Go Back   vb.org Archive > vBulletin Article Depository > Read An Article > vBulletin 3 Articles
FAQ Community Calendar Today's Posts Search

Reply
 
Thread Tools
HOWTO: Secure your vBulletin sensitive data
TECK's Avatar
TECK
Join Date: Nov 2001
Posts: 4,182

 

Canada
Show Printable Version Email this Page Subscription
TECK TECK is offline 05-26-2007, 10:00 PM

vBulletin is a very secure web application. Except the fact that it has the database, user name and password included into a readable text file.
There is a very simple way to correct this issue.
Basically, you grab the sensitive information and you move it outside the public area.

Secured vBulletin config.php file
Let's presume your server has the following structure:
Code:
/root
--/etc
--/usr
----/etc
--/var
----/www
------/html
--------/forum
----------/includes
Start by opening your config.php file:
Code:
[root@Linux-PC ~]# gedit /var/www/html/forum/includes/config.php
Paste inside the PHP EOF key (?>). It probably got deleted by accident in one of the SVN branches. It should look like that:
Code:
/*======================================================================*\
|| ####################################################################
|| # Downloaded: 17:35, Wed May 16th 2007
|| # CVS: $RCSfile$ - $Revision: 16258 $
|| ####################################################################
\*======================================================================*/
?>
Now, run those commands:
Code:
[root@Linux-PC ~]# mkdir /etc/vbulletin
[root@Linux-PC ~]# mv /var/www/html/forum/includes/config.php /etc/vbulletin/config.php
[root@Linux-PC ~]# ln -s /etc/vbulletin/config.php /var/www/html/forum/includes/config.php
[root@Linux-PC ~]# chown -R lighttpd:root /etc/vbulletin
[root@Linux-PC ~]# chmod 0640 /etc/vbulletin/config.php
I really hope you use nginx or lighttpd as web server, not Crapache, the resources hogger who eats memory like an elephant. Large sites like YouTube, Sourceforge, Alexa, etc. use it, you should also.

Secured MySQL vBulletin user
Start by creating a new database user:
Code:
[root@Linux-PC ~]# mysql -u root -p
Enter password: n50Ig7vYzXy2sXfc
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 43 to server version: 5.0.22

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> GRANT ALTER, CREATE, DELETE, DROP, INDEX, INSERT, LOCK TABLES, UPDATE, SELECT
	ON vbdatabase.*
	TO 'vbuser'@'localhost'
	IDENTIFIED BY 'Ov4d4wk1BVXDllh9';
mysql> FLUSH PRIVILEGES;
mysql> SELECT Host, User FROM mysql.user;
+-----------+--------+
| Host      | User   |
+-----------+--------+
| localhost | root   |
| localhost | vbuser |
+-----------+--------+
mysql> quit
Note: Did you know that you can paste a password into your telnet window?
No need to memorize them... so you can use very complex passwords in your Linux configuration.

The privileges listed above are the only ones vBulletin needs for any operation, including upgrades.
Make sure you have only the users you need/use, in your MySQL database.
Hosts or users defined as "" are dangerous because they open the door to security issues.
The MySQL site tells you how to secure your user accounts, very well.

Also, I strongly suggest you to use at least 85 bits, for the quality of your server passwords.
A very good tool to generate and have all your passwords grouped together is KeePass.
It will store very securely all your important passwords. The beauty of this program is the fact that you can keep it on your USB flash drive and travel with it everywhere. Plus, it is free and works on Windows, Linux and MacOS.
I use it all the time to generate very strong passwords for all my server configurations.

Shared Accounts
If you are on a shared account, get a server. vBulletin was not meant to run on a shared account. Once your forums are getting a little popular, the site will die on you constantly.

That's all, enjoy your secured config.php file as well the secured MySQL user.
Reply With Quote
  #2  
Old 05-27-2007, 01:23 PM
Princeton's Avatar
Princeton Princeton is offline
 
Join Date: Nov 2001
Location: Vineland, NJ
Posts: 6,693
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Great article TECK!

