In my opinion, other than the 'given' methods of removing one time installation scripts, not enabling html/java/flash and upgrading every time a patch comes out, the most important thing for a bulletin board owner is to hide his board version number if he can't upgrade as soon as a software patch is released.

Why?

Because as far as I am concerned, you can never protect yourself against 0-days hacks unless your are insanely good at web security and run your forums off a server you have full access too.

However bearing this in mind, when patches for your software are released, it's fair to say that version specific bugs are publically known to hacking groups. They can then google for e.g. "Powered by vBulletin Version 3.5.3" and hack every single board they encounter in a systematic fashion with their publically known hacks.

In conclusion, I feel removing your version number from website footer (especially if due to a heavily hacked board you can't upgrade quickly) is the best security measure you can do.

Interesting ideas. And for BBS options where that doesn't violate the TOS, it would be well worth it.

I was just checking this at vb.com, and you are allowed to do this with vb.
http://www.vbulletin.com/forum/showt...d_by_vbulletin

In the 'powered_by_vbulletin' phrase, I changed:
to:
The 3.5 for benefit of those who recognise the difference between 3.0 and 3.5 obviously.

That will only work with real newbies.

Experienced hackers use bots and that doesn't check the version number. If you have access to your server logs, especially the error log, you will see a sequential bot exploit checkers.

__________________
AZbb :: AZ Bulletin Board - Secure PHP BBS script, front page CMS, Chat, No Database

^ ^
I did place my point in context however. It's my opinion you can never be 100% secure against real hackers. However people googling for exploits who then google for outdated vbs shouldn't have things so easy.

That is true. However, script-kiddies do not usually have access to 0-day exploits.

Admins should regularly check with the forum software developer to make sure their software is up-to-date. I have seen some ancient version of software running in some places.

And finally, choosing a software that is fundamentally secure, and resisting the urge to install mods written by unknown parties, will greatly reduce the risk.

Good luck
AZ

__________________
AZbb :: AZ Bulletin Board - Secure PHP BBS script, front page CMS, Chat, No Database

I think it's was a good decision of the phpBB group to hide the version number. They have an automatic update check so that you are informed when a new version of phpBB is avaible.

You can disable posts by guests, that will make it much hard for spambots. You can also enable visual confirmination this will result in that bots can't register at your site. And like you also said in your startpost: disable HTML in posts.

Further you could block know spambots and other bots through .htaccess or the IIS version. You could SEND (I'm not talking about storing and comparing) the passwords encrypted. You can disable image tags. You could disable remotley hosted avatars, if you allow avatar uploading a stricter image check would be good or just disable avatar uploading.

__________________
.premodded - Premodded phpBB.

To bump my thread, with vb 3.5.4 out, here's best board sitting around with 3.5.3 in its footer.

If I knew the 3.5.3 exploit (which I don't but give me time) I would know straight away I could abuse it here.

My board is both upgraded and hiding its version number of course ^_^

I have been doing this for awhile on my sites.

__________________
Ford Mustang Forums - F-Series Trucks

Well, you are a valid license holder. So you could compare the current files to the updated ones and probably figure it out from there.