MyBB Community Forums

Full Version: Hard-coded option in config.php to disable clearing logs
(2017-11-18, 06:37 PM)labrocca Wrote: Server logs can also give you what you need normally. Some shared hosts allow you access.

The thread isn't about server logs. I run my own VPS so I can get whatever type of logging is needed, even tcpdumps. The thing is, it'd be a nice update to MyBB's security. It still doesn't protect you in the event of an SQL injection attack, but disabling log clearing could reduce attack impact.
(2017-11-18, 10:14 PM)Lunorian Wrote: The thread isn't about server logs. I run my own VPS so I can get whatever type of logging is needed, even tcpdumps. The thing is, it'd be a nice update to MyBB's security. It still doesn't protect you in the event of an SQL injection attack, but disabling log clearing could reduce attack impact.

But preventing SQLi should not be done on the PHP script level anyways. MyBB does actually have standard protection from SQLi as they have ways to sanitize input by default. So I'm not sure what you mean.

You might be too paranoid and have high expectations of MyBB doing everything for your security needs. If you have a VPS there are lots of things you can do at the server level for logging and other injection protection.

Your initial post was asking MyBB to prevent admin logs being cleared, but you didn't comment on my flat-file post. So does this mean you expect a config option that prevents the AdminCP from being used to clear the logs table? Then you speak about SQLi. Well, if your ACP is compromised you're kinda screwed anyway. What good will logs be? Do you think they wouldn't use a VPN/proxy? And if they used SQLi then they can manipulate the database however they want anyway.

You can already remove the ability for admins to access the logs. That's enough. And as I suggested, if you're this paranoid then save the info to a flat file. You could probably set a table dump in cron every 15 minutes. It's normally a small table anyway and shouldn't cause too much disruption. Have them saved for 24 hours (100 logs) and, to ensure the files don't get too large, periodically prune your ACP logs in MyBB. Maybe every 30 days?

When making suggestions for MyBB you should consider the need for all admins to have the feature, that's my opinion. Otherwise you just make a plugin for your own needs.
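The cron dump labrocca describes in the post above, written out as an added example (it is not code from this thread or from MyBB). It assumes the default mybb_ table prefix (so the admin log table is mybb_adminlog), a hypothetical credentials file /etc/mybb-adminlog.cnf with a [client] section, and a hypothetical dump directory /var/backups/mybb-adminlog; change all three for your install. One caveat the thread only touches on: if the dumps are writable by the user PHP runs as, someone who reaches the ACP or gets code execution can delete them as easily as the table, so keep them outside the webroot under another user, or ship them off-host.

```shell
#!/bin/sh
# Added example, not MyBB's code: dump the MyBB admin log table each time cron runs
# this (e.g. every 15 minutes) and keep only the last 24 hours of dumps.
set -eu

DB_NAME="${DB_NAME:-mybb}"
# Assumption: the default "mybb_" table prefix; check $config['database']['table_prefix']
# in inc/config.php if yours differs.
ADMINLOG_TABLE="${ADMINLOG_TABLE:-mybb_adminlog}"
# Hypothetical paths. Keep the dumps outside the webroot in a directory the PHP/web
# user cannot write to, otherwise an attacker in the ACP can wipe them like the table.
DUMP_DIR="${DUMP_DIR:-/var/backups/mybb-adminlog}"
DB_CREDENTIALS="${DB_CREDENTIALS:-/etc/mybb-adminlog.cnf}"   # [client] user= / password=
KEEP_MINUTES="${KEEP_MINUTES:-1440}"                          # 24 hours

# Path of the dump produced by a run stamped YYYYmmddHHMMSS (UTC).
dump_path() {
    printf '%s/adminlog-%s.sql.gz\n' "$DUMP_DIR" "$1"
}

# Dump the table. --single-transaction/--skip-lock-tables avoid locking the live forum;
# the dump is written to a dotfile first so a half-written file never matches the
# adminlog-* pattern used below, then renamed into place.
dump_adminlog() {
    stamp=$(date -u +%Y%m%d%H%M%S)
    out=$(dump_path "$stamp")
    tmp="$DUMP_DIR/.adminlog-$stamp.sql"
    mysqldump --defaults-extra-file="$DB_CREDENTIALS" --single-transaction --skip-lock-tables \
        "$DB_NAME" "$ADMINLOG_TABLE" > "$tmp"
    gzip -9 "$tmp"          # leaves $tmp.gz
    mv "$tmp.gz" "$out"
    printf '%s\n' "$out"
}

# Delete dumps in DIR older than KEEP minutes (default KEEP_MINUTES); prints the count.
# File names are generated above and contain no whitespace, so word splitting is safe.
prune_dumps() {
    dir="$1"
    keep="${2:-$KEEP_MINUTES}"
    count=0
    for f in $(find "$dir" -maxdepth 1 -name 'adminlog-*.sql.gz' -mmin +"$keep"); do
        rm -f "$f"
        count=$((count + 1))
    done
    printf '%s\n' "$count"
}

# Dumps currently retained; with a 15-minute cron and a 24-hour window expect about 96.
count_dumps() {
    find "$1" -maxdepth 1 -name 'adminlog-*.sql.gz' | wc -l | tr -d ' '
}

main() {
    umask 077
    mkdir -p "$DUMP_DIR"
    dump_adminlog
    prune_dumps "$DUMP_DIR" > /dev/null
}

case "${0##*/}" in
    adminlog-dump.sh) main ;;
esac
```

Install it as /usr/local/sbin/adminlog-dump.sh with a root crontab line `*/15 * * * * /usr/local/sbin/adminlog-dump.sh`. The in-database pruning labrocca mentions (every 30 days or so) stays in the ACP; this script only manages the flat-file copies.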
(2017-11-20, 05:50 PM)labrocca Wrote: You can already remove the ability for admins to access the logs. That's enough. And as I suggested, if you're this paranoid then save the info to a flat file. You could probably set a table dump in cron every 15 minutes. [...]

Thanks for the suggestions. If the database is compromised then yes, logs are easily wiped. Thanks for the 15-minute log table dump idea, I might implement that. As for server-side features, WAFs only protect you for so long if you are already vulnerable. I'll probably configure nginx to do IP whitelisting for /admin/.
Make sure to use .htaccess for your ACP, change the ACP directory name, create a fake ACP directory, use a WAF, in your php.ini disable certain functions used by shells, and IP whitelist your ACP.

Do all that and you have above average security that isn't easy to break. And if it is broken then you have a lot more problems than acp logs which are going to be pointless.
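Lunorian's plan to allowlist /admin/ in nginx and the "IP whitelist your ACP" item in labrocca's list, as an added example that is not from the thread or from MyBB. It renders the nginx location block and checks an existing config for the usual mistake: a plain `location /admin/ { allow ...; deny all; }` does not protect admin/index.php, because nginx prefers the site's `location ~ \.php$` regex block over a prefix match, and that block carries no allow/deny rules. `^~` makes the prefix match final, and the PHP handler is nested inside it so the rules also apply to the scripts. The allowlist addresses, the PHP-FPM socket path and the output file are assumptions; ACP_PATH must match your (renamed) admin directory.

```shell
#!/bin/sh
# Added example, not from the thread or MyBB: an nginx drop-in that limits the ACP to
# an allowlist of source addresses, plus a check for the common mis-configuration.
set -eu

ACP_PATH="${ACP_PATH:-/admin/}"        # use the renamed admin directory if you renamed it
FASTCGI_PASS="${FASTCGI_PASS:-unix:/run/php/php-fpm.sock}"   # assumption: PHP-FPM socket

# Emit the location block for the given addresses/CIDRs.
# "^~" is the important part: with a plain "location /admin/" the site's
# "location ~ \.php$" regex wins for admin/index.php and the allow/deny never runs.
# With "^~" the prefix match is final, and the PHP handler nested inside inherits the rules.
render_acp_allowlist() {
    printf 'location ^~ %s {\n' "$ACP_PATH"
    for src in "$@"; do
        printf '    allow %s;\n' "$src"
    done
    printf '    deny all;\n'
    printf '    location ~ \\.php$ {\n'
    printf '        include fastcgi_params;\n'
    printf '        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;\n'
    printf '        fastcgi_pass %s;\n' "$FASTCGI_PASS"
    printf '    }\n'
    printf '}\n'
}

# Classify how a config file guards ACP_PATH: "guarded" (^~ prefix location),
# "weak" (plain prefix location, bypassed for .php requests), or "missing".
acp_guard_status() {
    conf="$1"
    if grep -Eq "location[[:space:]]+\^~[[:space:]]+$ACP_PATH" "$conf"; then
        printf 'guarded\n'
    elif grep -Eq "location[[:space:]]+$ACP_PATH" "$conf"; then
        printf 'weak\n'
    else
        printf 'missing\n'
    fi
}

# Write the snippet to OUT (hypothetical path, e.g. /etc/nginx/snippets/mybb-acp.conf)
# for inclusion in the server block; validate with "nginx -t" before reloading.
install_acp_allowlist() {
    out="$1"
    shift
    render_acp_allowlist "$@" > "$out"
    chmod 640 "$out"
    acp_guard_status "$out"
}

case "${0##*/}" in
    mybb-acp-allowlist.sh) install_acp_allowlist "$@" ;;
esac
```

Run `install_acp_allowlist /etc/nginx/snippets/mybb-acp.conf 203.0.113.0/24`, include the snippet in the server block, then `nginx -t` and reload. If nginx sits behind a proxy or CDN, `allow`/`deny` see the proxy's address unless the real IP module is configured, and an allowlist keyed on the proxy's address lets everyone through.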
(2017-11-20, 08:29 PM)labrocca Wrote: Make sure to use .htaccess for your ACP, change the ACP directory name, create a fake ACP directory, use a WAF, in your php.ini disable certain functions used by shells, and IP whitelist your ACP. [...]

I use nginx so no .htaccess for me ;)

Would blocking the base64 functions break web shells? (See example: https://github.com/nsuchy/php-malware-sa...scated.php)
(2017-11-20, 08:34 PM)Lunorian Wrote: Would blocking the base64 functions break web shells? (See example: https://github.com/nsuchy/php-malware-sa...scated.php)

That may interfere with some MyBB functions or plugins.

Disable all the functions on this page:
http://php.net/manual/en/ref.exec.php

exec() is sometimes used by MyBB for the admin to see some debug info, but I've never really needed it and MyBB may have already changed that in the newest version. The rest are commonly used functions in shell scripts.

And after you restart your PHP make sure in a phpinfo() page that indeed these are disabled. In php.ini it's the disable_functions directive.
(2017-11-20, 08:44 PM)labrocca Wrote: Disable all the functions on this page: http://php.net/manual/en/ref.exec.php [...] And after you restart your PHP make sure in a phpinfo() page that indeed these are disabled. In php.ini it's the disable_functions directive.

I dislike assuming that I will be compromised, but you have good reason, so I disabled the functions you suggested. The debug page works fine with exec() disabled.
php.ini excerpt
disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,phpinfo,exec,escapeshellarg,escapeshellcmd,passthru,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec,system
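A check for the php.ini excerpt above, added here as an example (not MyBB's or PHP's tooling): it parses disable_functions out of a php.ini, reports which functions from the ref.exec.php page labrocca pointed at are still enabled, and, where a php binary is available, asks the interpreter what it actually loaded. That last step is the phpinfo() check labrocca describes, which the excerpt above itself disables, so `php -r 'echo ini_get("disable_functions");'` stands in for it; the CLI may read a different php.ini (plus conf.d/*.ini overrides) than PHP-FPM or mod_php, so the authoritative check is against the SAPI that serves the forum. Two caveats: escapeshellarg() and escapeshellcmd() only quote strings, so disabling them breaks callers without blocking any execution; and disable_functions is a denylist of PHP internals, not a sandbox, so it raises the cost of a dropped web shell rather than ruling out code execution. The sample php.ini in the block is constructed and deliberately leaves system() out so the check has something to report.

```shell
#!/bin/sh
# Added example, not tooling from MyBB or PHP. Checks a php.ini's disable_functions
# against the program-execution functions listed on php.net/manual/en/ref.exec.php and,
# when a php binary is present, confirms what the interpreter really loaded.
set -eu

# Functions documented on the ref.exec.php page referenced in the thread.
EXEC_FUNCTIONS="escapeshellarg escapeshellcmd exec passthru proc_close proc_get_status proc_nice proc_open proc_terminate shell_exec system"

# Effective disable_functions value from one php.ini: last uncommented directive wins
# (as in PHP), quotes dropped, one lower-cased name per line.
ini_disabled_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 \
        | tr -d '"' \
        | tr ',' '\n' \
        | sed 's/[[:space:]]//g; /^$/d' \
        | tr 'A-Z' 'a-z'
}

# Names from EXEC_FUNCTIONS that the php.ini does NOT disable, one per line.
# Empty output means the list on the manual page is fully covered.
missing_exec_functions() {
    disabled=$(ini_disabled_functions "$1")
    for fn in $EXEC_FUNCTIONS; do
        if ! printf '%s\n' "$disabled" | grep -qx "$fn"; then
            printf '%s\n' "$fn"
        fi
    done
}

# What the interpreter itself reports after loading the given php.ini. This is the
# phpinfo() check from the thread without phpinfo(); run it against the SAPI that
# serves the forum (the CLI may read another php.ini plus conf.d/*.ini overrides).
runtime_disabled_functions() {
    php -c "$1" -r 'echo ini_get("disable_functions"), PHP_EOL;' \
        | tr ',' '\n' | sed 's/[[:space:]]//g; /^$/d'
}

# Constructed sample mirroring the excerpt in the thread (pcntl_* omitted); system()
# is left out on purpose so the check reports it.
write_sample_ini() {
    cat > "$1" <<'EOF'
; constructed sample php.ini for the example, not a real server's file
disable_functions = phpinfo,exec,escapeshellarg,escapeshellcmd,passthru,proc_close,proc_get_status,proc_nice,proc_open,proc_terminate,shell_exec
EOF
}

main() {
    ini="${1:-}"
    sample=""
    if [ -z "$ini" ]; then
        ini=$(mktemp)
        write_sample_ini "$ini"
        sample="$ini"
    fi
    missing=$(missing_exec_functions "$ini")
    if [ -n "$missing" ]; then
        printf 'still enabled in %s:\n%s\n' "$ini" "$missing"
    else
        printf 'every function on ref.exec.php is disabled in %s\n' "$ini"
    fi
    if command -v php >/dev/null 2>&1; then
        printf 'php -c %s reports disabled:\n' "$ini"
        runtime_disabled_functions "$ini"
    fi
    [ -z "$sample" ] || rm -f "$sample"
}

case "${0##*/}" in
    check-disable-functions.sh) main "$@" ;;
esac
```

Run it as `check-disable-functions.sh /etc/php/7.2/fpm/php.ini` (your path will differ) after the restart; with no argument it runs against the constructed sample and reports system() as still enabled.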
As far as I can tell, exec is used in two places - in the archive mode when running on Windows (rare) and in the 3rd party diff engine: https://github.com/mybb/mybb/search?l=PH...=%E2%9C%93
(2017-11-20, 09:53 PM)Euan T Wrote: As far as I can tell, exec is used in two places [...]

I use neither of those features so I'm good ;)