Scared to turn on my PHPBB Forum

New Member Joined: Mar 06, 2008 Posts: 23

Hi everybody.

I know this sounds stupid, and I have read that RavenNuke is very secure. But am I really okay to set my forums up? Every forum I tried to run in the past got hacked by script kiddies, although I have never used Sentinel before which I think I have running now.

Will I be safe to set them up you think?

Oh and also, sorry to be a pain. Would someone just look at my site to make sure that I haven't missed anything. I know a little bit of coding and stuff but this is probably the first CMS that has ever worked for me lol, so I am eternally grateful already. I am just scared all the hours of work I am going to put into my new fully loaded website will get deleted by some kiddie.

Thanks for reading, you can find my woeful website Only registered users can see links on this board! Get registered or login! - please excuse my empty posts hehe.

Oh and one more thing, before I forget. How often does RavenNuke get updates and are they usually security related? Should I be visiting every day checking for an update to make sure my website will be secure for the future?

registered · Site Admin Joined: Jun 04, 2004 Posts: 6437

Welcome, phearfactor.

Regarding setting up forums, the most effective way to prevent comment spam is requiring membership to post. Many people using RN have been running forums for years without problems other than comment spam.

As for updates and support, check the forums here and you'll quickly get a sense for how good the support is and how well the team resolves issues - security or otherwise. For specific information on RN updates, you can check the downloads section or the changelog included with the latest download. I would say generally about 2-3 times a year - but check monthly to be safe. Of course, there is so much here that you could check daily and learn something new every time...

Posted: Thu Mar 06, 2008 11:05 pm

Is there anything I can implement or adjust (within the vast pages of settings I still haven't looked at yet) to stop spammers on the forums? Like a post time-limiter? No idea what the technical term is for them.

I really cannot set-up the authorization thing, just won't work for me. I am using the Approve Membership Lite addon to get around this so I don't have to email them authorization codes.

Is there anything you can suggest that will help me out other than the use of auth codes?

Thanks again for your swift reply.

Posted: Fri Mar 07, 2008 1:21 am

Are you saying it is not sending the emails to new users for them to activate their account? Obviously if that is the case I would highly recommend trying to get that to work. There is now an option to use SMTP for sending the email, so where hosts have locked down php_mail you should still be able to use that function.

Also make sure you have the captcha turned on for all logins and lock down your admin area using HTTP_AUTH, or CGIAUTH. Have a search in the forums on how to do this.

Posted: Fri Mar 07, 2008 6:36 am

Thanks for that info Jakec.

Unluckily for me my problem is not related to my hosts as I host myself. My problem is my ISP, they are blocking port 25 and for the life of me I cannot understand exactly what to change in which files to get it to work.

I have got it working through php_mail, but the emails simply never appear. I haven't been able to get the SMTP one to work at all yet, I am probably missing something simple. I use to have a similar script working, but that was with my old ISP who didn't block my outgoing port 25, I believe my incoming one is fine.

I am based on a Windows PC using Apache2Triad, trying to make things as less complex as possible for myself. The email issue has really stumped me though, I spent a good 4 or 5 hours modifying things to no avail.

I haven't turned on error reporting though as I cannot seem to find any information on this. Is there a file I haven't looked at?

Thanks for all the help thus far!

Posted: Fri Mar 07, 2008 6:45 am

I've not setup my own server to host a site, apart from using XAMPP for testing, so it is difficult for me to comment specifically on this, but I'm sure you should be able to get the emails working. Presumably your hosts lets you send emails using Outlook and SMTP and therefore the SMTP option should work, or are you saying they have blocked that? Confused

One other thing slightly off topic, but I personally would not display a list of your referrers, because you could be subject to Referrer spam and you could end up with links pointing to unwanted content.

Worker Joined: Jan 18, 2008 Posts: 143

To curb forum spamming, go to the admin control panel under the forums module.
Under General admin, click on configuration. In there a setting call flood Interval you can set this higher then the defualt of 15 seconds.

