How To Maintain A Secure Forum

[carry]

I have my forum completly closed for guest posts... Well I have a Death Penalty Discussion Board, and of course that invites lunatics very easily, so I enabled guest posting on every board.
I also have some boards open, some closed for guest viewing, the Death Penalty related ones are all open, as guests need to see what the board is about, how the discussion in maintained, etc... otherwise I only have general news and general crime discussion open, and the rules of the board.

Admins and mods, well I have people asigned that are either Anti Death Penalty like me, or pro's that I have know a while, that are able to bring their point accross well mannered and that are able to reasonably communicate with the other site.
I do not have staff rankings, they all have custom titles, so I put them into an individual group , which enables me to modify their access to mod functions... I can choose them for each individual staff member.. if a staff helps me with headers and fooders, they could be set that they can access those, without the others having the same ability.
I let my staff delete posts, but I made it a staff rule that they have to copy and paste the offending post and post it in the moderators area. They can not delete complete threads though...
They can ban members, but they can not delete them...
I have very good and devoted staff for the board.

[dominic95]

I think that no one should become an admin with all controls. It happend to my friend once he gave someone full controls of the board as an admin because the guy said i will get you some codes to make your board nicer if you let me become full owner of your board my friend did he came back the next day and attemped to go to his forums and it would not work thats when i recive a phone call from him saying he board was delted and i said its your fault for beliving him i did not know that he was attepming this scam offer until the phone call. All i want to say is never ever get anyone anyone ownership of your board regardless of what they say. If you dont know what your doing and dont know how to use the controls on your board simply click on help and watch the viedo or ask someone for instructions.

[carry]

dominic95 said:

I think that no one should become an admin with all controls. It happend to my friend once he gave someone full controls of the board as an admin because the guy said i will get you some codes to make your board nicer if you let me become full owner of your board my friend did he came back the next day and attemped to go to his forums and it would not work thats when i recive a phone call from him saying he board was delted and i said its your fault for beliving him i did not know that he was attepming this scam offer until the phone call. All i want to say is never ever get anyone anyone ownership of your board regardless of what they say. If you dont know what your doing and dont know how to use the controls on your board simply click on help and watch the viedo or ask someone for instructions.

Well I have a member on my board who has my log-in data... He does not want to be staff due to work commitments, but I trust him fully and talk to him outside the board a lot as well. He has it just in case that something happens to me, so he can take over, decide whoever he wants to continue the board, etc..
...

[Black Angel]

We do what ever we can to ensure that our board is secure.. Though, I believe that it would be a good idea for us to hold drills, or something, this way in the event that something should happen, we'll know what to do..

Even though, I hope that we won't get attacked, it is comforting to know that all we can get everything restored back to where it was, if we send in a support ticket.. the downside to that is that depending on how much was lost, we may have to pay, (but most of the time it would be free) and we'd have to wait for a very, very, long time to get it restored.. luckily, we have a back-up forum, that we can fall back on in case something should happen, we can use that to let everyone know what had happened, and use that board until our board is fixed..

We just hope that we are secure, and that nothing bad happens..

[kelendria]

Where there's a will there's a way, you can have the most secure forum out there but I betcha there's a code out there to hack it
The worst case scenario that's probably already been said is Admin account hacking, cos from there you can lose everything


mod note- posts deleted from above this one so deleted first line out of this post that referenced them...

[leeboggs]

Is it possible to determine if a password has been cracked?

In my case, I've been told by law enforcement that someone, at their request, obtained an IP address and the only that could have been done would have been to crack my password.

But how can I technically confirm that it was done?

I've been told that it was done, but I don't want to just accept their word for it. They won't tell me how it was done.

[myke]

leeboggs said:

Is it possible to determine if a password has been cracked?

In my case, I've been told by law enforcement that someone, at their request, obtained an IP address and the only that could have been done would have been to crack my password.

But how can I technically confirm that it was done?

I've been told that it was done, but I don't want to just accept their word for it. They won't tell me how it was done.

Please ask this in the support board.

[cat66]

Because our board has members all over the world, and is a closed board, time zones become a problem, in that if anyone has a problem, I may well be asleep, therefore I appoint alternate admin staff in the different time zones.
These people may do all the day to day stuff, approve members, etc.
However, I do not allow them to delete or modify any posts or do anything radical.
Also, if you are at all concerned about anything, a good idea is to check your security log from time to time.

[Weasley Twin]

The only forum which I have open for guests is the help forum, all other forums require members to register. I feel that if you have too many boards open to guests this increases the chances of your board getting hacked.

I would agree when they say choose your staff members cearfully not everyone can be trusted, no matter how long you've known them. I had a problem like that once, and it ended up in my board being hacked and eventually deleted without my consent which really upset me because I trusted my staff members.

[Thundermew]

My last one was HORRIBLE, it got spammed almost every time I went back on

When I first so a spam post, I deleted it

Then, I took a break, and when I got back on, there was another spam post

So I removed it, and then took another break, and when I come back (you could guess) there was another, in fact, there was moe than one,so I had to disable guest posting on every board

And THEN, I noticed I had missed one out so that one got spammed as well. Oh, and did I mention I got a post that violated ALL of my rules at the same time, that was a broken record

Well, i'd assume that was the same person, but I prefer to disable guest posting,due to this spam.

