SSL HTTPS help URGENT PLEASE HELP

hunterhusker
Registered User
Posts: 8
Joined: Sat Apr 14, 2018 10:20 pm

Re: SSL HTTPS help URGENT PLEASE HELP

Post by hunterhusker » Sun Apr 22, 2018 7:57 pm

Not sure if any of you will see this, because this thing is a little old, but I remember hearing some of you would be curious as to the phpBB's status after the competition. I'm happy to report we got 7th out of 40. We almost got 4th, but in the last 5 minutes of the competition my forum was breached, by means of SSH. It is a capture the flag game, and my /etc flag was captured by a compromised admin account. (Before you say I needed better passwords, the password for this account was randomly generated and provided to us by staff; we couldn't use our own.) Anyways, the site itself had two flags to be placed by red team. One to post in the admin-only announcements forum, and one to post in the password-protected developer forum. They didn't get any of those. However, in the bug forum the red team decided to do some mind games and told us how they would get in. Not gonna lie, scary af. They successfully XSS scripted my site. However, we used Barracuda WAF and it blocked them. Needless to say, they were very unhappy. We have a phone service to address "customer calls" and the red team called us and complained about it, then hung up and rick rolled us lol. So yeah, my team wonders if it may have been setup errors that caused that, but I used mostly default settings. So I guess that's it. If you guys are securing stuff, work on XSS to stop cross-site/HTML injection attacks or buy Barracuda WAF, it's amazing.

Oh, and sorry John, I'm pretty sure you have to be a student or alumni of Iowa State University to red team. If you want, look up Iowa State CDC, and since I am in high school it should be the ITO one. I'll also link the scoring site, and if you want to chat with them about next year I can send you the mail that we use to contact them.

The scoring site -> https://iscore.iseage.org/
It's down right now while they move the server out of the basketball court. If it is back up with scores, and you want to find us, we were team 3.

thecoalman
Community Team Member
Posts: 2724
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: SSL HTTPS help URGENT PLEASE HELP

Post by thecoalman » Sun Apr 22, 2018 11:56 pm

hunterhusker wrote:
Sun Apr 22, 2018 7:57 pm
So I guess that's it. If you guys are securing stuff, work on XSS to stop cross-site/HTML injection attacks or buy Barracuda WAF, it's amazing.
If there is a security risk within phpBB please report it to the security tracker.

https://tracker.phpbb.com/secure/Browse ... jspa#10020

Thanks.

John connor
Registered User
Posts: 1608
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A

Re: SSL HTTPS help URGENT PLEASE HELP

Post by John connor » Tue Apr 24, 2018 3:27 am

You could have blocked that SSH breach by properly using CloudFlare.

Mick
Support Team Member
Posts: 19694
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket probably . . .

Re: SSL HTTPS help URGENT PLEASE HELP

Post by Mick » Tue Apr 24, 2018 7:07 am

And spend the rest of the test period getting it to work.
"The more connected we get the more alone we become" - Kyle Broflovski

There are no ‘threads’ in phpBB, they are topics.

John connor
Registered User
Posts: 1608
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A

Re: SSL HTTPS help URGENT PLEASE HELP

Post by John connor » Tue Apr 24, 2018 10:43 am

Getting what to work?

I use and have used CloudFlare for 3 years with no issues. There is more than one reverse proxy out there. If you know what you are doing there won't be an issue and it will greatly increase your security. Mostly from a DDoS attack. CloudFlare sits in front of my origin IP and if some chuckle head decides to DDoS the CloudFlare IP he'll have a very hard time. He would have to use an absolute ton of IoT devices, etc. to knock me offline. CloudFlare has mitigated some of the largest DDoSes ever.

Go ahead. Look at my site and try to find the origin IP. You won't. And because of that you can't Nmap the IP and find my SSH port, FTP port, etc. So that mitigates any hacking attempt.

If there are issues you can always set up a page rule. One of my page rules specifies that the styles folder be cached. That means the server isn't used to pull the styles data with every page load and the site is that much faster.

In my CloudFlare dashboard it tells me how much I saved on origin server resources and it's roughly 70%. Meaning most data transfer comes over CloudFlare rather than my host. I have also installed the Amazon S3 extension for image hosting and that reduces page load even further by serving all images via Amazon's servers. And since CloudFlare uses a special mechanism to encrypt all mixed content, I don't have any issues with SSL mixed content warnings. Interesting to note that CloudFlare uses the HTTPS Anywhere database and something else to achieve that result.

If anyone is remotely concerned about security then learn how to use a reverse proxy like CloudFlare. And for free you can't beat it. I would not use the CloudFlare option in cPanel though. You have more control by creating a free account.

Mick
Support Team Member
Posts: 19694
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket probably . . .

Re: SSL HTTPS help URGENT PLEASE HELP

Post by Mick » Tue Apr 24, 2018 2:31 pm

But, there is no need for Cloudflare, whatsoever. You talk about it like it’s the be all and end all, there is even an extension to correct Cloudflare issues. In any case, it’s a server thing.

John connor
Registered User
Posts: 1608
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A

Re: SSL HTTPS help URGENT PLEASE HELP

Post by John connor » Tue Apr 24, 2018 8:58 pm

No, you don't need CloudFlare at all, but it offers an ability to protect your server.

david63
Jr. Extension Validator
Posts: 14550
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood

Re: SSL HTTPS help URGENT PLEASE HELP

Post by david63 » Tue Apr 24, 2018 9:03 pm

John connor wrote:
Tue Apr 24, 2018 8:58 pm
it offers an ability to protect your server.
But most people do not have their own server
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

John connor
Registered User
Posts: 1608
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A

Re: SSL HTTPS help URGENT PLEASE HELP

Post by John connor » Wed Apr 25, 2018 4:54 pm

david63 wrote:
Tue Apr 24, 2018 9:03 pm
John connor wrote:
Tue Apr 24, 2018 8:58 pm
it offers an ability to protect your server.
But most people do not have their own server
You don't need your own server. I have a shared account.

david63
Jr. Extension Validator
Posts: 14550
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood

Re: SSL HTTPS help URGENT PLEASE HELP

Post by david63 » Wed Apr 25, 2018 5:45 pm

John connor wrote:
Wed Apr 25, 2018 4:54 pm
david63 wrote:
Tue Apr 24, 2018 9:03 pm
John connor wrote:
Tue Apr 24, 2018 8:58 pm
it offers an ability to protect your server.
But most people do not have their own server
You don't need your own server. I have a shared account.
But you specifically said your server implying that you had to have your own dedicated server.

John connor
Registered User
Posts: 1608
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A

Re: SSL HTTPS help URGENT PLEASE HELP

Post by John connor » Thu Apr 26, 2018 1:26 am

I wasn't trying to imply that. If you have a VPS or dedicated server then all the more power to you. It just means you have to block all IPs except CloudFlare IPs and update those whenever there is an updated range. Fortunately that isn't very often.

Wes of StarArmy
Registered User
Posts: 288
Joined: Fri Mar 04, 2005 2:59 am
Location: StarArmy.com

Re: SSL HTTPS help URGENT PLEASE HELP

Post by Wes of StarArmy » Mon May 14, 2018 11:26 pm

I agree Cloudflare is very useful even on the free tier.

One thing to remember is that any non-Cloudflare subdomains like mail.example.com could reveal the server's real IP if not correctly configured.

thecoalman
Community Team Member
Posts: 2724
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: SSL HTTPS help URGENT PLEASE HELP

Post by thecoalman » Tue May 15, 2018 11:23 pm

Mick wrote:
Tue Apr 24, 2018 2:31 pm
But, there is no need for Cloudflare,
Cloudflare adds a huge layer of security and allows for things you simply cannot do without it. If you ever have the unfortunate experience of having a site DDOS'd you will quickly learn what the need is.
there is even an extension to correct Cloudflare issues
What you are referring to as an issue is one of the biggest benefits of using Cloudflare: you can allow Cloudflare IPs in the firewall and deny the rest of the world for ports 80, 443 and any other port being proxied through Cloudflare. There is an Apache module you need to install so the correct IP is passed on to applications like phpBB, server logs, etc. Of course, if you do not have your own server or your host won't install the module, you will need to use the workaround in the extension.

John connor
Registered User
Posts: 1608
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A

Re: SSL HTTPS help URGENT PLEASE HELP

Post by John connor » Wed May 16, 2018 3:27 am

The Apache module is called mod_cloudflare. If your host doesn't have it installed, ask them to install it. If you use WordPress there is a plugin from CloudFlare as well that will do what that extension does for phpBB.
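
The two pieces discussed in the posts above (allowing only Cloudflare ranges on the proxied ports, and passing the real visitor IP on to the application) sketched as an added example; it is not code from this topic, from mod_cloudflare or from the phpBB extension. It assumes a plain dict of request headers, and the three ranges are only a sample subset of Cloudflare's published list, which has to be loaded in full and refreshed in real use.

```python
import ipaddress

# Sample subset of Cloudflare's published IPv4 ranges (assumption: a real
# deployment loads the complete, current list and refreshes it on updates).
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in
                     ("173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13")]


def is_cloudflare(peer_ip):
    """True when the TCP peer address falls inside a listed Cloudflare range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def resolve_client_ip(peer_ip, headers):
    """Return the visitor IP the application and logs should record.

    CF-Connecting-IP is honoured only when the connection itself came from
    Cloudflare; on a direct connection the sender controls that header.
    """
    claimed = headers.get("CF-Connecting-IP")
    if claimed and is_cloudflare(peer_ip):
        try:
            return str(ipaddress.ip_address(claimed.strip()))
        except ValueError:
            pass  # malformed header value: fall back to the peer address
    return peer_ip


def firewall_rules(ports=(80, 443)):
    """Build iptables commands: accept the listed ranges on the proxied
    ports, then drop every other source on those ports."""
    dports = ",".join(str(p) for p in ports)
    rules = [f"iptables -A INPUT -p tcp -s {net} -m multiport "
             f"--dports {dports} -j ACCEPT" for net in CLOUDFLARE_RANGES]
    rules.append(f"iptables -A INPUT -p tcp -m multiport "
                 f"--dports {dports} -j DROP")
    return rules


if __name__ == "__main__":
    # Constructed requests: one proxied, one direct with a forged header.
    hdr = {"CF-Connecting-IP": "203.0.113.7"}
    print(resolve_client_ip("173.245.48.10", hdr))
    print(resolve_client_ip("198.51.100.9", hdr))
    print("\n".join(firewall_rules()))
```

The firewall rules only print as text here; SSH and other unproxied ports are not covered by them and need their own restrictions.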
