Security Plug Ins

PoliFactsGlobal
Registered User
Posts: 9
Joined: Wed Jun 19, 2019 6:30 am
Name: K E

Security Plug Ins

Post by PoliFactsGlobal » Thu Jun 20, 2019 7:59 am

Any suggestions on Security Customization Plug Ins from the plug-in list?

Like Spam Bot control - External Link Checks - login Attempts Ban - Toxic IP/Domains

This is a Political Forum - Guaranteed to be Attacked/Abused

Don't want to clog things up with layer after layer of plugins. Even adding a plugin can open a hole.
So thought I'd check here before I do anything.

I think external links are my greatest fear - Adding a link to a malicious file disguised as an Image or Video.

Don't want to disable the ability to post links though.

Running version 3.2.7 BTW


TIA

david63
Registered User
Posts: 16196
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood

Re: Security Plug Ins

Post by david63 » Thu Jun 20, 2019 10:19 am

Are you referring to phpBB extensions or something else, as phpBB does not have "plug ins"?
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

PoliFactsGlobal
Registered User
Posts: 9
Joined: Wed Jun 19, 2019 6:30 am
Name: K E

Re: Security Plug Ins

Post by PoliFactsGlobal » Thu Jun 20, 2019 10:26 am

Extension - I should have been more clear

sry

John connor
Registered User
Posts: 2119
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: Security Plug Ins

Post by John connor » Thu Jun 20, 2019 12:07 pm

Might want to have a look at CIDRAM and Ninjafirewall. Look in my Sig.

Lumpy Burgertushie
Registered User
Posts: 66342
Joined: Mon May 02, 2005 3:11 am

Re: Security Plug Ins

Post by Lumpy Burgertushie » Thu Jun 20, 2019 5:11 pm

basically phpbb does not need any type of security plugins or extensions.
it has not been successfully hacked since phpbb3 came out in 2007 that I am aware of.

as long as you have a good Q&A set for anti spam you won't get any bots signing up and spamming you etc.

other than that I don't know what type of security you could want for a bulletin board.


robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

If a tree falls in the forest and nobody is there, does it make a sound?

Heo32
Registered User
Posts: 113
Joined: Sat Jan 07, 2017 10:08 pm

Re: Security Plug Ins

Post by Heo32 » Thu Jun 20, 2019 7:49 pm

1) phpBB has no security holes. If it did, they would get patched pretty quickly.

2) A good Q/A is all you need for registering. Don't make it too obvious.

3) Be sure you use TLS (https) with a key and certificate. Support TLSv1.2 and TLSv1.3 only. Do not allow TLSv1.1 or below since it is considered insecure. Also, do NOT support the SSL standard since that is very outdated and insecure. Once PHP officially supports TLSv1.3 (link here under "crypto_type"), drop support for TLSv1.2. Also, use strong ciphers. I suggest you get the key and certificate from Cloudflare. Use their service for your website. Some people have issues using Cloudflare for some reason, but if you set things up properly, you'll have no issues (like me). It also adds additional security to your site including a firewall, full TLS encryption, DoS protection, caching, and it hides your server's IP address using an IP from Cloudflare instead.

4) Test your website using the following links, then make changes to your configuration file as needed: There are more sites out there available, but those are some of the best that I know of.

5) Ban known bad IPs of bots that have malicious intentions. These are the ones I block, but you don't have to use them:

Code:

