
What security do you use? Hacker protection...

Discussion in 'Forum Management' started by Chassey Group, Nov 30, 2014.

  1. Chassey Group

    Chassey Group Member

    Can anyone offer advice on what we should do to protect our forum? We are new to this & want to be safe.

    Looking at this: http://sucuri.net/

    But, have no idea if it is good or not. What do you do/use?

    Thanks for any help!
     
  2. RoldanLT

    RoldanLT Well-Known Member

    Secure your forum on the server level, not via 3rd-party services like that.
     
    Chassey Group likes this.
  3. Chassey Group

    Chassey Group Member

    Thanks RoldanLT! Can you give examples? A complete beginner at this part of things.
     
  4. RoldanLT

    RoldanLT Well-Known Member

    Basic steps:
    • Password protect /admin.php and /install/ via .htaccess.
    Server Level:
    • Using CSF or any Software Firewall

    By the way, XenForo is already 99% secured compared to other forum software.
     
    Chassey Group likes this.
  5. Chassey Group

    Chassey Group Member

    Oh thank you! That is so good to know. It's a bit scary, really.
     
  6. arn

    arn Active Member

    I like Sucuri. It's far easier to configure than server-level security pattern matching. If you can set that up yourself, then that's probably a better choice. But if you can't or don't want to take the time, I like using something like Sucuri.

    arn
     
    Chassey Group likes this.
  7. Chassey Group

    Chassey Group Member

    Thanks for the input, arn! Admittedly, we are not knowledgeable on these things.
     
  8. The Forum Heroes

    The Forum Heroes Well-Known Member

    You should fully delete /install. Once your install is completed, it is not required to use until an upgrade, which comes with an install folder.
     
  9. Brogan

    Brogan XenForo Moderator Staff Member

    It is not necessary to delete the install directory and we don't advise it.
     
  10. Liam W

    Liam W Well-Known Member

    What if the need to restore master data arises? They'll have to re-upload.

    Personally, I either 404 the /install directory via htaccess, or 0000 the permissions. I never use it anyway (I always use the CLI upgrader).

    However, @Chassey Group, I can't look at that service, because Three thinks it's an adult site and has blocked it :rolleyes:. However, I do believe that basic security measures such as using SSL where available and htaccess (digest) protecting the admin.php file (IP protection if you have a static IP) are the best way to go.

    Liam
     
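    The .htaccess steps from posts 4 and 10 (digest-protecting admin.php, optionally restricted to one static IP, and hiding /install/ without deleting it), as an added example that is not code from the thread. The realm name, file paths and IP address are placeholders, and the script assumes Apache 2.4 with mod_auth_digest, mod_authz_core and mod_alias enabled and AllowOverride permitting .htaccess in the web root.

```shell
#!/bin/sh
# Added example (not from the thread): append to the XenForo web root's .htaccess so that
#  1) admin.php requires HTTP Digest login, optionally also a fixed source IP, and
#  2) /install/ answers 404 instead of confirming that the directory exists.
# Apache 2.4 syntax. The realm, paths and IP below are assumptions/placeholders.

# Create the credential file once (interactive password prompt). The realm given here
# must match the AuthName in the generated .htaccess, and the file should live outside
# the web root so it can never be served:
#   htdigest -c /etc/apache2/xf_admin.digest "XenForo Admin" adminuser

# write_htaccess WEBROOT DIGESTFILE [STATIC_IP]
write_htaccess() {
    webroot=$1
    digestfile=$2
    static_ip=$3

    # With a static IP, both a valid login AND the right source address are required.
    if [ -n "$static_ip" ]; then
        require_block="    <RequireAll>
        Require valid-user
        Require ip $static_ip
    </RequireAll>"
    else
        require_block="    Require valid-user"
    fi

    # Appended (>>) so XenForo's own .htaccess rewrite rules are kept.
    # Apache rejects comments on the same line as a directive, so they stand alone.
    cat >> "$webroot/.htaccess" <<EOF
# Digest-protect the admin control panel
<Files "admin.php">
    AuthType Digest
    AuthName "XenForo Admin"
    AuthDigestDomain /admin.php
    AuthUserFile $digestfile
$require_block
</Files>

# /install/ is only needed during upgrades; hide it rather than deleting it
RedirectMatch 404 ^/install(/.*)?\$
EOF
}

# Usage with placeholder paths:
#   sh harden_htaccess.sh /var/www/xenforo /etc/apache2/xf_admin.digest 203.0.113.10
if [ $# -ge 2 ]; then
    write_htaccess "$1" "$2" "$3"
    echo "appended admin.php and /install/ rules to $1/.htaccess"
fi
```

    Run `apachectl configtest` after appending and confirm that a browser gets a login prompt on /admin.php and a plain 404 on /install/. Digest auth keeps the password itself off the wire, but the admin session cookie is still sent in clear over plain HTTP, so this complements the SSL point above rather than replacing it.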
  11. arn

    arn Active Member

    Here's a partial list of things I did to improve my security after we were hacked last year. This was written with vBulletin in mind, but should mostly carry over to XenForo.

     
    Alfa1 and RoldanLT like this.
  12. RoldanLT

    RoldanLT Well-Known Member

    Cloudflare doesn't help much as a website firewall.
    Maybe Sucuri and Incapsula work great.
    I hope there is a stable plugin available.
    I think this is not needed with XenForo.
    I recall @Mike stated that most of the function is used and not advisable to disable.
     
  13. arn

    arn Active Member

    I've used Sucuri on vBulletin. It's not perfect and probably won't stop a targeted attack. Also there are false positives you have to monitor for. The main reason I like it (or other services like it) is that they will virtually patch (block) new exploits -- which helps block automated scans of new vulnerabilities, giving you a little extra time to patch yourself.

    I think a proper server-side WAF will do the same with regularly updated definitions.

    Ya, I was looking around for one.

    Certainly low yield and a bit whack-a-mole to provide you with much comfort, but there are some really insecure PHP functions out there, including show_source(), which will output the source of a local php file.

    arn
     
  14. Fred.

    Fred. Well-Known Member

    There is a stable two-factor authentication add-on available:
    https://xenforo.com/community/resources/freddyshouse-two-factor-authentication.1663/

    Works like a charm. I've been using it for a year now.

    They don't recommend disabling PHP functions. But I also have the dangerous functions disabled.
     
    Verringer likes this.
  15. RoldanLT

    RoldanLT Well-Known Member

    Like?
     
  16. Fred.

    Fred. Well-Known Member

    From my php.ini
    Code:
    disable_functions = "passthru,ini_set,shell_exec,eval,popen,exec,dl"
     
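    A way to check what a `disable_functions` line such as the one above actually blocks, as an added example that is not part of the thread. The php.ini content in the script is constructed for the example, and the list of functions it checks for is an assumption about what a forum host can usually do without, not advice from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): report which functions a php.ini's disable_functions
# line leaves callable, and flag entries that have no effect. The php.ini below is a
# constructed sample; WANTED is an assumption, check it against the add-ons you run.

# Functions that let PHP spawn processes or load native code. ini_set (in Fred's list)
# is left out here because some applications call it at runtime, e.g. to raise
# memory_limit; test before disabling it.
WANTED="exec passthru shell_exec system popen proc_open dl"

# Language constructs, not functions: listing them in disable_functions does nothing.
CONSTRUCTS="eval include include_once require require_once echo print exit die isset unset empty"

# disabled_functions INI_FILE
# Prints the effective disable_functions value (last uncommented line wins) with quotes
# and spaces stripped, as a comma-separated list.
disabled_functions() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr -d '" '
}

# still_enabled INI_FILE
# Prints each WANTED function that the ini file does not disable, one per line.
still_enabled() {
    disabled=",$(disabled_functions "$1"),"
    for fn in $WANTED; do
        case "$disabled" in
            *",$fn,"*) ;;
            *) echo "$fn" ;;
        esac
    done
}

# ineffective_entries INI_FILE
# Prints disable_functions entries that are language constructs and therefore ignored.
ineffective_entries() {
    for name in $(disabled_functions "$1" | tr ',' ' '); do
        for c in $CONSTRUCTS; do
            [ "$name" = "$c" ] && echo "$name"
        done
    done
    return 0
}

# Constructed sample php.ini using the disable_functions line posted above.
SAMPLE_INI=$(mktemp)
cat > "$SAMPLE_INI" <<'EOF'
; constructed sample, not a real server's php.ini
memory_limit = 128M
;disable_functions = exec
disable_functions = "passthru,ini_set,shell_exec,eval,popen,exec,dl"
EOF

echo "Still callable:"
still_enabled "$SAMPLE_INI"
echo "Ignored (language constructs):"
ineffective_entries "$SAMPLE_INI"
```

    On the sample above it reports `system` and `proc_open` as still callable and `eval` as ignored: `eval` is a language construct, so putting it in `disable_functions` has no effect. Point the functions at the real php.ini (`php --ini` shows which file is loaded) and remember that php-fpm and the CLI may read different files.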