Then under user admin. Click on ban control. You Can use this short list I have compiled so far. Put these emails in.

*@sevastopol.in
*@mymail-in.net
*@s2worldsports.net
*@c2voyage.org
*@babusya.com
*@d2pills.org
*@s2sportblog.org
*@mail.ru
*@email.net
*@mail2.hqhost.net
*@hot-pussy.info (sorry raven, was a huge bot spammer on my stand alone boards. nothing like waking up to a crap load of porn all over your board.)
*@mail.health-ua.com
*@cheapoemsoft4u.net
*@jetfix.ee
*@email.com
*@e-mail
*@gawab.com
*@gmail.net
*@inbox.ru
*@objes.com
*@mymail.com
*@mp3-world.us
*@bk.ru
*@cowdump.com

Well thats all I have right now.

Posted: Fri Mar 07, 2008 7:07 am

I will try again with the SMTP set-up later. Trying to do that HTTP_Auth now.

I am using this thread:
http://www.ravenphpscripts.com/posts2950-highlight-httpauth.html

Is that what you was referring to? Also, the real path command doesn't seem to be working for me, it replies nothing.

Thank vaudevillian, that's what I was looking for. I will get all that sorted before I turn the forums on hehe

Posted: Fri Mar 07, 2008 7:23 am

Ah found out my real_path - thanks for all the help everyone!

Posted: Fri Mar 07, 2008 7:26 am

That's quite an old post. I'm not familiar with your hosting setup, but if it supports HTTPAUTH, you should be able to simply switch it on in the Nukesentinel settings.

If it doesn't support HTTPAUTH you will need to use CGIAUTH.

Further details on setting these up can be found in the HowToInstall directory of your installation, or here: http://www.ravennuke.com/HowToInstall/ Look under NukeSentinel.

In addition to what vaudevillian has suggested you can add strings to the string blocker in Sentinel to help prevent spamming.

Posted: Fri Mar 07, 2008 7:38 am

Yeah I just switched it on in the Sentinel control panel and now it seems to work! Now I will try out that smtp thing. Thanks for all the help Jakec.

Posted: Fri Mar 07, 2008 8:03 am

jakec wrote:

Presumably your hosts lets you send emails using Outlook and SMTP and therefore the SMTP option should work, or are you saying they have blocked that? Confused

I can use my POP GoogleMail account which uses port 587. I have that set-up now in my Outlook. Any idea where I go from there? Can I use my Gmail settings via the TegoNuke Mailer with SMTP set to Method?

registered · Posted: Fri Mar 07, 2008 8:09 am

You never replied back to kguske's point: are you allowing anyone, even non-registered users, to post in your forums? If so, you really need to turn that off and allow only registered users to post.

Also, ask your host how you are supposed to send mail. If they really got it horked up like that then I would switch to a different host ASAP.

Posted: Fri Mar 07, 2008 8:13 am

At the moment I don't have my forums running. I do have authorization code turned on at the moment but it is not working correctly because I cannot send my own emails for some reason (Port 587).

I am hosting it myself on my Windows PC and it is my ISP that is blocking Port 25. I am not sure how to get around that other than getting another ISP lol (not an option, not until 2010 anyway).

Gmail does work though, so it is surely possible for me to get it working, using Port 587. When I send newsletters using these settings though I receive a blank page.

I can use php_mail but when I change the default settings from Port 25 to 587 instead of getting email sent successfully, I receive the blank page again. There is something holding me back but I do not have enough knowledge or experience with this to have a clue, I don't even know where to begin.

Posted: Fri Mar 07, 2008 9:21 am

Yeah well technically you probably aren't supposed to be hosting a server like that (most ISP's forbid running a server of any kind). Find a web host. Smile

Posted: Fri Mar 07, 2008 9:38 am

Oh no its not forbidden, well I don't think it is lol. I am from England so maybe things work differently here, I know a lot of ISPs here block port 25 though.

I am trying to set-up a relay in xmail so it uses my gmail account, doesn't seem to be working yet but hopefully I will figure it out.

