tunafish Posted June 9, 2007

I wrote this a while back, April 2006; it is still very useful.

Security 101

The aim of this document is to provide you with knowledge of maintaining security in your forum software and site security. This document is written in an attempt to help people keep their bulletin board software secure and stop hack attempts. I have made this document into little chapters so this information will be easy to "digest".

Password Security 101 - The basics

The first thing you should always do when setting up forum software and creating accounts is to make sure your password is secure. You can do this by means of 3 simple rules.

1) No words in the dictionary should be used
2) Use numbers and letters
3) Use CAPITAL and lower case letters

Here is an example of an easy to hack password that MOST people use: QWERTY. You should never use passwords that are in the dictionary, as if someone wants to hack a password all they need to do is set up brute force and use a dictionary file. If you are going to use a password I suggest you use a password something like this: N4j0[a. As you can see it contains 6 characters, CAPITAL letters, lowercase letters, numbers and a symbol. But if for some reason you can't use passwords like this and need to use common words I suggest you do something like this: QweRty2. The longer the better. Passwords under 5 words long are not to be used; over 6 would be more secure and a better password overall.

Also the password you use for your forum should not be used anywhere else, and the same goes for any other password you use: it SHOULD NOT be repeated anywhere else. This will increase security and should be common practice.

Using Secure Connections (https)

If you have a server that supports https I suggest you route your forum's login file to use it. So if you have http://www.yoursite.com/forum/login.php I suggest you route it over https. The reason for this is, if people type in passwords and send them, they are sent unsecured over http. They could be intercepted and stolen. But if you use https this increases security because it encrypts the data. I know it's not common to see this, but if you want to be safe and your site is a kind of online trading community where people sell and purchase stuff, I recommend you use this.

Database Encryption

All the major bulletin boards use MD5. But if you are very paranoid you can change this to use SHA-1. This works on a higher encryption rate and ensures data is secure. Again, another use that the average user might not need, but it's there if you want it. If you are unsure, find out if the company has a SHA-1 add-on for the forum software you use. The only downside of this is it will slightly increase the file size of the database due to the higher encryption method.

MD5 - QWERTY: d8578edf8458ce06fbc5bb76a58c5ca4
SHA-1 - QWERTY: b1b3773a05c0ed0176787a4f1574ff0075f7521e

Keeping the software updated

This is very important! Your bulletin board software should always be kept up to date. Most bulletin board software comes with an update checker. This will always make sure you have the latest version; if not, it will ask you to download it and install it. Software is nowhere near 100% secure and bugs are found nearly every day. The reason why you should keep up to date is because there could be security holes that allow people to see information in your database, make themselves an admin or delete all data.

Securing admin panel

Admin panels are always secured by default. These use the same user id and password as your forum account, again another security risk. What I suggest you do is create an .htaccess file in the admin folder. If you're unsure on how to set up an .htaccess file read this (http://www.javascriptkit.com/howto/htaccess3.shtml). Anyway, back to the .htaccess information. An .htaccess file acts as another password box. This is loaded before the admin login. So if you set this up, any user who tries to access the admin folder will be prompted to enter a different password. Here is an example of what I mean.

Load up admin panel
Prompt to enter username and password from .htaccess (note this is different from forum login and can only be set by the site admin)
Then you will have access to enter forum admin details.
Login with forum admin details

This is useful as it will increase security: if someone has an exploit for a file in the admin folder they can't run it, as the .htaccess folder needs verification first.

Forum Settings

If your forum software has support for login attempts, turn it on. What this does is after a failed login from any account it will log the user id and ip address. After 3 failed logins it will lock the account; this is useful as it will stop most automated hack attempts.

Also, if your forum supports it, turn on visual confirmation for registering. What this does is prompt the user to enter a unique key before they can register. This will stop robots from automatically creating accounts and flooding your database with useless information.

Also set a time delay of say 10 seconds between the user being allowed to post. This will also stop spam posts posting stuff over and over again, as they will have to wait 10 seconds before they can post again. Also, if your forum software supports it, you can get an add-on that will automatically block a user who has posted say 5 posts in 10 seconds. The block could be anywhere from 2 minutes to 2 days.

HTML Support

Most bulletin boards come with HTML support. I recommend you DEACTIVATE this. The reason for this is because HTML can be used to create nasty scripts that can cause damage to the bulletin board. Most bulletin boards have it deactivated by default. I really do suggest you don't use it, as it could be used to steal your session id and they could gain access to your forum.

General Site Safety Tips

If you have a large site, make DAILY backups of your database, or if not daily do it every 2 days. You can do a file backup every week, but the database is more important as it holds user information, and the files don't change unless you change them.

Never give out your username and password - companies will never ask you for this information!

Always log out of your admin account when finished; this is important if the PC you are using is NOT your own.

If possible change your password monthly. If you think someone might know it, change it right away!
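The two "Forum Settings" controls described in the post above (lock an account after 3 failed logins while logging the user id and IP, and block a user who posts 5 times within 10 seconds) as an added illustration in Python; this is example code, not part of the original post or any forum package, and the ForumGuard class, its method names and the 2-minute block length are assumptions.

```python
import time
from collections import defaultdict, deque

# Thresholds taken from the post: lock after 3 failed logins; block a user who
# posts 5 times within 10 seconds. The block length is a choice (2 minutes here).
MAX_FAILED_LOGINS = 3
FLOOD_POSTS = 5
FLOOD_WINDOW_SECONDS = 10
FLOOD_BLOCK_SECONDS = 120


class ForumGuard:
    """Hypothetical helper (not any forum's API): tracks failed logins per
    account, with the source IP, and recent post times per user."""

    def __init__(self):
        self.failed = defaultdict(list)         # user_id -> [(timestamp, ip), ...]
        self.locked = set()                     # accounts locked after repeated failures
        self.recent_posts = defaultdict(deque)  # user_id -> post timestamps in the window
        self.blocked_until = {}                 # user_id -> time the post block expires

    def record_login(self, user_id, ip, success, now=None):
        """Return 'ok', 'failed' or 'locked' for one login attempt."""
        now = time.time() if now is None else now
        if user_id in self.locked:
            return "locked"                     # stays locked until an admin clears it
        if success:
            self.failed[user_id].clear()        # a good login resets the failure count
            return "ok"
        self.failed[user_id].append((now, ip))  # log user id and IP, as the post describes
        if len(self.failed[user_id]) >= MAX_FAILED_LOGINS:
            self.locked.add(user_id)
            return "locked"
        return "failed"

    def record_post(self, user_id, now=None):
        """Return 'ok' or 'blocked' for one post attempt."""
        now = time.time() if now is None else now
        if now < self.blocked_until.get(user_id, 0):
            return "blocked"
        window = self.recent_posts[user_id]
        window.append(now)
        while now - window[0] > FLOOD_WINDOW_SECONDS:   # drop posts older than the window
            window.popleft()
        if len(window) >= FLOOD_POSTS:                  # 5 posts inside 10 seconds
            self.blocked_until[user_id] = now + FLOOD_BLOCK_SECONDS
            window.clear()
            return "blocked"
        return "ok"
```

Passing `now` explicitly makes the logic testable without waiting on the clock; in a real forum the timestamps and the failure log would be persisted to the database rather than kept in memory.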
Stokkolm Posted June 9, 2007

Very informative and some good tips. You should probably go over it for grammar and spelling though. You use "unto" when I think you mean to use "up to" in a lot of spots. There are several other minor grammar problems also.
tunafish (Author) Posted June 9, 2007

I wrote it on a PDA on a long train journey home :)