Steps to secure up


yeloc
Wed 10th Mar '04, 7:56pm
Guys, I just purchased my vBulletin and I'm so pleased. The install went through like a charm. Now I need some help with stuff that I'm sure has been asked a thousand times in the past. How do I secure MySQL 4? I read somewhere that there are multiple default accounts that need to have their passwords changed. I lost the link for it. I created a default account, so what are the other accounts that need to have their passwords changed? Also, how do I keep a user from going back a level and viewing my files? I'm sure you have to use a .htaccess file for this, but no clue how to do it.

example:

http://myip/forum/index.php is the forum

How do I keep them from going back to http://myip/forum/

and viewing the files? I would like to give a custom error page for that, but I'll settle for a forbidden now :) Anything else I need to do to secure the site that I don't know about? Thanks for the help guys and I'm very excited about getting this whole Vbulletin thing set up.

yeloc
Thu 11th Mar '04, 8:42pm
I'm sure you guys are tired of answering this question, so I understand. Could you point me to some links at least or tell me some terms to search for on the forum for answers to these questions? I searched the forum before I posted and I didn't find anything. Maybe I overlooked it. Thanks guys.

Steve Machol
Thu 11th Mar '04, 9:03pm
Sorry, but I know nothing about securing MySQL. However, if the web server is set up correctly, then http://myip/forum/ should automatically parse either index.php or index.html. You should provide some details about your web server.

yeloc
Thu 11th Mar '04, 9:38pm
Thanks for the reply Steve. Well, I'm running Windows 2003 Server with Apache 2.0.48, PHP 4.3.4, MySQL 4.0.18, and vBulletin 3.0 RC4. As of right now vBulletin is running without any issues whatsoever, but I just want to make sure my site is secure. I could have sworn that there are a few accounts in MySQL's default setup that they encourage you to change the passwords for after installing. Also, as I stated before, if I go back a level in my URL I can see all the files in my forum directory.

http://myip/vbforum/ shows all the contents of the directory other than giving a forbidden.

I haven't changed anything from the default httpd.conf in Apache except for the requirements like listen port, serverroot, and so on. If you need me to post it I will.

Is the restricting of listing access to the vbforum directory done with httpd.conf and not .htaccess? Am I making any sense now? :)

bahbah
Fri 12th Mar '04, 5:28am
Add index.php to the document root in httpd.conf; that is what you have missing, which is why /forums/ brings up a 404.

Shining Arcanine
Fri 12th Mar '04, 7:08am
Disable all running services that you don't need (leave task scheduler running, it is required for prefetching which speeds up boots and application starts), install a firewall, install an antivirus and configure the server to patch itself nightly. You should also change the root password of MySQL to something unguessable.

yeloc
Fri 12th Mar '04, 1:08pm
> Add index.php to the document root in httpd.conf - that is what you have missing which is why /forums/ brings up a 404

Thanks for the replies guys. Regarding the quote above, I'm not getting a 404 when I go back a level in the hierarchy, but the actual contents of the directory. I found some info on the web to help me out regarding the one matter.

Stop A Directory Index From Being Shown

Sometimes, for one reason or another, you will have no index file in your directory. This will, of course, mean that if someone types the directory name into their browser, a full listing of all the files in that directory will be shown. This could be a security risk for your site.

To prevent against this (without creating lots of new 'index' files), you can enter a command into your .htaccess file to stop the directory list from being shown:
Options -Indexes

Thanks for the help.
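The three things asked for in this thread (serving index.php for the bare directory, turning off the automatic listing, and a custom page instead of the stock 403) can all live in one httpd.conf block. The block below is an added example, not configuration from the thread or from vBulletin; the directory path and the error page path are assumptions.

```apache
# Added example (not from the thread): Apache 2.0 httpd.conf block for the forum
# directory on a Windows box. The path is assumed; Apache accepts forward slashes
# in Windows paths.
<Directory "C:/www/vbforum">
    # Answer a request for the directory itself with the forum front page,
    # so http://myip/vbforum/ lands on index.php instead of a listing or an error
    DirectoryIndex index.php index.html

    # Never generate an automatic file listing; for a directory with no index
    # file Apache now returns 403 Forbidden instead of showing its contents
    Options -Indexes

    # Serve your own page for that 403 (path is relative to DocumentRoot; assumed)
    ErrorDocument 403 /errors/forbidden.html

    # Only needed if you would rather keep the three directives above in a
    # .htaccess file inside the directory: each one belongs to a different
    # override group, and without this line Apache silently ignores the file
    AllowOverride Options Indexes FileInfo
</Directory>
```

Apache reads httpd.conf once at startup, so restart the Apache service after the edit, then request the bare directory URL and a subdirectory that has no index file: the first should show the forum, the second your custom forbidden page rather than a file listing. Keeping the directives in httpd.conf rather than .htaccess also avoids a per-request file lookup.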

Raz Meister
Sat 13th Mar '04, 9:19am
One quick way to secure is to disable mysql networking or bind to the local ip address.
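The MySQL side of the question (which default accounts need passwords, per the first post and Shining Arcanine's reply) comes down to a handful of statements against the grant tables. The following is an added example written for MySQL 4.0, not from the thread; the database name vbulletin, the user vbuser, and the CHANGE_ME passwords are placeholders.

```sql
-- Added example, not from the thread: MySQL 4.0 account hardening, run as root
-- from the command-line client (mysql -u root mysql). Placeholders are CHANGE_ME.

-- 1. List the accounts a fresh install ships with. Expect root rows and
--    anonymous users (User = '') whose Password column is empty.
SELECT User, Host, Password FROM mysql.user;

-- 2. Give every root row a password. Windows installs of this era may also
--    carry a root@'%' row (assumption; check the listing above first).
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('CHANGE_ME_long_root_passphrase');
UPDATE mysql.user SET Password = PASSWORD('CHANGE_ME_long_root_passphrase')
  WHERE User = 'root' AND Host <> 'localhost';

-- 3. Drop the anonymous accounts; they let anyone reaching the server log in
--    without supplying a user name at all.
DELETE FROM mysql.user WHERE User = '';

-- 4. Drop the sample "test" database and the grant rows that open it to everyone.
--    The second Db value is the literal string test\_% stored by the installer.
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\_%';

-- 5. Give the forum its own least-privilege account instead of using root;
--    the privilege list is an assumption, grant only what the application needs.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX
  ON vbulletin.* TO 'vbuser'@'localhost'
  IDENTIFIED BY 'CHANGE_ME_app_passphrase';

-- 6. Reload the grant tables so the direct edits to mysql.user / mysql.db apply.
FLUSH PRIVILEGES;
```

For the networking point made above, the matching my.ini setting under [mysqld] is bind-address=127.0.0.1, which keeps the server listening but only on the loopback interface. On Windows that is the safer of the two choices: PHP reaches MySQL over TCP there, so skip-networking would cut the forum off from its database unless you also switch both sides to named pipes.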

Hooper
Sat 13th Mar '04, 9:24am
Might want to check their articles for securing PHP, Apache, and MySQL.
It is a bit of work utilizing the chrooted environment, but there are
other tidbits for security as well.

http://www.securityfocus.com/infocus/1726

I've been able to accomplish this on both freebsd and linux.
Gives you some ideas anyhow...