So, vB.com Got Hacked

Status
Not open for further replies.

Alteran Ancient

Well-known member
First Ubuntu Forums. Then MacRumors. Now vBulletin.com. I bring this up because, naturally, a good number of members here will have been members or customers of vBulletin at some point. If you are one of those people, go and get your passwords changed. You should be doing that anyway, regardless of whether sites are being hacked or not!

So, it seems breaking into forums and other data-rich systems is becoming a thing - specifically to obtain user data such as email addresses and password hashes. In the case of Ubuntu and MacRumors, the weak point would have been a compromised Moderator account, or someone with the ability to post raw HTML.

Now, XenForo was built from the ground up with security in mind. That said, you cannot afford to be complacent. With a default set-up, your members and moderators have no ability to post any HTML - just BB Code. vBulletin had the HTML-enabled Announcements feature and, in previous security breaches, it was used as a method to obtain an Administrator's cookie and gain access. XenForo does not have this problem.

Another plus for XenForo - plugin code is loaded from the library directory on the server's file system. Obtaining access to the Admin CP still limits how much access a hacker has to your system and, by extension, its databases.

Seeing these kinds of announcements is quite worrying. I'm going to assume that you don't want the same to happen to your own forum, which is why ensuring security is necessary. To save you the run-around and panic, I've given you a list of various things you can do to improve the security of your forum and infrastructure...

Server Security
  • Disable external logins to your 'root' account. They can't break in if they don't know your username!
  • Install denyhosts or fail2ban on your server to prevent brute-force attempts.
  • Employ the use of two-factor authentication (Duo Security, or Google Authenticator).
  • Route your site through CloudFlare to make your server IP harder to find.
  • Ensure that Apache/Nginx/PHP and other web services run on a non-root user, so that any uploads may not compromise your entire server.
  • Make sure that MySQL can only be accessed by localhost - maintenance can be done via SSH tunnel or phpMyAdmin.

Forum Security
  • Give your administrators only what they absolutely need - nothing more. Limit the management of plugins and templates only to those who absolutely need it. The more administrative accounts you can make useless to a hacker, the better.
  • Give your moderators only what they need. There is far less opportunity for abuse here, but regardless, do check what your moderators can access.
  • Demote the accounts of any inactive staff. The more stray elevated accounts hanging around, the more opportunity for a hacker to get in if any of them were using a weak password or had their email compromised.
  • Put some kind of policy in place for your staff to change their passwords on a regular basis. It's annoying, but is a fairly common-sense security practice and means if an old password gets nabbed by a hacker, it won't be a problem.
  • If you want to get really technical, you could implement two-factor authentication for your forum accounts. Personally, I'd only want to implement this for moderators. Giving your users access to this would probably just complicate things!

Maybe this is making a bit of a mountain out of a molehill, but at least by wasting your time with this thread, maybe I made you think or gave you some sensible ideas.
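
A read-only audit of three items from the Server Security list in the opening post (root SSH login, MySQL bound to localhost, web server not running as root), added here as an example and not part of the original thread. The function names and sample configs are constructed for illustration; it assumes an OpenSSH `sshd_config`, a MySQL option file with a `[mysqld]` group, and nginx as the web server.

```shell
# Added example: read-only audit; config text on stdin; samples are constructed.
# Effective global PermitRootLogin: sshd keeps the first value it reads, and
# anything after a Match line is conditional, so stop there.
sshd_root_login() {
    awk '{ sub(/#.*/, ""); sub(/=/, " ") }
         tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
         END { if (!found) print "unset" }'
}

# bind-address from the [mysqld] group only (assumption: no included files);
# the last occurrence of an option wins in MySQL option files.
mysql_bind_address() {
    awk '{ sub(/^[ \t]*[#;].*/, ""); gsub(/[ \t]/, "") }
         /^\[/ { in_sec = (tolower($0) == "[mysqld]"); next }
         in_sec && /^bind[-_]address=/ { sub(/^[^=]*=/, ""); val = $0 }
         END { print (val == "" ? "unset" : val) }'
}

is_loopback() { case "$1" in 127.*|::1|localhost) return 0 ;; *) return 1 ;; esac; }
# Account named by the nginx `user` directive; "unset" means the build default.
nginx_worker_user() {
    awk '{ sub(/#.*/, "") }
         $1 == "user" { u = $2; sub(/;$/, "", u); print u; found = 1; exit }
         END { if (!found) print "unset" }'
}

SSHD_SAMPLE='#PermitRootLogin yes
PermitRootLogin no
Match Address 10.0.0.0/8
    PermitRootLogin yes'
MYSQL_SAMPLE='[client]
bind-address = 127.0.0.1
[mysqld]
bind-address = 0.0.0.0'
NGINX_SAMPLE='user root;
worker_processes auto;'

audit() {  # audit SSHD_TEXT MYSQL_TEXT NGINX_TEXT
    r=$(printf '%s\n' "$1" | sshd_root_login)
    b=$(printf '%s\n' "$2" | mysql_bind_address)
    u=$(printf '%s\n' "$3" | nginx_worker_user)
    fails=0
    [ "$r" = no ] || { echo "FAIL sshd PermitRootLogin=$r"; fails=$((fails + 1)); }
    is_loopback "$b" || { echo "FAIL mysqld bind-address=$b"; fails=$((fails + 1)); }
    [ "$u" != root ] || { echo "FAIL nginx workers run as root"; fails=$((fails + 1)); }
    echo "$fails check(s) failed"
}
audit "$SSHD_SAMPLE" "$MYSQL_SAMPLE" "$NGINX_SAMPLE"
```

The sshd check covers the global setting only: a `Match` block, like the one in the sample, can still override it for specific sources, and `sshd -T` prints the configuration sshd actually resolves on a live host.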
 
It didn't get hacked. @Paul M has stated that multiple times. An old QA server is what got hacked.

But this will be my only post on the matter.
 
Not surprised. It's vBulletin.

I'll leave you with this. Made my day:

TfAobsm.png
 
It didn't get hacked. @Paul M has stated that multiple times. An old QA server is what got hacked.

But this will be my only post on the matter.
Whether the live vB.com itself was hacked, or if it was something else, the emails advising us to change our passwords are an embarrassing admission to playing loose with customer data. It shouldn't have happened. If you want to be pedantic, an asset of vBulletin Solutions "got hacked".

And if you have a spare $7000usd you can buy the exploit here
Probably not a good idea to link to that on here.
 
It didn't get hacked. @Paul M has stated that multiple times. An old QA server is what got hacked.
It might as well have been vb.com.
In a vbulletin newsletter IB stated that customer info could have been compromised.
Our investigation currently indicates that the attackers accessed customer IDs and encrypted passwords on our systems.
I had asked Paul M if it was on the same servers as vbulletin.com/org but I've yet to see confirmation.

Also I'm sure this thread will be closed soon. I doubt xf really cares about what happens to vb, neither should we. ;)
 
Several threads related to this have already been closed/deleted.

I will close this one so everyone is in no doubt that threads on this subject are better suited elsewhere.

If it was a general discussion on security and exploits that would be fine, but the vB bashing has already started and on previous form that will just continue.
 