security

[nasr]

i looked all over the forums but couldnt find a forum for security related issues.

I wanted to see what some webmasters do to better protect their websites.

I have a vbulletin forum. I put a .httaccess on the admin control panel. But, I was told it would be better to change the forum permission to 111 instead of the 777. Is this a good idea? what about th www subfolder, can someone use it to find exploits in the site?

i need some suggestions on better protecting my site and what to avoid?

thank you everyone.

[WelshTom]

All of your files should be chmodded to 755 and no higher. Some forums may ask you to chmod config files etc to 644 and this is not a problem. However, vBulletin has it's own admin restriction so you do not need to implement your own form of security.

[Site]

I have most permissions at 444 no need for anything else unless required

[Qube]

Some vBulletin addons require their specific folders to be chmodded to 777.

chmod 777 is not as nasty as some people make out. It's not some crazy security risk that means your server / forum will get hacked. To do any damage they'll need to be able to execute scripts on your sever first. If they are already at that point then I doubt permissions are going to help a great deal, especially with it's database.

As a rule of thumb, follow the vBulletin installation. chmod folders to what the instructions say. vBulletin is very secure overall and any security holes are quickly plugged so keep an eye out in the admin panel for advertised needed patches.

The biggest security threat to vBulletin is addons / plugins from 3rd parties. A badly written plugin can open vBulletin to all sort of problems. If you've added any 3rd pary plugins, keep an eye on the site (usually vbulletin.org) for news they have security holes and or patches available.

In a nutshell if you've followed the vBulletin installation guide you'll be fine.

*edit* - I will add that chmod 777 should ONLY be done on those files and folders that specifically need it and certainly not the main public_html folder. But in itself, chmod 777 does not automatically open up your server to script kiddies.

[Site]

Quote:

Originally Posted by Qube

chmod 777 is not as nasty as some people make out. It's not some crazy security risk that means your server / forum will get hacked.

I unfortunately dont agree on this quote,

Its not a matter of will, its when... I can provide examples of this if required.

[WelshTom]

What Qube said is correct, 777 is safe providing the attacker can't execute scripts on your server in the first place, which they most likely can't.

[Qube]

Quote:

I can provide examples of this if required.

Please do

I'd like to see a situation where a chmodded 777 folder in itself is a security risk. I'm not talking about exploits from scripts inside that folder as they are the problem, not the folder permissions.

[eUKhost.com]

Quote:

Originally Posted by Qube

Please do

I'd like to see a situation where a chmodded 777 folder in itself is a security risk. I'm not talking about exploits from scripts inside that folder as they are the problem, not the folder permissions.

777 permission on a folder will allow anyone to upload files in that folder. 777 permission for a specific folder is highly insecure and I have seen many exploits on servers which have such 777 permissions on folder and no additional security packages installed. If you have mod_security and if you disable some vulnerable php functions then 777 permission won't create any problems for your account or server.

[Qube]

Exactly, a chmodded 777 folder is not such an issue by itsself. It's the overall surrounding issues which are the biggest problem.

[WelshTom]

Quote:

Originally Posted by Qube

Exactly, a chmodded 777 folder is not such an issue by itsself. It's the overall surrounding issues which are the biggest problem.

I second that...