SMF 2.x Security Settings - General

Started by Skhilled, February 13, 2011, 11:17:43 AM


Skhilled

First, make sure your file and directory permissions are correct according to what your hosting has set. You must contact your hosting to find out what those are. We have no way of knowing. Having incorrect permissions for files and directories can allow others to see or possibly access files that you do not want them to see or have access to.

Making daily backups will also go a long way toward protecting your site. Do keep a number of backups handy in case you find that one or more are corrupted, hacked, or have other problems that may render them unusable. I suggest keeping a few monthly, weekly and daily ones somewhere (not on the server but on your hard drive, USB stick or CDs/DVDs) so you can go back as far as needed to get what you want. You never fully realize the importance of backups until you lose everything or your site gets hacked...trust me!

If nothing else, back up your database. It contains all of the most important info you need. It contains the posts, PMs, logs, users' info, etc. Even if you have lost all of your files, you can rebuild those later. But if you lose your database, you must start completely over from scratch! Adding the mods, images, coding edits, etc. is very minor compared to trying to remember and recreate every user, post, PM, etc.

Create an admin board and a separate staff board. Use the admin board for admins only and the staff board for the same.

Create a log of changes to the site and another for the server. Create a topic called "Changelog - Site" and only use it for any changes to SMF's settings, mods installed/uninstalled, etc. Also, create a topic called "Changelog - Server" and only use it to log what changes were made to the server. Things like backups, hosting changes, etc. You can name those topics anything that will help you to know what they are but keep them from the eyes of your users. Doing this, you can always go back and find out what you or a staff member did, when, where, and how. Add these logs to the Admin board.

You can also create a "Changelog - Users" just for users. Use this for making a name change for a user, banning users, trouble makers, etc. Add these logs to the staff board so staff can be aware of potential trouble makers.

And NEVER set your forum's registration settings to "Immediate Registration"! Anyone can join...this includes spammers, hackers, trouble makers, etc. I recommend setting it to "Email Activation" or "Admin Approval". With "Email Activation", the potential user must verify their email address before registering. With "Admin Approval", you must explicitly approve users before they are allowed to join.

No matter which one you use I highly suggest that you run their IP, user name and email address through http://www.stopforumspam.com. You should also run their IP through http://www.projecthoneypot.org/search_ip.php. If you find them on either site you can block them and you should also take the time to add them to the list yourself.

Now on to the SMF settings... Enabling these particular settings will allow you to have more options in your admin. Those options created will be covered in detail in other topics in this board.

Go to Admin -> Configuration -> Core Features and enable the following (these will be explained later):

    * Moderation, Administration, and User Logs.
    * Post Moderation
    * Report Generation
    * Warning System

Moderation, Administration, and User Logs - This setting will turn on the logs for each of these so you can keep track of what is going on and have a record of it. Moderation will log all moderation actions of users and the staff that implemented them. Administration will track all admin and staff actions when using the admin section of SMF. User logs will log user actions.

These can help determine who, what, where, when, and how something happened and are much easier than reading the server logs.

Post Moderation - gives you the ability to moderate users' posts. For instance, you can not allow a certain user to make posts until you approve them.

Report Generation - allows you to create reports on a variety of things to help make things easier than searching by normal means.

Warning System - works in conjunction with Post Moderation. Allows you to warn users invisibly (only staff can see) or openly (everyone can see including the warned user). This is useful for keeping track of suspected trouble makers if you do it invisibly. You can also do it openly to let others know that the user is a trouble maker which will also embarrass that user as well. You can even send an email to the user alerting them to the issue(s) at hand. I suggest using this sparingly in case you've made an error. However, you can always change it later.
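
The registration check described above (running a new member's IP, user name and email address through StopForumSpam) can be scripted. This is an added example, not part of the original post or of SMF: the endpoint, the `f=json` parameter and the response fields are assumed from StopForumSpam's public API, the sample response is constructed, and the reject/hold policy is only an illustration.

```python
import json
from urllib.parse import urlencode

# Assumed public endpoint; confirm against the service's current documentation.
API = "https://api.stopforumspam.org/api"

def build_query(ip, email, username):
    """Build one lookup URL covering all three values from a registration."""
    return API + "?" + urlencode(
        {"ip": ip, "email": email, "username": username, "f": "json"})

def screen(response, min_confidence=50.0):
    """Return {field: evidence} for each value listed with enough confidence."""
    if response.get("success") != 1:
        raise ValueError("lookup failed: " + str(response.get("error", "unknown")))
    hits = {}
    for field in ("ip", "email", "username"):
        entry = response.get(field) or {}
        # Low-confidence listings are ignored so one stale report does not
        # lock out a legitimate member.
        if entry.get("appears") and float(entry.get("confidence", 0)) >= min_confidence:
            hits[field] = "seen %d times, last %s" % (
                entry.get("frequency", 0), entry.get("lastseen", "?"))
    return hits

def decide(response, min_confidence=50.0):
    """Illustrative policy: a listed IP or email is rejected; a listed user
    name alone is held for admin approval, since names collide by chance."""
    hits = screen(response, min_confidence)
    if "ip" in hits or "email" in hits:
        return "reject"
    return "hold" if hits else "allow"

# Constructed sample response (documentation-range IP, not real data).
SAMPLE = json.loads("""{"success": 1,
  "ip": {"appears": 1, "frequency": 41,
         "lastseen": "2011-02-12 08:15:02", "confidence": 93.4},
  "email": {"appears": 0, "frequency": 0},
  "username": {"appears": 1, "frequency": 2,
               "lastseen": "2010-06-01 10:00:00", "confidence": 4.1}}""")

if __name__ == "__main__":
    print(build_query("203.0.113.7", "new.user@example.com", "newuser"))
    print(screen(SAMPLE), "->", decide(SAMPLE))
```

With "Admin Approval" enabled, the "hold" result corresponds to leaving the account in the approval queue for a staff member to review.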

Skhilled

This is now an article which can be found in the SMF 2 Security block and has been updated. :)