Security in General
#1
I am sorry for the very loose topic title and even more sorry that I might bore you with background, but I need to do this, so please try to have patience with me.

I have some 15 plus years of admin experience.  Started on some Microsoft paid for style boards for a company.  Helped transition one of those to phpBB.

Have about 10 years of experience with phpBB, but a few years ago that organization started to show oddness in management and I decided to leave them.

After studying a bunch of software out there I chose here, but I honestly don't remember the specifics as to what attracted me to you folks.  But I do good studying, so something here must be correct.

Anyway, due to a health situation I have to move a bunch of my intended scheduling up by quite a bit and after I transition to MyBB from phpBB I am going to need to be about the most secure board on the planet, because I will be engaged in a project that will definitely attract some bad characters.

It won't be that what I am doing is bad, don't get me wrong.  it will be because of the nature of the project I had to move forward.  We don't need to get into that right now.

What I did just a bit ago was stick - - - rats, the screen grab doesn't show the actual search terms.

Okay, maybe I put "security research" into your search engine.  Maybe some other word following security.

Anyway, I see in the screen grab three threads and one was/is titled "Security for a Forum" but that turned out to be limited in scope.

What I am looking for is a general paper anyone might have done on "Increased Security" in a general way, and hopefully a paper on Extra Security on a MyBB board.

I mean something beyond all the standard stuff, if that is any way to phrase it.

Something like Super Security, BUT not in the way that causes undo hardship for members to join and post.  I don't want my members jumping through too many hoops.  That makes people upset.

I mean maybe extra tools in my admin panel that shows weird stuff.  Or something like that.

I am already using special group style admission for new members on one of my boards, so that we see actual posts and screen the first few of a new member.  I know about that level of early security against spammers and such.  But I need something a bit more than that standard stuff.

You can tell I am not even sure how to ask about Extra Security, but that is because I am right now in the early stages of this area of research and because I am now limited in how much time I've got.

To be bluntly specific I have blood cancer discovered last November and so everything is getting moved much too fast forward and I am forced to do my research in a hurried manner.

So I need help to do research on how to make a MyBB board about the most secure on the planet, yet allow the members a rather un-difficult experience on the board.  Does that make sense?  Sorry if I am messing up this post.

Maybe one of my smarter moderator folks should get in here and do this post, but we are all in a sort of rush.

Okey-dokey, let me see if any of y'all can have patience with this old fool -- me.

Thank you for any advice you may have!  Really, thank you.
Reply
#2
So what i get from the post is that you want a secure MyBB board which however is not impossible and can be achieved by some short of configuration, i myself do the configurations on my boards like stopping spam bots setting up cloudflare with maxcdn(for better loading) and some short of customizations which aren't much but really helps in security. The most secure way to secure a database based website to have it exploit proof and stress proof. Like for exploits and DDoS you can use cloudflare and for other things your server side need to secured too because a secure server is a key for a secure website. Ah i don't know what i am trying to say that is something hard to explain since i am not much a blogger. But i do know how that feels if something like cancer shows up.
[Image: cafaf18ba2.gif]
FileSquid is under development
[Image: trk1]
Reply
#3
I appreciate your attention to my post.  Thank you.

I ought to be a little clearer about one thing up there, though, so I am not put in the bad-guy box.  The trouble I will probably have directed at our site will be because we are going to start highlighting a major political project I have been working on for about 15 years.  Just politics and not any of that other commercial stuff that some relate to bad people.  Just politics on an international level.  So there will obviously be trouble coming our way.  For sure.

So I hope that clears that up, just in case I gave somebody bad vibes about what we are going to be doing.

Now that bit about "Cloud-Stuff" is where an old-folk type like me is lost because I haven't had the time to properly understand what that is all about, except that it is not here at this work station or this building where I do my work.

But that only means I study or hire.

I'll dig deeper into those thoughts you posted, Dark-Power-Invader, and ask further questions, if you don't mind.