Posted: Fri Mar 07, 2008 9:47 am

True, I was speaking from a US perspective. Well....good luck! But why put yourself through all that when you can find a web host? I wouldn't want to have my own PC on the internet like that. Yikes. Smile

Posted: Fri Mar 07, 2008 9:51 am

I dunno, I quite like running it myself it allows me to modify everything and anything, plus I don't need to use crappy ftp programs hehe. Yeah it is definitely scary at times, I try not to read the logs lol.

Ah well, what's the worst that could happen? Actually, don't tell me lol

Anything you can suggest other than buying hosting to help with my mail issues hehe?

Posted: Fri Mar 07, 2008 12:06 pm

Hosting really isn't that expensive, you can get it for £9 a year from some UK hosts. .....but of course Raven's is the best. Wink

That way you don't have the worry if mucking something up on your server and letting all the script kiddies in.

Client Joined: Jan 29, 2004 Posts: 624

vaudevillian wrote:

To curb forum spamming, go to the admin control panel under the forums module.
Under General admin, click on configuration. In there a setting call flood Interval you can set this higher then the defualt of 15 seconds.

Then under user admin. Click on ban control. You Can use this short list I have compiled so far. Put these emails in.

*@sevastopol.in
*@mymail-in.net
*@s2worldsports.net
*@c2voyage.org
*@babusya.com
*@d2pills.org
*@s2sportblog.org
*@mail.ru
*@email.net
*@mail2.hqhost.net
*@hot-pussy.info (sorry raven, was a huge bot spammer on my stand alone boards. nothing like waking up to a crap load of porn all over your board.)
*@mail.health-ua.com
*@cheapoemsoft4u.net
*@jetfix.ee
*@email.com
*@e-mail
*@gawab.com
*@gmail.net
*@inbox.ru
*@objes.com
*@mymail.com
*@mp3-world.us
*@bk.ru
*@cowdump.com

Well thats all I have right now.

Thanks vaudevillian Smile

If you can come up with more post them as a public service.

And phearfactor, all we need to phear is phear itself. RavenNuke including the Forums is way more secure than the PhPNuke turned out by FB. There is no comparison.

Posted: Fri Mar 07, 2008 8:57 pm

That is what I was thinking, I was just worried that the forum didn't reside under the secured bits you see. Good to know it does!

I have sorted out some alternate hosting now, emails seem to be working fine with the default settings, thankfully lol. Just need to work out how CGIAUTH works as the host doesn't seem to support the other one, the one I had already got running (bah humbug lol).

Ah well, it's all fun and games!

Thanks for the posts everyone, you have been very helpful.

Oh, just thought of something. Do I have to keep my phpbb forum up to date or should the RN updates be enough to cover the forum too?

Posted: Fri Mar 07, 2008 9:21 pm

cgiauth is not that difficult. I have some really simple directions here
http://www.southernwolf.net/cgiauth.txt
RavenNuke 2.20.01 updated the Forums too to 2.0.23, if other phpbb releases come out use those if you want.

Posted: Sat Mar 08, 2008 2:07 am

phearfactor wrote:

Oh no its not forbidden, well I don't think it is lol. I am from England so maybe things work differently here, I know a lot of ISPs here block port 25 though.

I am trying to set-up a relay in xmail so it uses my gmail account, doesn't seem to be working yet but hopefully I will figure it out.

Most UK ISP's will allow mail on port 26 if port 25 is blocked.
If your ISP is Blueyonder, Telewest or NTL these are all now owned by Virgin Media but their existing policy is still that they only allow 10 concurrent connections via a pasword protected connection to your PC.

Posted: Sat Mar 08, 2008 2:27 am

Yeah, I am using ADSL2+ (Be*) and they just out-right blocked most useful things heh. I could work around it by paying them £4 a month, in which case they then allow its use.. But I found a host that was even cheaper than that, silly ISP.

Posted: Sat Mar 08, 2008 5:05 pm

£4?? How much is that in USD?