MyBB Community Forums

Full Version: [Tutorial] How to Help Secure your Forums from being Hacked/DDOSED
(2013-02-18, 05:52 PM)Josh H. Wrote: Or, you could just use CSF and let it do the magic for you... IIRC, CSF has an anti-DDoS module built in.

CSF won't help protect you against the larger attacks. It can't keep up forever as the port will get overwhelmed eventually.
It can for quite a while. Assuming you don't have Anonymous knocking on your door though, and if you have the web server optimized, you can probably reduce a fair amount of the problem.

But I personally think that using CF to hide an IP is the wrong use of the service. As has been stated, an attack needs to push 5Gbps or more for the attacks on the actual server to last long. If you don't have Anonymous knocking on your door or you haven't pissed someone off, you're probably going to be okay.
If we deleted every DNS entry except A and CNAME then MyBB can't send mails, I believe!!

MX entries are needed to send mails, right?
That's one issue with this guide, assuming you use SMTP instead of PHP mail().
PHPMail will work fine with the settings in the tutorial.

If you want to use a separate SMTP server then don't delete the MX records.

People can DDOS your mail server all they want, it won't take your site down. Lol
Yeah, but some people have the SMTP server on the web server... If they get the MX IP and the server runs something like cPanel, then the removal of the other records is pointless.
(2012-12-03, 12:25 AM)imtiax Wrote: I have changed the title of the Topic with a better choice of words now.

(2012-12-03, 12:22 AM)Nathan Malcolm Wrote: I can think of 20 methods off the top of my head to hack a forum, and none of the above posted are included. Security is a process, not a product. The above might help to some degree, but it won't prevent your forum from being hacked.

Yeah, but this tutorial eliminates the common ways of getting hacked.

- If no one else can get hosting on your server, then they can't use any shell to gain access to your files as they cannot upload anything. (Which is how most forums get hacked anyways [Especially the ones advertised at HF])

- They can't bruteforce SSH/yourlogin since you disabled it and only the owner can access it via console.

- They don't know your server's REAL IP, so they couldn't use a Putty client and try to bruteforce a login to your VPS

The only way they could hack you now is by exploiting MyBB, which should be pretty hard.

Even if they use the upload attachment feature, and successfully upload a shell, it will most likely not work as we have disabled the main Symlink functions, but there are shells out there that still bypass it; they're hard to find though.

1. Yes they can, lol. All it takes is you installing a poorly made plugin that allows them to execute something malicious, then you're a goner. And welcome to HF, no one there who can do anything will bother with a forum as small as yours, or anyone's for that matter.

2. If you were smart about security in the first place, you wouldn't even have SSH listening on port 21, you'd have it on some random port that only you know.

3. They can still get it without having all the "CloudFlare Resolvers" around.

Those shells aren't hard to find at all, honestly.

(2013-02-19, 06:33 AM)Josh H. Wrote: It can for quite a while. Assuming you don't have Anonymous knocking on your door though, and if you have the web server optimized, you can probably reduce a fair amount of the problem.

But I personally think that using CF to hide an IP is the wrong use of the service. As has been stated, an attack needs to push 5Gbps or more for the attacks on the actual server to last long. If you don't have Anonymous knocking on your door or you haven't pissed someone off, you're probably going to be okay.

Yeah. I don't understand why people use CloudFlare to hide their IP, when you can just email them and get the IP. If I cared enough or the OP wanted to, I'll go and get his IP for his site without needing more than 4 sentences and 2 minutes of looking around. The real use of CloudFlare should be for making your site much faster.
Well, hiding your IP address via Cloudflare wouldn't really be much help.

Essentially, Cloudflare will release your IP to whoever requests it, allowing them to process DMCA requests at your hosting provider among other things. Essentially a simple email and they will have your website's IP address no problem.

Edit: Noticed this has already been said above :P

Edit 2: I guess using Cloudflare to "hide your IP" could act as a deterrent for those that are not aware that they can ask Cloudflare for the IP or simply just don't know what Cloudflare is.

Forum-wise: the best thing to do really is change your admin directory and put a fake admin login page at the "normal" location - Clever, easy and you can find out who is trying to get access where they shouldn't have.

Server-side: Well there are many things you can do though hiding your IP address isn't one.
Quote: They don't know your server's REAL IP, so they couldn't use a Putty client and try to bruteforce a login to your VPS

Sure they do. When they register they get an email validation. IP would be right there in the headers. And if you have it disabled then they could just do a thread subscription and wait for a reply.

You never mention other services you may be running that could be exploited. Simple stuff like FTP.

Quote: The thing is, for most users that's overkill. Plenty of users use shared hosting without any issues, including big boards. If the host has hardened the server (jailed accounts for example) then there shouldn't be any issue.

Shared hosting is definitely the least secure method of hosting. But that's only assuming the sys admin is capable.

The only way you'll hide your IP is to hide SOME services on different IPs. But some services have no choice but to be exposed. You'll need to place those services on different boxes. You can run SMTP with MyBB but that will require you to get a different VPS to make sure your HTTP serving isn't affected.

The steps OP outlined are rudimentary at best and don't really offer sysadmin advice that's really needed, like securing each service properly, a firewall setup, packages like suhosin, triggers for rootkits, and ways to spot entry and entry attempts.

If you do what OP says you'll be more secure. But you certainly won't be out of the woods.

Quote: MX entries are needed to send mails, right?

Technically only needed to receive mail. Mail services should be a thread all on its own.

BTW there is at least one other method to grab server IP outside of mail using MyBB.

And if in the end you're not a capable sys admin you might actually be LESS secure using a VPS than if you used a reliable shared host.
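
Added example (not part of any post in this thread): a check a forum owner can run on a validation or subscription e-mail their own board sent, to see whether its headers expose the origin address as the post above describes. The function name `find_origin_leaks`, the sample message and the addresses (documentation ranges) are constructed for illustration.

```python
import email
import ipaddress
import re

# Constructed sample of an account-activation mail sent straight from the web
# server. 203.0.113.10 (documentation range) stands in for the origin IP.
SAMPLE_MESSAGE = (
    "Received: from mx.example.net (mx.example.net [198.51.100.7])\n"
    "\tby mail.recipient.example with ESMTP id abc123; Tue, 19 Feb 2013 10:00:02 +0000\n"
    "Received: from forum.example.com (forum.example.com [203.0.113.10])\n"
    "\tby mx.example.net with ESMTP id def456; Tue, 19 Feb 2013 10:00:01 +0000\n"
    "X-Originating-IP: [203.0.113.10]\n"
    "From: Forum <noreply@example.com>\n"
    "To: user@recipient.example\n"
    "Subject: Account activation\n"
    "\n"
    "Activate your account.\n"
)

# Runs of characters that could form an IPv4 or IPv6 literal.
TOKEN = re.compile(r"[0-9A-Fa-f:.]+")


def find_origin_leaks(raw_message, origin_ips):
    """Return (header, ip) pairs for headers that expose one of origin_ips."""
    origins = {ipaddress.ip_address(ip) for ip in origin_ips}
    msg = email.message_from_string(raw_message)
    leaks = []
    for name, value in msg.items():
        seen = set()
        for token in TOKEN.findall(value):
            try:
                addr = ipaddress.ip_address(token.strip("."))
            except ValueError:
                continue  # hostnames, timestamps, queue ids
            if addr in origins and addr not in seen:
                seen.add(addr)
                leaks.append((name, str(addr)))
    return leaks


if __name__ == "__main__":
    for header, ip in find_origin_leaks(SAMPLE_MESSAGE, ["203.0.113.10"]):
        print(f"{header} exposes origin address {ip}")
```

An empty result on mail sent through a relay on a separate host is what the "different VPS" advice above is aiming for.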
Quote: BTW there is at least one other method to grab server IP outside of mail using MyBB.

Did you intentionally not tell him the method? I know what it is (or at least one way, which I think you are also referring to - "clever scripting" to patch it, right?), but I didn't realise it was hush hush.