IPB [IPBoard / Invision Power Board] Security Guide


amazinghorse

Security Guide

TIPS



In this section of the tutorial you will find several tips on how to improve the security of your Invision Power Board.
1. Do not allow HTML for your board except for user groups that you can fully trust. When creating a forum you can choose not to allow HTML code to be posted in various sections of the board. You can disallow HTML code in all of the areas listed below:
To disable HTML in signatures and the about me section for members, go to System tab -> System Settings -> Members tab -> User Profiles.

To disable HTML in personal messages between users, go to System tab -> System Settings -> Members tab -> Personal Message Set-up.

To disable HTML in posts for specific user groups, go to Members tab -> Manage User Groups -> Edit for the group -> Global tab.

2. For lost password recovery it is best to use the email random password option.
This option can be altered via the IPBoard admincp -> System -> System Settings -> System Tab -> Security and Privacy.

Note that it is highly advisable to email the new password instead of letting the user enter it manually, as it is much less likely that the user account's email address is compromised.
3. Set up a limit on failed login attempts. If the number is reached, the user is locked out of the forum for a set time.
This option can be altered via the IPBoard admincp -> System -> System Settings -> System Tab -> Security and Privacy -> Brute-force Account Locking section.

The other two options below allow you to define whether blocked accounts will be automatically unlocked and, if so, after how many minutes.
4. Use the secure mail form for member to member communication. This way it will not be possible to harvest the email addresses of your board users and use them for spam and other fraudulent activities.
You can enable the secure form email for member to member communication via IPBoard admincp -> System -> System Settings -> System Tab -> Security and Privacy -> Use secure mail form for member to member mails.

5. Remove the admincp link from your board and modify the name of the administrator directory to something else.
The link to the admin panel that is by default included on your forum index can be removed. This is highly advisable along with renaming the admincp folder to something else. The option can be altered via IPBoard admincp -> System -> System Settings -> System Tab -> Security and Privacy -> Remove the ACP link from the board

6. It is highly advisable to manually approve new account registrations as well as leave the option to verify the registration via email enabled.
This option might not be suitable for very popular forums that have lots of new user registrations on a daily basis. However, for closed communities it is best if you have all new user registrations manually approved by forum administrators. This way you can prevent spam bots and unauthorized users from posting on your forum with 100% success.
The highest possible security is forcing users to first verify the new account registration via the email address they provided when registering. Once the new account registration is verified via email, it is queued for approval by the board administrator. This option can be chosen via IPBoard admincp -> System -> System Settings -> System Tab -> Security and Privacy -> New registration email validation.

You might want to take some time and also adjust the options below to your convenience.
7. Force user login before the board is viewed. This way only registered users can view and post on your online board. Note that in this case guests on your online board won't be able to view any of the forums. The option is available at IPBoard admincp -> System -> System Settings -> System Tab -> Security and Privacy -> Force guests to log in before allowing access to the board

The alternative is to set specific permissions for each forum and thus allow some general purpose forums to be viewable for Guest users. For example you might want to make news and forum rules viewable for everyone so they can check them prior to registering.
To achieve this all you need to do is use the permissions matrix when creating a new forum or category. Do not add permissions for the group that guest users are automatically assigned to. This way none of your forums will be accessible for users that are not registered and logged in except for forums you explicitly add permissions to. It is highly advisable to set only Show Forum and Read Topics permissions in such cases.

8. Do not display the version of IPB you are running. Otherwise it will be much easier to search for possible exploits for the specific version if one is trying to compromise your board.
Displaying the IPBoard version can be turned off via IPBoard admincp -> System -> System Settings -> System Tab -> Security and Privacy -> Privacy section -> Display IPB version on your site.

There are various options you can manage for your IPBoard. Most of the other features that can be a security issue are set to the highest possible security by default. Bear in mind that you should carefully read and understand what each option does prior to making changes in order to avoid any issues with your online board.

Thanks for this valuable material goes to: http://www.siteground.com/tutorials/ipb/ipb-security.htm

HACKS


I want to show you a few important things that many of you may know, but others won't.

So let's start with the server and permissions:
  • Never - and really never - set 777 permissions on ANY directory or file. That would allow malicious users to execute/delete/move/edit your files easily.
  • Do not make .htaccess files world-readable - they could leak important data.

How to set permissions: chmod -R xxx /dir/to/files
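As an added example (not from the original post), a small POSIX shell audit that looks for exactly the two problems above in a web root: world-writable entries and .htaccess files readable by everyone, plus a fix function that applies the usual 755/644 modes and 640 for .htaccess. The web root path and the 640 choice (owner plus the web server's group) are assumptions.

```shell
#!/bin/sh
# Audit a web root for world-writable files/directories and world-readable
# .htaccess files, then optionally fix the modes. Added example, not part
# of the original post; the modes chosen (755/644/640) are assumptions.

# Print one finding per line for everything under $1.
audit_perms() {
    root="$1"
    # -perm -002: the "other" write bit is set (e.g. 777 or 666), so any
    # local user or compromised service account could alter the entry.
    find "$root" -perm -002 -exec printf 'world-writable: %s\n' {} \;
    # -perm -004 on .htaccess: readable by everyone, which can leak the
    # auth setup and paths configured there.
    find "$root" -name .htaccess -perm -004 \
        -exec printf 'world-readable .htaccess: %s\n' {} \;
}

# Number of findings, as a bare integer (awk avoids wc's padding).
count_findings() {
    audit_perms "$1" | awk 'END { print NR + 0 }'
}

# Apply conventional modes: directories 755, files 644, .htaccess 640
# (owner and the web server's group can read it, nobody else).
fix_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -name .htaccess -type f -exec chmod 640 {} +
}

# Usage: sh audit_perms.sh /var/www/forum   (the path is an assumption)
if [ -n "$1" ]; then
    audit_perms "$1"
    echo "findings: $(count_findings "$1")"
fi
```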

Secure phpMyAdmin - there are several ways to do so, but a simple .htaccess file should be enough.

The .htaccess file can look like this (I use it like this):

AuthType Basic
AuthName "Restricted Files"

AuthUserFile /path/to/passwords/.htpasswd

Require valid-user

Add a file called .htaccess (it must have the . before htaccess) in the directory you want to secure. For phpMyAdmin that is usually /usr/share/phpmyadmin.

Do not run Apache as root - if you do so, a malicious user could use exploits to gain access to the Apache user - and that could lead to a real disaster.

Use this tutorial to change the user for apache2:
http://ubuntuforums....ad.php?t=927142

  • Secure PHP - turn off unnecessary features and set up open_basedir; it could save your server.

This should help with turning off features for PHP:
http://stackoverflow...erous-functions

If you use Apache, use mod_antiloris.

What does mod_antiloris do?
It's easy: there is a tool called slowloris. People use it to DoS a server - that means they attack it so the server shuts down.

How does slowloris do this?
It opens a lot of Apache processes so the Apache server simply can't get enough RAM anymore and shuts down automatically.

Why do they use that tool?
Because it uses so little resources that it makes it really easy to bring a server down.

What does mod_antiloris do now?
Well, a server understands requests like this:

SYN - ACK - SYN - ACK

Slowloris does this:

ACK - ACK - ACK - ACK

The server opens processes and never closes them since no SYN is coming back.
mod_antiloris detects those malicious requests and closes them itself.

Note:
To install mod_antiloris, you need to look for it on Google. I cannot go in depth with the setup, since I only use Ubuntu as my server.

  • Turn off PHP error reporting. No one needs to see PHP errors on the page. They could leak data, and in this case there is a full path disclosure script out there that could tell an attacker what your directory is called.

To disable it you can add:

error_reporting(0);
@ini_set('display_errors', 0);

to the end of your index file.

Now to the IPB Setup and file Setup:

  • Use .htaccess for the admin directory. (Refer to the Security Center for this.)
  • Rename the admin directory. (Refer to the Security Center.)
  • Remove dav.php if it isn't necessary. (In a terminal: rm /path/to/dav.php)
  • Use hooks like StopForumSpam to prevent fraud on your forum. (Use the StopForumSpam website for more info; they have in-depth tutorials for this on their site.)
  • Before you install a skin, check it. The skin "Glare by Tom Christian", for example, reveals your admin directory in the source code no matter what you set it up to do.

You can check this by simply opening the source code of your forum's index page and searching for your ACP link.

When you have found it, you can easily refer to the CSS files (Look and Feel - Edit Skin CSS - globalTemplate).

  • Change your display name. Users can use brute force to get your password, but what if they don't know what your username is? They can't brute-force it. You can do so in the Members tab in the ACP.
  • Do not allow signatures which are too big (I know it's not security related, but it can slow down your site dramatically). This can be done within the IPB ACP (resize images).
  • Follow the things written in your Security Center; IPB knows what they write.
  • Use the checkers (Whitespace Checker and so on) weekly so you see if something goes wrong.
  • Remove users using odd usernames.

What do I mean by odd?

<script>alert(blabla)</script>

is surely odd and shows that the user tried to do an XSS attack. XSS can be used for attacks to get sensitive data or to deface your website.

Another thing you can do, for files that really should not be viewable via PHP regardless of how the request is placed, is to add this:

if (realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME'])) {
        exit('Denied.');
}

directly after the opening tag:

<?php

Result:

<?php
// Deny the request when this file is the script being executed directly
// instead of being included by another script.
if (realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME'])) {
        exit('Denied.');
}

Adding blocks via .htaccess is also wise for files such as conf_global.php, initdata.php and constants.php:

<Files conf_global.php>
  deny from all
</Files>


<Files initdata.php>
  deny from all
</Files>


<Files constants.php>
  deny from all
</Files>

Or you can do this instead, and it will also work:
Rename your conf_global.php to whatever you want, make a new conf_global.php and place this in it:

<?php
// Refuse direct requests; the file may only be included by IPB itself.
if (realpath(__FILE__) == realpath($_SERVER['SCRIPT_FILENAME'])) {
        exit('Denied.');
}
// Load the real (renamed) configuration file.
@include('yournewconfigname.php');
?>
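Added example (not from the original post): a POSIX shell check for the file setup described in this section, run against a local copy of the IPB web root (the path is an assumption). It reports dav.php if it is still present, each sensitive file lacking a "deny from all" <Files> block in .htaccess, and each sensitive file that does not start with the realpath() guard.

```shell
#!/bin/sh
# Check an IPB web root for the file-level protections described above.
# Added example, not the original post's code; the web root path is an
# assumption. Prints one line per problem found.

SENSITIVE="conf_global.php initdata.php constants.php"

# True if $1 (an .htaccess file) has a <Files $2> block containing
# "deny from all". Directives are matched case-insensitively.
htaccess_denies() {
    awk -v f="$2" '
        tolower($0) ~ ("<files[ \t]+" tolower(f) ">") { inblock = 1 }
        inblock && tolower($0) ~ /deny[ \t]+from[ \t]+all/ { found = 1 }
        tolower($0) ~ "</files>" { inblock = 0 }
        END { exit found ? 0 : 1 }' "$1" 2>/dev/null
}

# True if $1 carries the direct-access guard near the top of the file.
has_guard() {
    head -n 5 "$1" | grep -qF 'realpath(__FILE__)'
}

check_ipb_files() {
    root="$1"
    if [ -e "$root/dav.php" ]; then
        echo "dav.php is still present"
    fi
    for name in $SENSITIVE; do
        if ! htaccess_denies "$root/.htaccess" "$name"; then
            echo "$name: no 'deny from all' <Files> block in .htaccess"
        fi
        if [ -f "$root/$name" ] && ! has_guard "$root/$name"; then
            echo "$name: missing the realpath() direct-access guard"
        fi
    done
}

# Number of problems as a bare integer.
count_problems() {
    check_ipb_files "$1" | awk 'END { print NR + 0 }'
}

# Usage: sh check_ipb_files.sh /var/www/forum   (the path is an assumption)
if [ -n "$1" ]; then
    check_ipb_files "$1"
fi
```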

Thanks for this valuable material goes to: http://invision-virus.com/forum/index.php/topic/530-how-to-secure-your-ipb-version-properly/
