HOWTO: Secure your vBulletin sensitive data
TECK
Join Date: Dec 2001
Posts: 4,182

Canada
by TECK, 27 May 2007

vBulletin is a very secure web application, except for the fact that it stores the database name, user name and password in a readable text file.
There is a very simple way to correct this issue.
Basically, you take the sensitive information and move it outside the public web root.

Secured vBulletin config.php file
Let's presume your server has the following structure:

[Code block not shown: visible to licensed members only.]

Start by opening your config.php file:

[Code block not shown: visible to licensed members only.]

Paste it in, inside the PHP closing tag (?>). That closing tag probably got deleted by accident in one of the SVN branches. The file should look like this:

[Code block not shown: visible to licensed members only.]

Now, run those commands:

[Code block not shown: visible to licensed members only.]

I really hope you use nginx or lighttpd as your web server, not Crapache, the resource hogger that eats memory like an elephant. Large sites like YouTube, SourceForge, Alexa, etc. use them; you should too.

Secured MySQL vBulletin user
Start by creating a new database user:

[Code block not shown: visible to licensed members only.]

Note: Did you know that you can paste a password into your telnet window?
There is no need to memorize them, so you can use very complex passwords in your Linux configuration.

The privileges listed above are the only ones vBulletin needs for any operation, including upgrades.
Make sure your MySQL database contains only the users you actually need and use.
Hosts or users defined as an empty string ("") are dangerous because they open the door to security issues.
The MySQL site explains very well how to secure your user accounts.

Also, I strongly suggest you use passwords of at least 85 bits of quality for your server.
A very good tool to generate all your passwords and keep them grouped together is KeePass.
It stores all your important passwords very securely. The beauty of this program is that you can keep it on your USB flash drive and travel with it everywhere. Plus, it is free and works on Windows, Linux and MacOS.
I use it all the time to generate very strong passwords for all my server configurations.

Shared Accounts
If you are on a shared account, get a server. vBulletin was not meant to run on a shared account. Once your forums are getting a little popular, the site will die on you constantly.

That's all, enjoy your secured config.php file as well as the secured MySQL user.

Last edited by TECK; 06 May 2008 at 17:24..
Comments
#2  Princeton (Real name: Joe Velez), 27 May 2007, 15:23
Great article TECK!

Thanks for sharing with the community.
#3  TECK (Real name: Floren Munteanu), 01 Jun 2007, 18:09
Thanks, Princeton.
#4  Sweeks, 23 May 2009, 17:19
It has been a long time since you wrote this, but thank you, I have enjoyed the read.
Last edited by Sweeks; 06 Apr 2011 at 14:23.
#5  almohd, 01 Jun 2009, 09:11
Thank you
#6  J105C, 29 Jul 2009, 03:46
Yeah, this doesn't seem to work with Apache.

It doesn't work with config.php whatsoever.

When I use a test HTML file it works though, I can view it in the browser. But I have to chmod the file to 644 and the folder in the /etc location to 755.

Last edited by J105C; 29 Jul 2009 at 08:02.
#7  narhot, 07 Sep 2010, 03:49
Explain the awesome my brother thanks you and experience ...