Post by Former Member on Jul 3, 2006 18:23:22 GMT -8
Say a GMOD can modify profiles, make sure that anyone higher than GMOD (Administrators, Managers, etc.) has their name included in the Protect Accounts code. I had someone edit an Administrator's profile, change their password, get in to that account and delete all my boards and categories. But I did learn from that mistake. Now all my staff are included in the Protect Accounts code so no one can get into their account. Remember, choose your staff wisely and don't give anyone too much power. I remember someone (ConqueringWolf?) saying that their MODs can not delete threads or posts. They can simply move any inappropriate content to a staff board so an administrator can delete it. I now do that. Only my administrators can delete posts. Just follow mine and the other security tips and your forum will be safe from people seeking to destroy it.
Post by DDude on Jul 15, 2006 16:58:00 GMT -8
If you have a friend over, always log out, simple short and sweet advice.. because I had a friend over and I usually stay logged in forever, and my friend went into my account and made him an admin and raised hell on my forum for a bit. So be mindful of where you are logged in and always keep an eye on that stuff. It can save your forum (potentially).
Post by daniel on Aug 7, 2006 21:57:45 GMT -8
One thing that some admins might not be aware of: Disallow gmods the ability to change membergroups. This one place I was a gmod at (not here), the admin had not done that so I was able to promote myself to admin and then demote his admin account (since he didn't use the main admin account). An admin should disable that authority except only to the main admin, or other admins if at a minimum. Gmods should not have the ability to promote or demote themselves or others as that can invite all kinds of other problems.
Post by Peter on Aug 8, 2006 4:42:19 GMT -8
Increasing the length of your password, using special characters, trusting staff etc etc. This is all good, but it can also be totally useless.

Why?

How many of you use codes from databases from various forums? How many of you use codes that embed a remote Javascript file? There are quite a few codes that embed a Javascript file into the forum. The creator's intention is to keep things nice and tidy for you and to be able to fix bugs for all forums that link to the file, which is all well and good, but how do you know what the creator's intentions are? As soon as you add that code to your forum, you open it up for attack.

Attack?? What do you mean? My forum is totally safe foo

Ok, let's say I am a malicious coder, I want to bring down your forum, my main aim is to take over any staff accounts I can, main goal would be taking over the admin account. No one knows who I am, I'm kind of new to ProBoards, but know Javascript inside and out. I think about what code people really want....then it hits me, an RPG hack, it is most likely one of the most requested codes, and usually due to the size of them a Javascript file would be needed, so that will fool you into thinking everything is hunky-dory. So, I create the code and submit it to as many code databases as possible. I wait until I know people are using it, I wait and wait, now over 100 forums are using my RPG hack that links to the Javascript file on a host I have access to. Right, now it's time for me to move in and attack all the forums using the code, I decide that I want to change the password and the email address for all admins. With around 4 lines of code, I can take control of an admin account, woah, 100 forums using my code, I would have access to 100 admin accounts, look at the emails come in, all I have to do now is activate the accounts, and then I'm in. Hmmmm, what shall we do...delete the threads? Nah, too much work, let's delete the forum.

How is that possible?

Magic. Ok, not quite. But it is really simple, a few lines of code can take over a forum. The problem is that any Javascript file that is embedded into your forum via a code that you have added to your headers or footers will have access to the page's forms and cookies. The code only has to wait until the main admin goes to modify his / her account, and then BANG, change the 2 password fields and the email field, and then automatically submit the form, there isn't a thing the main admin can do, as other staff cannot edit the main admin's details, so things get tricky.

I'm now worried, I have a few codes that have Javascript files

A lot of coders are known, and can be trusted, and won't even think about doing anything malicious. But there are a few out there that are unknown, and can't be trusted, so if you are in doubt, ask someone before using the code. Have a read of the "Read before using any codes" thread.

Anyway, the main point I was trying to get across is that just because you want a really cool forum with loads of nice codes for your members, don't just stick anything into your headers / footers because it looks and sounds cool. A lot of people won't have a clue as they don't know how to code, so they don't think about things like this, but it is a serious issue. If in doubt, ask.
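
Added example, not part of Peter's post or of any ProBoards code: a small Node.js audit that lists every script in a header/footer snippet and reports which host controls it, since a remotely hosted file can be changed by its owner after you paste the tag. The trusted-host list, the forum URL and the sample footer are constructed for illustration.

```javascript
// Added example: list every <script> in forum header/footer markup and show
// which host controls that code. All host names and markup are constructed.
const TRUSTED_HOSTS = new Set(["static.trusted-host.example"]); // hosts you have vetted

const SAMPLE_FOOTER = `
<script type="text/javascript">/* inline code: readable before you paste it */</script>
<script src="http://files.unknown-coder.example/rpg.js"></script>
<script src='//static.trusted-host.example/clock.js'></script>
<script type="text/javascript" src=/scripts/local.js></script>
`;

// Return the src of every opening <script> tag; null means inline code.
function findScriptSources(markup) {
  const sources = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(markup)) !== null) {
    // src may be double-quoted, single-quoted or unquoted.
    const attr = /\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[1]);
    sources.push(attr ? (attr[1] ?? attr[2] ?? attr[3]) : null);
  }
  return sources;
}

// Classify each script relative to the forum's own URL.
function auditScripts(markup, forumUrl) {
  const forumHost = new URL(forumUrl).host;
  return findScriptSources(markup).map((src) => {
    if (src === null) {
      return { src, host: null, verdict: "inline", insecure: false };
    }
    let url;
    try {
      url = new URL(src, forumUrl); // resolves relative and //host/... forms
    } catch {
      return { src, host: null, verdict: "unparseable", insecure: false };
    }
    const verdict =
      url.host === forumHost ? "same-host"
      : TRUSTED_HOSTS.has(url.host) ? "remote-trusted"
      : "remote-unreviewed";
    // Plain http can also be altered by anyone on the network path.
    return { src, host: url.host, verdict, insecure: url.protocol === "http:" };
  });
}

// Hosts whose owner can change what runs on the forum without you editing anything.
function hostsToReview(findings) {
  const hosts = findings
    .filter((f) => f.verdict === "remote-unreviewed")
    .map((f) => f.host);
  return [...new Set(hosts)].sort();
}

const findings = auditScripts(SAMPLE_FOOTER, "https://myforum.example/");
for (const f of findings) {
  console.log(f.verdict.padEnd(18), f.insecure ? "http " : "     ", f.src ?? "(inline)");
}
console.log("Hosts to review:", hostsToReview(findings).join(", "));
```

Anything reported as remote-unreviewed is code you cannot read in your own headers or footers; hosting a copy you have read yourself removes the author's ability to change it later.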
Post by Freckles on Aug 8, 2006 5:54:22 GMT -8
I don't use any codes at all. (Gasp!) It's just that my forum is best the way it is. But now I know to be careful about what codes I put in. On a forum I once went on there was a spammer that kept coming back after being deleted (He kept doing that.) He was threatening everyone that he could Hack into members' accounts.
It's just better to be safe than sorry. NEVER GIVE OUT YOUR PASSWORD!!! I did that once (Years ago, not on proboards, heck, it was on Neopets!) And some guy messed the whole thing up and deleted the account. Don't even give it to a family member.
BE CAREFUL WITH STAFF POWERS! Take my friend for example. She is just starting out on forums, she barely knows what to do. She could give the mods the same powers as the admins. (Maybe even more...) On a forum I am on, mods have the same powers as the members, only bearing the rank.
Those are only a couple ways to be safe.
Post by kelendria on Sept 20, 2006 11:36:08 GMT -8
I regularly encourage (& do myself) to change passwords, don't reveal private information to anyone & keeping staff privileges to a minimum. Only give jobs to those you trust & keep something someone has trusted you with to yourself unless you feel it needs to be dealt with. Nobody likes hackers or don't necessarily encourage them, keep an eye on your forum if you don't want to lose it.
Post by Admiral Refuge on Sept 21, 2006 11:13:28 GMT -8
I made this awhile ago for my forum

How to Prevent your forum from being taken out

Everywhere you look, if you are looking, you will find a forum that gets cracked and destroyed. There are ways to prevent and stop this. You just need to know where to look and what to do.

How do they do it? One day you log onto your forum. You put your username: admin and your password ********. Wait! It doesn't work! "Have I been hacked?" "Did one of the admins I thought I trusted betray me?" A lot of things are going through your head right now I bet. Well, let me tell you something; you’ve been cracked. “Cracked? No I’ve been Hacked” Is that what you thought it was? You're wrong. First let me go through the difference between hacks and cracks. When someone hacks your forum, they run scripts on it to gain FTP access. But when they crack your forum, they somehow get your password and take over your account. You can crack someone’s account without even knowing one thing about hacking. There is a big difference.

Passwords

Okay, we know what they do but the real question is how they can do it. It’s usually one out of two cases. One, your administrators or global moderators did it; we will cover that later, or 2 your password was found out by someone else, and your account taken over. Let’s think for a minute. Your password was found out. Why? Was it a good password? Where did you go wrong? Let's find out. Ask yourselves these questions:
- Was your password your birthday?
- Was it just 5-6 letters?
- Did it begin with a vowel?
- Was it just numbers?
- Was it just letters?
- Was it a type of word, something that made sense whatsoever?
- Was it your pet, something someone close to you could guess, or part of your name?

Have a few gasps? If any of those questions were yes, that is why you were cracked. If not, the password was still simple enough to be cracked with a cracker.

How to crack a password? It’s not really that hard. All you need is the right tools: Some brains, knowledge of the person you are trying to crack, and a good password cracker. We already went over knowing the person, but what’s a password cracker? There are 3 types: A Brute Force Wordlist, Brute Force Password Generator, and a Dictionary Cracker. The Brute Force Wordlist Cracker has a word list with hundreds if not thousands of words on it. Most of the time the Brute Force is used to crack numeral passwords, but it does just fine with words. It tries to login under your name quietly using all of the passwords on the word list. The next one is the Dictionary Cracker. It tries to login using all the words in the dictionary. NEVER use a word in the dictionary in your password. And last is the Brute Force Password Generator. This one is the worst and most dangerous. It starts with 4 letter words. Using AAAA then AAAB then AAAC and so on. After 5 or 6 hours it might just get your password if it tomw tomx “tomy”. If it fails in the 4 letter words, once it gets to ZZZZ it will reboot going to 5 letter words: AAAAA, AAAAB, and so on. It also eventually cracks your password if it’s a number password too.

“Well what do I do?” “Am I not safe?” “This thing will always crack my password!” No it will not always crack your password. You will eventually be safe with enough work. Only if you are willing to go through with it.

How can you prevent your password from being cracked? It’s not that hard, just painstaking. Your password should use numbers and letters, have lower case and capital, and have “~!@#$%^&*()_+” in them (if you can that is). If you really want your password to be safe make it about 14 characters if allowed. If not allowed, make it as many characters as it will allow.

What you can also do, is use a Password Generator. This will generate a password using the strength you choose (I suggest you use 14 or 20). Try out your password with a Password Meter. It will tell you whether it is strong or not. Hotmail has a great one here: accountservices.passport.net/reg.srf?id=2&sl=1&lc=1033
Go there to test out your password. A good password will take months to crack, so just remember to change your password every 2-3 weeks.

Admins and G-Mods

It wasn’t the password, it’s your most trusted (or maybe not that trusted) Administrator or Global Moderator. What do you do? You can try to get another Administrator on your forum to get your password back, other than that there is not that much you can do. But you can prevent it. This is what you need to do, first of all, choose your Admins and G-Mods carefully. That is one of the biggest mistakes. Only let a member be an admin if you know them personally. Next a G-Mod is a Global Moderator. They should not have power to edit headers and footers, mass administration or anything like that. They are just like Moderators but can moderate all the boards. Are you giving a Moderator the powers you are giving to G-Mods? If you want, give the G-Mods the power you want, but don’t let them edit profiles, or at least change member-groups. Your best bet is not letting Administrators edit member-groups either.
Post by ~<^^>~Lance Caper~<^^>~ on Sept 21, 2006 11:30:45 GMT -8
How to keep your forum safe - by a paranoid admin (aka undeaddeadguy)

Step one: Administration passwords are to be long and need to contain numbers or symbols.
- I recommend a password ~10 characters long. That's 4 more than the required 6 characters.
- Do not use the number '666' in your password. It's too predictable and does not make you a punk.
- Make sure you remember your password. Don't make it a bunch of random numbers and letters and do not write it anywhere on your computer. This helps if you ever get spyware. Speaking of spyware...
- If you ever get spyware, remove it. Then immediately change your passwords for both the admin account and your email.

Step two: Staff members
- [glow=red,2,300]Never assign an administration position to someone you do not know offline. Close friends should only be considered for these positions.[/glow]
- Remember to set powers for GMods. There are default options which you do not want them to have, but then again this is a personal opinion matter.
- Never give a staff position to someone on another forum which is exactly like yours. They're the competition and will try to sabotage you.

Step three: Dealing with your forum
- You must check your forum at least twice a day.
- Make sure you know the proboards TOS.
- Be careful of flamers or arrogant members. They are the ones who will pull something crazy.

I have to disagree with the part I highlighted.
Some people have known others on the internet for years.. Most of the staff, mainly admins, on Proboards that I've made have been friends on the internet, not in real life.
People on the internet CAN be trusted if you've known them long enough.
Post by Black Angel on Sept 22, 2006 9:51:00 GMT -8
Well, there has been a series of IPB and IF board crackings, and all from the same person.. what this person does is he guesses the admin's password, or he 'tricks' the admin into giving him ACP access.. and does his damage that way, and/or he uses a trojan.. and does his damage that way.. after he has destroyed the board, he then puts a link to the trojan on the forum's index, that way, when unsuspecting members go to the forum, their browser automatically downloads the trojan.. we look up information about them, and we stay on top of our research, and see if there have been updates about or new attacks from this person. Our members don't know about this, and we don't talk about it on the forum.. because we don't want to attract the attention of the people we are trying to avoid.

So what I do is I emphasize the importance of having an antivirus program on your computer as well as a software firewall.. I posted links to the freeware versions of AVG, and Zone Alarm, for those who didn't have antivirus, or firewall software.. (either because they didn't know where to get it, or couldn't afford it..) I advise members and fellow staff not to open links in pms, or links unless they know exactly what it is.. I also advise them to get a safe, and secure browser.. and then provided links to Opera, and Firefox.. which have been credited as the safest browsers on the web today.. After all that, I then go on to explain the importance of picking a good, STRONG, password, changing it frequently, and then emphatically explaining that we will NEVER ask them for their passwords..

As an added security measure, we have:
- Made it so you HAVE to login to see the forum.
- Turned on email validation.. (so, if someone were to register with a fake email, they would not be able to access their account.. in other words they'd have to register with real email address..)
- Made it so that anyone who is in the groups that are lower than the members group, (such as validating, have yet to post, etc..) cannot change their profile.. this keeps potential troublesome members, from escaping punishment.. After all, if we have new members who are serious about the community then that should not bother them.. and it doesn't..

When we ban someone.. we do wildcard bans.. so if we have someone like:
Username: You Suck
Email: me@mail.com
IP: 123.456.789.012
we will ban the name, and then for the email and ip, we will ban like this:
me@*.*
123.456.*.*
We also have banned all AOL ips.. so anyone signing up to the forum would have to use a non-AOL ip.

Profiles can only be seen, by staff only.. the members can still email, im, and pm each other from the board.. all they have to do is click the buttons beneath their post. This was done for a few reasons:
1. Because we had a member who was randomly spamming his website link by emailing everyone with the link.
2. We had a member who played im pranks by taking the members' screennames, and then using the im prank thing on ebaums world..
3. Members' email addresses were getting spammed, by spam bots.
4. We had members who were emailing, and iming us with stupid questions, or questions about my brother's flash, despite being told not to..
5. We had a member who would send malicious links, and links to trojans, and viruses to those on his buddylist.. he took the screennames he got from the forum..
So we made the decision to not allow profiles to be seen by anyone except staff.

We also remain active on the support boards, and so, if and when someone posts info about a cracker, and then posts the ip, username, and email address, we copy the info (before a mod removes it, otherwise, we will pm the person who originally posted it), and then add it to our list of banned emails, ips, and usernames.. We have a list of more than 100 suspicious ips, crackers' ips, and spambot ips (such as the ones who advertise porn, warez, viagra, cialis, phentermine, as well as those who post those links that look like gibberish.. <= although they are usually on proboards..) they are all wildcard banned from our forum..

We have a back up forum, with the accounts, of our active users, that way if, in the event that, something happens, we can email the members from the backup informing them of what happened.. we intend on using the back up until we can get the forum restored, as if nothing had happened.

We also cloak our url.. this way, we can hide the url provided by our host.. so that our domain, will replace all of the [IF] domains.. on all of the pages.. push come to shove, we can always change our [IF] url, by swapping it with one of our test boards, in an effort to throw off our attacker.. and then use a completely different domain altogether..

That is what we do to protect our board..
Post by Kathelyne on Oct 2, 2006 4:04:47 GMT -8
According to that myname with a 1 on the end is strong... That's because it's picking up the capital letter, lowercase and number. Having the same passwords for several places does help you to remember, but it also means that if one is cracked, others are too. Also, email passwords are very important, but don't forget some emails have ways for you to gain access to your account. Hotmail has the secret question, and it is easy to get that information. I proved this to a friend once, who said her password for an account (non proboards) was so hard I'd never be able to crack her account. Well, I went there, used the 'I forgot my password function' and went to her hotmail and answered her secret question and changed her password and got into her email and got the password that way. This was while she was sitting beside me, I might add, so she wasn't locked out or anything, it was just to show her what could be done. And of course, you have to make sure your staff are as careful as you.
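
Added example, not from any poster and not the Hotmail meter's code: two hypothetical meters rating the same passwords, showing why a check that only counts character classes calls a name plus a digit "strong". The thresholds, sample passwords and the owner's known details are assumptions made up for the illustration.

```javascript
// Added example: two hypothetical password meters. Thresholds and the
// sample account details below are constructed for illustration.

// Class-based meter: looks only at length and which character classes appear.
function classMeter(pw) {
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^a-zA-Z0-9]/]
    .filter((re) => re.test(pw)).length;
  if (pw.length >= 7 && classes >= 3) return "strong";
  if (pw.length >= 6 && classes >= 2) return "medium";
  return "weak";
}

// Context-aware meter: strip what someone who knows the owner could guess
// (username, real name, pet, birth year), then rate only what is left.
function contextMeter(pw, knownTokens) {
  let rest = pw.toLowerCase();
  // Longest tokens first, so a longer name is removed before a shorter one
  // that it contains.
  const tokens = knownTokens
    .map((t) => t.toLowerCase())
    .filter((t) => t.length >= 3)
    .sort((a, b) => b.length - a.length);
  for (const t of tokens) rest = rest.split(t).join("");
  if (rest.length >= 10) return classMeter(pw); // nothing guessable dominates
  if (rest.length >= 6) return "medium";
  return "weak";
}

// Rate one password with both meters.
function compare(pw, knownTokens) {
  return { classBased: classMeter(pw), contextAware: contextMeter(pw, knownTokens) };
}

// Constructed details an acquaintance of the account owner would know.
const KNOWN = ["myname", "rex", "1998"];
for (const pw of ["Myname1", "Rex1998", "kT7#vq2!Lm9$xz"]) {
  const r = compare(pw, KNOWN);
  console.log(pw.padEnd(16), "class-based:", r.classBased.padEnd(7), "context-aware:", r.contextAware);
}
```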
Post by Molly Weasley on Oct 2, 2006 7:50:10 GMT -8
Just another password tip: If you use computers in a public place (a library for example) then be sure no one is watching when you type in your password. It's like shoulder surfing while you enter your pin. It's too easy. For example I used a public computer a while back and saw a person next to me enter a runescape, BBC and their email password!
My new board will now be safer than ever now I've seen all your tips. I use codes from the database but only those made by Ross, for he is trusted.
Thanks for all the tips,
Missy X
Post by zgustaff on Oct 2, 2006 9:50:15 GMT -8
I had some problems with staff members leaving their account open, and then I was on (thankfully) and shut down the site before they did anything major (aside from deleting three boards)... and then they got mad at me and started posting... well let's just call it what it was, gay cow porn, so I shut down guest posting, then they made new accounts and started once more, so I ended up banning half of the school, and then one of my friends did something which I will not discuss in any more detail than necessary, let's just say that he found their email accounts and... but we finally made it so that we were safe once more, so...
Post by lukehopkins on Nov 26, 2006 10:14:49 GMT -8
I know this is the wrong place to post but I need urgent help. My friend registered on my forum and I made him an admin, but he cannot access his admin panel. Why is this?
Post by Snakeair on Nov 26, 2006 11:37:07 GMT -8
I know this is the wrong place to post but I need urgent help. My friend registered on my forum and I made him an admin, but he cannot access his admin panel. Why is this?

Please post in the support board for questions like this. Please read the rules for this board. You'll get help over there.
Post by Timothy on Nov 28, 2006 5:00:05 GMT -8
Security on forums seems to be an issue for a lot of members. I often am getting PMs from members who are concerned that their forum keeps getting cracked, how can they prevent spammers from violating their forum or a number of other issues that seem to evolve when maintaining a community. So, hopefully this thread will be able to give you some insight to other members' experiences and their solutions. It is my hope that you will receive the guidance needed in maintaining a more secure and happy forum.

^ There's no such thing as absolute security, but you can deter most would-be hackers from damaging the site. I used to have spammers up the wazoo (how they got there, I have no idea ;D ), and so I eventually disabled posting for guests throughout the entire site. I did, however, leave the option of guests to view the entire site (minus the staff boards for obvious reasons), to help give them a proverbial feel of how the site works...