[Tutorial] How to Help Secure your Forums from being Hacked/DDOSED
#11
(2012-12-03, 12:25 AM)imtiax Wrote: Yeah, but this tutorial eliminates the common ways of getting hacked.

There are many more common ways than the ones above. You've barely scraped the surface.

(2012-12-03, 12:25 AM)imtiax Wrote: - If no one else can get hosting on your server, then they can't use any shell to gain access to your files as they cannot upload anything. (Which is how most forums get hacked anyway [especially the ones advertised at HF])

RFI/LFI, SQL injection, XSS, there are many ways to gain access to be able to upload a shell.

(2012-12-03, 12:25 AM)imtiax Wrote: - They can't bruteforce SSH/yourlogin since you disabled it and only the owner can access it via console.

The thing is, for most users that's overkill. Plenty of users use shared hosting without any issues, including big boards. If the host has hardened the server (jailed accounts for example) then there shouldn't be any issue.

(2012-12-03, 12:25 AM)imtiax Wrote: - They don't know your server's REAL IP, so they couldn't use a PuTTY client and try to bruteforce a login to your VPS

You shouldn't be using passwords, you should be using key pairs. Regardless, CloudFlare isn't meant to hide your server's IP address. As a reverse proxy that's just how it works. You should secure SSH itself instead of trying to hide the IP address.

(2012-12-03, 12:25 AM)imtiax Wrote: The only way they could hack you now is by exploiting myBB, which should be pretty hard.

That's not the only way. As I previously mentioned, you've barely scraped the surface. There's nothing here that really is specific to MyBB.
No longer involved in the MyBB project.
#12
I'll have to ask you for a small audit eventually, Nathan. Seems you are more proficient with the avenues of attacks than I am. I just know about DDoS attacks, Ping Floods, DNS amplification, SYN flood, XSS, SQLi, and uploaded shells, and I guess I have *heard of* null byte and symlinking.
Edit: I now know about RFI/LFI.
PGP Key (Fingerprint: 23B6 F4C0 FE2D 45AA 61A0 1E86 DB87 09DC DD87 6E40)
#13
I got a question, if I delete all the records except the ones you said don't then would they be any problem(s) with sending mail or not?
#14
(2012-12-09, 11:52 PM)kamz89 Wrote: I got a question, if I delete all the records except the ones you said don't then would they be any problem(s) with sending mail or not?

If you rely on PHP Mail, then no problem.

If you use an SMTP server, like Namecheap's OX Mail, they will ask you to add a few records, which is totally fine.

Also @ Nathan,

The reason I suggest just buying a small VPS to host your site is,

The cost of shared hosting is $3 - $7 per month depending on who you pick, on average.

The cost of a small VPS is around $3 - $6, which will run a small web server just fine.

So why not take advantage of that, and hide your server's IP, so it's not possible for anyone to DDOS you, or shell bruteforce.
#15
(2012-12-10, 03:16 PM)imtiax Wrote: The reason I suggest just buying a small VPS to host your site is,

The cost of shared hosting is $3 - $7 per month depending on who you pick, on average.

The cost of a small VPS is around $3 - $6, which will run a small web server just fine.

The majority of administrators won't be comfortable with setting up a VPS and maintaining it. Shared hosting is perfectly fine for the average forum.

Having a badly configured VPS is worse than having an account on a secured shared host.

(2012-12-10, 03:16 PM)imtiax Wrote: So why not take advantage of that, and hide your server's IP, so it's not possible for anyone to DDOS you, or shell bruteforce.

You cannot hide your server's IP address. Why would you want to do that? The only reason I can think to ever do that is if you're very paranoid that you're going to be attacked. IP addresses are public. With a little research anyone can manage to get the IP address of the server.

Saying that using CloudFlare would make the server impossible to DDOS is incorrect. If someone is trying to DDOS your site, and the attack is affecting other CloudFlare sites, CloudFlare will route the traffic directly to the server instead.

CloudFlare is not a service intended to hide your server's IP address. I cannot stress that enough.

Trying to hide the server's IP address is a lazy way to try to secure a site. Forget 'hiding' it; implement services and configurations which make it impossible for an attacker to gain unauthorized access even with the IP address.
No longer involved in the MyBB project.
#16
To be honest, you can't hide an IP with CloudFlare; I think you know we can resolve a CloudFlare-protected IP.

And I wrote a small tutorial; you can see it <snip>. It's not everything, just something.
#17
I'm using cPanel X, is there a way for me to change php.ini?

I only use MySQL and phpMyAdmin.

If so, can someone tell me how to locate it? I can't find it anywhere.
#18
(2013-02-17, 09:42 PM)Knightrise Wrote: I'm using cPanel X, is there a way for me to change php.ini?

I only use MySQL and phpMyAdmin.

If so, can someone tell me how to locate it? I can't find it anywhere.
Probably not. Usually hosts keep it to themselves for security purposes.
PGP Key (Fingerprint: 23B6 F4C0 FE2D 45AA 61A0 1E86 DB87 09DC DD87 6E40)
#19
(2012-12-13, 05:19 AM)_Kitty_ Wrote: To be honest, you can't hide an IP with CloudFlare; I think you know we can resolve a CloudFlare-protected IP.

And I wrote a small tutorial; you can see it <snip>. It's not everything, just something.

You can delete all the DNS records on CloudFlare and only keep the A and CNAME; that way a CloudFlare resolver will not be able to pull any results.


Try getting the real server IP of Landon.pro; you won't be able to.

(2012-12-10, 03:43 PM)Nathan Malcolm Wrote: CloudFlare is not a service intended to hide your server's IP address. I cannot stress that enough.

Sure that is not the intended purpose but it will get used for that reason.

(2012-12-10, 03:43 PM)Nathan Malcolm Wrote: Trying to hide the server's IP address is a lazy way to try to secure a site. Forget 'hiding' it; implement services and configurations which make it impossible for an attacker to gain unauthorized access even with the IP address.

Trying to hide your server's IP address is a good thing; it will save you a lot of downtime when kids try to DDOS your site.

You need to hit CloudFlare with at least a 5Gbit attack for them to direct the traffic directly to your server. Most people do not have that much power, as they will use an Ecatel or a shell booter.
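As an added illustration of the record-pruning advice in this post and the mail-record question earlier in the thread (this is not code from the thread or from CloudFlare): a small audit over a constructed zone that flags the records which still hand out the origin address even when the apex A record is proxied. The apex name, origin address and records are assumed sample values.

```python
import ipaddress
import re

# Constructed sample values, not a real site's records: 203.0.113.0/24 is a
# documentation range and example.com is the assumed zone apex.
APEX = "example.com"
ORIGIN_IP = "203.0.113.10"
SAMPLE_ZONE = [
    # (name, type, content, proxied through CloudFlare?)
    ("@",      "A",     "203.0.113.10",                  True),
    ("www",    "CNAME", "example.com.",                  True),
    ("ftp",    "A",     "203.0.113.10",                  False),  # grey-clouded subdomain
    ("mail",   "A",     "203.0.113.10",                  False),
    ("@",      "MX",    "mail.example.com.",             False),  # MX is never proxied
    ("@",      "TXT",   "v=spf1 ip4:203.0.113.10 -all", False),
    ("_dmarc", "TXT",   "v=DMARC1; p=none",              False),
]

def _local_label(fqdn):
    """Map 'mail.example.com.' to the zone label 'mail' ('@' for the apex, None if outside)."""
    host = fqdn.rstrip(".")
    if host == APEX:
        return "@"
    suffix = "." + APEX
    return host[: -len(suffix)] if host.endswith(suffix) else None

def _addresses(records, label):
    """Every A/AAAA address the zone itself publishes for a label."""
    return [c for n, t, c, _ in records if n == label and t in ("A", "AAAA")]

def audit_zone(records, origin_ip):
    """Return (name, type, reason) for each record that still reveals origin_ip."""
    origin = ipaddress.ip_address(origin_ip)
    leaks = []
    for name, rtype, content, proxied in records:
        if rtype in ("A", "AAAA") and not proxied:
            if ipaddress.ip_address(content) == origin:
                leaks.append((name, rtype, "unproxied address record points at the origin"))
        elif rtype in ("MX", "CNAME") and not proxied:
            label = _local_label(content)  # only targets inside this zone are checked
            if label and any(ipaddress.ip_address(a) == origin for a in _addresses(records, label)):
                leaks.append((name, rtype, f"target {content} resolves to the origin"))
        elif rtype == "TXT" and content.startswith("v=spf1"):
            for mech in re.findall(r"\bip[46]:\S+", content):  # e.g. ip4:203.0.113.10
                net = ipaddress.ip_network(mech.split(":", 1)[1], strict=False)
                if origin in net:
                    leaks.append((name, rtype, f"SPF mechanism {mech} names the origin"))
    return leaks
```

Running `audit_zone(SAMPLE_ZONE, ORIGIN_IP)` flags the grey-clouded `ftp` and `mail` records, the MX that points at them, and the SPF `ip4:` mechanism; an MX that points at a third-party mail provider, as in the OX Mail case above, is not flagged.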
#20
Or, you could just use CSF and let it do the magic for you... IIRC, CSF has an anti-DDoS module built in.
PGP Key (Fingerprint: 23B6 F4C0 FE2D 45AA 61A0 1E86 DB87 09DC DD87 6E40)