Securing the forum and exposing to the internet

Get help with installation and running phpBB 3.2.x here. Please do not post bug reports, feature requests, or extension related questions here.
Maxburn
Registered User
Posts: 17
Joined: Fri Jan 05, 2018 1:44 pm

Securing the forum and exposing to the internet

Post by Maxburn » Mon Jun 11, 2018 8:37 pm

Can anyone think of anything else I should do before exposing the forum to the internet? Is there a checklist somewhere, something that covers everything including things not directly related to phpBB?

I've followed the chmod permissions FAQ: https://www.phpbb.com/support/docs/en/3 ... rmissions/

I do have phpMyAdmin loaded but I've followed the DigitalOcean guide on locking it down, there's basic auth to even get to its login. https://www.digitalocean.com/community/ ... untu-16-04

In my case I have an nginx reverse proxy adding TLS with LetsEncrypt and redirecting to the forum server inside the network. It's linking to the forum http://{ipaddress}/phpBB3folder/ itself, so things like forum.example.com/info.php and forum.example.com/phpmyadmin/ just show a not found error because that's in the wrong folder. Hopefully there's not a way to jump down to web root and hit those directories?

I'm using LDAP; any special concerns there? I've got user registration disabled. I see 5 attempts before the login spambot is enabled by default so hopefully this protects against brute force stuff.

This thread was pretty helpful for me as I didn't want contents to be viewable by just anyone; viewtopic.php?f=46&t=2133242
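
The reverse-proxy layout described in the post above, sketched as an nginx configuration. This is an added example, not configuration posted by anyone in this topic; the backend address 192.0.2.10, the certificate paths and the forwarded headers are assumptions.

```nginx
# Added example. forum.example.com and /phpBB3folder/ come from the post;
# 192.0.2.10 and the certificate paths are placeholders (assumptions).
server {
    listen 80;
    server_name forum.example.com;
    return 301 https://$host$request_uri;   # force everything onto TLS
}

server {
    listen 443 ssl;
    server_name forum.example.com;

    ssl_certificate     /etc/letsencrypt/live/forum.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/forum.example.com/privkey.pem;

    # Belt and braces: answer 404 at the proxy for the tools that live in the
    # backend's web root, so they stay unreachable even if the mapping below
    # is later changed to point at the root. Regex locations are checked
    # before the plain "/" prefix location.
    location ~* ^/(phpmyadmin(/|$)|info\.php$) {
        return 404;
    }

    location / {
        # proxy_pass with a URI part (/phpBB3folder/) replaces the matched
        # location prefix of the *normalized* request URI. nginx resolves
        # "." and ".." segments (including percent-encoded ones) before
        # matching and rejects a URI that climbs above "/" with 400, so the
        # path sent upstream always starts with /phpBB3folder/.
        # Without the URI part (proxy_pass http://192.0.2.10;) the request
        # path is forwarded as sent and the backend's web root is exposed.
        proxy_pass http://192.0.2.10/phpBB3folder/;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

After a change, `nginx -t` checks the syntax, and requesting `/info.php` and `/phpmyadmin/` through the public hostname should still return 404.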

Lumpy Burgertushie
Registered User
Posts: 64485
Joined: Mon May 02, 2005 3:11 am

Re: Securing the forum and exposing to the internet

Post by Lumpy Burgertushie » Mon Jun 11, 2018 8:47 pm

actually there was no need for any of that. you could have simply installed it on the web server and set up registration to be by user. created a good Q&A anti spam measure and that would be all you had to worry about.

now, with all that running around of urls etc. you might have problems with cookies etc. and people will have problems logging in and staying logged in etc.

hundreds of thousands of people all around the world have installed phpbb and have no problems with hackers etc. ever.

since phpbb3 came out there have been no successful hacks of the software itself that I am aware of.


so, save yourself some worrying and stress. just upload it, install it and enjoy it.


rob ert
John connor
Registered User
Posts: 1582
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A

Re: Securing the forum and exposing to the internet

Post by John connor » Mon Jun 11, 2018 9:24 pm

Read my sig on a few extensions to combat spammers. I also wrote about using [spam removed] on my site and that is linked there, too. Do you use a reverse proxy like CloudFlare? If so, I can tell you how to set that up without ever exposing your origin IP to prevent a DDoS and some other things. For one, it means you can't use your host's E-mail as the mx record will expose your origin.

Maxburn
Registered User
Posts: 17
Joined: Fri Jan 05, 2018 1:44 pm

Re: Securing the forum and exposing to the internet

Post by Maxburn » Mon Jun 11, 2018 9:28 pm

Lumpy Burgertushie wrote:
Mon Jun 11, 2018 8:47 pm
now, with all that running around of urls etc. you might have problems with cookies etc. and people will have problems logging in and staying logged in etc.
Found all those problems and wasn't too hard to get them worked out, searching here it's all been addressed before.
Lumpy Burgertushie wrote:
Mon Jun 11, 2018 8:47 pm
hundreds of thousands of people all around the world have installed phpbb and have no problems with hackers etc. ever.

since phpbb3 came out there have been no successful hacks of the software itself that I am aware of.
I feel decently good about phpbb now but I'm also looking for things that I might have completely missed.

Maxburn
Registered User
Posts: 17
Joined: Fri Jan 05, 2018 1:44 pm

Re: Securing the forum and exposing to the internet

Post by Maxburn » Mon Jun 11, 2018 9:31 pm

John connor wrote:
Mon Jun 11, 2018 9:24 pm
Read my sig on a few extensions to combat spammers. I also wrote about using Ninjafirewall on my site and that is linked there, too. Do you use a reverse proxy like CloudFlare? If so, I can tell you how to set that up without ever exposing your origin IP to prevent a DDoS and some other things. For one, it means you can't use your host's E-mail as the mx record will expose your origin.
I'm using nginx and I optionally have the ability to put the whole thing behind a basic auth login so they can't even touch phpbb without authentication but that's proving to be a PITA.

Good point on the IP and DDoS but I don't think that's within our threat model, and our email isn't hosted there. Will definitely read your linked security topic though.

John connor
Registered User
Posts: 1582
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A

Re: Securing the forum and exposing to the internet

Post by John connor » Mon Jun 11, 2018 9:34 pm

Maxburn wrote:
Mon Jun 11, 2018 9:31 pm


Good point on the IP and DDoS but I don't think that's within our threat model, and our email isn't hosted there. Will definitely read your linked security topic though.
Let me know if you can understand it. I tried to make it as layman as possible. :lol: The free version is all you really need and I mention that in my write up.

Maxburn
Registered User
Posts: 17
Joined: Fri Jan 05, 2018 1:44 pm

Re: Securing the forum and exposing to the internet

Post by Maxburn » Wed Jun 13, 2018 4:59 pm

John connor wrote:
Mon Jun 11, 2018 9:34 pm
Let me know if you can understand it. I tried to make it as layman as possible. :lol: The free version is all you really need and I mention that in my write up.
OK, now that I know it's a WAF I can see some other options I can go. Specifically I'm thinking something involving a pfSense package maybe.

Unfortunately for the ninja one it seems the one I need is the paid edition. I'm not against paying but I will try the platform I'm a little more familiar with first. But if I misunderstood let me know.

Mick
Support Team Member
Posts: 19368
Joined: Fri Aug 29, 2008 9:49 am
Location: Cardiff

Re: Securing the forum and exposing to the internet

Post by Mick » Wed Jun 13, 2018 5:28 pm

What are your concerns about going ‘live’, hacking or spam or both or something else?
"The more connected we get the more alone we become" - Kyle Broflovski

There are no ‘threads’ in phpBB, they are topics.
Forza Garibaldi
