Order allow,deny
Deny from all
Why?:
- If a shell is somehow uploaded there, it cannot be reached from outside.
- If you ask why that matters: it is possible for the PHP interpreter to fall over and leave only Apache running, and Apache on its own will happily serve the PHP files as plain text. Then all files from the /includes/ folder could be read, including config.php, which is not good at all.
9) Put this .htaccess into every directory whose permissions are 0777:
© kerk _http://vbsupport.org/forum/member.php?u=30
Description:
RemoveHandler .phtml
RemoveHandler .php
RemoveHandler .php3
RemoveHandler .php4
RemoveHandler .php5
RemoveHandler .cgi
RemoveHandler .exe
RemoveHandler .pl
RemoveHandler .asp
RemoveHandler .aspx
RemoveHandler .shtml
<Files ~ "\.php|\.phtml|\.cgi|\.exe|\.pl|\.asp|\.aspx|\.shtml">
Order allow,deny
Deny from all
</Files>
Why?: Scripts with the listed extensions can no longer be executed inside a directory carrying such an .htaccess.
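As an added example (not part of the original post), here is a small POSIX shell script that automates item 9: it finds every world-writable directory under a web root and installs the handler-stripping .htaccess above wherever it is missing. The web root path is an assumption; pass your own.

```shell
# Added example, not from the original post: locate every world-writable
# directory under a web root (the "0777" directories of item 9) and drop the
# handler-stripping .htaccess into each one that does not already carry it.
set -eu

HTACCESS_BODY='RemoveHandler .phtml
RemoveHandler .php
RemoveHandler .php3
RemoveHandler .php4
RemoveHandler .php5
RemoveHandler .cgi
RemoveHandler .exe
RemoveHandler .pl
RemoveHandler .asp
RemoveHandler .aspx
RemoveHandler .shtml
<Files ~ "\.php|\.phtml|\.cgi|\.exe|\.pl|\.asp|\.aspx|\.shtml">
Order allow,deny
Deny from all
</Files>'

# Print every directory under $1 that is writable by "other", one per line.
list_world_writable_dirs() {
    find "$1" -type d -perm -o+w -print
}

# Write the blocking .htaccess into $1; returns 1 if it was already there.
ensure_htaccess() {
    if [ -f "$1/.htaccess" ] && grep -q 'RemoveHandler .php' "$1/.htaccess"; then
        return 1
    fi
    printf '%s\n' "$HTACCESS_BODY" > "$1/.htaccess"
    chmod 644 "$1/.htaccess"
}

# Harden every world-writable directory under web root $1; prints the number
# of directories fixed on this run (progress messages go to stderr).
harden_writable_dirs() {
    fixed=0
    while IFS= read -r d; do
        [ -n "$d" ] || continue          # empty listing yields one empty line
        if ensure_htaccess "$d"; then
            echo "installed .htaccess in $d" >&2
            fixed=$((fixed + 1))
        else
            echo "already protected: $d" >&2
        fi
    done <<EOF
$(list_world_writable_dirs "$1")
EOF
    echo "$fixed"
}
```

Run it as `harden_writable_dirs /path/to/forum` from a shell that has sourced the script; a second run reports 0, which makes it safe to schedule from cron.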
10) Edit config.php and enter the administrators' IDs in the undeletable users field.
Description: The file is /includes/config.php. Just enter the administrators' IDs there, after making all the necessary changes to their profiles.
Why?: Nobody needs to change the administrators' profiles, not even the administrators themselves. If it does become necessary: remove the ID from the file, make the change, put it back. Safety comes first! :)
11) After removing mods/hacks, do not forget to delete the files you uploaded with them.
Description: No comments.
Why?: Why keep extra files on the server? There is no need...
12) Never store backups anywhere the web server can reach.
Description: No comments.
Why?: They will be available for download to anyone who guesses the backup's name. Of course, you can tighten .htaccess, but still, for security's sake, keep backups out of the web server's reach.
13) Install the File Inspector plugin.
The author is Ghost (http://www.vbsupport.org/forum/member.php?u=38422)
Description (quote): While digging through my old scripts, I came across this product - File Inspector. It is a set of modules for vBulletin that lets you save a list of existing files in the database and check from time to time whether any of them have changed (size, owner and access rights are stored for each file); the built-in cron task notifies the administrator by e-mail about any discrepancies found. Several copies (revisions) of the file list can be stored in the database for comparison (the automatic check with e-mail notification compares only against the latest revision). The appearance and available settings can be seen in the screenshots.
INSTALL: To install, upload the two PHP files from the archive to the server and import the product from the product-gfi.xml file.
UPDATE: Version upgrades are not provided for, so to install a new version it is recommended to uninstall the previous one first.
PS: The product has worked successfully on all versions from 3.6.8 to 3.8.1 inclusive. True, the link in the drop-down menu of the navigation bar ended up in different places, but those are trifles.
Download from vbsupport.org
Why?: An indispensable tool for finding shells on the site, but you have to install it in advance.
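The check described in item 13, as an added example rather than the plugin's own code: a shell stand-in for File Inspector that records a revision of every file's path, size, owner, mode and SHA-256 hash, then reports the paths that were added, removed or changed since. It assumes GNU coreutils (stat -c, sha256sum) and file names without whitespace; the paths used are assumptions.

```shell
# Added example, not the File Inspector plugin itself: a minimal stand-in for
# item 13. A revision records path, size, owner, mode and SHA-256 for every
# file under the web root; a later run is compared against that revision and
# the paths of new, removed or modified files are printed.
# Assumes GNU coreutils (stat -c, sha256sum); file names must not contain spaces.
set -eu

# One line per file: "<path> <size> <owner> <mode> <sha256>", sorted in the C
# locale so the output can be fed straight to comm(1).
snapshot_tree() {
    find "$1" -type f -print | while IFS= read -r f; do
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        stat -c "%n %s %U %a $sum" "$f"
    done | LC_ALL=C sort
}

# Save the current state of web root $2 as revision file $1.
save_revision() {
    snapshot_tree "$2" > "$1"
}

# Print each path whose record differs between revision $1 and the live tree
# under $2 (added, removed, or changed in size/owner/mode/content).
report_changes() {
    cur=$(mktemp)
    snapshot_tree "$2" > "$cur"
    # comm -3 keeps lines unique to either side; a modified file shows up once
    # from each side, so sort -u collapses it to a single path.
    LC_ALL=C comm -3 "$1" "$cur" | awk '{print $1}' | LC_ALL=C sort -u
    rm -f "$cur"
}

# Exit 0 when the tree still matches the revision, 1 when anything changed
# (this is the point where the plugin's cron task would send its e-mail).
check_revision() {
    if [ -n "$(report_changes "$1" "$2")" ]; then
        return 1
    fi
}
```

Take the revision right after finishing the hardening steps above, so that a later positive report points at files you did not change yourself.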
Total:
Getting into the admin panel is now quite difficult, so uploading a shell through the admin panel is just as difficult. A shell could still be uploaded through a vB vulnerability, but if it lands in /includes (some hacks ship files that require 777), we have Deny from all on the includes folder, so the shell simply cannot be reached from outside!
You can set 644 on the other folders as well; if you have done all the points, uploading anything will be hard enough, especially if chroot is properly configured. And finally, we added protection from the admins themselves, who poke around where they should not and thereby expose themselves to XSS and trojans.
Actually, that's all... This is my first post on Habr, so please don't kick too hard :)
UPD: Transferred to "Information Security".