General securing of phpbb

General Computing Coding and Design
1

I’ve been thinking of adding forums to my long neglected web site, and have started messing around with phpbb on an install at home.

Have to admit, gluing the bits together to get it working was fun…

Am testing: phpbb 2.0.6, php 4.3.4, xitami 2.5c1, mysql 4.0.17.

To get it running, it was pretty obvious that I needed a web server, and I’ve been using Xitami for a while and find it easy to set up and use. phpbb seems to be a popular “free” board, and from its name it’s no surprise I needed to install php too.

I configured my web server as instructed by php, and tried to run phpbb which promptly gave out various errors. Not good. After a lot of messing about, found out that I need to change one setting in phpbb in an ini file hiding in the windows directory, and also it usually helps if I access the right install file of phpbb.

Oh, somewhere in there I managed to install mysql even though I have no idea what I did or what it does, it seemed essential.

Soon it was running and I’m having loadsa fun messing around and getting used to the options.

Next step would be securing it before releasing it to the world. I’m fairly confident in the web server security, with the usual tricks of web admin disabled and non-default admin names. But I’m at a loss as to what, if anything, I need to consider in the remaining three components: mysql, php, phpbb.

So… are there any general hints to help making them secure? I’m still in RTFM mode but they never seem to give what you need to know. Alternatively, I remember hearing of web server attacking tools which I guess would find any obvious weaknesses quickly, any suggestions before I hit google?

2

I’m sort of guessing here, but with your sql install you would have created a new database, now phpbb likes to give the database a password that you can find, so for 1 I would recommend changing that. You would then need to alter the main file for hosting passwords, currently of which the name escapes me.

Try installing phpmyadmin as well - this gives you nice web based interface to view the sql database and change settings, this comes with a reasonable manual.

Errrm - anything I’ve overlooked guys ??? Brain may be more engaged in this tomorrow when I’m back at work - sort of relaxing at the moment.

HTH though,
DT.

3

Thanks for the info. Will have to dig into it…

As far as MySQL was concerned, I just downloaded it and installed it. The windows monitoring app showed two databases existing, one of which was called test and was empty. I pointed phpbb at it (no usernames or passwords) and it was happy. Guess I’ll be looking at creating and maintaining databases next then :smiley:

4

yes when you run your install, you want to be creating
into a new DB with associated Database Name / User Name
& password.

The fact you have pointed it at Test means your running as
such without any protection in place so anyone knowing
the addy to get to the mysql database can change anything
they want in there.

5

Thanks, I kinda guessed that was happening. As I said, this is not open externally while I figure out what’s happening. Installing mysql didn’t exactly make much sense, I just pushed buttons until it worked :smiley:

6

My forum at home is still going, I’m using

  • Apache 2.0.48
  • MySQL 4.0.16
  • PHP 4.3.4

I would like to tell you all about how I got it going, but it was more luck than anything else :slight_smile: and help from PMM and Mulda