Archive for September, 2007

CHAPTER 10 SECURING AND MAINTAINING PHPBB 305

Sunday, September 30th, 2007

Setting Per-User Permissions

phpBB gives administrators the option to assign permissions to forums with Private permissions on a per-user basis, through the User Permissions Control panel. Here, you can also designate users as forum moderators. Like the Forum Permissions panel, the User Permissions Control panel comes in Simple Mode and Advanced Mode. Figure 10-6 illustrates the permissions of a generic user, Joe Blo, in Simple Mode, and Figure 10-7 displays the same user's permissions in Advanced Mode.

Figure 10-6. Joe Blo's permissions, in Simple Mode

Figure 10-7. Joe Blo's permissions, in Advanced Mode

Note three things about the user permissions screen in this example:

Joe Blo is currently a regular user, changeable to Administrator via the drop-down box in the top-left corner.

Joe is not a moderator of any forum.

After setting the permissions you want, click Submit,

Saturday, September 29th, 2007

After setting the permissions you want, click Submit, and your changes will be successfully applied. You can test your permissions by logging out and logging back in as a normal user.

Tip: When setting permissions on your forums, it's a great idea to have a generic user account and a moderator account for testing your permissions. Since having administrative rights trumps all permissions, you need to have a way to get some idea of what to expect when other users and moderators interact with your forum.

ADVANCED PERMISSIONS IN ACTION: AN ANNOUNCEMENT FORUM

Many communities offer a forum dedicated to moderators and administrators posting announcements concerning the board. Some communities lock out all posting by nonstaff members. phpBB's permissions system gives you a unique opportunity to create an announcement forum that restricts creation of new topics to administrators and moderators, but permits registered users to give feedback on those posts. Putting feedback posts on specific announcements in their own topics helps keep the rest of your forums on topic.

First things first: you need to create your forum in the Forum Administration panel. (For a refresher on creating forums, see Chapter 8.) Keep the forum unlocked and do not enable auto-pruning.

Next, go to the Forum Permissions panel and select the forum you just created. You'll need to use Advanced Mode, as the permissions are very fine-tuned. As shown in the following example, I'm going to let all users see and read the forum; registered users post replies, edit their own posts, and vote in polls; moderators and administrators make new topics, delete posts, and create new polls; and administrators give priority (sticky/announcement flags) to topics. Feel free to adjust these permissions as desired. For example, if you want only administrators to be able to make forum-wide announcements, set the Post permission to ADMIN.

Click Submit, and then log in as a regular user. You'll notice that you don't have permission to create a new topic in the forum. Now, log in with your administrator account, and try again. This time, it works! Your regular users should still be able to reply to topics in that forum, which you can test by creating a topic and logging back in with your regular account and trying a reply.

You now have a unique forum for your users to sound off about your announcements in the proper threads, which encourages discourse between the staff and the users, and ultimately fosters a healthy community.
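The log-out-and-try-it test described above can also be written down as a table of expectations and checked for every role at once. The following is an added example, not code from the book or from phpBB: it models the five options of Table 10-1 and the announcement forum settings given in the text. The action names beyond View, Read and Post are assumed labels, and PRIVATE is modeled as an explicit grant only.

```python
from enum import Enum

class Level(Enum):
    ALL = "ALL"          # everyone, logged in or not
    REG = "REG"          # registered users who are logged in
    PRIVATE = "PRIVATE"  # users/groups with specific permissions in this forum
    MOD = "MOD"          # moderators and administrators
    ADMIN = "ADMIN"      # administrators only

ROLES = ("guest", "registered", "moderator", "administrator")

# The announcement forum as the text describes it (action names are assumed labels).
ANNOUNCEMENT_FORUM = {
    "view": Level.ALL, "read": Level.ALL,
    "reply": Level.REG, "edit": Level.REG, "vote": Level.REG,
    "post": Level.MOD, "delete": Level.MOD, "pollcreate": Level.MOD,
    "sticky": Level.ADMIN, "announce": Level.ADMIN,
}

def allowed(role, action, forum, private_grants=()):
    """Return True if `role` may perform `action` in `forum`."""
    if role == "administrator":
        return True  # administrators cannot be denied any forum feature
    level = forum[action]
    if level is Level.ALL:
        return True
    if level is Level.REG:
        return role != "guest"
    if level is Level.PRIVATE:
        return action in private_grants  # simplification: explicit grant only
    if level is Level.MOD:
        return role == "moderator"
    return False  # Level.ADMIN

def effective_matrix(forum):
    """Map each role to the set of actions it can actually perform."""
    return {role: {a for a in forum if allowed(role, a, forum)} for role in ROLES}

def surprises(forum, expected):
    """Compare effective access with the intended policy.

    Returns (role, action, "extra" | "missing") tuples, empty when they agree.
    """
    found = []
    actual = effective_matrix(forum)
    for role in ROLES:
        for action in sorted(actual[role] - expected[role]):
            found.append((role, action, "extra"))
        for action in sorted(expected[role] - actual[role]):
            found.append((role, action, "missing"))
    return found

# Intended policy, written independently of the forum settings.
READ_ONLY = {"view", "read"}
FEEDBACK = READ_ONLY | {"reply", "edit", "vote"}
STAFF = FEEDBACK | {"post", "delete", "pollcreate"}
INTENDED = {
    "guest": READ_ONLY,
    "registered": FEEDBACK,
    "moderator": STAFF,
    "administrator": set(ANNOUNCEMENT_FORUM),
}

if __name__ == "__main__":
    print(surprises(ANNOUNCEMENT_FORUM, INTENDED))
    # Constructed misconfiguration: Post left at REG instead of MOD.
    print(surprises(dict(ANNOUNCEMENT_FORUM, post=Level.REG), INTENDED))
```
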

CHAPTER 10 SECURING AND MAINTAINING PHPBB 303

Friday, September 28th, 2007

Mastering phpBB Permissions

Now that your board is at the latest software revision, it's time to go through and perform an audit of your forum and member permissions. Here, I'll discuss how to harness the power of the phpBB permissions system and use it to your advantage.

Using Advanced Forum Permissions

Back in Chapter 8, you learned how to create new forums and set basic permissions on them using the Simple Mode of the permissions screen. While the permission presets cover the most common usages, chances are you will want to delve into the more advanced options phpBB offers. The first step is to become acquainted with the permissions system's Advanced Mode, illustrated in Figure 10-5.

Note: Regardless of permission settings, administrators automatically have access to all forum features, and they cannot be denied access to those features.

Figure 10-5. Advanced forum permissions

To set permissions for a specific action, use the drop-down options available underneath each category (View, Read, Post, and so on). The five possible options you can set are described in Table 10-1.

Table 10-1. phpBB Permission Options

ALL: All users, logged in or not, will be able to use the specified feature.
REG: Only registered users who are logged in will be able to use the specified feature.
PRIVATE: Users or user groups with specific permissions in this forum have access to features marked as private.
MOD: Moderators and administrators will have access to the feature.
ADMIN: Forum administrators will have access to the feature.

302 CHAPTER 10 SECURING AND MAINTAINING PHPBB

Thursday, September 27th, 2007

Running the Upgrade Script

After the upload has completed, you need to take one more step. Go to the following URL (substituting yourdomain.com and your_phpBB_path accordingly):

http://yourdomain.com/your_phpBB_path/install/update_to_latest.php

This script performs any changes necessary to the database and updates a database field with the latest version. This allows the reporting tool in the Administration panel to report accurate version information. After the script has run, which usually takes no longer than a few seconds, reenter your FTP program and delete the install and contrib folders, as you no longer need them.

Congratulations, your upgrade is complete! Now is a good time to test your board and make sure that everything is working as anticipated, especially if modifications are involved. If you run into problems, make sure you didn't miss uploading any files or incorrectly edit one of them when reinstalling modifications. If you've verified your installation instructions for a modification and it still isn't working, you may wish to remove it temporarily and get in touch with the author of the fix and see if there are any incompatibilities.

Upgrading with the Patch File Only Package

Installing upgrades to heavily modified phpBB installations can be a royal pain in the neck. You must manually go through each file and remodify it, making sure that nothing new is broken in the process. It gets to be a very tedious process after a while, and the possibility of human error is great. If you have one of these boards and need to perform upgrades to it, lack patience, and have access to a UNIX command line, you can use the patch file only package provided by the phpBB Group to quickly upgrade your board, thanks to the patch utility.

The first step is, as always, to back up a current copy of the board software to a safe place, in the event the patch utility does not work as planned. The phpBB Group recommends that you have a copy of the changed files only package handy, in the event the patch upgrade fails in spots (a rare occurrence).

Next, create a separate folder to hold your files, and extract the contents of the /install directory there. You'll also extract the .patch file that corresponds with your current version of phpBB. Extract the .patch file to the folder you specify, and then run the following command at the command line:

patch -cl -d [phpBB directory] -p1 < 2.0.x_to_2.0.y.patch

where x represents the current revision of phpBB you are running, and y is the latest release of phpBB you are patching.

With any luck, you'll get through the patching process without problems. If a file fails to patch, extract its corresponding file from the changed files only package and copy over it. In this scenario, unfortunately, you will need to reapply modifications to the file manually.

After running patch, visit this URL:

http://yourdomain.com/your_phpBB_path/install/update_to_latest.php

This will verify the database for the new version of the software. Test your board thoroughly, especially in places where modifications were made. With any luck, you will be up and running without any problems.

CHAPTER 10 SECURING AND MAINTAINING PHPBB 301

Wednesday, September 26th, 2007

Caution: Now is an excellent time to back up the files from your existing installation to a safe place (especially if modifications are installed), just in case something doesn't work out as planned. You may even wish to perform a database backup using the backup tool in the Administration panel for added safety, as discussed in the "Backing Up and Restoring Your Database" section later in this chapter (though phpBB point releases rarely, if ever, see any wholesale database changes). Backing up is a good habit to get into, and you're better off safe than very, very sorry later.

I recommend creating a separate folder for the files you are about to expand. This helps you remember which files and folders have been updated and which ones haven't, saving you from possible confusion and uploading more than necessary.

You won't expand everything in the package, far from it. You will need to expand the install directory and its subdirectories, which contain the database upgrade script, and the appropriate 2.0.x_to_2.0.y.zip archive, where 2.0.x is the version of phpBB you are running. For example, if you are upgrading a phpBB 2.0.13 to version 2.0.16, you'll choose the 2.0.13_to_2.0.16.zip file. This file contains all the changes between versions 2.0.13 and 2.0.16. The upgrade to the latest version of phpBB is cumulative; therefore, it is unnecessary to install 2.0.14 and 2.0.15 to upgrade to 2.0.16 from 2.0.13, for example.

Considering Your Modifications

If you haven't installed any modifications (discussed in detail in Chapter 11), you can safely skip this section. If you have, you must take into consideration the modifications you have installed. It is always a wise idea to check with the author's homepage or distribution site where you obtained your hacks to see if new versions are available for the upgraded version of phpBB. Although the members try to minimize disruption, sometimes the phpBB Group is forced to make a change between revisions that can have an adverse effect on an existing hack. Other times, an outdated version of a modification could introduce a security hole that the new release was supposed to fix, which would certainly be counterproductive! Fortunately, volunteers at various hack distribution points, such as phpBBHacks.com and phpBB.com, verify that the most popular modifications work with the new release within a day.

Since the files in the changed files only package are clean, unmodified files, installing them directly over your modified board may produce adverse results of varying severity, depending on how many hacks you've installed and the complexity of your hacks. You will need to reinstall any modifications you've made to any of the changed files. If upgrades are available, reinstall the updated modification using the new files you've just expanded.

Uploading the Upgrade

Now that you've verified your modifications (if necessary), you're ready to upload the files to the server. Fire up the FTP program of your choice (I use SmartFTP, http://www.smartftp.com), connect to your host's FTP server, navigate to where your phpBB version is currently installed, and upload the files you extracted from the package to your server, overwriting anything with the same name (overwriting is not a risk as long as you've backed up your files). This could take a few minutes, depending on your connection speed.
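Which of the files you are about to upload would overwrite a modified file can be worked out before connecting to the server. The sketch below is an added example, not from the book or the phpBB Group; it assumes you keep an unmodified copy of the currently installed release (`pristine`) next to a copy of the live files (`board`) and the expanded package (`update`), and every file name in it is constructed.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_of(path):
    """Hex SHA-256 of a file's contents."""
    return hashlib.sha256(path.read_bytes()).hexdigest()

def plan_upgrade(board, pristine, update):
    """Classify every file in the expanded update package.

    overwrite        - live file is identical to the clean release: safe to replace
    reapply_mods     - live file differs from the clean release: a modification
                       lives here and must be reinstalled after the upload
    new              - file does not exist on the board yet
    unknown_baseline - no clean copy to compare against: inspect by hand
    """
    plan = {"overwrite": [], "reapply_mods": [], "new": [], "unknown_baseline": []}
    for src in sorted(p for p in update.rglob("*") if p.is_file()):
        rel = src.relative_to(update)
        live, clean = board / rel, pristine / rel
        if not live.exists():
            bucket = "new"
        elif not clean.exists():
            bucket = "unknown_baseline"
        elif sha256_of(live) != sha256_of(clean):
            bucket = "reapply_mods"
        else:
            bucket = "overwrite"
        plan[bucket].append(rel.as_posix())
    return plan

def _write(root, rel, text):
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)

def demo():
    """Build three small constructed trees and return the resulting plan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        board, pristine, update = root / "board", root / "pristine", root / "update"
        # Clean copy of the release currently installed (constructed content).
        _write(pristine, "a.php", "<?php /* old release */ ?>")
        _write(pristine, "includes/b.php", "<?php /* old release */ ?>")
        # Live board: a.php carries an installed modification, b.php is untouched.
        _write(board, "a.php", "<?php /* old release + hack */ ?>")
        _write(board, "includes/b.php", "<?php /* old release */ ?>")
        # Expanded changed-files archive for the new release.
        _write(update, "a.php", "<?php /* new release */ ?>")
        _write(update, "includes/b.php", "<?php /* new release */ ?>")
        _write(update, "includes/c.php", "<?php /* new release */ ?>")
        return plan_upgrade(board, pristine, update)

if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket}: {files}")
```

Files listed under `reapply_mods` are the ones whose modifications need to be reinstalled on top of the new release.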

300 CHAPTER 10 SECURING AND MAINTAINING PHPBB

Tuesday, September 25th, 2007

Figure 10-4. The contents of the changed files only package

The changed files only package contains the following:

cache: A directory that exists as part of an optional file-based template-caching system. (I will discuss the template-caching systems available in the "Using Template Caching" section, later in the chapter.)
contrib: A directory that contains the template-caching implementations and a database diagnostic tool.
docs: A directory that contains late-breaking documentation and release notes for the updated version of phpBB you are about to install.
install: A directory that contains the necessary upgrade scripts to complete the process of updating your board to the new version.
2.0.x_to_2.0.y.zip/.tar.gz: A series of compressed files containing all the changed files from version 2.0.x (where x is the older revision of phpBB) to the newer version (represented as 2.0.y), which is phpBB 2.0.17 at the time of this writing.

Expanding the Updated Files

Now that you've downloaded and examined the upgrade package's contents, it's time to expand the appropriate files and upload them to your server.

CHAPTER 10 SECURING AND MAINTAINING PHPBB 299

Thursday, September 20th, 2007

If you are running the latest release of phpBB, you'll see a message in green stating that your software is up-to-date and that no further upgrades are available. If not, you'll see the message in Figure 10-3, colored in red, notifying you that a newer version is available.

Tip: If the Administration panel lacks the update check, as shown in Figure 10-3, you'll want to point your browser at phpBB.com to download the latest available version posthaste. Versions of phpBB earlier than 2.0.13 can be dangerously vulnerable to attack.

If you prefer, you can have update notifications delivered directly to your Inbox. Simply visit http://www.phpbb.com/support/, and enter your e-mail address in the field for the mailing list. You will then be notified via e-mail of security fixes and new versions when they become available.

Obtaining Updates

You obtain upgrades to phpBB in a similar fashion to how you initially obtained the full phpBB package: through the phpBB.com Downloads page. Instead of downloading the full package, this time you'll want to download the changed files only package, which as you might expect, contains only the changed files leading up to the current version.

Caution: The changed files only package can be quite large in size, upwards of 4MB. This is because the package contains updates specific to each older version of phpBB 2, starting all the way with phpBB 2.0.0. If you connect to the Internet using a dial-up modem, you may find it easier to simply download the full package and remodify your board, or use the patch file only package.

On the other hand, if you have a lot of modifications installed and have access to a UNIX command line, you may wish to spring for the patch file only package, which contains files specifically designed for use with the UNIX patch utility. This utility can save you a great deal of time when dealing with a heavily modified board.

Upgrading with the Changed Files Only Package

The changed files only package is generally the most straightforward and reliable method of upgrading your board. To download it, choose the file you wish to download (on Windows, the safest bet is the .zip file; on UNIX or Linux, either the gzip or bz2 compressed files will do) by clicking its icon. Download the file to a safe place, and then open it. Figure 10-4 illustrates what the changed files only package contains at the point of the latest release at the time of this writing.

298 CHAPTER 10 SECURING AND MAINTAINING PHPBB

Wednesday, September 19th, 2007

Guidelines for Strong, Secure Passwords

A strong password policy, particularly for people with power, is crucial to security. Having staff members rotate passwords on a regular basis is good common sense. Using strong passwords with a mix of letters, numbers, and symbols helps prevent hackers' dictionary attacks. Thankfully, if they should break in, hackers cannot glean passwords from the database, as phpBB encodes passwords in the database using the MD5 one-way algorithm. This prevents intruders from deciphering the passwords in the database should they get that far. This also means that if you forget your password, you will need a new one.

Note: The MD5 one-way algorithm has its advantages and its disadvantages. Passwords must be stored in the phpBB database, but in their encrypted form. When someone logs in to the forum, the password she supplies at login time is encrypted, and that is compared with the encrypted password stored in the database. No decryption takes place, because the MD5 algorithm is a one-way encryption. This has the advantage of passwords being unlikely to be decrypted (never say never!) should any malicious intruder break into your database. However, this means that any passwords cannot be e-mailed to the forgetful board user, which is a small price to pay for the level of security MD5 affords.

Installing Updates

All the permissions in the world won't help you if your board has a flaw in its security, which could let Joe Hacker simply slip past those permissions! Fortunately, the phpBB Group regularly publishes updated versions of phpBB that contain security and other bug fixes. Keeping up with these updates, as tedious as it may be (especially if Chapter 11 inspires you to install a ton of modifications), is quite important, as updates have been known to be released in rapid succession. While installing updates can sometimes be a pain and an inconvenience, it is even more inconvenient and painful to catch up with a few updates in succession.

Keeping Abreast of Updates

The phpBB Group uses several methods of notifying administrators when phpBB upgrades are released. phpBB versions 2.0.13 and later sport an update check, direct from phpBB.com, on the front page of the Administration panel, as shown in Figure 10-3.

Figure 10-3. phpBB's upgrade notification message (note that this installation of phpBB 2.0.13 is outdated and should be upgraded)
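The login comparison from the password note above (hash what the user typed, compare it with the stored value, never decrypt) looks like this in code. This is an added example, not phpBB's code: `phpbb2_hash` reproduces the plain, unsalted MD5 digest that phpBB 2 stores, and the salted PBKDF2 format beside it, including its `pbkdf2_sha256$...` layout and the upgrade-on-login step, is an assumption chosen for illustration.

```python
import hashlib
import hmac
import os

def phpbb2_hash(password):
    """Unsalted MD5 hex digest: the same password always gives the same value."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def phpbb2_check(password, stored):
    """Hash the supplied password and compare; nothing is ever decrypted."""
    return hmac.compare_digest(phpbb2_hash(password), stored)

def pbkdf2_hash(password, salt=None, iterations=600_000):
    """Salted, deliberately slow hash (hypothetical storage format)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_check(password, stored):
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)

def login(password, stored):
    """Return (ok, value_to_store).

    A row still holding a legacy MD5 digest is re-hashed with the salted
    scheme on the first successful login, since only then is the plaintext
    password available to the server.
    """
    if stored.startswith("pbkdf2_sha256$"):
        return pbkdf2_check(password, stored), stored
    if phpbb2_check(password, stored):
        return True, pbkdf2_hash(password)
    return False, stored

if __name__ == "__main__":
    pw = "correct horse 7!"  # constructed sample password
    # Two accounts with the same password are indistinguishable under MD5 ...
    print(phpbb2_hash(pw) == phpbb2_hash(pw))
    # ... but not under a per-user salt.
    print(pbkdf2_hash(pw) == pbkdf2_hash(pw))
    ok, upgraded = login(pw, phpbb2_hash(pw))
    print(ok, upgraded.split("$")[0])
```
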

CHAPTER 10 SECURING AND MAINTAINING PHPBB 297

Tuesday, September 18th, 2007

Figure 10-1. The SQL query box in phpMyAdmin 2.6.1

You'll input a raw SQL query here. In the query box, type the following line to check who has administrator rights, substituting <prefix> with the database prefix you selected while setting up your phpBB (typically phpbb):

SELECT user_id, username FROM <prefix>_users WHERE user_level = 1

To check to see which users have moderator permissions, run this query:

SELECT user_id, username FROM <prefix>_users WHERE user_level = 2

The queries return the user ID number assigned by phpBB at registration and the username of the empowered users, in a table structured like the one shown in Figure 10-2.

Figure 10-2. The results of running the administrator query

Tip: If you find SQL queries cumbersome and inconvenient, as most people do, a far more graceful alternative to running these queries exists as a modification to the board. Visit http://www.phpbbhacks.com/download/2977 to download the feature, and flip ahead to Chapter 11 for pointers on installing it.

Auditing on a regular basis is a good method for detecting people who may have surreptitiously gained administrative or moderator access without your knowledge. If you find people who are administrators that you don't want as administrators, you can edit their permissions (see the "Setting Per-User Permissions" section later in this chapter) and remove their rights. Then be sure to read the "Installing Updates" section, coming up soon, as you may have a security flaw.
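The two audit queries become more useful when their results are compared against a list of the people who are supposed to hold each level. The script below is an added example, not part of the book or of phpBB: it runs the chapter's queries against an in-memory SQLite table that stands in for the MySQL `phpbb_users` table, and the sample rows and the approved list are constructed.

```python
import re
import sqlite3

ADMIN, MOD = 1, 2  # user_level values used by the chapter's two queries

def privileged_users(conn, prefix, level):
    """Run the chapter's audit query for one user_level."""
    # A table name cannot be bound as a parameter, so validate the prefix.
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError("unexpected table prefix")
    sql = (
        f"SELECT user_id, username FROM {prefix}_users "
        "WHERE user_level = ? ORDER BY user_id"
    )
    # sqlite3 uses "?" placeholders; MySQL drivers typically use "%s".
    return conn.execute(sql, (level,)).fetchall()

def audit(conn, prefix, approved):
    """Compare current privilege holders with the approved list.

    `approved` maps a user_level to the set of user_ids meant to hold it.
    Returns (role, user_id, username, finding) tuples.
    """
    findings = []
    for level, role in ((ADMIN, "administrator"), (MOD, "moderator")):
        rows = privileged_users(conn, prefix, level)
        current = {user_id for user_id, _ in rows}
        for user_id, username in rows:
            if user_id not in approved[level]:
                findings.append((role, user_id, username, "not approved"))
        for user_id in sorted(approved[level] - current):
            findings.append((role, user_id, None, "approved but level not set"))
    return findings

def demo_db():
    """Constructed stand-in for the phpBB users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE phpbb_users ("
        "user_id INTEGER PRIMARY KEY, username TEXT, user_level INTEGER)"
    )
    conn.executemany(
        "INSERT INTO phpbb_users VALUES (?, ?, ?)",
        [
            (2, "boardowner", 1),  # the administrator you expect
            (3, "joeblo", 0),      # regular user
            (5, "modsue", 2),      # the moderator you expect
            (9, "helper", 1),      # administrator nobody appointed
        ],
    )
    return conn

APPROVED = {ADMIN: {2}, MOD: {5, 7}}  # constructed approved list

if __name__ == "__main__":
    for finding in audit(demo_db(), "phpbb", APPROVED):
        print(finding)
```

Run on a schedule, an empty result means the privilege holders still match the approved list.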

296 CHAPTER 10 SECURING AND MAINTAINING PHPBB

Monday, September 17th, 2007

Appoint members that visit regularly: Your moderators should be around your community on a regular basis so that their assigned forums are properly maintained. I'll leave it to you to define "regular basis."

Limit moderators to one or two forums at first: It's tempting to create supermoderator positions (moderators who control every forum) and give every moderator free rein. However, especially in the formative stages of your community when you may or may not know your staff members well, you will want to keep moderators limited to one or two forums. They will not be able to use their powers outside those forums, and that's an important step in securing your forums.

Keep supermoderators to a minimum: If you wish to create supermoderator positions, with power over all forums, appoint just enough (one or two is usually plenty, but that can vary depending on traffic) to provide backup to existing moderators. Ideally, you should appoint supermoderators only when your board's traffic increases to the point where you need a couple people to back up the moderators.

Use extreme caution when appointing additional administrators: As your board grows and the administrative tasks increase, you won't have a choice but to add another administrator or two. Appoint someone who you can trust and have worked with (preferably a moderator). Administrators should have enough technical savvy to operate the board's controls, know how to fix problems, and know how to avoid problems. Administrators should also know how to put on a good public face, as they will likely be contacted often by new members who may be unfamiliar with the phpBB software. (I consider prior experience with the board software a major plus in an administrator.)

How to Audit Moderators and Administrators

Keeping an eye on who is permitted to do what is incredibly important. Sadly, phpBB 2.0 does not contain an easy way to audit the number of people with administrator or moderator rights. I typically resort to periodically running two simple SQL queries using the phpMyAdmin front end to MySQL. Here, I'll explain how to run those queries.

Note: Contact your hosting provider to determine the location of phpMyAdmin on the server, as this location varies from host to host.

When you have phpMyAdmin open, select the database you created for phpBB (when you installed phpBB, as described in Chapter 8) by clicking the name of the database in the left pane. This will load a listing of this database's tables in the main area of the window. Newer versions of phpMyAdmin (which most hosts run) have a SQL tab just above the area where the tables of the database are listed. Click that tab, and you'll be presented with a SQL query box, which should resemble Figure 10-1.