Protection Against Hackers

MQK8

Well-known member
So I guess it's safe to say from seeing the North Koreans hack into Sony Entertainment and bring them to their knees that if hackers want to bring you down bad enough there's really nothing you can do? This should be a wake up call for a lot of people.
 
Only folks not really familiar with computers and networking. Anything written (that performs valid functions) by man can be broken by man. If it's not the code directly it's the core structure that sits under it.
 
There's a lot that can be done. For example...

How many of you are the only person on your site that has an email address but leave your POP port open to the world?

How many of you are the only person that has an FTP password but leave your FTP port open to the world?

How many of you are the only person that has SSH access but leave your SSH port open to the world?

If you have a static IP, those ports should be closed to everyone except you. Check your firewall documentation about how to block those ports.

That just scratches the surface of what can be done.
 
> If you have a static IP, those ports should be closed to everyone except you. Check your firewall documentation about how to block those ports.
> That just scratches the surface of what can be done.
And only fits a small, limited # of people. It's fine and dandy if you only log into it from one or two places.... but for my servers, I may have to be logging in from a client location that I don't know the IP of beforehand, I may have to be logging in via my cellular service. Could I set up a VPN to do it? Yep, but that in and of itself is another ball of wax.

For SSH, better than restricting ports to a specific IP is using keys and also 2 factor authentication. That way, you can access from your known computer with no problems - but also access it from remote locations utilizing the 2 factor authentication routines.
Same with the email - I may be the only one with an account - but my phone is set up to access those emails also - and guess what, Verizon doesn't give me a static IP for that ability.

There are ways you can mitigate it... but you will NEVER totally eliminate it.
 
> And only fits a small, limited # of people. It's fine and dandy if you only log into it from 1 or two places.... but for my servers, I may have to be logging in from a client location that I don't know the IP of beforehand, I may have to be logging in via my cellular service. Could I set up a VPN to do it. Yep, but that in and of itself is another ball of wax.
>
> For SSH, better than restricting ports to a specific IP is using keys and also 2 factor authentication. That way, you can access from your known computer with no problems - but also access it from remote locations utilizing the 2 factor authentication routines.
> Same with the email - I may be the only one with an account - but my phone is set up to access those emails also - and guess what, Verizon doesn't give me a static IP for that ability.
>
> There are ways you can mitigate it... but you will NEVER totally eliminate it.
It boils down to how far you want to go.

Personally when I log out of my computer here, that is the end of my internet day. So locking those ports down makes sense for me.

And if I'm away from this computer for any length of time, I am not available. There's nothing so important that it can't wait a day or two to be solved.
 
> And if I'm away from this computer for any length of time, I am not available. There's nothing so important that it can't wait a day or two to be solved.
Works until you have a dedicated server that not only provides VPS services for you, but for several other users. THEN you don't have the luxury of going "Oh well, it can wait a few days".

And even doing the "lock down" routine you denote - there are other vectors of attack that can (and are) utilized. Too many people concentrate on the "open ports". PHP can have a security hole... the HTTP server can have a security hole, the SQL server can have one... shall I go on? All those are services that most people that have an internet exposed server utilize - and you can't "block" those ports or services.
 
That's why I originally said it only scratches the surface of what can be done. ;)
You can dig it 200 feet deep and it will still be able to be hacked by someone. I don't care how "smart" someone is on their coding... there is always someone else out there smarter. It used to be that the only way you could be assured of not getting hacked was not being networked... but even that doesn't apply now. :coffee:
 
A few things you can do to improve security.

1. Install CSF
http://configserver.com/cp/csf.html
2. Open only the ports you are using!
3. Switch SSH to another port above 1024
4. Disable password authentication and work with SSH keys.
5. Do not use insecure FTP (Use SFTP instead)
6. Disable dangerous PHP functions
From my php.ini
Code:
disable_functions = "passthru,ini_set,shell_exec,eval,popen,exec,dl"
7. Use the Two factor authentication add-on
https://xenforo.com/community/resources/freddyshouse-two-factor-authentication.1663/
8. Always keep your server OS and software up to date. Also make sure you run the latest version of XF and your add-ons.
 
According to the FBI Sony had the top software safeguards in place (outside of the U.S. government). Surely they can afford the best protection, you would think. I'm curious what Obama's response will be, a counter cyber attack I'm sure.
 
> I read an article before, I thought the advisable port is below 1024.
This is true. Running sshd on a non-privileged port >1024 is actually a bigger security risk, because it makes it easier to attack sshd with fake daemons (binding to a port >1024 doesn't need a root exploit in the first place, that's why it's a bad idea to do that).

Running sshd on a different port than default generally opens more problems than it solves. The only positive aspect is that it will most likely reduce the frequency of brute-force password attacks against sshd thus saving some resources. But that's it. Keeping ssh updated and using public key authentication instead of passwords is more than enough to maintain an acceptable security level.

There is so much wrong advice on the net today, it's not even funny. People running so-called "security blogs" without having *any* clue what they're talking about should be held responsible for any screwups caused by their "advice".
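As an added example (not code from the thread or from any of its posters), a small POSIX sh audit that checks a server against items 4 and 6 of the checklist above, which is also the key-instead-of-password point made in the reply just above. The real config paths are assumptions; the sample configs are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the thread or its posters: audit a server against
# checklist items 4 (keys, no passwords) and 6 (disable_functions) using its
# sshd_config and php.ini. Real paths (/etc/ssh/sshd_config, php.ini) are assumptions;
# the sample files below are constructed so the script runs offline.

# sshd uses the first obtained value of a keyword, so take the first match (keywords
# are case-insensitive). Parses "Keyword value"; the "Keyword=value" form is not handled.
sshd_value() {  # sshd_value <config> <keyword> <default-if-absent>
    v=$(grep -i "^[[:space:]]*$2[[:space:]]" "$1" | head -n 1 | awk '{print tolower($2)}')
    if [ -n "$v" ]; then printf '%s\n' "$v"; else printf '%s\n' "$3"; fi
}

# One finding per line; no output means only key authentication is accepted.
audit_sshd() {
    [ "$(sshd_value "$1" PasswordAuthentication yes)" = "no" ] \
        || echo "sshd: PasswordAuthentication is not 'no', passwords still accepted"
    [ "$(sshd_value "$1" PubkeyAuthentication yes)" = "yes" ] \
        || echo "sshd: PubkeyAuthentication is off, keys cannot be used"
}

# Names on the php.ini disable_functions line, lowercased, one per line.
php_disabled() {
    grep -i '^[[:space:]]*disable_functions[[:space:]]*=' "$1" | head -n 1 \
        | sed 's/^[^=]*=//; s/["[:space:]]//g' | tr ',' '\n' | tr 'A-Z' 'a-z'
}

# Flags shell-spawning functions from the thread's list that remain callable. eval is
# not checked: it is a language construct, so disable_functions has no effect on it.
audit_php() {
    disabled=$(php_disabled "$1")
    for fn in passthru shell_exec popen exec dl; do
        printf '%s\n' "$disabled" | grep -qx "$fn" || echo "php: $fn is not disabled"
    done
}

# Total findings for a host; 0 means both checks pass.
count_findings() {  # count_findings <sshd_config> <php.ini>
    { audit_sshd "$1"; audit_php "$2"; } | grep -c . || true
}

# Constructed sample configs: a weak pair and a hardened pair.
weak_ssh=$(mktemp); printf 'Port 22\nPasswordAuthentication yes\n' > "$weak_ssh"
good_ssh=$(mktemp); printf '#comment\nPubkeyAuthentication yes\nPasswordAuthentication no\n' > "$good_ssh"
weak_php=$(mktemp); printf 'disable_functions =\n' > "$weak_php"
good_php=$(mktemp)
printf 'disable_functions = "passthru,ini_set,shell_exec,eval,popen,exec,dl"\n' > "$good_php"
echo "weak host findings: $(count_findings "$weak_ssh" "$weak_php")"     # 6
echo "hardened host findings: $(count_findings "$good_ssh" "$good_php")" # 0
```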
 