
[4.1/4.2] How to secure your Forum + Server


6 replies to this topic

#1 Mercedes-Benz (Account and Staff Recruit Administrator, Account Management Team, 700 posts, Location: invision-virus)

Posted 24 August 2017 - 06:26 PM

Hello and welcome to this guide on how to secure your Forum + Server (I am assuming you use a Debian-based OS).

This will not cover every part of server hardening, since this would be way too long.

Let's start with the server part:

1.) In your php.ini, disable dangerous functions. Here is a complete list:
apache_child_terminate
apache_setenv
define_syslog_variables
escapeshellarg
escapeshellcmd
eval
exec
fp
fput
ftp_connect
ftp_exec
ftp_get
ftp_login
ftp_nb_fput
ftp_put
ftp_raw
ftp_rawlist
highlight_file
ini_alter
ini_get_all
ini_restore
inject_code
mysql_pconnect
openlog
passthru
php_uname
phpAds_remoteInfo
phpAds_XmlRpc
phpAds_xmlrpcDecode
phpAds_xmlrpcEncode
popen
posix_getpwuid
posix_kill
posix_mkfifo
posix_setpgid
posix_setsid
posix_setuid
posix_uname
proc_close
proc_get_status
proc_nice
proc_open
proc_terminate
shell_exec
syslog
system
xmlrpc_entity_decode
2.) If you use an SSL certificate (which I recommend), you should enable PHP secure flags.
3.) Don't set the max_post_size too high; it can use a lot of resources and lead to a DoS attack.
4.) Always use the latest PHP version available in the standard repository. (Non-standard repositories can include malicious code.)
5.) I assume you use Apache - so first check which modules Apache has enabled. Use apache2ctl -M | sort to display them on a Debian-based system (I didn't look up other OSes yet).
Once done, disable all modules which you don't need - but make sure you know what you disable; it can cause real damage.
6.) If you use an SSL certificate, make sure you disable port 80 and run Apache on port 443 only.
7.) Use .htaccess Basic Authentication to secure sensitive parts of your server, e.g. phpMyAdmin or your admin panel for IPB.
8.) Change your SSH port to a non-standard one and install software like fail2ban to limit the requests to the specified port. I recommend limiting the login to one IP only, but some of you might use a dynamic IP.
9.) Do not allow external MySQL logins; also disable anonymous logins!
10.) Let a security researcher/pentester check your server for issues; trust me, they can always help make things better.

Let's go to the forum part:

1.) Did you look at the Security Center in your ACP? Did you really follow every step? I recommend doing so.
2.) Create a whitelist for image hosting sites. External pages can cause real damage/trouble by enabling basic authentication and logging usernames/passwords, or by simply logging IP addresses.
3.) If you can, restrict your ACP by IP (which can be done with code editing or server configuration / .htaccess). This adds an extra layer of security.
4.) If you have external untrusted JavaScript included in your script, save it locally and serve it from there; it can always happen that someone changes their JavaScript to log keystrokes.
5.) If you use SSL, use https versions of links included in your IPB design.
6.) Don't install plugins/applications from third-party sites; they might be backdoored.
7.) Check your forum directory for unusual files/file sizes, and check weekly whether you can find functions like eval() or system() in your files, since those usually indicate that someone uploaded a shell or that the code of your application is unusual.
8.) Do not host other software on your server; always separate your software unless you want the data of all your applications to be leaked.
9.) Choose strong passwords for your users; unfortunately there are still people using 123456 as passwords.
10.) Always upgrade to the newest version of your software!

Now to the weakest part in this chain:

You! - Trust me, in 75% of the cases, full access was provided by the admin himself. That's caused by social engineering tactics used to fool admins into giving out info. Please never give out info unless it is absolutely necessary.
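
An added example for server item 1 of the post above (my code, not the poster's or PHP's): it reads a php.ini text, finds the active disable_functions line, reports which of the listed functions are still callable, and renders a merged directive you can paste back. The ini fragment SAMPLE_INI is constructed for the demo; the function list is the post's own, deduplicated.

```python
"""Audit php.ini's disable_functions against the post's list (server item 1).

Added example, not code from the original post or from PHP. php.ini keeps
the last definition of a directive and treats lines starting with ';' as
comments, so a commented-out ';disable_functions = ...' must be ignored
and a later active line must win. SAMPLE_INI is a constructed fragment.
"""
import re

# The post's list, deduplicated. eval is kept for fidelity, but note that in
# PHP eval is a language construct, not a function: disable_functions has no
# effect on it, so treat eval() as a code-review finding instead.
DANGEROUS_FUNCTIONS = sorted({
    "apache_child_terminate", "apache_setenv", "define_syslog_variables",
    "escapeshellarg", "escapeshellcmd", "eval", "exec", "fp", "fput",
    "ftp_connect", "ftp_exec", "ftp_get", "ftp_login", "ftp_nb_fput",
    "ftp_put", "ftp_raw", "ftp_rawlist", "highlight_file", "ini_alter",
    "ini_get_all", "ini_restore", "inject_code", "mysql_pconnect", "openlog",
    "passthru", "php_uname", "phpads_remoteinfo", "phpads_xmlrpc",
    "phpads_xmlrpcdecode", "phpads_xmlrpcencode", "popen", "posix_getpwuid",
    "posix_kill", "posix_mkfifo", "posix_setpgid", "posix_setsid",
    "posix_setuid", "posix_uname", "proc_close", "proc_get_status",
    "proc_nice", "proc_open", "proc_terminate", "shell_exec", "syslog",
    "system", "xmlrpc_entity_decode",
})

DIRECTIVE_RE = re.compile(r"^\s*disable_functions\s*=\s*(.*)$", re.IGNORECASE)


def configured_disabled(ini_text):
    """Set of function names (lowercased) disabled by the active directive."""
    disabled = set()
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0]      # drops comments, incl. ';disable_functions = ...'
        m = DIRECTIVE_RE.match(line)
        if m:                            # later definitions override earlier ones
            value = m.group(1).strip().strip('"')
            disabled = {f.strip().lower() for f in value.split(",") if f.strip()}
    return disabled


def still_enabled(ini_text, required=DANGEROUS_FUNCTIONS):
    """Functions from `required` that the ini does not disable."""
    return sorted(set(required) - configured_disabled(ini_text))


def merged_directive(ini_text, required=DANGEROUS_FUNCTIONS):
    """One disable_functions line combining the current set with `required`."""
    merged = sorted(configured_disabled(ini_text) | set(required))
    return "disable_functions = " + ",".join(merged)


# Constructed php.ini fragment: a stale commented-out line plus a short active one.
SAMPLE_INI = """\
; constructed php.ini fragment for the demo
;disable_functions = exec,system,passthru,shell_exec
disable_functions = exec, shell_exec ,SYSTEM,popen
expose_php = Off
"""

if __name__ == "__main__":
    print("still callable:", ", ".join(still_enabled(SAMPLE_INI)))
    print(merged_directive(SAMPLE_INI))
```

Run it against the php.ini the web SAPI actually loads (on Debian that is /etc/php/<version>/apache2/php.ini or .../fpm/php.ini, not the cli one), restart Apache or php-fpm afterwards, and confirm with `php -i | grep disable_functions` plus a phpinfo() page served by the web SAPI.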
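
An added example for forum item 2 above (my code, not the poster's or IPS's): an image tag that points at an attacker's host lets that host log every viewer's IP and, by answering with a 401, pop a Basic-Auth prompt that looks like it belongs to the forum. A whitelist only helps if the host check cannot be tricked, so this one rejects userinfo in the URL, non-http schemes, IP literals and look-alike suffixes, and allows subdomains of whitelisted hosts. ALLOWED_IMAGE_HOSTS and the sample markup are constructed; wire the filter in wherever your forum lets you hook post saving.

```python
"""Host whitelist for hot-linked images (forum item 2 of the post).

Added example, not code from the original post or from IPS. The whitelist
below is a constructed sample.
"""
import re
from urllib.parse import urlsplit

ALLOWED_IMAGE_HOSTS = {"imgur.com", "postimg.cc"}   # constructed sample whitelist

IMG_SRC_RE = re.compile(
    r"""<img\b[^>]*?\bsrc\s*=\s*["']([^"']*)["'][^>]*>""", re.IGNORECASE)


def host_allowed(url, allowed=ALLOWED_IMAGE_HOSTS):
    """True only if url points at an allowed host or a subdomain of one."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:                       # e.g. malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https"):
        return False                         # data:, javascript:, protocol-relative, ...
    if parts.username is not None or parts.password is not None:
        return False                         # http://imgur.com@evil.example/ tricks
    host = (parts.hostname or "").lower().rstrip(".")
    if not host or ":" in host or host.replace(".", "").isdigit():
        return False                         # empty host, IPv6 or IPv4 literal
    # Exact match or a real subdomain; "imgur.com.evil.example" fails both.
    return any(host == a or host.endswith("." + a) for a in allowed)


def strip_disallowed_images(html, allowed=ALLOWED_IMAGE_HOSTS):
    """Replace <img> tags whose src is off-whitelist with a placeholder.

    A regex is enough for markup the forum itself generated from BBCode; it is
    not a substitute for a real HTML sanitizer on raw user-supplied HTML.
    """
    def repl(m):
        if host_allowed(m.group(1), allowed):
            return m.group(0)
        return "[external image removed]"
    return IMG_SRC_RE.sub(repl, html)


if __name__ == "__main__":
    sample = ('<img src="http://imgur.com@evil.example/x.gif"> '
              '<img src="https://i.imgur.com/ok.png">')      # constructed post markup
    print(strip_disallowed_images(sample))
```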
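
An added example for forum item 7 above (my code, not the poster's or IPS's): the weekly check is easier to trust when it diffs file hashes against a saved baseline instead of eyeballing sizes, and when the grep for eval()/system() also catches the combinations a shell actually uses (eval(base64_decode(...)), a request parameter fed straight into system()). The sample tree in demo() is constructed here; the indicator patterns and the rule that no PHP file belongs under uploads/ are this example's assumptions about a forum install.

```python
"""Baseline diff plus webshell-indicator scan for a PHP forum tree.

Added example, not code from the original post or from IPS. build_manifest()
hashes every file so a later run can diff against the saved baseline;
scan_php() greps PHP files for constructs that usually mean an uploaded
shell. demo() builds a constructed tree, takes a baseline, drops a shell
and rescans.
"""
import hashlib
import os
import re
import tempfile

PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")

# Name -> regex. A hit means "review this file", not proof of compromise:
# legitimate code calls exec() too, but eval(base64_decode(...)) almost never does.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "shell-exec": re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\("),
    "decode-then-run": re.compile(
        r"\b(?:eval|assert)\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "request-to-shell": re.compile(
        r"\b(?:system|exec|shell_exec|passthru)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def diff_manifest(baseline, current):
    """Files added, changed or removed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def scan_php(root, large_bytes=512 * 1024):
    """Return sorted [(relpath, [reasons])] for PHP files that need a manual look."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(PHP_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            reasons = []
            # Assumption: uploads/ holds only user content, so PHP there is
            # suspicious by location alone, whatever it contains.
            if rel.split(os.sep)[0] == "uploads":
                reasons.append("php-under-uploads")
            if os.path.getsize(full) > large_bytes:
                reasons.append("unusually-large")
            with open(full, "r", encoding="utf-8", errors="replace") as f:
                source = f.read()
            reasons.extend(n for n, rx in INDICATORS.items() if rx.search(source))
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)


def demo():
    """Constructed tree: clean index.php, baseline, then a dropped shell."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "uploads"))
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php require 'init.php'; echo 'hello';\n")   # constructed clean file
        baseline = build_manifest(root)
        with open(os.path.join(root, "uploads", "cache.php"), "w") as f:   # constructed shell
            f.write("<?php eval(base64_decode($_POST['x'])); system($_GET['c']);\n")
        return {"diff": diff_manifest(baseline, build_manifest(root)),
                "findings": scan_php(root)}


if __name__ == "__main__":
    print(demo())
```

In production, write the manifest from a known-good install (right after an upgrade) to a location the web server cannot write, and run the diff plus scan from cron as a user other than the one Apache runs as.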

#2 Rainbow Dash (Community Team, 104 posts, Donator)

Posted 28 August 2017 - 01:27 AM

All done ;)
Thanks for that, maybe a plugin for IP protect? :wacko:

#3 yoyoloop (Newbie, Member, 6 posts)

Posted 29 August 2017 - 05:22 AM

Great Guide. Do you recommend any other ways to secure the server?

#4 logan5 (Newbie, Member, 6 posts)

Posted 29 August 2017 - 08:41 AM

I'm glad you mentioned changing the SSH port; I was shocked the first time I looked at the log files for my site, so many attempts made to the default port. It's a wonder I lasted long enough to learn to change it to something other than the default. I have never allowed anonymous logins; they have something to hide.

#5 CaptainKirk (Newbie, Member, 9 posts)

Posted 13 July 2018 - 01:37 PM

Good tutorial.

Only thing I could add would be having two remote location backups (AWS is good for this) and disabling the real root account.

#6 sinisterlyhacks (Member, 11 posts, Location: Florida, Donator)

Posted 18 August 2018 - 08:35 AM

Thank you for posting this guide; I would have no clue what to do if it was not for people posting clean guides like this.
I'm going to do everything you say to do and hope to stay safe from hackers, as my niche is going to piss some people off who will probably try to take me down!

#7 cleaninfla (Newbie, Member, 3 posts)

Posted 14 October 2018 - 11:10 PM

Amazing guide, glad I came across it. A little bit of extra security can't hurt! :)



