[Repost] How to protect your phpBB forum
<P>Original link: <A href="http://www.in-my-opinion.org/in-my-opinion-3734.html">http://www.in-my-opinion.org/in-my-opinion-3734.html</A><BR><BR>This is a description of how to make it harder for an attacker to harm your phpBB discussion board or to gain control over it, should a new security issue be found. <BR><BR>Please also see my other phpBB mods at </P><DIV width="1%"><A title=http://www.1-4a.com href="http://www.1-4a.com/" target=_blank>1-4a.com</A><BR><BR>and the backup suite at <SPAN style="WHITE-SPACE: nowrap"><A title=http://www.in-my-opinion.org/in-my-opinion-4529.html href="http://www.in-my-opinion.org/in-my-opinion-4529.html" target=_blank>IMO→PhpBB mod (freeware): Backup database and files</A></SPAN> <BR><BR>My tips will help you protect your phpBB no matter what future bugs or security issues are found, and no matter what current security issues exist. <BR><BR>Let's look at the history of critical (= very serious) security issues: <BR>phpBB critical update to 2.0.11: My tips would have protected your forum <BR>phpBB critical update to 2.0.13: My tips would have protected your forum <BR>phpBB critical update to 2.0.15: My tips would have protected your forum <BR>phpBB critical update to 2.0.16: My tips would have protected your forum <BR>phpBB critical update to 2.0.17: My tips would have protected your forum <BR>phpBB critical update to 2.0.18: My tips would have protected your forum <BR><BR>Unfortunately, the creators of phpBB do not take the fixing of security issues seriously enough.
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD vAlign=top noWrap width="1%">•</TD>
<TD width="99%"><SPAN class=postbody>They have no list of all security issues</SPAN></TD></TR></TBODY></TABLE>
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD vAlign=top noWrap width="1%">•</TD>
<TD width="99%"><SPAN class=postbody>If you have modded your forum a lot (= installed, changed or reprogrammed parts of it), you have no chance of updating it to the newest (= most secure) state. The automatic updates won't work.</SPAN></TD></TR></TBODY></TABLE>
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD vAlign=top noWrap width="1%">•</TD>
<TD width="99%"><SPAN class=postbody>They have no step-by-step guide on how to fix each one of them. For example, if your version is 2.0.5, what do you do to manually update it and fix all security issues fast?</SPAN></TD></TR></TBODY></TABLE>
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD vAlign=top noWrap width="1%">•</TD>
<TD width="99%"><SPAN class=postbody>They have no "security checking programs" which you could run and which would report all open security holes found.</SPAN></TD></TR></TBODY></TABLE>
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD vAlign=top noWrap width="1%">•</TD>
<TD width="99%"><SPAN class=postbody>They obviously have no picture of an ideal scene. Their programming is designed to fix issues as they arise instead of starting a "once-for-all-secure" plan. Cobblers.</SPAN></TD></TR></TBODY></TABLE>
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD vAlign=top noWrap width="1%">•</TD>
<TD width="99%"><SPAN class=postbody>They are impolite: when I mentioned that they take either a) security issues or b) modding not seriously, my topic was locked and I was warned.</SPAN></TD></TR></TBODY></TABLE>
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD vAlign=top noWrap width="1%">•</TD>
<TD width="99%"><SPAN class=postbody>They even refused to fix a security bug (they claimed it was not a security issue) that later caused the deletion of whole websites (see below: %2527 bug).</SPAN></TD></TR></TBODY></TABLE><BR><BR>But whatever: this is NOT a description of how to fix known bugs in phpBB anyway. <BR><BR>Moreover, <SPAN style="FONT-WEIGHT: bold">it's NOT ENOUGH to fix the currently known bugs.</SPAN>
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD vAlign=top noWrap width="1%">•</TD>
<TD width="99%"><SPAN class=postbody>Especially if you use mods (= third party software for your forum) you are at risk, since these mods may contain security bugs themselves.</SPAN></TD></TR></TBODY></TABLE>
<TABLE cellSpacing=0 cellPadding=0 width="100%" border=0>
<TBODY>
<TR>
<TD vAlign=top noWrap width="1%">•</TD>
<TD width="99%"><SPAN class=postbody>Some exploits are so serious that every minute counts. But take the fixing of 2.0.16 for example: it took phpBB approx. 14 days to fix a serious exploit.</SPAN></TD></TR></TBODY></TABLE><BR><BR>Right now, while I write this, phpbb.com itself is under attack. Their site is unavailable except for the text:<BR><BR>At present phpbb.com is offline due to a group of politically motivated hackers. <BR>... <BR>A third-party application looks to have been the problem. <BR>... <BR>Please do not ask us... we simply cannot comment at this time without having further information ourselves. Just as soon as we have a clearer picture, which depending on the condition of our server may be impossible to obtain, we will update the community. <BR>... <BR>We are working to recover the server. <BR>... <BR>The persons who attacked the site <SPAN style="FONT-WEIGHT: bold">deleted all web access logs, all system logs and the root user log. Other critical system folders/files were also deleted.</SPAN><BR><BR>The following tips will prevent 99% of cracks, since most cracks are done by <A style="BORDER-BOTTOM: 0px; font-decoration: none" href="http://www.google.com/search?num=100&q=script%20kiddies" target=_blank alt="Search for with Google">script kiddies</A> who will not waste a lot of time on a single forum. <BR><BR>Some of the tips also apply to software other than phpBB, so you should read them even if you don't use phpBB. <BR><BR><SPAN class=name>posted by knn</SPAN></DIV> I think any halfway decent site administrator would have changed where the logs are kept, so that they are not so easy to get at and delete. "deleted all web access logs, all system logs and the root user log." If Serv-U was involved, how would that log be deleted? Admins define that log location themselves. How would you find Serv-U's log once its location has been customised???
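The attackers in the phpbb.com notice quoted above deleted the web and system logs, and the comment that follows asks whether keeping logs in a non-default location would have prevented that. Relocation only hides a file; an attacker with root can still find it (the web server holds it open) and delete it. What a defender can do is make deletion detectable: tag each line under a key that is rolled forward and discarded after every write, and keep the starting key and a line-count checkpoint on a separate host. The following Python example is added here as an illustration and is not code from the original article, from knn, or from phpBB; the key, the addresses and the log lines are constructed.

```python
"""Forward-secure, tamper-evident log chaining.

Added example; not code from the original article or from phpBB.  The writer
tags each line with HMAC-SHA256 under the current key K_i, then rolls the key
forward, K_{i+1} = SHA256(K_i), and forgets K_i.  Only the verifier (ideally a
separate host) keeps K_0 and a periodic checkpoint of the line count.  An
attacker who later gets root finds only the current key, so they can delete,
truncate or rewrite earlier lines but cannot re-tag them; re-deriving the key
chain from K_0 exposes the gap.  Keys, addresses and log lines are constructed.
"""
import hashlib
import hmac

# Constructed access-log lines (RFC 5737 test addresses), not real traffic.
CONSTRUCTED_LINES = [
    '198.51.100.23 - - "GET /forum/index.php HTTP/1.1" 200',
    '203.0.113.7 - - "GET /forum/viewtopic.php?t=42 HTTP/1.1" 200',
    '203.0.113.7 - - "POST /forum/admin/index.php HTTP/1.1" 302',
    '198.51.100.23 - - "GET /forum/viewforum.php?f=2 HTTP/1.1" 200',
]


def next_key(key: bytes) -> bytes:
    """One-way key evolution; the writer discards `key` after this."""
    return hashlib.sha256(key).digest()


def tag_line(key: bytes, line: str) -> str:
    return hmac.new(key, line.encode(), hashlib.sha256).hexdigest()


class SecureLogWriter:
    """Appends entries of the form '<hex tag> <line>', holding only K_i."""

    def __init__(self, initial_key: bytes):
        self._key = initial_key  # K_0, shared once with the verifier
        self.entries = []

    def append(self, line: str) -> str:
        entry = f"{tag_line(self._key, line)} {line}"
        self._key = next_key(self._key)  # K_i is now gone from this host
        self.entries.append(entry)
        return entry

    def current_key(self) -> bytes:
        """What an attacker with root finds in memory after the compromise."""
        return self._key


def verify_log(entries, initial_key: bytes, checkpoint_count=None):
    """Re-derive K_0, K_1, ... and check every entry; returns (ok, reason).

    `checkpoint_count` is the line count the verifier recorded earlier; fewer
    lines than that means the log was truncated (or deleted outright).
    """
    key = initial_key
    for i, entry in enumerate(entries):
        tag, _, line = entry.partition(" ")
        if not hmac.compare_digest(tag, tag_line(key, line)):
            return False, f"entry {i} has an invalid tag (modified or forged)"
        key = next_key(key)
    if checkpoint_count is not None and len(entries) < checkpoint_count:
        return False, f"log truncated: {len(entries)} of {checkpoint_count} lines"
    return True, "intact"


def attacker_scenario():
    """Write a log, then replay four things an attacker with root might do."""
    k0 = hashlib.sha256(b"constructed shared secret").digest()
    writer = SecureLogWriter(k0)
    for line in CONSTRUCTED_LINES:
        writer.append(line)
    checkpoint = len(writer.entries)  # the verifier stored this count off-host
    log = writer.entries
    stolen_key = writer.current_key()  # all the attacker can learn: K_4

    # 1. Delete every line that mentions the attacker's address.
    wiped = [e for e in log if "203.0.113.7" not in e]
    # 2. Truncate the file to its first two lines.
    truncated = log[:2]
    # 3. Rewrite line 0 with the stolen key: wrong key for that position.
    forged = [f"{tag_line(stolen_key, 'benign line')} benign line"] + log[1:]
    # 4. Append with the stolen key: this DOES verify, so nothing written
    #    after the compromise can be trusted; only the earlier lines can.
    appended = log + [SecureLogWriter(stolen_key).append("attacker line")]

    return {
        "intact": verify_log(log, k0, checkpoint),
        "deleted": verify_log(wiped, k0, checkpoint),
        "truncated": verify_log(truncated, k0, checkpoint),
        "forged": verify_log(forged, k0, checkpoint),
        "post_compromise_append": verify_log(appended, k0, checkpoint),
    }


if __name__ == "__main__":
    for name, (ok, reason) in attacker_scenario().items():
        print(f"{name:23s} {'OK ' if ok else 'BAD'} {reason}")
```

Run the module directly to see the five verdicts: the intact log passes; the wiped, truncated and rewritten logs fail at the first entry whose key no longer matches (or at the line count); and the line appended after the compromise passes. That last result is the technique's limit: it protects what was logged before the break-in, so the checkpoint should be pushed to the remote host often (for example at every rotation), and the remote host should also receive a copy of the lines themselves rather than only the count.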