8 Simple Rules For Keeping My Alliance Forum Secure


bros


[quote name='brass' date='16 February 2010 - 07:30 PM' timestamp='1266366610' post='2186536']
1) Do not use web-based admin tools for the OS, such as phpMyAdmin, MySQL web interfaces, etc. If you have no choice but to do so, put your hard IP address in the .htaccess file so that only the admin can access it.

2) SSH - Use keys only, no passwords allowed, no root login allowed. Also limit it to an IP block you know is yours.

3) Backup to a remote system daily. Log to a "write only" remote system if possible.

4) Run Tripwire or other intrusion detection system.

5) Use complicated passwords, "Leet Speak" combined with some non alpha-numeric characters tend to be fairly strong, but not bulletproof.

6) Always keep software, both OS and forum, updated.

7) Disable ALL non-essential services from the outside. Run Web server and database server so they can only speak to one another if on different machines. Turn off SMTP and other services if that box is not used for mail, etc.
[/quote]

Most people aren't on dedicated servers xd

And not many shared hosts allow ssh access. AFAIK, apis might offer it, not sure

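The two host-level rules quoted above (rule 1, lock the web admin tool to one address; rule 2, key-only SSH, no root, only from your own address block) are easy to state and easy to get subtly wrong, so here is an added example that is not from the original thread: a small POSIX shell script that audits an sshd_config for rule 2 and writes the .htaccess fragment rule 1 describes. The file locations, the account name "forumadmin" and the addresses 203.0.113.7 and 203.0.113.0/24 are assumptions chosen for illustration; the "stock" config it audits is a constructed sample, not a real server's file.

```shell
#!/bin/sh
# Added example, not part of the original thread. Audits sshd_config against
# rule 2 and writes the rule-1 .htaccess. The account name "forumadmin" and
# the 203.0.113.x addresses are placeholders (assumptions), not real values.

# sshd keywords are case-insensitive and the first uncommented occurrence
# wins, so report that one. Prints nothing if the keyword is absent.
sshd_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# audit_sshd <sshd_config>: one line per finding; exit 0 means it passes.
# An absent directive falls back to the stock default, which for these
# keywords is the permissive setting, so "absent" counts as a finding.
audit_sshd() {
    f="$1"; bad=0
    [ "$(sshd_get "$f" PasswordAuthentication)" = no ] ||
        { echo "PasswordAuthentication is not 'no': password guessing works"; bad=1; }
    [ "$(sshd_get "$f" PermitRootLogin)" = no ] ||
        { echo "PermitRootLogin is not 'no': root is reachable directly"; bad=1; }
    [ "$(sshd_get "$f" ChallengeResponseAuthentication)" = no ] ||
        { echo "ChallengeResponseAuthentication is not 'no': PAM can still prompt for a password"; bad=1; }
    # Source restriction: either AllowUsers user@host/net or a Match Address block.
    grep -Eq '^[[:space:]]*(AllowUsers[[:space:]]+[^[:space:]]+@|Match[[:space:]]+Address)' "$f" ||
        { echo "no AllowUsers user@net or Match Address: any source may try to log in"; bad=1; }
    return $bad
}

# write_hardened_sshd <path>: rule 2 in sshd_config form.
write_hardened_sshd() {
    cat > "$1" <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
# Only the admin account, and only from the admin's own address block.
AllowUsers forumadmin@203.0.113.0/24
EOF
}

# write_admin_htaccess <path>: rule 1, the admin tool answers one address only.
# Apache 2.2 syntax, which is what hosts ran when this was posted; on Apache
# 2.4 the equivalent single line is "Require ip 203.0.113.7".
write_admin_htaccess() {
    cat > "$1" <<'EOF'
Order deny,allow
Deny from all
Allow from 203.0.113.7
EOF
}

# Constructed sample of a stock-looking config, for comparison only.
write_weak_sshd() {
    cat > "$1" <<'EOF'
Port 22
#PasswordAuthentication yes
PermitRootLogin yes
ChallengeResponseAuthentication yes
EOF
}

tmp=$(mktemp -d)
write_weak_sshd "$tmp/sshd_config.stock"
write_hardened_sshd "$tmp/sshd_config.hardened"
write_admin_htaccess "$tmp/phpmyadmin.htaccess"
echo "== stock config:";    audit_sshd "$tmp/sshd_config.stock" || echo "(fails)"
echo "== hardened config:"; audit_sshd "$tmp/sshd_config.hardened" && echo "(passes)"
```

Two caveats before you apply this to a live box: a `Match` block later in the file can override any of these keywords, so check what sshd actually resolved with `sshd -T` rather than trusting a grep of the file, and keep your current session open while you restart sshd with the new config so a typo in `AllowUsers` (or a home connection that is not on a static address) does not lock you out of your own server.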

[quote name='bros2' date='16 February 2010 - 10:08 PM' timestamp='1266376084' post='2186814']
Most people aren't on dedicated servers xd

And not many shared hosts allow ssh access. AFAIK, apis might offer it, not sure
[/quote]

A Virtual Dedicated Server I once used allowed SSH. It was the only way I could do anything related to the maintenance of the website....Sadly, it still got hacked because a grown man felt threatened by a 14 year old.


[quote name='brass' date='17 February 2010 - 10:30 AM' timestamp='1266366610' post='2186536']1) Do not use web-based admin tools for the OS, such as phpMyAdmin, MySQL web interfaces, etc. If you have no choice but to do so, put your hard IP address in the .htaccess file so that only the admin can access it.[/quote]

I don't quite understand this.

[quote name='brass' date='17 February 2010 - 10:30 AM' timestamp='1266366610' post='2186536']2) SSH - Use keys only, no passwords allowed, no root login allowed. Also limit it to an IP block you know is yours.[/quote]

I've used a root password for years, and never been hacked. It's all a matter of using a secure connection and having a very complicated & long password.


If someone is running their own server, the best advice to give IMO is to install csf. It's perfectly free, open source, and runs on many linux distros:
http://www.configserver.com/cp/csf.html

The other thing to do, is to always run the latest version of PHP. I recompile mine within hours of a new release :smug:



Also, if anyone needs help with phpBB - ask me. I would also recommend it, as it's been security-audited several times, and has proven to have no serious vulnerabilities since release.


[quote name='Voodoo Nova' date='16 February 2010 - 10:34 PM' timestamp='1266377677' post='2186911']
A Virtual Dedicated Server I once used allowed SSH. It was the only way I could do anything related to the maintenance of the website....Sadly, it still got hacked because a grown man felt threatened by a 14 year old.
[/quote]

VPS, Dedi, they are close enough to each other.


I would add a rule:

Don't ever, ever, ever allow admins to be elected. Ever. Your alliance can be a democracy if you want. Your forum shouldn't be. The one who pays the server bills picks the admins. If a donation based system is used to pay the hosting bill, your donation is saying "we support your hard work", not "I am buying a say in who gets to be admin". There's always a user number 1 on any forum. Whoever controls that account makes all the calls (unless your forum is a very old Invisionfree convert like Polar, NPO or ODN, where user #1 may or may not even be active anymore).

If you give your elected officials admin access you are asking for disaster.


[quote name='Electron Sponge' date='17 February 2010 - 07:09 PM' timestamp='1266451747' post='2188341']
I would add a rule:

Don't ever, ever, ever allow admins to be elected. Ever. Your alliance can be a democracy if you want. Your forum shouldn't be. The one who pays the server bills picks the admins. If a donation based system is used to pay the hosting bill, your donation is saying "we support your hard work", not "I am buying a say in who gets to be admin". There's always a user number 1 on any forum. Whoever controls that account makes all the calls (unless your forum is a very old Invisionfree convert like Polar, NPO or ODN, where user #1 may or may not even be active anymore).

If you give your elected officials admin access you are asking for disaster.
[/quote]


....what

do people actually do this?

no i can't believe they are that dumb


[quote name='bros2' date='18 February 2010 - 12:23 PM' timestamp='1266452609' post='2188367']
....what

do people actually do this?

no i can't believe they are that dumb
[/quote]
Yeah - scary thought, right? The ODN has its admin team separate from government - but I know a large number of alliances do give admin powers to elected officials.


[quote name='bros2' date='17 February 2010 - 07:23 PM' timestamp='1266452609' post='2188367']
....what

do people actually do this?

no i can't believe they are that dumb
[/quote]

Yes, people actually do this, and yes, people are actually that dumb when it comes to technology. Kinda like the whole "I want multiple founders for my IRC channel." thing that I have to deal with every few days.

Every host I've ever been on (paid, that is), allows SSH connections.

[quote]
VPS, Dedi, they are close enough to each other.
[/quote]

A VPS is just a glorified shared server. You can still break out of the virtual machine and into the hypervisor, and wreak havoc on other people's websites.


[quote name='Electron Sponge' date='17 February 2010 - 07:09 PM' timestamp='1266451747' post='2188341']
I would add a rule:

Don't ever, ever, ever allow admins to be elected. Ever. Your alliance can be a democracy if you want. Your forum shouldn't be. The one who pays the server bills picks the admins. If a donation based system is used to pay the hosting bill, your donation is saying "we support your hard work", not "I am buying a say in who gets to be admin". There's always a user number 1 on any forum. Whoever controls that account makes all the calls (unless your forum is a very old Invisionfree convert like Polar, NPO or ODN, where user #1 may or may not even be active anymore).

If you give your elected officials admin access you are asking for disaster.
[/quote]
Slightly on this subject, regular backups of your forums are always handy. I've seen an instance where the guy footing the bill disagreed with what the alliance was doing, so in a fit of maturity he cancelled the account.


[quote name='Electron Sponge' date='17 February 2010 - 07:09 PM' timestamp='1266451747' post='2188341']
I would add a rule:

Don't ever, ever, ever allow admins to be elected. Ever. Your alliance can be a democracy if you want. Your forum shouldn't be. The one who pays the server bills picks the admins. If a donation based system is used to pay the hosting bill, your donation is saying "we support your hard work", not "I am buying a say in who gets to be admin". There's always a user number 1 on any forum. Whoever controls that account makes all the calls (unless your forum is a very old Invisionfree convert like Polar, NPO or ODN, where user #1 may or may not even be active anymore).

If you give your elected officials admin access you are asking for disaster.
[/quote]

Agreeing with this.

At the max, positions that are elected get supermod with us. Only perma-gov get any kind of admin access.

And agreeing with the daily backups bit wicked said too.


[quote name='yetanothername' date='17 February 2010 - 08:01 PM' timestamp='1266454874' post='2188436']
Yes, people actually do this, and yes, people are actually that dumb when it comes to technology. Kinda like the whole "I want multiple founders for my IRC channel." thing that I have to deal with every few days.

Every host I've ever been on (paid, that is), allows SSH connections.



A VPS is just a glorified shared server. You can still break out of the virtual machine and into the hypervisor, and wreak havoc on other people's websites.
[/quote]

hm.

I should really check if the MK host allows SSH. I don't think it does (at least not the last time I checked), but it is British and British people are weird.


  • 2 weeks later...

[quote name='Bilrow' date='16 February 2010 - 06:17 PM' timestamp='1266344481' post='2185826']
Not knowing anything about SMF, that simply sounds like you need to chmod your Package directory on your server to be writeable so that it can save the file there.
[/quote]

Talk Dirty to me some more, Baby. :)

How you been Bilrow, it's been what? 2 years?

Also, I do think this is a great idea starting this thread... no one needs to have their servers hacked and it would be kinda cool if CN alliances would come up with some kind of informal agreement to help each other out with forum hackers. I know that people who are in the "know" and active members of larger alliances have people in their own alliance or know people in other alliances who will happily help. But perhaps smaller alliances who don't have the knowledge need some informal "CN interalliance" team that would offer advice/help to any and all alliances who are having trouble with forum security. Granted this is dependent upon trust and whatnot, but it wouldn't be like you had to do it if you didn't want to. Even though I dislike/hate several alliances and members of other alliances in-game, I don't wish any ill will upon anyone outside of the game. I think a LOT of Planet Bobians are like this and would offer help.

Good job on setting up this QA forum. I likey.


[quote name='PrinceArutha' date='26 February 2010 - 06:33 PM' timestamp='1267231006' post='2205568']
Talk Dirty to me some more, Baby. :)

How you been Bilrow, it's been what? 2 years?

Also, I do think this is a great idea starting this thread... no one needs to have their servers hacked and it would be kinda cool if CN alliances would come up with some kind of informal agreement to help each other out with forum hackers. I know that people who are in the "know" and active members of larger alliances have people in their own alliance or know people in other alliances who will happily help. But perhaps smaller alliances who don't have the knowledge need some informal "CN interalliance" team that would offer advice/help to any and all alliances who are having trouble with forum security. Granted this is dependent upon trust and whatnot, but it wouldn't be like you had to do it if you didn't want to. Even though I dislike/hate several alliances and members of other alliances in-game, I don't wish any ill will upon anyone outside of the game. I think a LOT of Planet Bobians are like this and would offer help.

Good job on setting up this QA forum. I likey.
[/quote]

Come here baby and we can discuss MySQL queries and doing backups. :winks seductively:


I agree when it comes to forum security we as a community need to look out for each other and help each other OOCly no matter where our friendships and allegiances fall in-game as far as giving warnings and such hackings going on. Unfortunately, anything "interalliance" that was set up probably would become political. :(


[quote name='Bilrow' date='27 February 2010 - 01:41 AM' timestamp='1267235106' post='2205655']
Come here baby and we can discuss MySQL queries and doing backups. :winks seductively:


I agree when it comes to forum security we as a community need to look out for each other and help each other OOCly no matter where our friendships and allegiances fall in-game as far as giving warnings and such hackings going on. Unfortunately, anything "interalliance" that was set up probably would become political. :(
[/quote]

I'm a virgin when it comes to MySQL queries and such. But, you can back it up to my hard drive anytime you like, big boy. :blush:
[quote name='bros2' date='27 February 2010 - 02:12 AM' timestamp='1267236978' post='2205687']
I think that Bilrow and I would help other alliances out.

But some alliances are a bit touchy :P
[/quote]

Some alliances would be very touchy, but they dont have to take the help... it's just good to know that the help is available if people are in a tough spot.

Unfortunately Bilrow is right and it would almost certainly become a political entity. Sad but true. I'd say a unilateral gentlemen's agreement similar to the FTLOGTOTC treaty back in the day would be good, but I think that it'd just be a waste of paper. Or maybe not, if done properly. Basically a "We won't hack forums but we agree to offer any support we can to those who need help or are hacked or have questions" type thing.

I wish I was smarter and I would do something to actually be productive in this. lol


I'd also be willing to help out other alliances. I know I'm not as high-profile as Bilrow or bros is, but I know my @#$%. (Or at least I like to think I do ;) )

[quote]But some alliances are a bit touchy :P[/quote]

If an alliance doesn't want your OOC technical knowledge and help just because you run with Pacifica or MK, then that's their own prerogative. Let them run their outdated pirated version of IPB. We'll still open our arms to help them once they get hacked.


[quote name='yetanothername' date='27 February 2010 - 02:37 AM' timestamp='1267238436' post='2205718']
I'd also be willing to help out other alliances. I know I'm not as high-profile as Bilrow or bros is, but I know my @#$%. (Or at least I like to think I do ;) )



If an alliance doesn't want your OOC technical knowledge and help just because you run with Pacifica or MK, then that's their own prerogative. Let them run their outdated pirated version of IPB. We'll still open our arms to help them once they get hacked.
[/quote]

True story. And I'm sure Bilrow or Bros would be able to refer them to someone who is with another alliance to help.
IC, Bilrow can come across as a jerk and is a controversial/pivotal member of a lot of drama, and I would understand where people wouldn't trust him.
OOC, Bilrow is a pretty cool guy, very easy to chat with, and knows his stuff as well as any I know and better than most. The same can be said about Bros from the rumors I hear, though I don't know it from personal experience.

I can also give you a list of people I have used for help on such things who are on opposite sides of the map, who are equally as ebil and oppressive as Bilrow and Bros but are actually cool guys. Nelchael runs NV's forums and does a damn fine job at it. He is equally as hateful and oppressive and ebil as Bilrow...

Quick, I hereby order Nelchael and Bilrow to have an ebil off for my undying love and affection. May the most ebil one win.


[quote name='PrinceArutha' date='27 February 2010 - 02:14 AM' timestamp='1267255058' post='2206201']
True story. And I'm sure Bilrow or Bros would be able to refer them to someone who is with another alliance to help.
IC, Bilrow can come across as a jerk and is a controversial/pivotal member of a lot of drama, and I would understand where people wouldn't trust him.
OOC, Bilrow is a pretty cool guy, very easy to chat with, and knows his stuff as well as any I know and better than most. The same can be said about Bros from the rumors I hear, though I don't know it from personal experience.

I can also give you a list of people I have used for help on such things who are on opposite sides of the map, who are equally as ebil and oppressive as Bilrow and Bros but are actually cool guys. Nelchael runs NV's forums and does a damn fine job at it. He is equally as hateful and oppressive and ebil as Bilrow...

Quick, I hereby order Nelchael and Bilrow to have an ebil off for my undying love and affection. May the most ebil one win.
[/quote]

ooooh there are rumors about me?


Some really great advice coming out of this thread, and I think it's fantastic that some sort of forum-helpers group is getting formed.

Just wanted to chime in on the good idea, and also: for the folks who find phpBB, SMF, IPB and similar too complex, there ARE alternative forum options out there. I'm fond of Vanilla, myself (found it because Warren Ellis's forum uses it). There ARE secure, robust options that aren't quite the pain in the neck some of the big forums are (that said, the various forum packages have come a LONG way since the early days).


About backups... you need to test the backups by requesting a restore to a dummy directory every now and then. Make sure the files are all there and the DB has all the information from the board. SO MANY TIMES the guys that do backups, don't. They either are ignoring an error or flat-out aren't doing them.

You don't have backups unless they're tested.

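The post above, together with rule 3 and the "daily backups" replies earlier in the thread, describes a procedure: dump the board, package it, and then actually restore it somewhere harmless and check it. Here is an added example of that procedure as a POSIX shell script; it is not code from the thread or from any forum package. It packages a site directory and an SQL dump into a dated archive with a checksum manifest, then restores the archive into a scratch directory and fails if any file differs or if the dump is truncated. The paths, the two-file sample site and the tiny dump are constructed for illustration; on a real box the dump comes from mysqldump, and the restore check is what you would run from cron after the backup, not instead of it.

```shell
#!/bin/sh
# Added example, not part of the original thread. Packages a forum's files and
# SQL dump, then proves the archive restores. Paths and sample data are
# constructed assumptions; sha256sum is from GNU coreutils.

# manifest <dir> <outfile>: SHA-256 of every file under <dir>, relative paths.
manifest() {
    ( cd "$1" && find . -type f ! -name SHA256SUMS | sort | xargs sha256sum ) > "$2"
}

# make_backup <site_dir> <dump.sql> <out_dir>: prints the archive path.
make_backup() {
    site="$1"; dump="$2"; out="$3"
    stage=$(mktemp -d)
    mkdir -p "$stage/files" "$out"
    cp -R "$site/." "$stage/files/"
    cp "$dump" "$stage/db.sql"
    manifest "$stage" "$stage/SHA256SUMS"
    archive="$out/forum-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -C "$stage" -czf "$archive" .
    rm -rf "$stage"
    echo "$archive"
}

# verify_backup <archive>: restore into a scratch directory and check it.
# Exit 0 only if the archive unpacks, every file matches its checksum and the
# dump carries mysqldump's completion marker. A dump that died halfway (disk
# full, lost connection) has no marker: that is the silent failure the post
# warns about, and the one a glance at "ls -l backups/" never catches.
verify_backup() {
    scratch=$(mktemp -d)
    rc=0
    if ! tar -C "$scratch" -xzf "$1"; then
        echo "restore failed: archive unreadable"; rc=1
    elif ! ( cd "$scratch" && sha256sum -c --quiet SHA256SUMS ); then
        echo "restore failed: checksum mismatch"; rc=1
    elif ! tail -n 3 "$scratch/db.sql" | grep -q '^-- Dump completed'; then
        echo "restore failed: db.sql is truncated (no 'Dump completed' line)"; rc=1
    fi
    rm -rf "$scratch"
    return $rc
}

# Constructed sample site and dump (the dump mimics mysqldump's shape only).
sample_site() {
    mkdir -p "$1/config"
    printf '<?php // forum entry point\n' > "$1/index.php"
    printf '<?php $db_pass = "example";\n' > "$1/config/config.php"
}
sample_dump() {
    cat > "$1" <<'EOF'
-- MySQL dump (constructed sample)
CREATE TABLE posts (id INT, body TEXT);
INSERT INTO posts VALUES (1,'hello');
-- Dump completed on 2010-02-17 19:30:00
EOF
}

work=$(mktemp -d)
sample_site "$work/site"
sample_dump "$work/db.sql"
archive=$(make_backup "$work/site" "$work/db.sql" "$work/backups")
verify_backup "$archive" && echo "backup $archive restores cleanly"
```

Copy the archive off the box (rule 3) before you count it as a backup, and run verify_backup on the remote copy, not the local one; a backup that only lives on the server it protects disappears with the server, whether the cause is a break-in or the bill-payer cancelling the account.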
