PHPBB and ravennuke security

New Member Joined: May 03, 2007 Posts: 6

Hi all and thanks for your support. I have some questions about Forums security.

I have read the HowToInstall files, it has a specific info about phpbb and a further reading to [ Only registered users can see links on this board! Get registered or login! ] wich I have also read.
1) But is this because the rn.htaccess in forums/admin is not enogh? Do I need to use a CGIAuth too?
2) And just to make shure does the rn.htaccess in the forums/admin also need to be cmoded to 777 or is 644 suficient?
3) Im also concerned about the phpbb version, is phpbb in RavenNuke_v2.10.00 up to date security wise? Do I need to update phpbb?

I have two additional questions that are related ...
4) I have added the forum center block does this have any security risks in the code? Is there anything one should change in the code when adding blocks?
5) Also baned emails from phpbb do not work in ravenuke, is there a way to make shure that this is done?

Posted: Mon May 07, 2007 8:09 am

hi!

I'm neither expert nor guru ... i only want to confirm you have found the right spot for the simply sweetest cms on the planet.

for security? ... sentinel rocks !

welcome

Posted: Mon May 07, 2007 8:27 am

The PHPBB in Ravennuke is up to date with the latest PHPBB as far as I know. At the very least it is up to date with the latest integration package which is done separately from Ravennuke and integrated into (integrating the integration?) once it's been tested on Ravennuke. I believe that CGIauth was set up for Forums in response to very specific attacks that took place. So it is an extra layer of security. I'm not familiar with the details of those attacks. The center blocks should not cause a problem. As to banned emails I'm not sure I understand the question.

Posted: Mon May 07, 2007 8:57 am

Thanks for the reply.

Regarding banned emails...
In the PHPBB forum administration under the "user admin - ban control", you can ban emails, for example *@rambler.ru I find this useful since I was hacked one year ago, and the suspected hackers used specific emails to signup, they created over 100 accounts with the same 7 email domains. Banning these would make it less confortable and more time consumming for them.

However even though PHPBB can ban these emails and no signups are posible with them through the PHPBB registration, the nuke registration lets them through.

Is there away that it may check the banned emails from database, meaby using the phpbb registration instead of nuke?

Posted: Mon May 07, 2007 9:26 am

You can use the string blocker in Sentinel to block those email addresses.

Posted: Mon May 07, 2007 9:59 am

And we should put this feature on our (now) long list for enhancements to Your Account.

Posted: Mon May 07, 2007 11:31 am

The string blocker explanation says "Provided to allow webmasters to block queries containing strings that they enter from visiting the site." as I understand it, this means browser queries.

But if I want to block a user using for example *@rambler.ru how do I write this in the stringblocker?

Posted: Mon May 07, 2007 7:40 pm

Just ADD the string in the string blocker exactly as shown below:

@rambler.ru

I would also recommend:

@mail.ru

What will happen is that when the "user" tries to submit the new user registration which includes that string in the email address field, NukeSentinel will block them according to the settings that you have set for the String Blocker. If you ban them permanently, that IP address will never be able to access your site again unless you clear the block(s).