Protection Against Hackers

MQK8

Well-known member
So I guess it's safe to say from seeing the North Koreans hack into Sony Entertianment and bring them to their knees that if hackers want to bring you down bad enough there's really nothing you can do? This should be a wake up call for a lot of people.
 
Only folks not really familiar with computers and networking. Anything written (that performs valid functions) by man can be broken by man. If it's not the code directly it's the core structure that sits under it.
 
There's a lot that can be done. For example...

How many of you are the only person on your site that has an email address but leave your POP port open to the world?

How many of you are the only person that has an FTP password but leave your FTP port open to the world?

How many of you are the only person that has SSH access but leave your SSH port open to the world?

If you have a static IP, those ports should be closed to everyone except you. Check your firewall documentation about how to block those ports.

That just scratches the surface of what can be done.
 
If you have a static IP, those ports should be closed to everyone except you. Check your firewall documentation about how to block those ports.
That just scratches the surface of what can be done.
And only fits a small, limited # of people. It's fine and dandy if you only log into it from 1 or two places.... but for my servers, I may have to be logging in from a client location that I don't know the IP of beforehand, I may have to be logging in via my cellular service. Could I set up a VPN to do it. Yep, but that in and of itself is another ball of wax.

For SSH, better than restricting ports to a specific IP is using keys and also 2 factor authentication. That way, you can access from your known computer with no problems - but also access it from remote locations utilizing the 2 factor authentication routines.
Same with the email - I may be the only one with an account - but my phone is set up to access those emails also - and guess what, Verizon doesn't give me a static IP for that ability.

There are ways you can mitigate it... but you will NEVER totally eliminate it.
 
And only fits a small, limited # of people. It's fine and dandy if you only log into it from 1 or two places.... but for my servers, I may have to be logging in from a client location that I don't know the IP of beforehand, I may have to be logging in via my cellular service. Could I set up a VPN to do it. Yep, but that in and of itself is another ball of wax.

For SSH, better than restricting ports to a specific IP is using keys and also 2 factor authentication. That way, you can access from your known computer with no problems - but also access it from remote locations utilizing the 2 factor authentication routines.
Same with the email - I may be the only one with an account - but my phone is set up to access those emails also - and guess what, Verizon doesn't give me a static IP for that ability.

There are ways you can mitigate it... but you will NEVER totally eliminate it.
It boils down to how far you want to go.

Personally when I log out of my computer here, that is the end of my internet day. So locking those ports down makes sense for me.

And if I'm away from this computer for any length of time, I am not available. There's nothing so important that it can't wait a day or two to be solved.
 
And if I'm away from this computer for any length of time, I am not available. There's nothing so important that it can't wait a day or two to be solved.
Works until you have a dedicated server that not only provides VPS services for you, but for several other users. THEN you don't have the luxury of going "Oh well, it can wait a few days".

And even doing the "lock down" routine you denote - there are other vectors of attack that can (and are) utilized. To many people concentrate on the "open ports". PHP can have a security hole... the HTTP server can have a security hole, the SQL server can have one... shall I go on? All those are services that most people that have an internet exposed server utilize - and you can't "block" those ports or services.
 
That's why I originally said it only scratches the surface of what can be done. ;)
You can dig it 200 feet deep and it will still be able to be hacked by someone. I don't care how "smart" someone is on their coding... there is always someone else out there smarter. Used to the only way you could be assured of not getting hacked was not being networked... but even that doesn't apply now. :coffee:
 
A few things you can do to improve security.

1. Install CSF
http://configserver.com/cp/csf.html
2. Open only the ports you are using!
3. Switch SSH to another port above 1024
4. Disable password authentication and work with SSH keys.
5. Do not use insecure FTP (Use SFTP instead)
6. Disable dangerous PHP functions
From my php.ini
Code:
disable_functions = "passthru,ini_set,shell_exec,eval,popen,exec,dl"
7. Use the Two factor authentication add-on
https://xenforo.com/community/resources/freddyshouse-two-factor-authentication.1663/
8. Always keep your server OS and software up to date. Also make sure you run the latest version of XF and your add-ons.
 
According to the FBI Sony had the top of software safeguards in place (outside of the U.S. government). Surely they can afford the best protection you would think. I'm curious what Obamas response will be, a counter cyber attack I'm sure.
 
I read an article before, I thought the advisable port is below 1024.
This is true. Running sshd on a non-privileged port >1024 is actually a bigger security risk, because it makes it easier to attack sshd with fake daemons (binding to a port >1024 doesn't need a root exploit in the first place, that's why it's a bad idea to do that).

Running sshd on a different port than default generally opens more problems than it solves. The only positive aspect is that it will most likely reduce the frequency of brute-force password attacks against sshd thus saving some resources. But that's it. Keeping ssh updated and using public key authentication instead of passwords is more than enough to maintain an acceptable security level.

There is so much wrong advice on the net today, it's not even funny. People running so-called "security blogs" without having *any* clue what they're talking about should be held responsible for any screwups caused by their "advice".
 
Top Bottom