Zealots Of Shiverpeak

A Guild Wars Guild


Security Update 01

Post any changes, ideas, or anything that concerns the Forums here.

Postby EmptySea » Tue Mar 20, 2007 11:55 pm

Created the file robots.txt

The file will stop some robots from scanning the memberlist.php file in our forums, thereby stopping silent bots to a certain point.

File Contents:

User-agent: *
Disallow: /forums/memberlist.php
EmptySea
 

Postby Damadmoo » Wed Mar 21, 2007 12:09 am

Why don't you disallow the whole forum directory? It is not like it will have any useful items for the bots anyway :)

If it is allowed to read the threads but not the memberlist, then it is still able to get all information from all members who posted anyway.
Member of We Blame It On [Cody]
Damadmoo
Cody Member
 
Posts: 137
Joined: Sat Feb 10, 2007 10:54 pm
Location: Veenendaal, Netherlands

Postby Belorn » Wed Mar 21, 2007 12:07 pm

Interesting, I didn't know you could provide simple directions to non-malignant bots.

Disabling /forums/ will probably disable Google search on "ZoS Forum", or at least after the old search link gets removed, because it can't provide link validation on it. That is, if it follows the directions given and/or does link validation checks.
Belorn
ZoS Member
 
Posts: 727
Joined: Mon Feb 12, 2007 5:41 pm

Postby Damadmoo » Wed Mar 21, 2007 12:18 pm

Well, the main reason for not showing the memberlist is so the email addresses don't get published (at least I don't see another reason for doing that). Another way to achieve this is taking out all pages where the email address can show. The other pages which should be restricted are viewtopic.php and profile.php. Without the viewtopic.php page there is no use for any search engine bot to spider through the pages of this forum.

Another way to secure the email addresses might be a setting in phpBB. Though I haven't used it in quite some time, so I have no idea whether it is actually possible to not show the direct email address but still be able to send email to it.
Member of We Blame It On [Cody]
Damadmoo
Cody Member
 
Posts: 137
Joined: Sat Feb 10, 2007 10:54 pm
Location: Veenendaal, Netherlands
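Added example, not code from the thread or from phpBB: the robots.txt posted above, and the whole-directory variant suggested in the replies, run through Python's standard-library robots parser against the three pages this thread names (memberlist.php, viewtopic.php, profile.php). The hostname is a placeholder. Note that robots.txt only instructs cooperative crawlers; nothing in the file stops a bot that ignores it from fetching a disallowed page.

```python
from urllib.robotparser import RobotFileParser

# The robots.txt posted above, plus the whole-directory variant proposed in reply.
POSTED_ROBOTS = """User-agent: *
Disallow: /forums/memberlist.php
"""

WHOLE_FORUM_ROBOTS = """User-agent: *
Disallow: /forums/
"""

# Placeholder host (assumption): the guild's real forum address is not on the page.
SITE = "http://forum.example.invalid"

# The three pages this thread names as showing member details.
FORUM_PAGES = [
    "/forums/memberlist.php",
    "/forums/viewtopic.php",
    "/forums/profile.php",
]


def build_parser(robots_text):
    """Parse a robots.txt body without fetching anything over the network."""
    rp = RobotFileParser()
    rp.parse(robots_text.splitlines())
    return rp


def allowed_paths(robots_text, paths, agent="*"):
    """Map each path to True if a crawler honouring robots.txt may fetch it.

    Disallow lines are plain prefixes: "/forums/" covers "/forums/x.php"
    but not "/forums" without the trailing slash, and matching is case-sensitive.
    """
    rp = build_parser(robots_text)
    return {p: rp.can_fetch(agent, SITE + p) for p in paths}


def exposed_pages(robots_text, agent="*"):
    """Pages from FORUM_PAGES that a well-behaved crawler can still index."""
    allowed = allowed_paths(robots_text, FORUM_PAGES, agent)
    return sorted(p for p, ok in allowed.items() if ok)


if __name__ == "__main__":
    for label, text in (("posted", POSTED_ROBOTS), ("whole /forums/", WHOLE_FORUM_ROBOTS)):
        print(f"{label}: still crawlable -> {exposed_pages(text) or 'nothing'}")
    # robots.txt is advisory: a bot that ignores it can still request any of these.
```

With the posted file, viewtopic.php and profile.php remain crawlable; with the whole-directory rule, none of the three are, which is exactly the trade-off against search indexing discussed in the replies.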

Postby Belorn » Wed Mar 21, 2007 12:31 pm

Profile->Preferences->"Always show my e-mail address:"
*gives some anti-spam protection*

There is a second use of disabling non-logged-in users from seeing anything, and that is brute-force attempts on user accounts. Now, a *much* better method to protect yourself from that is strong passwords on things like admin and officer accounts. :)

Hmm, I wonder how many login attempts a login.php page for bb forums gets from bots per day, and if disabling the memberlist changes any patterns. If I get time someday I might spend a few moments building a honeypot to get some data.
Belorn
ZoS Member
 
Posts: 727
Joined: Mon Feb 12, 2007 5:41 pm

Postby Damadmoo » Wed Mar 21, 2007 12:55 pm

I am aware of that function. Though then people don't have a way to reach me outside the boards. Of course I could always set it so I get an email as soon as I get a personal message on the board.

Brute force really is not that much of a problem on a phpBB forum. I know the newer versions have protection against it. The thing is that brute force will never be done on the actual server itself. The thing they do is sniff the internet connections and wait for a username with a hashed password to go past. Then they brute force until they get the same hashed password and then they will use that to log in. Taking out the memberlist doesn't give any extra protection against this.

Though I think this is going way beyond the reason for taking out the memberlist from search engines. But saying that you did add a security protection while you don't actually add any protection is a bit bad :D
Member of We Blame It On [Cody]
Damadmoo
Cody Member
 
Posts: 137
Joined: Sat Feb 10, 2007 10:54 pm
Location: Veenendaal, Netherlands

Postby Belorn » Wed Mar 21, 2007 4:53 pm

Hashed passwords? *smiles*, you must be thinking about logins to Unix or Windows :). Forum passwords and usernames go in plaintext, and yes that is a very sad thing *sad face*.

Oh well, a big thumbs up to EmptySea for supporting and improving our forum!
Belorn
ZoS Member
 
Posts: 727
Joined: Mon Feb 12, 2007 5:41 pm

Postby Damadmoo » Wed Mar 21, 2007 9:31 pm

You can't be sure that phpBB still didn't put in the hashed password part......

That is one of the reasons why I stopped using it a few years ago, and they still didn't add that...

Decent forums at least crypt the password with JavaScript before sending it over the internet. Of course not everyone has JavaScript enabled, so first they check whether the login or the hashed value is the thing they got. And if not, then they hash the value they got and then do a check.
Member of We Blame It On [Cody]
Damadmoo
Cody Member
 
Posts: 137
Joined: Sat Feb 10, 2007 10:54 pm
Location: Veenendaal, Netherlands

Postby Belorn » Thu Mar 22, 2007 12:31 am

Well, I made a check with Wireshark today, using Firefox with all Java enabled, and it still gave me user/pass in clear text... I'm not sure about IE, but that's because I refuse to use it :).
If you are curious, just download Wireshark at http://www.wireshark.org/ and test... it's got graphics, colours and a cool "follow TCP connection" to see stuff in text.
Belorn
ZoS Member
 
Posts: 727
Joined: Mon Feb 12, 2007 5:41 pm
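Added example, not code from the thread, phpBB or Wireshark: the two pieces the last few posts discuss, modelled together in Python. First, what a "follow TCP connection" view of a forum login over plain HTTP gives a passive listener; second, the JavaScript-or-plaintext server check described a few posts up. The hostname, the login form field names (username/password posting to /forums/login.php) and the unsalted MD5 verifier are assumptions for the example. Because that check accepts the submitted value as-is when it already equals the stored hash, whatever appears in the password field on the wire, plaintext or pre-hashed, logs the listener in on replay; wire_value_replays checks exactly that.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Assumptions for this example: the login form posts "username" and "password"
# to /forums/login.php, the host is a placeholder, and the stored verifier is
# an unsalted MD5 hex digest.
HOST = "forum.example.invalid"


def login_request(username, password_field):
    """Build the raw HTTP request a browser sends for the login form.

    password_field is whatever ends up in the password box: the plaintext
    password for a normal form, or the client-side hash if JavaScript
    pre-hashed it before submission.
    """
    body = urlencode({"username": username, "password": password_field, "login": "Log in"})
    return (
        f"POST /forums/login.php HTTP/1.1\r\n"
        f"Host: {HOST}\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"\r\n"
        f"{body}"
    )


def credentials_from_stream(raw):
    """What a passive sniffer reads off the wire (the 'follow TCP stream' view)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, _path, _version = request_line.split(" ")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if method != "POST" or "x-www-form-urlencoded" not in headers.get("content-type", ""):
        return None
    form = parse_qs(body[: int(headers["content-length"])])
    return {"username": form["username"][0], "password": form["password"][0]}


def client_side_hash(password):
    """The value the JavaScript step would submit instead of the password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def server_accepts(submitted, stored_hash):
    """Server check as described above: take the value as-is if it already equals
    the stored hash (browser hashed it), otherwise hash it and compare (no JS)."""
    if hmac.compare_digest(submitted.encode("utf-8"), stored_hash.encode("utf-8")):
        return True
    return hmac.compare_digest(client_side_hash(submitted).encode("utf-8"),
                               stored_hash.encode("utf-8"))


def wire_value_replays(raw, stored_hash):
    """Does resubmitting the captured password field verbatim log the sniffer in?"""
    creds = credentials_from_stream(raw)
    return creds is not None and server_accepts(creds["password"], stored_hash)


if __name__ == "__main__":
    stored = client_side_hash("hunter2")  # constructed sample account
    for label, req in (("plain form", login_request("EmptySea", "hunter2")),
                       ("JS pre-hashed", login_request("EmptySea", stored))):
        seen = credentials_from_stream(req)
        print(f"{label}: sniffer sees {seen}; replay logs in: {wire_value_replays(req, stored)}")
```

Run stand-alone it prints the captured fields for both the plain and the pre-hashed form and shows that replaying either captured value is accepted; constant-time comparison is used in server_accepts only so the example does not introduce a timing side channel of its own.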