As for the other business, I have Grade 3 non-Hodgkin Follicular Lymphoma, but the big complication lately has been the atopic dermatitis that might have surfaced because of the cancer.  But even though I suffer from various sports injury type problems they say my organs are in good shape for my age and give me good marks for getting the cancer into remission, but one has to figure that years are probably going to get dumped and so I hurry a bit now with my work.  By the way, the steroid intake the docs ask of my system is really messing up my sleep patterns.  And I have the last three sessions yet to go -- six total.  Hopefully, just six for now.

Enough of that.  Only brought it up so all know why I am in a rush.

Let me take a closer look at your post Dark-Power-Invader and see what I can learn.

Oh yes, I don't own my server.  I have to trust the folks who are charging me for using their server are sharp folks and can step up to the plate if the going gets tough.  We've been on-line for close to ten years now with the site I'll be converting, but we have been a sleepy kind of no-trouble-to-anyone Community.

I'm afraid that is going to abruptly change.  Luckily I have been able to practice hardball Internet Community work because I am also the admin on a rather hardcore military vets site that has sort of gone astray on the media side of that company.  We have gotten a lot of very strange attention over the years and that one has been around for a long time.  That has kept me in practice with the hardcore Net types.  But that is phpBB software.

Okay, I've got some studying to do.

Thanks for the post!

Now management may get angry, but this is a note post and if anyone wants to comment on what I have found it might be helpful.

From the search tool here:

<>  <>  <>  Copy Starts  <>  <>  <>

    Thread: Exploits?
Post: Exploits?

Yo, Is there a site scanner people recommend? To check for SQL injections, XSS and such? I input all my data with mysql_real_escape_string and curently display with htmlentities with bbcode support. ...
Exze  Web Development and Administration  25 9,149 07-16-2012, 07:44 PM
     Thread: IBM says: Web applications have the most exploits this year.
Post: IBM says: Web applications have the most exploits ...

http://www.google.com/hostednews/afp/art...3haJ5-q8rw Read that, and mostly this quote. QuoteConfusedoftware weaknesses were most abundant in Web applications, programs accessed in browsers on the Interne...
Lo.  General Discussion  18 3,629 08-26-2010, 01:18 AM
     Thread: [split] How MyBB Handles Hacking and Exploits
Post: [split] How MyBB Handles Hacking and Exploits

MybbTurkiye.com, this site's forum team always try to hack my site !!!
CasTexx  Translation Discussion and Development  


<>  <>  <>  Copy Ends  <>  <>  <>

Uh oh, are the links going to be there?

I'll do another paste to a doc.

I am going to ask if it is okay with the admin/mods for me to bring this to this discussion?

<>  <>  <>  Copy Starts  <>  <>  <>

08-26-2010, 11:54 PM  (This post was last modified: 08-26-2010, 11:55 PM by Sleepwalker.)  

That and most people haven't taken the time to go through the MyBB code and find vulnerabilities. People say the same thing about operating systems. Everyone hangs crap on Microsoft saying Windows is so insecure and has bad security. I can almost gaurantee that MacOS and 90% of Linux Distros are just as, if not more, insecure it is just that people haven't spent as much time checking for functions without data integrity validation.

<>  <>  <>  Copy Ends  <>  <>  <>

That is post #16 in this thread IBM says: Web applications have the most exploits this year.

Given how long ago that opinion was offered to this Community, I am sure that situation has been looked into, yes?

I ask, because I did not see any dispute with that member's opinion in the remaining three posts after his.

Meaning, I assume the engineers responsible for the security of this software would have taken the time to go over that member's concerns, if they felt that assessment was off the deep end.  Or am I fishing for sharks with a hook for goldfish?

Testing "New Reply" because I am confused why I keep just getting addendums to post #3. I'm unfamiliar with that style of code on a board such as this.
Reply
#4
Hello -

A problem here might be that if too much security information is put out here for the public to see the hackers are also going to learn how to get around some things in the code that are only for security. But we should be assured by staff here that the code is safe. I don't understand there being no response by staff here. Is everything done here only by volunteers?
Reply
#5
It does appear that the program is run by volunteers alone.  That was a good question, which I didn't really let get into my thinking a few days ago when I got serious about doing our site's transition.

So your question had me going to this page:

Get Involved

Interesting, though, they seem to have another communications platform away from the one here in this location.

Sort of seems like we have to jump back and forth -- to and fro -- and that . . .  Well, I don't know.

