
SSL HTTPS help URGENT PLEASE HELP

Posted: Sat Apr 14, 2018 10:37 pm
by hunterhusker
I am in a cyber defense competition next Saturday. My role is to set up a phpBB forum and defend it from hackers for 8 hours straight. I really need to set up SSL & HTTPS. I have never done any of that stuff before. We get our certificates from the white team so no need to worry about getting one, just setting it all up and how to use it. It is an apache server so would the conversion be the same or is there similar stuff for converting it or is there special stuff for the phpbb part? If you have any help it would be awesome.

Re: SSL HTTPS help URGENT PLEASE HELP

Posted: Sun Apr 15, 2018 12:41 am
by Brf
SSL and https have nothing at all to do with protecting your server from hackers. They are to protect your users, not your server. In any case, this board is support for phpBB, not setting up your server.

Re: SSL HTTPS help URGENT PLEASE HELP

Posted: Sun Apr 15, 2018 1:47 am
by hunterhusker
Yes, it is for phpBB support. I was asking is there anything I must do different to set up a phpBB server versus all other servers. I know it won't protect my server from hackers but it will protect the data being transmitted through http from being sniffed and taken by the red team. I don't know if there will be anything different settings wise in phpBB; that is why I came to the phpBB forum to ask for help on how to set up the phpBB service with SSL.

Re: SSL HTTPS help URGENT PLEASE HELP

Posted: Sun Apr 15, 2018 3:50 am
by Lumpy Burgertushie
no offense but if you don't know how this all works then you probably do not have a chance in this competition.

there is no "phpbb server" phpbb is simply a bulletin board software that you install on a web hosting server.
it is written in php and uses a database that is normally mysql.

even if someone sniffs your packets when making posts etc. on phpbb it will not give them any access to the server that it is installed on.

however, you will need to learn how to setup your server for SSL which, as brf stated above has nothing to do with phpbb.

once you have the server setup then you simply change your phpbb settings to cookie secure and use https instead of http.
sometimes you also have to add a bit to your htaccess file to redirect http to https but that has little to do with the security of the data being transferred.


robert
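
Added example (not from any poster in this thread and not phpBB code): a small Python check a defender can run over captured response headers to confirm the two changes described in the post above, that plain HTTP redirects to HTTPS and that the board's cookies carry the Secure attribute. The hostname forum.example.test, the cookie names phpbb3_demo_* and all header values are constructed samples.

```python
# Audit captured HTTP response headers for an HTTP->HTTPS redirect and for
# the Secure attribute on cookies. All sample data below is constructed.
REDIRECT_CODES = {301, 302, 307, 308}

def parse_response(raw):
    """Split a raw header block into (status_code, [(name, value), ...])."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])      # "HTTP/1.1 301 Moved ..." -> 301
    headers = []
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def audit(scheme, raw):
    """Return a list of findings; an empty list means the response passes."""
    status, headers = parse_response(raw)
    findings = []
    if scheme == "http":
        location = next((v for n, v in headers if n == "location"), "")
        if status not in REDIRECT_CODES or not location.lower().startswith("https://"):
            findings.append("plain HTTP is served instead of redirecting to HTTPS")
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if scheme == "http":
            # Anything set over plain HTTP is readable by a sniffer.
            findings.append(f"cookie {cookie_name} sent over plain HTTP")
        elif "secure" not in attrs:
            # Without Secure the browser also sends it on http:// requests.
            findings.append(f"cookie {cookie_name} lacks the Secure attribute")
    return findings

# Constructed sample responses (hypothetical host and cookie names).
HTTP_REDIRECT = "HTTP/1.1 301 Moved Permanently\nLocation: https://forum.example.test/index.php\n"
HTTPS_NO_SECURE = ("HTTP/1.1 200 OK\n"
                   "Set-Cookie: phpbb3_demo_u=1; path=/; HttpOnly\n"
                   "Set-Cookie: phpbb3_demo_sid=0123abcd; path=/; HttpOnly\n")
HTTPS_SECURE = "HTTP/1.1 200 OK\nSet-Cookie: phpbb3_demo_sid=0123abcd; path=/; secure; HttpOnly\n"

if __name__ == "__main__":
    for label, scheme, raw in [("http redirect", "http", HTTP_REDIRECT),
                               ("https, cookie secure off", "https", HTTPS_NO_SECURE),
                               ("https, cookie secure on", "https", HTTPS_SECURE)]:
        print(label, "->", audit(scheme, raw) or "ok")
```
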

Re: SSL HTTPS help URGENT PLEASE HELP

Posted: Sun Apr 15, 2018 7:43 am
by Mick
If this is a fresh install just make sure SSL is working before you install phpBB and it will work with HTTPS straight away. Like the others I’m not certain what this has to do with stopping your server being hacked.

Re: SSL HTTPS help URGENT PLEASE HELP

Posted: Sun Apr 15, 2018 7:49 am
by david63
If, and it is a big IF, your install of phpBB is hacked I am sure that the phpBB security team would be interested and would like all the information that you can provide.

Re: SSL HTTPS help URGENT PLEASE HELP

Posted: Sun Apr 15, 2018 3:21 pm
by hunterhusker
So yeah I have done it now. It is not different from apache. I wanted to know about settings in the forum acp itself. I understand SSL and HTTPS and how to set it up for apache. So in this competition they will be sniffing packets and all sorts of stuff to steal account info. We have used apache servers in the past and it can be sniffed and taken down. phpBB was used the year before I joined my club and they said it was the first to go down and that I had to work very hard on it. Sorry for any lack of knowledge; I am in high school and I only have one year of experience with this. This isn't like normal security; it's all the same, yes, but it is required to be really good because it is all basically worst case scenario for a whole day. I do understand the https is just to encrypt traffic. It's just a good thing to have.

Re: SSL HTTPS help URGENT PLEASE HELP

Posted: Sun Apr 15, 2018 3:58 pm
by </Solidjeuh>
phpBB is not easy to hack.
And do not use passwords, but phrases that do not make sense.
Like: My banana tastes like my ass

I also use this firewall:
https://nintechnet.com/ninjafirewall/
So far, it has already blocked 2 SQL injections.

Nothing to do with this SSL topic.. but still .... :D

Re: SSL HTTPS help URGENT PLEASE HELP

Posted: Sun Apr 15, 2018 4:26 pm
by Lumpy Burgertushie
yes, using a harder password is important. however considering how phpbb encrypts them it is very very hard to break it and find out anyone's password.

whoever told you that phpbb 3 was hacked easily was lying to you or they hacked the server first. once you have server access there is no hacking needed to access any program installed on that server.

robert

Re: SSL HTTPS help URGENT PLEASE HELP

Posted: Sun Apr 15, 2018 8:31 pm
by hunterhusker
So in response to the last two posts. We use lastpass to generate 20 character passwords for all accounts that aren't provided by the officials. Yes the servers are pre-hacked full of backdoors and bad configs and lousy passwords. We also got our hands on a full professional version of barracuda to block SQL injections and all that. We also run pfsense, snort, and mod-security to keep everyone out, although that is hard as there are accounts set up to fail/already leaked. This year they graciously allowed me to do a fresh install of phpBB, but the years before they said it was super out of date phpBB and it was already compromised, but I take that as it is compromisable. I am glad to hear you all have such confidence in the software though I hope it won't be my weak point. I'm looking at my SQL & SSH as my weak spots right now. It's a capture the flag game and the hackers have to turn off servers, and plant or capture flags like a capture the flag game kids would play. So I am gonna password protect my root directory as that is the location of my flags. Haha that will make them extra mad. :twisted:
edit: Thought I should add yes it is a bad idea to make the hackers mad I was kidding about making them mad

Re: SSL HTTPS help URGENT PLEASE HELP

Posted: Sun Apr 15, 2018 11:21 pm
by Lumpy Burgertushie
from the beginning of phpbb3 it has had professional outside security audits. I think at least each major update/upgrade gets a new one. I could be wrong about how often. however, as far as I know there have not been any successful hacks of phpbb since version 2.0.23

so, like I said, if a hacker gets access to your server there is nothing he can't access from that point. give me your ftp username/password and I can completely destroy everything on your server.


robert

Re: SSL HTTPS help URGENT PLEASE HELP

Posted: Mon Apr 16, 2018 2:24 am
by hunterhusker
Well at the beginning of the year the server was on windows 95 and it was running phpBB like 1.0. The scenario was they forgot about it a decade ago and the "customers" wanted it repaired. SO to "repair" it I put it on ubuntu and upgraded to 3.2.2.

Re: SSL HTTPS help URGENT PLEASE HELP

Posted: Mon Apr 16, 2018 3:07 am
by Lumpy Burgertushie
that is good, the versions of phpbb previous to 3.0 did have a bad reputation for being vulnerable to hacking. no longer.


robert

Re: SSL HTTPS help URGENT PLEASE HELP

Posted: Mon Apr 16, 2018 3:56 am
by 3Di
hunterhusker wrote:
Mon Apr 16, 2018 2:24 am
Well at the beginning of the year the server was on windows 95 and it was running phpBB like 1.0. The scenario was they forgot about it a decade ago and the "customers" wanted it repaired. SO to "repair" it I put it on ubuntu and upgraded to 3.2.2.
I am sure you are talking about phpBB 2.0.xx, aren't you?
The 1.0 version was released in Dec, 2000.

I am not sure if it is possible to convert 1.0 to 2.0.xx too.
AFAIR converting from 1.4.x to 2.0.xx is possible, if your server still supports its specifics.

Re: SSL HTTPS help URGENT PLEASE HELP

Posted: Mon Apr 16, 2018 4:02 am
by John connor
You may want to read my write up I have a link to in my signature. I would also use CloudFlare and CIDRAM. I know the author of CIDRAM. I can help you greatly at protecting your site, although, I'm code stupid. :lol:

As far as HTTPS goes, just use cPanel's Let's Encrypt free service. It should be there in most hosting providers. If not, I would question that host.

With CloudFlare you have to set up the DNS before the website is propagated in the Internet. Otherwise DNS hosting history sites or CloudFlare resolvers like CrimeFlare will see your origin IP address. If you are using a VPS, then block all IPs except CloudFlare's. Also, use a third-party E-mail service like something from Namecheap or Gmail and delete the MX record. The MX record will rat your origin IP out.



Where can I take part in this hacking project? Can I sign up?