
Easy Security Tips for vBSEO customers

This is a discussion on Easy Security Tips for vBSEO customers within the Member Articles forums, part of the Focus on Members category; In light of the recent round of attacks against vBSEO customers, I thought it would be nice to share some ...

  1. #1
    Brian Cummiskey (vBSEO Staff)

    Easy Security Tips for vBSEO customers

    In light of the recent round of attacks against vBSEO customers, I thought it would be nice to share some easy to implement security tweaks. 99% of hacking something is knowing that it exists and where it exists. By simply renaming something from the normal expected name, you are far more likely to never be a part of an exploit.

    These instructions focus on apache webservers. These may be possible in other webserver platforms, but you will need to convert the rules to match your system.


    Renaming vbseocp.php
    Note: This is for version 3.5.x and higher only.

    • open your ftp client to your forum root and find vbseocp.php
    • rename this file to something you and only you can remember what it is. In this example, I used 'myvbseocp.php'. You shouldn't use this. Use something like vb3242er42f2342seof23r234f423cp.php (and don't use that exact string either).
    • Next, we need to edit the left nav in adminCP to reflect this new name. Open (download) includes/xml/cpnav_vbseo.xml in your favorite editor (or notepad)
    • Note the highlighted link above... we need to change that to our new file name.
    • re-ftp that file back up to your site and it will work. To test, visit your vB admin panel, and click on the left nav link for vbseoCP. It should load correctly in the frame.

    Renaming the vb admin directory
    vB comes with an easy way to rename the adminCP and modCP folders. These are configured in the /includes/config.php file from vb.
    find:
    Code:
    $config['Misc']['admincpdir'] = 'admincp';
    $config['Misc']['modcpdir'] = 'modcp';
    Replace the string with your folder names. Remember, Linux is case sensitive.

    Then, of course, you physically re-name the folders on your site with your ftp client.

    Hint - remember, vb and vbseo upgrades assume STOCK folder names. When performing future upgrades, always re-name the LOCAL folders to match your SERVER folder names before upgrading.


    Securing the vb admin directory
    Using .htaccess and .htpasswd files, it is fairly straightforward to add another login level of security. In this case, even if your vB account is compromised, the hacker would still not be able to log in to your admin panel and deface your site.

    The key point here is to place the htpasswd outside of the web directory.
    i.e., if your site is
    /home/sitename/public_html/
    you want this password file to be in a new folder of the site ABOVE the public web accessible folder, such as
    /home/sitename/mypassvault/



    • The first thing to do is to make a 401.shtml file in your site root (site.com/401.shtml is the access path, regardless of where your forum is). The contents of this file don't really matter; it simply needs to exist. A 'pretty' template can be used if desired:
      Code:
      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
      <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
      
      <head>
      <title>401 - Authentication Failed</title>
      </head>
      
      <body>
      
      <h1>401 - Authentication Failed</h1>
      <p>
             Your request requires authentication. (Login and password) You may repeat the request with a 
             suitable Authorization header field.  Your browser will likely do this for you.
      </p>
      
      <p><!--#if expr="\"$HTTP_REFERER\" != \"\"" -->
             You were referred from <a href="<!--#echo var="HTTP_REFERER" -->"><!--#echo var="HTTP_REFERER" --></a>.
             <!--#else -->
             Please check your request for typing errors and retry.
             <!--#endif -->
      </p>
      <address>
             If the indicated error looks like a misconfiguration, please inform
             <a href="mailto:<!--#echo var="SERVER_ADMIN" -->"
                SUBJECT="Feedback about Error message [<!--#echo var="REDIRECT_STATUS"
                -->] <!--#echo var="title" -->, req=<!--#echo var="REQUEST_URI" -->">
             <!--#echo var="SERVER_NAME" -->'s WebMaster</a>.
      </address>
      
      </body>
      </html>
    • Next, create the .htaccess file at /admincp/.htaccess. If you already have a file in this folder, the next set of rules should come at the very top of anything else you have in there. Otherwise, make a new file called .htaccess with the following contents. Note, you will need to replace mypassvault with your actual PATH and file name to where you will be storing your passwd file (to be made in the next step):
      Code:
      AuthUserFile /home/sitename/mypassvault/passwd
      AuthName "AdminCP"
      AuthType Basic
      Require valid-user
      Again, this must be your exact path to your passwd file (that we will make next). Consult your phpinfo script if you need help finding and creating paths. If your host doesn't allow you to make folders above public_html, ask them for advice.
    • Create the passwd file. These are simply flat files with no extension that use a username:hash(password) format. Go here: .htpasswd Content Generator (or any other md5 generator site you can google) and enter your password to receive the hash back. Remember your password, as there is no lookup tool/etc.
      Code:
      username:md5passwordstring
      is all that this file should have in it. Save it as "passwd" with no extension and place it in the correct path as outlined in the step above.
    • Now, when you visit your admincp, you should get a new popup box that asks for this login. If you can't log in, you did something wrong. Retrace your steps 1 by 1.
    • You can extend this to the modcp as well. Simply copy the htaccess file to the modcp/ folder as well.
    • Be sure to alert your staff of these changes! They (and anyone else) trying to access the admincp and, if configured, modCP areas will need this password. It is easiest to use a generic username and password for all staff, but you can find more advanced tutorials about making individual user accounts in the same manner.

    Lock down all writable folders
    Stop any rogue code from running code directly. See: Security issue for details.


    If anyone else has a tip to share, please feel free to add it to this thread!
    Last edited by Brian Cummiskey; 10-25-2011 at 08:50 PM.
    Brian Cummiskey / Crawlability Inc.
    vBSEO 3.6.0 GOLD Released!
    Unveiling the NEW vBSEO Sitemap Generator 3.0. - available NOW for vBSEO Customers!
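Added example (not from the thread or from vBSEO): the "md5passwordstring" in the passwd step is Apache's htpasswd MD5 format, i.e. the salted, 1000-round md5crypt variant with the `$apr1$` prefix, not a bare hex `md5(password)` digest. The code below builds such a `user:$apr1$<salt>$<hash>` line and verifies a password against it; the user name and password are constructed sample values.

```python
import hashlib
import hmac
import secrets

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"          # Apache's variant of md5crypt; glibc's is "$1$"

def _to64(value: int, count: int) -> bytes:
    out = bytearray()
    for _ in range(count):             # 6 bits per output character
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)

def apr1_crypt(password: str, salt: str) -> str:
    """Return '$apr1$<salt>$<22 chars>', the string `htpasswd -m` stores."""
    pw, sl = password.encode(), salt.encode()[:8]
    alt = hashlib.md5(pw + sl + pw).digest()
    ctx = hashlib.md5(pw + MAGIC + sl)
    for pl in range(len(pw), 0, -16):  # mix len(pw) bytes of the alt sum
        ctx.update(alt[:min(pl, 16)])
    i = len(pw)
    while i:                           # one byte per bit of len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):              # fixed-cost stretching rounds
        ctx = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            ctx.update(sl)
        if r % 7:
            ctx.update(pw)
        ctx.update(final if r & 1 else pw)
        final = ctx.digest()
    f = final                          # permuted base64-like encoding
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = b"".join(_to64((f[a] << 16) | (f[b] << 8) | f[c], 4) for a, b, c in groups)
    return (MAGIC + sl + b"$" + enc + _to64(f[11], 2)).decode()

def htpasswd_line(user: str, password: str) -> str:
    """One line for the file named in AuthUserFile (fresh random salt)."""
    salt = "".join(secrets.choice(ITOA64.decode()) for _ in range(8))
    return f"{user}:{apr1_crypt(password, salt)}"

def check_password(line: str, password: str) -> bool:
    """Verify a password against a stored 'user:$apr1$salt$hash' line."""
    stored = line.split(":", 1)[1]
    salt = stored.split("$")[2]        # salt sits between the 2nd and 3rd '$'
    return hmac.compare_digest(apr1_crypt(password, salt), stored)
```

On an Apache 2.4 host, `htpasswd -B` (bcrypt) is the stronger choice over `-m`; the file layout of one `user:hash` per line is the same.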


  2. #2
    KURTZ (Senior Member)
    nice article, thanks

  3. #3
    Marco Mamdouh (vBSEO Staff)
    Good work Brian!
    I would also suggest securing includes directory with .htaccess username and password.
    Marco Mamdouh Fahem / Crawlability Inc.


  4. #4
    Lucas H (Member)
    Nice article, never thought of changing the vbseocp.php filename. Already had the other two done though

  5. #5
    Andrés Durán Hewitt (vBSEO Staff)
    Hello all,

    Here are some other tips:

    • Never include your admincp and modcp directories within 'robots.txt' file.
    • Try to make your user unalterable through AdminCP by editing your config.php file and looking for this:
    PHP Code:
    $config['SpecialUsers']['undeletableusers'] = '3';
    Where 3 is your userid.
    • Delete your '/install/' directory.
    • ONLY install add-ons from vBulletin.org.
    • If you have moved to vBSEO 3.5.x from vBSEO 3.3.x series, make sure you have deleted all vBSEO 3.3.x files from the old location.
    • ONLY grant permission to access your AdminCP and run SQL queries to people you confide in.
    • Use different and strong passwords for each site you visit.
    • Use .htaccess protection in folders chmod'ed 0777.

    More general vBulletin security tips:

    How To Make My Forums More Secure

  6. #6
    Marco Mamdouh (vBSEO Staff)
    Hello Andrés,

    Thanks for sharing
    Marco Mamdouh Fahem / Crawlability Inc.


  7. #7
    Michael Biddle (Senior Member)
    Great article Brian!
    The Forum Hosting - Forum Hosting from the Forum Experts

  8. #8
    Lucas H (Member)
    Also good input Andrés

    This will help a lot of members out that don't really think of, or know how to secure their website/forum.

  9. #9
    Ceri May (Senior Member)
    If you want to go further and also add the .htaccess protection to individual files like vbseocp.php (or whatever you rename it to, and other custom CPs), you can do this: just add this code to the forum root .htaccess file, including each file name you want to protect in the brackets.

    Code:
    <FilesMatch "(customCP|vbseocp)\.php$">
    AuthUserFile /home/sitename/mypassvault/passwd
    AuthName "AdminCP"
    AuthType Basic
    Require valid-user
    </FilesMatch>
    If it is just one file, though, this would be more efficient:

    Code:
    <Files vbseocp.php>
    AuthUserFile /home/sitename/mypassvault/passwd
    AuthName "AdminCP"
    AuthType Basic
    Require valid-user
    </Files>

  10. #10
    Andrés Durán Hewitt (vBSEO Staff)
    Please note: "Renaming vbseocp.php" only works if you are using the vBSEO 3.5.x series; otherwise, you have to edit the vBSEO source code in order to use that tip.
    Andrés Durán / Crawlability Inc.
    vBSEO 3.6.0 GOLD Released!
    Unveiling the NEW vBSEO Sitemap Generator 3.0. - available NOW for vBSEO Customers!

    Follow us on: Facebook | Follow us on: Twitter


  11. #11
    MTD (Mike), Senior Member
    Great tips!

    Has the vBSEO team thought about taking this a step further and automatically generating unique vbseo.php file names on a per license basis? (i.e. When you download vBSEO, it already has a unique file name). Of course myself and others will do it manually, but for those that aren't aware of the need or don't know how, having unique file names generated automatically could be a way to help protect all users.

  12. #12
    Ceri May (Senior Member)
    Quote Originally Posted by MTD View Post
    Great tips!

    Has the vBSEO team thought about taking this a step further and automatically generating unique vbseo.php file names on a per license basis? (i.e. When you download vBSEO, it already has a unique file name). Of course myself and others will do it manually, but for those that aren't aware of the need or don't know how, having unique file names generated automatically could be a way to help protect all users.
    Hey,

    The problem with this would be trying to then explain to a *new* user how to access their vbseocp.php if it is randomly named to fldsh9jbf8deyfjlkb.php for that user. If you make the change yourself you will know the URL, they may not.

    I know it is included in the AdminCP also, but one of the key things with our design of the CP is that we still want it to work even if the vBulletin AdminCP isn't.

    Ceri

  13. #13
    MTD (Mike), Senior Member
    Quote Originally Posted by Chuta View Post
    If you have moved to vBSEO 3.5.x from vBSEO 3.3.x series, make sure you have deleted all vBSEO 3.3.x files from the old location.
    What's the best way to go about doing this? How do you know which files are from older versions and which are from new? Someone please share the best way to do this so no one accidentally deletes current vBSEO files.

  14. #14
    KURTZ (Senior Member)
    Quote Originally Posted by Ceri May View Post
    If you want to go further and also add the .htaccess protection to individual files like vbseocp.php (or whatever you rename it to, and other custom CPs), you can do this: just add this code to the forum root .htaccess file, including each file name you want to protect in the brackets.

    Code:
    <FilesMatch "(customCP|vbseocp)\.php$">
    AuthUserFile /home/sitename/mypassvault/passwd
    AuthName "AdminCP"
    AuthType Basic
    Require valid-user
    </FilesMatch>
    If it is just one file, though, this would be more efficient:

    Code:
    <Files vbseocp.php>
    AuthUserFile /home/sitename/mypassvault/passwd
    AuthName "AdminCP"
    AuthType Basic
    Require valid-user
    </Files>
    Code:
    Warning: file_put_contents([path]/images/vbsoccer/league/7.png) [function.file-put-contents]: failed to open stream: Permission denied in [path]/***/vbsoccer_admin.php on line 1222
    I got this when I try to import the Italian league's icon ... (note: I've changed the location of my ACP and settled the pwd files)

    So I'm wondering about this: do I need to put this code in the .htaccess file (in the ACP)?

    Code:
    <Files vbsoccer_admin.php>
    AuthUserFile /home/sitename/mypassvault/passwd
    AuthName "AdminCP"
    AuthType Basic
    Require valid-user
    </Files>

  15. #15
    KURTZ (Senior Member)
    Code:
    <Files vbsoccer_admin.php>
    AuthUserFile /home/sitename/mypassvault/passwd
    AuthName "AdminCP"
    AuthType Basic
    Require valid-user
    </Files>
    Code:
    <Files admincp/vbsoccer_admin.php>
    AuthUserFile /home/sitename/mypassvault/passwd
    AuthName "AdminCP"
    AuthType Basic
    Require valid-user
    </Files>
    Just tried with these, and it doesn't run ...
