What security do you use? Hacker protection...

[Chassey Group]

Can anyone offer advice on what we should do to protect our forum? We are new to this & want to be safe.

Looking at this: http://sucuri.net/

But, have no idea if it is good or not. What do you do/use?

Thanks for any help!

 

[rdn]

Secure your forum on the server level, not via a 3rd party services like that.

 

[Chassey Group]

Thanks RoldanLT! Can you give examples. A complete beginner at this part of things.

 

[rdn]

Basic steps:

• Password protect /admin.php and /install/ via .htaccess.

Server Level:

• Using CSF or any Software Firewall

By the way XenForo is already 99% secured compare to other forum software.

 

[Chassey Group]

Oh thank you! That is so good to know. It's a bit scary, really.

 

[arn]

I like Sucuri. It's far easier to configure than a server-level security pattern matching. If you can set that up your self, then that's probably a better choice. But if you can't or don't want to take the time, I like using something like Sucuri.

arn

 

[Chassey Group]

Thanks for the input, arn! Admittedly, we are not knowledgable on these things.

 

[Mike Edge]

• Password protect /admin.php and /install/ via .htaccess.

You should fully delete /install. Once your install is completed, it is not required to use until an upgrade, which comes with an install folder.

 

[Paul B]

It is not necessary to delete the install directory and we don't advise it.

 

[Liam W]

You should fully delete /install. Once your install is completed, it is not required to use until an upgrade, which comes with an install folder.

What if the need to restore master data arises? They'll have to re-upload.

Personally, I either 404 the /install directory via htaccess, or 0000 the permissions. I never use it anyway (I always use the CLI upgrader).

However, @Chassey Group I can't look at that service, because three thinks it's an adult site and has blocked it , however I do believe that basic security measures such as using SSL where available and htaccess (digest) protecting the admin.php file (IP protection if you have a static IP), is the best way to go.

Liam

 

[arn]

Here's a partial list of things I did to improve my security after we were hacked last year. This was written with vBulletin in mind, but should mostly carry over to Xenforo.

- Only give absolutely needed permissions to your mods and admins
- Create a separate admin account that is the "super admin" (in config) with plugin and theme permissions. Your day to day admin user should not have any of these permissions.
- Require password changes to your Mods and Admins every XX days
- I'm paying for password manager software for my mods/admins
- htaccess password protect both AdminCP and ModCP. Don't give out the password via the forums or through pm.
- Use a Web Application Firewall. SAAS versions include https://www.cloudflare.com , http://cloudproxy.sucuri.net , http://www.incapsula.com
- Two factor authentication for moderators and admins.
- Consider globally disabling more dangerous PHP functions

 

[rdn]

Use a Web Application Firewall. SAAS versions include https://www.cloudflare.com ,http://cloudproxy.sucuri.net , http://www.incapsula.com

Cloudflare doesn't help much as website Firewall.
Maybe Sucuri and Incpsula works great.

Two factor authentication for moderators and admins.

I hope there is a stable plugin available.

Consider globally disabling more dangerous PHP functions

I think this is not needed with XenForo.
I recall @Mike stated that most of the function is used and not advisable to disable.

 

[arn]

Cloudflare doesn't help much as website Firewall.
Maybe Sucuri and Incpsula works great.

I've used Sucuri on vBulletin. It's not perfect and probably won't stop a targeted attack. Also there are false positives you have to monitor for. The main reason I like it (or other services like it) is that they will virtually patch (block) new exploits -- which helps block automated scans of new vulnerabilities, giving you a little extra time to patch yourself.

I think a proper server-side WAF will do the same with regularly updated definitions.

I hope there is a stable plugin available.

Ya, I was looking around for one.

I think this is not needed with XenForo.
I recall @Mike stated that most of the function is used and not advisable to disable.

Certainly low yield and a bit whack-a-mole to provide you with much comfort, but there are some really insecure PHP functions out there, including show_source(), which will output the source of a local php file.

arn

 

[Fred.]

Cloudflare doesn't help much as website Firewall.
Maybe Sucuri and Incpsula works great.

I hope there is a stable plugin available.

I think this is not needed with XenForo.
I recall @Mike stated that most of the function is used and not advisable to disable.

There is a stable Two factor authentication add-on available
https://xenforo.com/community/resources/freddyshouse-two-factor-authentication.1663/

Works like a charm. I'm using it for a year now.

They don't recommend to disable php functions. But I also have the dangerous functions disabled.

 

[rdn]

But I also have the dangerous functions disabled.

Like?

 

[Fred.]

Like?

From my php.ini

disable_functions = "passthru,ini_set,shell_exec,eval,popen,exec,dl"