
Security Category Or Forum Section

#1
Layer 7 attacks really are not fun --- at all.

If you have been a victim of Layer 7 attacks, you are familiar with typing htop to see plenty o' red on the RAM; perhaps the CPU is through the roof too.

Can we get a security section, please? I would like people to be able to share firewall rules/filters/etc. It would really strengthen the overall security of the XenForo community and provide a local place for people to discuss hardening servers to keep their XenForo running stable and secure!
 

Tracy Perry

Well-known member
#2
Can we get a security section, please? I would like people to be able to share firewall rules/filters/etc. It would really strengthen the overall security of the XenForo community and provide a local place for people to discuss hardening servers to keep their XenForo running stable and secure!
Considering that the layer 7 attacks are at the server level (HTTP) I'm pretty sure it can be discussed here already.
But it's really better discussed on a site that is more targeted towards security than a support forum for a script since it is not directly related to the script. You will find the number of admins that could provide beneficial information is MUCH more limited on this site than a site that dealt with security issues specifically or OS/server related topics in general.
 
#3
Disclaimer: Use this information as friendly advice, I claim no responsibility nor liability for incorrectly configured security solutions. Seek professional help if you are unfamiliar with anything below.

Here is an example of what I was talking about:

Hide your web server IP address - Use https://cloudflare.com and make sure to set up SMTP for mailing, otherwise your IP will seep out in email headers. Thanks to M@rc for pointing out that this should be done at setup time; if you are setting this up as a transition from a pre-existing server, you should consider getting a new IP assigned to the server and/or only allowing IP connections to the server on your SSH port, and only from the CDN (Cloudflare) on your web ports, where port 443 is HTTPS (secure) and 80 is plain HTTP.

Block common website attacks such as SQL injection or XSS - You may use https://sucuri.net/website-firewall/signup as an affordably priced solution. Alternatively, for free, OWASP has a list of mod_security rules to block common website attacks.

Prevent domain hijacking - Use a domain registrar that takes security seriously, e.g. one that offers multi-factor authentication and will not simply unlock your domain with a fake ID, fake business letter, etc. Social engineering is a very real threat, and you should also consider using privacy (whois) with your domain. If you pair multi-factor authentication with whois privacy, you should be good to go. https://markmonitor.com, https://hover.com, and https://www.cscdigitalbrand.services/ are all great choices to start with. Security is part of your responsibility, which means you should go into your account options, check the security settings, and enable multi-factor with a phone, etc.

Encrypting user traffic keeps the green padlock up top and users feeling safe?! This can be free using Certbot (Let's Encrypt), or you may wish to have a paid SSL certificate, which you may happily set up yourself on Apache or NGINX.

Consider checking the security of your website! Many free tools are available to analyze your website's security; I will list some below.
Mozilla Observatory - Scans your website for important headers and gives tips on fixing them --- my personal favorite.
SSL Labs Test - While the above provides this information, you may only want to check the SSL configuration.
DNSSEC Checker - Check to see if you have setup DNSSEC properly.
SPF Checker - The Sender Policy Framework allows you to specify what servers may send emails on your domain's behalf.
DMARC Checker - Check your DMARC records.
If you have any other good tools feel free to comment them below.

This information would be helpful to most people, how would it be hard or in any way a bad idea to provide this type of information to XenForo users? It could surely help anyone. I'm not saying we have to nor should we tell people what to do for security but giving some hints would surely be the thoughtful/caring thing to do for customers rather than have them skim through multiple other Internet forums to find what they need.

Out of the box XenForo doesn't come with Cloudflare, an SSL certificate, or a web application firewall (the Zend Framework does help to mitigate SQL injections, and the XenForo developers know what they are doing), but a web application firewall is never a bad thing just in case, because humans are prone to human errors no matter who you are. Having an area of the forum to let people know "Hey, this is a good thing to do to keep your web server and users safe." would be quite _AWESOME_
 
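The origin lockdown described in the post (web ports reachable only from the CDN, SSH only from you), as an added example that is not part of the original post nor Cloudflare's or XenForo's tooling. It flags web-port connections that did not arrive through the CDN (each one means the origin address is already known to someone) and renders the matching nftables ruleset. The CDN ranges here are constructed stand-ins for the published lists at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, and the admin SSH source address is hypothetical.

```python
"""Lock the origin down to the CDN and spot connections that bypass it.

Added example, not code from the original post or from XenForo/Cloudflare.
The CDN ranges are constructed stand-ins (documentation prefixes) for the real
published lists (https://www.cloudflare.com/ips-v4 and .../ips-v6); the admin
SSH source address is hypothetical.
"""
import ipaddress

CDN_RANGES = [ipaddress.ip_network(n) for n in (
    "203.0.113.0/24",      # constructed stand-in for a CDN IPv4 range
    "198.51.100.0/24",     # constructed stand-in for another CDN IPv4 range
    "2001:db8:cdcd::/48",  # constructed stand-in for a CDN IPv6 range
)]
ADMIN_SOURCES = [ipaddress.ip_network("192.0.2.10/32")]  # hypothetical admin IP for SSH
WEB_PORTS = (80, 443)


def is_in_ranges(ip, ranges):
    """True if the address falls inside any network of the same IP version."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)  # mixed versions compare False


def find_origin_bypass(connections):
    """Given (source_ip, local_port) pairs observed on the origin (for instance
    parsed from `ss -tn`), return the web-port connections that did not arrive
    via the CDN. Any hit here means the origin IP has leaked or was never hidden."""
    return [(ip, port) for ip, port in connections
            if port in WEB_PORTS and not is_in_ranges(ip, CDN_RANGES)]


def nft_ruleset(cdn=CDN_RANGES, admin=ADMIN_SOURCES, ssh_port=22):
    """Render an nftables ruleset: web ports only from the CDN, SSH only from
    the admin sources, everything else inbound dropped. Load with `nft -f`."""
    v4 = [str(n) for n in cdn if n.version == 4]
    v6 = [str(n) for n in cdn if n.version == 6]
    ports = ", ".join(str(p) for p in WEB_PORTS)
    lines = ["table inet filter {"]
    if v4:  # sets need `flags interval` to hold CIDR prefixes
        lines.append("    set cdn4 { type ipv4_addr; flags interval; elements = { %s } }"
                     % ", ".join(v4))
    if v6:
        lines.append("    set cdn6 { type ipv6_addr; flags interval; elements = { %s } }"
                     % ", ".join(v6))
    lines += [
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        "        iif lo accept",
        "        ct state established,related accept",
        "        ct state invalid drop",
    ]
    if v4:
        lines.append("        ip saddr @cdn4 tcp dport { %s } accept" % ports)
    if v6:
        lines.append("        ip6 saddr @cdn6 tcp dport { %s } accept" % ports)
    for net in admin:
        proto = "ip" if net.version == 4 else "ip6"
        lines.append("        %s saddr %s tcp dport %d accept" % (proto, net, ssh_port))
    lines += ["    }", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample of (source, local port) pairs as one might parse from `ss -tn`.
    seen = [("203.0.113.7", 443), ("192.0.2.200", 443), ("192.0.2.10", 22)]
    for ip, port in find_origin_bypass(seen):
        print("bypass: %s -> :%d" % (ip, port))
    print(nft_ruleset())
```

Load the ruleset only after the admin source rule is right, since the default policy drops everything else and a typo locks you out; regenerate it whenever the CDN publishes new ranges, and note that it does nothing about the SMTP header leak the post mentions, which has to be handled by sending mail through a relay rather than from the origin.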
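The checks the scanners listed above perform (response headers, SPF, DMARC), reduced to an offline baseline you can run against a captured response and your own DNS TXT records. This is an added example, not code from the post or from Mozilla Observatory or the other tools it names; the sample headers and records are constructed, and the 180-day HSTS threshold and the 10-lookup SPF rule (RFC 7208's limit) are this example's choices.

```python
"""Offline baseline checks in the spirit of the header, SPF and DMARC scanners.

Added example, not code from the original post or from the scanners it names.
The samples below are constructed; the 180-day HSTS threshold is this example's
choice and the lookup limit follows RFC 7208 (at most 10 DNS-querying terms).
"""
import re

REQUIRED_HEADERS = {
    "strict-transport-security": "no HSTS: browsers will still accept plain HTTP",
    "content-security-policy": "no CSP: injected inline/third-party script runs unrestricted",
    "x-content-type-options": "no X-Content-Type-Options: MIME sniffing allowed",
    "x-frame-options": "no X-Frame-Options: page can be framed (clickjacking)",
    "referrer-policy": "no Referrer-Policy: full URLs leak to third parties",
}
HSTS_MIN_AGE = 180 * 24 * 3600  # this example's threshold, in seconds


def audit_headers(headers):
    """Findings for a dict of response headers (names matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in h]
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not m or int(m.group(1)) < HSTS_MIN_AGE):
        findings.append("HSTS max-age under 180 days (%s)" % hsts)
    if "server" in h and re.search(r"\d", h["server"]):
        findings.append("Server header reveals version: %s" % h["server"])
    return findings


def audit_spf(txt):
    """Check an SPF TXT record: it must exist, end in -all/~all, and stay within
    the 10 DNS-querying terms (include, a, mx, ptr, exists, redirect)."""
    if not txt.startswith("v=spf1"):
        return ["no SPF record: anyone can send mail claiming your domain"]
    findings = []
    terms = txt.split()[1:]
    last = terms[-1] if terms else ""
    if last in ("all", "+all"):
        findings.append("SPF ends in +all: authorizes every sender")
    elif last not in ("-all", "~all"):
        findings.append("SPF does not end in -all or ~all (ends in %r): unlisted senders pass" % last)
    lookups = sum(1 for t in terms
                  if re.match(r"^[+\-~?]?(include:|a\b|mx\b|ptr\b|exists:|redirect=)", t))
    if lookups > 10:
        findings.append("SPF needs %d DNS lookups; receivers stop at 10 (permerror)" % lookups)
    return findings


def audit_dmarc(txt):
    """Check a DMARC TXT record: it must exist, enforce a policy, and report."""
    if not txt.startswith("v=DMARC1"):
        return ["no DMARC record: SPF/DKIM failures are not acted on"]
    tags = dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports")
    return findings


# Constructed samples of an unhardened origin and its DNS records.
WEAK_HEADERS = {"Server": "nginx/1.10.3", "Strict-Transport-Security": "max-age=300",
                "X-Content-Type-Options": "nosniff", "X-Frame-Options": "SAMEORIGIN"}
WEAK_SPF = "v=spf1 a mx include:_spf.example.net +all"
WEAK_DMARC = "v=DMARC1; p=none"

if __name__ == "__main__":
    for name, findings in (("headers", audit_headers(WEAK_HEADERS)),
                           ("SPF", audit_spf(WEAK_SPF)),
                           ("DMARC", audit_dmarc(WEAK_DMARC))):
        for f in findings:
            print("%s: %s" % (name, f))
```

Feed `audit_headers` the headers from `curl -sI https://your-site/` and the two TXT functions the output of `dig +short TXT your-site` and `dig +short TXT _dmarc.your-site`; a clean run returns empty lists for all three.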

Tracy Perry

Well-known member
#4
Having an area of the forum to let people know "Hey, this is a good thing to do to keep your web server and users safe." would be quite _AWESOME_
I refer you back to this portion of my reply
I'm pretty sure it can be discussed here already.
Detailed server administration/support/maintenance/whatever is not really what that area is for, nor is it on any other script support sites that I've participated in. It's more for guidance on issues that may be interactions between OS/services and XenForo. There are forums that are specific to server administration/security and allow access to many more knowledgeable references (persons) than here. I'd go so far as to say a large portion of the admins that run XF are on shared hosting and at the most know the day to day options in cPanel but do not go any level below that.
Many of the items you point out have already been discussed in the area I pointed to, as well as one or two other nodes on this site.
 
#5
nor is it on any other script support sites that I've participated in
I agree, I just never understood that mentality.

Perhaps I am just a dreaming cyber defense student. It would just make sense to me if any paid server component or software automatically comes with a hardening guide to maximize the protections of customers, their servers, and their users. Everyone wins that way, I think.
 

sheel

Active member
#6
...except it's not possible to write more than some basic guidelines, because everything else is too much to write, too much to read, and outdated right after publishing.

And, who's the target group? People who really know server security won't need it. And the rest ... while this is debatable, I'd say the majority are people who have no mindset for that - similar to e.g. programmers: most people can follow detailed instructions without truly understanding what they do, but with a tiny variation from the instruction they don't know what to do anymore except trial-and-error (fatal for security).

Also, most people simply have no interest in doing tedious work for a more secure server...
it's hard enough to get someone to update his computer software once a year.
 
#7
layer 7 attacks are at the server level (HTTP)
While you are not wrong, Layer 7 attacks target the scripts (PHP especially): PHP opens connections to a database, and hell ensues. In the case of XenForo, if you manage to throw bots at it you will notice heavy RAM use. While this is not XenForo's fault entirely, I am certainly curious if there is a better way to handle guest/visitor traffic in a way that is less resource intensive. I have some Layer 7 protection, but when enough bots go all at once, XenForo helps my server go full Alzheimer's. My ram gets rammed good. I will do additional testing and benchmark this for a case.

Maybe this is fixed for XenForo 2.0 but doing something more with caching and less with databases for ~guests~ could be a smart way (yes I have caching enabled properly). Anyone logged in with a registered account, I can agree to trusting more. Registered users are less likely to be clogging up database connections and ramming the ram than 10,000 guests scattered from across the world. On a global website, you cannot just block China or other countries where actual users live.

And, who's the target group? People who really know server security won't need it.
Umm people that give a single ____ about security and are not perfect. In simpler terms, everyone (with respect to security). Security does not have to be hard and the information I detailed above is more helpful in regards to protecting your XenForo in general than anything else I have come across on this website. My kind contribution to anyone who gives a hoot.

Maybe I am one of the few running a security-oriented forum on XenForo but with ~40K users I cannot afford to just install on cPanel and call it a day. I suspect others with larger forums are in the same boat. Not everyone starting a forum is a security enthusiast and student --- and anyone who has run a larger forum knows the expenses are great whereas your return is likely not enough to hire a personal security expert. Especially if your users are security conscious and you do not run ads for privacy reasons and out of respect. All I am saying is a simple DIY security hardening guide could be EXTREMELY useful for anyone while significantly enhancing the overall security of the XenForo community for anyone supportive of securing their website. Heck, I am willing to put it together alone if no one else is aboard the idea of securing XenForos.

update his computer software
This is another good point. I have gotten to see how some other forum software updates. Some automatically update; I would consider that forum software the most secure, and since they haven't had a security issue in almost 9 years I would say that is a solid track record. Updating the current stable XenForo (not 2.0) is a less modern approach. While this is no replacement for updating/upgrading web server software, perhaps there could be a feature to email admins on system and web server software releases (security-related) --- this may be a bit overkill, but if done for just one system, e.g. CentOS, I could see this being a success.
 
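The guest-versus-member distinction the post draws, turned into detection logic over an access log, as an added example that is not code from the original post or from XenForo. It counts dynamic requests per source in a sliding window, applies a tighter limit to requests with no user cookie, and produces the guest IPs worth feeding to CSF or Fail2Ban. The log lines are constructed in a custom nginx-style format (remote address, time, request, status, then the `xf_user` cookie value or `-`); `xf_user` is assumed to be XenForo's default "remember me" cookie name, so adjust it if your cookie prefix differs, and the thresholds are this example's choices.

```python
"""Flag Layer 7 flood sources in a web access log, treating guests more strictly.

Added example, not code from the original post or from XenForo. The log lines are
constructed in a custom nginx-style format: remote address, time, request, status,
then the value of the xf_user cookie (assumed to be XenForo's default "remember me"
cookie) or "-" when absent. Lines are assumed chronological per source.
"""
import re
import sys
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) "(?P<cookie>[^"]*)"$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
STATIC = (".css", ".js", ".png", ".jpg", ".gif", ".woff", ".ico")

WINDOW_SECONDS = 10
GUEST_LIMIT = 30     # requests per window from one IP with no user cookie
MEMBER_LIMIT = 120   # logged-in users get more headroom, as the post suggests


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    return {"ip": m.group("ip"), "ts": datetime.strptime(m.group("time"), TIME_FMT),
            "path": m.group("path"), "guest": m.group("cookie") == "-"}


def find_flooders(lines):
    """Sliding-window count of dynamic requests per (ip, guest); returns
    [{"ip", "guest", "peak"}] for sources that exceeded their limit, busiest first."""
    windows = defaultdict(deque)
    peak = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"].lower().endswith(STATIC):
            continue  # static assets come from cache/CDN; only PHP hits cost RAM
        key = (rec["ip"], rec["guest"])
        q = windows[key]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()  # drop timestamps that fell out of the window
        limit = GUEST_LIMIT if rec["guest"] else MEMBER_LIMIT
        if len(q) > limit:
            peak[key] = max(peak.get(key, 0), len(q))
    return sorted(({"ip": ip, "guest": g, "peak": n} for (ip, g), n in peak.items()),
                  key=lambda r: -r["peak"])


def guest_block_list(flooders):
    """IPs to hand to CSF/Fail2Ban: guest floods only; members get a human look first."""
    return [r["ip"] for r in flooders if r["guest"]]


def _sample_lines():
    """Constructed log: one guest flooding, one fast-browsing member, one normal guest."""
    base = datetime(2017, 3, 10, 12, 0, 0, tzinfo=timezone.utc)
    fmt = '%s [%s] "GET %s HTTP/1.1" 200 "%s"'
    lines = []
    for i in range(40):   # 40 uncached page hits in 4 seconds, no cookie
        t = (base + timedelta(milliseconds=100 * i)).strftime(TIME_FMT)
        lines.append(fmt % ("198.51.100.77", t, "/forums/?page=%d" % i, "-"))
    for i in range(35):   # member opening many threads quickly, under member limit
        t = (base + timedelta(milliseconds=100 * i)).strftime(TIME_FMT)
        lines.append(fmt % ("203.0.113.5", t, "/threads/%d/" % i, "1234,deadbeef"))
    for i in range(3):    # ordinary guest
        t = (base + timedelta(seconds=i)).strftime(TIME_FMT)
        lines.append(fmt % ("192.0.2.9", t, "/", "-"))
    lines.append(fmt % ("192.0.2.9", base.strftime(TIME_FMT),
                        "/styles/default/xenforo.css", "-"))  # static, not counted
    return lines


SAMPLE_LINES = _sample_lines()

if __name__ == "__main__":
    src = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    for r in find_flooders(src):
        print("%-16s %s peak %d req/%ds" % (r["ip"], "guest " if r["guest"] else "member",
                                            r["peak"], WINDOW_SECONDS))
```

Pipe a log in the assumed format through it (`python3 flooders.py < access.log`) and hand `guest_block_list` to your firewall; keying on the cookie means a logged-in member who reloads aggressively is reported but not auto-blocked, while 10,000 cookieless bots are, which is the split the post is asking for.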
#8
I also wanted to point this out: the top XenForo result is from 2012.

Now go here and find anything about security from the front page. Nothing at all, except security issues and fixes in the Twitter feed. Having more security awareness and consciousness would be nice. :love:

I think something like https://xenforo.com/security would be good, akin to WordPress' https://wordpress.org/about/security/

I can't help but to think providing users at the very least a basic website security guide (if they want it) would be heaps of help. You don't need to be a rocket scientist to use Cloudflare's CDN. There are videos on mod_security and people launching a new website can choose a more security conscious domain registrar. This is simple stuff guys. Giving out a free website security guide to a XenForo customer is kind of like topping off someone's gas, filling their windshield washer fluid, and giving them a free car wash. Can it be done somewhere else? Sure.

Why not here...

The security page doesn't even necessarily have to be a guide, simply detailing how XenForo is secure would be nice. XenForo is a web application, having basic web application security information is not too crazy, better than this. :X3:
 

sheel

Active member
#9
Security does not have to be hard
Well ... we disagree there. In an ideal world, it shouldn't be, but it is.
(no, I don't mean "I tried and failed", I really just mean what I wrote)

And independent of that, spending 20 seconds to start an OS update is really not hard - but most server owners won't do it because they are too lazy. And there are already plenty of guides, but 90% are not interested.
 
#10
spending 20sec to start a OS update is really not hard
There are so many resources that people may not know to look for that could help them e.g. RedHat offers a lot of useful and free security information.

Just saying "well people don't care about security" and implying "so we do not have to also" is not the way. :oops:

I will happily discontinue my security thoughts here though, since supposedly no one cares about security.
 

sheel

Active member
#11
Aren't you reading a bit too much between the lines? Just saying, security is a pretty big part of my life and mindset.
But I'd rather not spend my limited free time on a 90384th rehash of topics that most people don't want, and that the rest already know or can easily find out with Google.

XenForo's start site has nothing - so what? Is that really important enough to write a huge article? Linking to a good existing one should be enough...
 

Tracy Perry

Well-known member
#12
I have some Layer 7 protection but when enough bots go all at once, XenForo helps my server go full Alzheimer's. My ram gets rammed good. I will do additional testing and benchmark this for a case
You will find it's not the script that is causing the issue (as this will happen no matter what the script) but the server/service level. Very frequently you find that this is due to standard WordPress sites being used indirectly as the source of the amplification (they have pingback enabled). This is usually blocked at a hardware firewall or can be done via CSF or Fail2Ban.
My point is that to effectively discuss it takes a level of expertise that is not standard amongst admins of a forum as many of them rely on a managed service or shared hosting. For those that are running a VPS/dedicated server, they typically are already aware of the processes involved in securing their server(s). They typically know the resources that they need to have access to for information relating to securing a site - that are much more detailed than a generic (and quickly outdated) info that would be typical of a discussion on a script support site.

I will happily discontinue my security thoughts here though, since supposedly no one cares about security.
I think the point is, there is already an area that it can be discussed in, not that "no one cares about security".