Protection Against Hackers

Discussion in 'Off Topic' started by MQK8, Dec 20, 2014.

  1. MQK8

    MQK8 Active Member

    So I guess it's safe to say from seeing the North Koreans hack into Sony Entertainment and bring them to their knees that if hackers want to bring you down bad enough there's really nothing you can do? This should be a wake up call for a lot of people.
  2. Tracy Perry

    Tracy Perry Well-Known Member

    Only folks not really familiar with computers and networking. Anything written (that performs valid functions) by man can be broken by man. If it's not the code directly it's the core structure that sits under it.
    Goodfella likes this.
  3. batpool52!

    batpool52! Well-Known Member

    They kept all the passwords inside a "Password" folder, who in the world would do that? Not me.
    RastaLulz likes this.
  4. Snog

    Snog Well-Known Member

    There's a lot that can be done. For example...

    How many of you are the only person on your site that has an email address but leave your POP port open to the world?

    How many of you are the only person that has an FTP password but leave your FTP port open to the world?

    How many of you are the only person that has SSH access but leave your SSH port open to the world?

    If you have a static IP, those ports should be closed to everyone except you. Check your firewall documentation about how to block those ports.

    That just scratches the surface of what can be done.
    Alfa1 likes this.
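
An added example, not part of any post in this thread: a check that reads a ruleset in `iptables-save` format and lists the FTP, SSH and POP3 ports that are accepted from any source address, which is the situation the post above describes. The sample ruleset and the address 203.0.113.10 are constructed, and the use of iptables is an assumption, since the post names no particular firewall.

```python
import shlex

# Services named in the post above: FTP, SSH and POP3.
MGMT_PORTS = {21: "FTP", 22: "SSH", 110: "POP3"}

# Constructed sample in iptables-save format (203.0.113.10 is a documentation address).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 110,995 -j ACCEPT
COMMIT
"""


def rule_ports(tokens):
    """Destination ports matched by one rule (--dport N, --dports A,B or LO:HI)."""
    ports = set()
    for flag in ("--dport", "--dports"):
        if flag in tokens:
            for part in tokens[tokens.index(flag) + 1].split(","):
                lo, _, hi = part.partition(":")
                ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def world_open_mgmt_ports(ruleset):
    """(port, service) pairs that INPUT accepts with no source restriction.

    Only rules that name a destination port are examined; a blanket
    ACCEPT rule without --dport is outside what this check covers.
    """
    findings = []
    for line in ruleset.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", "INPUT"] or "ACCEPT" not in tokens:
            continue
        source = tokens[tokens.index("-s") + 1] if "-s" in tokens else None
        if source not in (None, "0.0.0.0/0"):
            continue  # already limited to one address or network
        for port in sorted(rule_ports(tokens) & set(MGMT_PORTS)):
            findings.append((port, MGMT_PORTS[port]))
    return findings


if __name__ == "__main__":
    for port, service in world_open_mgmt_ports(SAMPLE_RULES):
        print(f"{service} ({port}/tcp) is accepted from any source")
```

On the sample, SSH passes because its rule carries a source address, while FTP and POP3 are reported.
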
  5. Tracy Perry

    Tracy Perry Well-Known Member

    And only fits a small, limited # of people. It's fine and dandy if you only log into it from 1 or two places.... but for my servers, I may have to be logging in from a client location that I don't know the IP of beforehand, I may have to be logging in via my cellular service. Could I set up a VPN to do it? Yep, but that in and of itself is another ball of wax.

    For SSH, better than restricting ports to a specific IP is using keys and also 2 factor authentication. That way, you can access from your known computer with no problems - but also access it from remote locations utilizing the 2 factor authentication routines.
    Same with the email - I may be the only one with an account - but my phone is set up to access those emails also - and guess what, Verizon doesn't give me a static IP for that ability.

    There are ways you can mitigate it... but you will NEVER totally eliminate it.
  6. Snog

    Snog Well-Known Member

    It boils down to how far you want to go.

    Personally when I log out of my computer here, that is the end of my internet day. So locking those ports down makes sense for me.

    And if I'm away from this computer for any length of time, I am not available. There's nothing so important that it can't wait a day or two to be solved.
  7. Tracy Perry

    Tracy Perry Well-Known Member

    Works until you have a dedicated server that not only provides VPS services for you, but for several other users. THEN you don't have the luxury of going "Oh well, it can wait a few days".

    And even doing the "lock down" routine you denote - there are other vectors of attack that can (and are) utilized. Too many people concentrate on the "open ports". PHP can have a security hole... the HTTP server can have a security hole, the SQL server can have one... shall I go on? All those are services that most people that have an internet exposed server utilize - and you can't "block" those ports or services.
  8. Snog

    Snog Well-Known Member

    That's why I originally said it only scratches the surface of what can be done. ;)
  9. Tracy Perry

    Tracy Perry Well-Known Member

    You can dig it 200 feet deep and it will still be able to be hacked by someone. I don't care how "smart" someone is on their coding... there is always someone else out there smarter. Used to be the only way you could be assured of not getting hacked was not being networked... but even that doesn't apply now. :coffee:
    batpool52! likes this.
  10. Brogan

    Brogan XenForo Moderator Staff Member

    The ultimate security is to not own a server.

    It's all downhill from there.
  11. Amaury

    Amaury Well-Known Member

  12. Fred.

    Fred. Well-Known Member

    A few things you can do to improve security.

    1. Install CSF
    2. Open only the ports you are using!
    3. Switch SSH to another port above 1024
    4. Disable password authentication and work with SSH keys.
    5. Do not use insecure FTP (Use SFTP instead)
    6. Disable dangerous PHP functions
    From my php.ini
    disable_functions = "passthru,ini_set,shell_exec,eval,popen,exec,dl"
    7. Use the Two factor authentication add-on
    8. Always keep your server OS and software up to date. Also make sure you run the latest version of XF and your add-ons.
  13. RoldanLT

    RoldanLT Well-Known Member

    I read an article before, I thought the advisable port is below 1024.
  14. MQK8

    MQK8 Active Member

    According to the FBI, Sony had the top of software safeguards in place (outside of the U.S. government). Surely they can afford the best protection you would think. I'm curious what Obama's response will be, a counter cyber attack I'm sure.
  15. SilverCircle

    SilverCircle Well-Known Member

    This is true. Running sshd on a non-privileged port >1024 is actually a bigger security risk, because it makes it easier to attack sshd with fake daemons (binding to a port >1024 doesn't need a root exploit in the first place, that's why it's a bad idea to do that).

    Running sshd on a different port than default generally opens more problems than it solves. The only positive aspect is that it will most likely reduce the frequency of brute-force password attacks against sshd thus saving some resources. But that's it. Keeping ssh updated and using public key authentication instead of passwords is more than enough to maintain an acceptable security level.

    There is so much wrong advice on the net today, it's not even funny. People running so-called "security blogs" without having *any* clue what they're talking about should be held responsible for any screwups caused by their "advice".
    RoldanLT likes this.
  16. Fred.

    Fred. Well-Known Member

    batpool52! likes this.