It did eventually get better though

[Conquesta]

I was made a staff member on a site after not being there long and the owner actually gave me their admin account password! I couldn't believe it, especially after I told her how to allow me to edit the boards for her and she gave it to me because she was lazy -shakes head-. From what I can remember she gave the board password to five different people... so I doubt that site would be overly secure. And its a good thing I've left that particular site due to the owner's poor administration and I was fed up with putting in time, but thats another matter.

I think in some cases, poor admins are part of the cause as to why sites get cracked or otherwise disturbed. They themselves need to be more aware about what could happen and be as active as they can. I've seen what can happen when iresponsible game owners simply leave the work entirely to their staff and well, eventually the staff get pretty peeved.

Some people have the same password for everything. This is pointless! Arrgh and so insecure, if someone cracks one they have access to everything else also. I have several passwords, they vary. I also have "secret" emails, these are the ones where sensitive details such as my ebay are hidden and where I won't have to worry so much, say for instance. If a banned member decides to try and cause some problems there, they can't.

As for spammers, I've discovered that they love spamming the c-boxs and any site I create I avoid having these. As useful as they are, they aren't really worth the trouble of having them there. I think guests should be able to view boards, especially rules boards which is something they should be able to read. As they should know what they're signing themselves up for.

[Gamoc]

Well, guests should be able to see the rules board if they are under 13, but still want to post without violating PB ToS.

When I create a forum, I never use the same password as I do on any other forum. It is always different, and I also always make it something easy for me to remember, but not something that could be easily guessed at the same time. If you want a truly secure password, you should find a random password generator, and get a random password for you to use. If it is something hard to remember(the harder the better). Save it in a document like notepad, or even hide it in a graphics that you make on photoshop, or even paint would do it.

With the staff powers thing that enchant came across. You really do want to be careful, don't just let people modify profiles if you haven't known them for a long time. When giving staff powers, I wouldn't ever let them have administrative powers or modify other certain things. I am happy with what I have right now.

It is true what enchant said about PBS staff never asking for your password. I am assured by what enchant said that they won't. They don't need to, anyway, if they need to do something for you on your forum, the admins will just log into the servers and do it there, they don't need your password, and they can see it anyway. Really, you can trust them.

Really, the only time that you should let someone have an admin password is when you and some friends(actual real life friends) got together and wanted to make a forum together. That is really the only time that I would. Oh, actually, if you have made a skin for someone, and you want them to get the stuff in themselves, you could give them the password to the test board.

No matter how sick it is that people want to crack forums, there will always be someone cracking that sort of thing, and it should try to be avoided at all costs. The first step is always a secure, strong password, and one that is different, same for your email.

[Miss Adventure]

The one thing I've learned through my experience online is to BACKUP everything. From member e-mails, to headers and footers. That way should you're forum get hacked or deleted it won't take more than a few minutes of copying and pasting to get it back up and sending out mass e-mails to your more well known and trusted members what happened.

As far as my site goes, I have taken all the measures listed, including forcing my staff to regularly change their passwords on alternating schedules. Examples of this would be alternating from one week to two weeks to three weeks. I never have them pick a specific day every month to do this task, but I do insist they change their passwords often and they all have access to a password generator that works brilliantly.

I also change my password on a regular basis and so far we have been doing rather well. Only recent after a year have we had spammers but that was quickly resolved by a few bans and closing up the posting for guests.

I have to say though that I've appreciated all the advice everyone has given and have learned a few more things that I plan to implement for my site. And definately plan to double check all my codes.

Thanks for posting this, it's brilliant!

[Gamoc]

Well, I think that that changing passwords thing is actually a very good idea. I haven't changed mine in a while considering mine is very random that no one would guess. The only problem is that they don't always want to change their password or have it changed so they have to check their email for their password. I do think that any administrative staff that you have on your forum should change it, but you don't really need to give any other staff group powers that will totally screw up your forum a whole bunch. I gave one person that wasn't an admin access to headers/footers and skins because he always made oour skins.

Yes, it is a great idea to have a random password generator. They really do help people think about what they want and how to make it strong because they can select, weak, intermediate, and strong. If they choose strong, and they forget, they should have it saved in a document on their computer somewhere, never hosted on a file hosting site, if they are not at their house, they should just check their email from where they are at.

Yes, backing up everything will help. You should always back up your PMs, headers and footers, have a copy of the skin on some test board or even copied as a sub skin on the forum. Having back-ups help everything if your forum gets cracked and everything is deleted, including the forum. If the forum is deleted, craig can restore it. Backing up has helped me in the past when I most needed it, and I am glad that I did that.

[Shentino]

Here's one I think might work...

Have 2 accounts. Basically, you put admin in a group all to itself, with maximum powers and some decoration.

Then, register on your own forum and pick out a username and screen name to your liking. Give that user administrative powers.

Keep the admin account in reserve, and log in there only as needed. If either account gets hacked, at least you'll have a backup.