But your thoughts helped me take a second look around and to land on that page I put the link up there for.

Thank you.
Reply
#6
@brynriley, such security information is spread all over the web.
As you said, so called hackers try to grab the holes everywhere !

I assure that required care is taken for all known security concerns related to MyBB.

And as you can see, concerns raised here belong to the past.
They might have been already fixed.

MyBB is a open source software. its bugs/issues are open to public.

Major security issues are analyzed in private & fixed in the next release(s).

Staff might not devote time to dig the past & showcase those fixes.
Lot of work is done behind the scenes & Volunteers also provide help.

Volunteers have a great role in the development of the Software.
MyBB doesn't stand anywhere without the help of the volunteers.

MyBB Staff also belong to volunteers. None get payment for the work.
We work here with a interest. Not that we can't do anything else !
Reply
#7
Agreed @.m. though security is something i always setup privately as you don't want someone who is familiar with the setup pattern to mess around with your website.

Here is how i setup security to my websites.
Get a good small VPS with DDoS protection like from buyvm(frantec). optional
Remove the root user and change password based authentication to key based authentication. Applies only if you own a VPS
Always get the latest update for your kernel as well as applications. Applies only if you own a VPS
Setup LAMP stack(or use a panel like VestaCP for free and cPanel if going for a paid option). Applies only if you own a VPS
Make sure you are using latest stable release of php and other programs.
Counter the default configuration with the secure ones it may include disable all features who are not in use.
Setup MySQL with secure installation flag and remove remote login and test user always make sure you are using a strong password combination for mysql.
Not setup your forum, configure it carefully raise stopforumspam to highest level, and replace the footer credit text line with image backlink something like http://puu.sh/zAgj3/84950ca894.png
and the most important requirement get yourself a trustable team of mods and other guys.

Hope it helped.
[Image: cafaf18ba2.gif]
FileSquid is under development
[Image: trk1]
Reply
#8
(2018-03-04, 09:16 AM)Dark-Power-Invader Wrote: Agreed @.m. though security is something i always setup privately as you don't want someone who is familiar with the setup pattern to mess around with your website.

Here is how i setup security to my websites.
Get a good small VPS with DDoS protection like from buyvm(frantec). optional
Remove the root user and change password based authentication to key based authentication. Applies only if you own a VPS
Always get the latest update for your kernel as well as applications. Applies only if you own a VPS
Setup LAMP stack(or use a panel like VestaCP for free and cPanel if going for a paid option). Applies only if you own a VPS
Make sure you are using latest stable release of php and other programs.
Counter the default configuration with the secure ones it may include disable all features who are not in use.
Setup MySQL with secure installation flag and remove remote login and test user always make sure you are using a strong password combination for mysql.
Not setup your forum, configure it carefully raise stopforumspam to highest level, and replace the footer credit text line with image backlink something like http://puu.sh/zAgj3/84950ca894.png
and the most important requirement get yourself a trustable team of mods and other guys.

Hope it helped.

Please take the time to configure your own software rather than using a possibly _probably_ vulnerable control panel software. The CLI isn't as scary as you think.
Software Engineer specializing in C# Program Development
Reply
#9
(2018-03-06, 04:13 AM)Lunorian Wrote: Please take the time to configure your own software rather than using a possibly _probably_ vulnerable control panel software. The CLI isn't as scary as you think.

If its me then my production websites are hosted on different servers using LAMP stack, as for the testing stuff i have a server running with vestaCP cause its easy to add/delete accounts from a GUI instead of CLI it always depends on user whatever he wants some of forum owners are not even friendly with CLI based server management so its better to have something in back pocket.
[Image: cafaf18ba2.gif]
FileSquid is under development
[Image: trk1]
Reply
#10
You need to understand that everything can be exploited. The bad guys are always out there. In fact, your site probably gets a lot of suspecious activity at this moment.
Such as automatic bots trying to force their way in through SQL Injection, code injection, brute force on your password etc etc... This all can be seen through the logs of your server. Even a page that has an unoptimized SQL statement can be exploited. The bad guys are there, and they are powerful than ever.

You should be wary of what plugins you are installing on your board. They may not be secure or optimized.
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)