Securing your vBulletin Forums (Part 1)

  • Wayne Luke
    started a blog post Securing your vBulletin Forums (Part 1)

    As time passes, websites and the software behind them get more complex and intertwined. It really wasn’t long ago that a website consisted of a series of static web pages with minimal user interaction. Today’s websites, however, are all about user interaction and user-submitted content. When you allow users to post content on your website, it starts to get complicated. I am going to write a series of articles to help you secure your portion of the World Wide Web and limit malicious intent on your website.

    Note: The following primarily covers Linux, Unix and derivative systems. Windows handles file permissions differently.


    File Permissions

    Out of the box vBulletin doesn’t really care about file permissions that much. The software is configured to store everything in your database and works with the web server’s default permissions. However you can tighten this up a little to protect yourself and the users that visit your website.


    [Image: typicalstructure.png – directory listing of a typical website as seen in an FTP client]
    The image above shows what a typical website directory looks like when you first connect. If you look at the columns on the right, you will see the permissions and ownership of the files.

    The basics
    When we talk about file permissions, you’ll hear a lot of numbers, and it is sometimes confusing to understand what they mean. You might see something like chmod 777 or chmod 755.
    These numbers are built from three permissions: read, write and execute. Each permission has a value:

    Execute 1
    Write 2
    Read 4


    When you add up the values, you get the number that you should assign. So if the value is 7, then all three permissions are granted.
    The numbers are given to three different groups of users as well. Those groups are: Owner, Group, Public/World. They are represented in that order. Naturally the owner should have the most permissions and the Public should have the fewest. These are shown in respective order from left to right.

    Here is what a basic vBulletin installation might look like:
    [Image: basicpermissions.png – permissions of a basic vBulletin installation]


    777 – grants Read, Write and Execute permission to Owner, Group and Public.
    755 – grants Read, Write and Execute to the Owner plus Read and Execute permissions to the Group and Public.
    644 – grants Read and Write to the Owner plus Read permissions to the Group and Public.



    So what should you do?
    Of course you want the most secure permissions possible but still want to allow your site to work. In this case, you want to use the 644 permissions on your PHP files if you can. This means you, the owner, can read and write your files (via FTP, SCP or SFTP) but others cannot write to them. The Group and World can still read the files, which allows them to work properly on most systems. Your directories will probably need a minimum of 755 to work properly. More about this later.
    Unfortunately, some hosting providers do not allow this permission to be used due to their setup. They may require 755 which adds in the Execute permission in order for PHP scripts to work properly. If you change your PHP scripts to the 644 permission and your site breaks, you will need to change them back to the 755 permission.

    File Directories
    File directories are special in that they need to be “executed” to be opened, to get directory listings and to find files in them. This is why they need at least the 755 permission. If you are storing attachments, custom avatars or other uploads in the file system, the directories that you are using to store these items need to have full permissions, 777. The reason for this is that the web server can run under a user that is different from the user that you manage files with. A lot of times the web server is handled by a background user named ‘nobody’, though this isn’t always the case. Unfortunately, we can’t go over every type of server configuration here.


    How to Change Permissions
    chmod is a command-line utility. Unfortunately unless you’re on a Dedicated or Virtual Private Server (VPS), you probably do not have access to the command line to use it. Luckily for us, the FTP protocol allows us to change file permissions as well. In most FTP clients, you can pull up a context menu that gives you various actions to take on an item. You can access the context menu by right-clicking your mouse or click-hovering your mouse over the item. The item you’re looking for is permissions. Selecting this will allow you to change the permission for the selected item(s).

    Here is an example of what the context menu might look like:

    [Image: contextmenu.png – FTP client context menu with the Permissions item]




    If you do have shell or command line access, then you can use a command like:
    chmod 644 *.php
    chmod 644 *.js

    [Image: chmod644.png – running chmod 644 from the command line]


    The desired permissions are:
    Files – 644 then 755 if required by your hosting provider.
    Directories – 755
    User Upload Directories – 777

    Next Time
    Part II will cover securing your directories to make access more difficult for trouble makers. Future installments will cover secure attachment storage in the file system and how to make sure your plugins are safe.

    • rootsxrocks
      #11
      rootsxrocks commented
      Thank you for this I look forward to the next piece myself

    • Ruushmore
      #12
      Ruushmore commented
      Very good, I never read about these permissions....

    • dahamsta
      #13
      dahamsta commented
      No images on this post, attachments are white-screening,