Thanks for sharing with the community. :up:
Reply With Quote
  #3  
Old 06-01-2007, 04:09 PM
TECK's Avatar
TECK TECK is offline
 
Join Date: Nov 2001
Location: Canada
Posts: 4,182
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Thanks, Princeton.
Reply With Quote
  #4  
Old 05-23-2009, 03:19 PM
Sweeks Sweeks is offline
 
Join Date: Jul 2008
Posts: 633
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

A long time since you have wrote this but thank you, I have enjoyed the read
________
EASY VAPE"" REVIEW
Reply With Quote
  #5  
Old 06-01-2009, 07:11 AM
almohd's Avatar
almohd almohd is offline
 
Join Date: Feb 2009
Location: Bahrain
Posts: 68
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Thank you
Reply With Quote
  #6  
Old 07-29-2009, 01:46 AM
J105C J105C is offline
 
Join Date: Mar 2008
Posts: 120
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Yeah, this doesn't seem to work with apache.

It doesn't work with config.php what so ever.

When I use a test html file it works though, I can view it in the browser. But I have to chmod the file to 644 and the folder in /etc location to 755
Reply With Quote
  #7  
Old 09-07-2010, 01:49 AM
narhot's Avatar
narhot narhot is offline
 
Join Date: Dec 2007
Location: www.jawhara1.com/vb
Posts: 16
Благодарил(а): 0 раз(а)
Поблагодарили: 0 раз(а) в 0 сообщениях
Default

Explain the awesome my brother thanks you and experience ...
Reply With Quote
Reply


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 01:03 PM.


Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2024, vBulletin Solutions Inc.
X vBulletin 3.8.12 by vBS Debug Information
  • Page Generation 0.07440 seconds
  • Memory Usage 2,256KB
  • Queries Executed 20 (?)
More Information
Template Usage:
  • (1)SHOWTHREAD
  • (1)ad_footer_end
  • (1)ad_footer_start
  • (1)ad_header_end
  • (1)ad_header_logo
  • (1)ad_navbar_below
  • (1)ad_showthread_beforeqr
  • (5)bbcode_code
  • (1)footer
  • (1)forumjump
  • (1)forumrules
  • (1)gobutton
  • (1)header
  • (1)headinclude
  • (1)modsystem_article
  • (1)navbar
  • (4)navbar_link
  • (120)option
  • (7)post_thanks_box
  • (7)post_thanks_button
  • (1)post_thanks_javascript
  • (1)post_thanks_navbar_search
  • (7)post_thanks_postbit_info
  • (6)postbit
  • (7)postbit_onlinestatus
  • (7)postbit_wrapper
  • (1)spacer_close
  • (1)spacer_open
  • (1)tagbit_wrapper 

Phrase Groups Available:
  • global
  • inlinemod
  • postbit
  • posting
  • reputationlevel
  • showthread
Included Files:
  • ./showthread.php
  • ./global.php
  • ./includes/init.php
  • ./includes/class_core.php
  • ./includes/config.php
  • ./includes/functions.php
  • ./includes/class_hook.php
  • ./includes/modsystem_functions.php
  • ./includes/functions_bigthree.php
  • ./includes/class_postbit.php
  • ./includes/class_bbcode.php
  • ./includes/functions_reputation.php
  • ./includes/functions_post_thanks.php 

Hooks Called:
  • init_startup
  • init_startup_session_setup_start
  • init_startup_session_setup_complete
  • cache_permissions
  • fetch_threadinfo_query
  • fetch_threadinfo
  • fetch_foruminfo
  • style_fetch
  • cache_templates
  • global_start
  • parse_templates
  • global_setup_complete
  • showthread_start
  • showthread_getinfo
  • forumjump
  • showthread_post_start
  • showthread_query_postids
  • showthread_query
  • bbcode_fetch_tags
  • bbcode_create
  • showthread_postbit_create
  • postbit_factory
  • postbit_display_start
  • post_thanks_function_post_thanks_off_start
  • post_thanks_function_post_thanks_off_end
  • post_thanks_function_fetch_thanks_start
  • post_thanks_function_fetch_thanks_end
  • post_thanks_function_thanked_already_start
  • post_thanks_function_thanked_already_end
  • fetch_musername
  • postbit_imicons
  • bbcode_parse_start
  • bbcode_parse_complete_precache
  • bbcode_parse_complete
  • postbit_display_complete
  • post_thanks_function_can_thank_this_post_start
  • tag_fetchbit_complete
  • forumrules
  • navbits
  • navbits_complete
  • showthread_complete