117.7.188.7
118.92.13.232
118.98.160.194
12.202.58.155
12.219.232.74
121.241.242.109
122.201.83.4
124.38.72.206
125.161.244.62
128.194.135.94
129.187.148.240
129.187.148.244
131.107.0.113
139.91.200.198
142.22.16.58
143.88.90.245
151.13.75.33
151.9.239.163
162.62.129.253
168.209.97.34
171.75.222.63
189.17.82.37
189.20.244.107
190.12.2.35
190.24.128.222
192.68.112.136
193.164.133.13
193.164.133.17
193.251.29.45
193.251.52.59
193.251.53.22
193.251.80.30
193.252.200.122
193.253.178.183
193.53.87.109
193.53.87.111
193.53.87.113
193.53.87.89
193.92.70.208
193.93.74.14
194.165.42.137
194.165.42.153
194.165.42.157
194.165.42.59
194.208.184.230
194.246.124.67
194.3.18.6
194.3.21.18
194.8.74.158
194.8.75.206
195.131.188.93
195.144.134.42
195.166.233.191
195.166.233.65
195.166.238.131
195.225.178.28
195.225.178.39
196.192.81.96
196.28.239.15
198.54.202.210
198.65.122.125
200.150.28.220
200.220.151.1
200.63.42.109
200.63.42.111
200.63.42.113
200.63.42.143
200.63.42.77
200.76.250.44
200.79.162.130
200.88.42.40
201.10.168.155
201.24.32.108
201.29.12.243
201.52.198.43
202.101.180.170
202.183.218.187
202.29.87.47
202.75.33.249
203.158.221.227
203.162.2.134
203.162.2.136
203.162.2.137
203.177.74.135
203.177.74.139
203.190.173.81
203.67.201.21
204.246.129.196
204.255.43.27
205.178.184.154
206.190.65.134
206.53.51.77
207.160.131.168
207.210.208.135
208.223.208.181
208.36.144.8
208.58.251.39
209.249.86.17
209.62.20.18
209.85.73.30
210.176.202.178
210.19.71.60
210.191.136.34
210.200.105.227
210.217.59.22
210.251.211.111
210.254.102.143
211.157.36.4
211.157.36.5
211.161.23.245
211.161.24.131
211.21.116.130
211.21.116.139
211.76.97.228
212.107.116.240
212.118.158.68
212.178.115.54
212.224.30.68
212.45.53.79
213.134.40.89
213.148.3.114
213.183.195.161
213.236.204.70
213.84.162.99
216.119.173.253
216.138.199.77
216.171.104.242
216.185.57.98
216.240.136.125
216.255.182.173
217.126.182.116
217.128.154.91
217.128.252.166
217.153.66.146
217.167.235.90
217.169.46.98
217.199.216.229
217.20.123.129
217.217.204.48
217.22.60.25
217.91.20.123
218.145.25.105
218.15.138.214
218.160.2.47
218.231.136.175
218.231.138.206
218.6.13.215
218.6.9.217
218.72.151.218
218.86.46.195
219.181.201.29
219.93.175.67
220.144.155.229
220.226.198.55
221.141.3.55
222.127.185.68
222.127.223.72
222.127.33.213
222.127.88.67
222.239.220.196
222.240.212.17
222.251.133.59
222.255.31.82
222.46.17.43
24.11.97.106
24.123.125.205
24.222.100.119
24.226.197.211
24.44.5.10
24.87.161.224
38.*.*.*
59.188.30.59
60.190.240.66
60.190.240.73
60.190.79.24
60.240.249.195
60.240.249.205
61.133.87.226
61.174.192.77
61.174.204.122
61.19.242.44
62.101.126.225
62.143.69.218
62.181.1.150
62.195.91.228
62.213.161.163
62.219.168.150
62.77.100.19
64.118.129.92
64.124.148.26
64.22.118.42
64.252.23.186
64.27.0.41
64.27.0.42
64.27.0.61
64.27.11.179
64.38.50.26
64.59.139.138
64.62.142.170
64.69.34.135
64.81.148.131
64.86.25.92
64.92.199.47
64.92.199.49
65.213.208.*
65.222.176.*
65.222.185.*
65.94.44.127
66.15.122.250
66.212.19.146
66.228.126.245
66.232.105.72
66.232.126.195
66.36.230.12
67.191.151.236
67.215.231.186
67.228.225.182
67.59.147.59
68.109.73.115
68.111.127.37
68.117.98.81
68.185.130.94
68.215.54.172
68.229.73.144
68.83.57.127
69.106.236.72
69.119.185.187
69.120.191.48
69.127.30.66
69.13.112.144
69.130.7.251
69.217.73.52
69.255.118.194
69.31.32.16
69.37.104.196
69.61.12.100
69.84.207.37
69.84.207.39
69.93.38.130
71.12.5.116
71.209.133.36
72.147.34.127
72.21.36.130
72.232.163.171
72.232.201.250
72.232.225.82
72.232.96.242
72.232.96.42
72.36.175.106
72.36.182.226
72.36.198.2
72.36.94.42
74.12.55.215
74.208.68.31
74.208.71.119
74.233.67.91
74.50.117.96
74.55.12.50
74.86.171.82
75.120.134.242
75.126.231.122
75.146.62.233
75.92.50.181
76.205.74.252
77.77.8.138
77.92.88.12
77.92.88.9
78.129.202.17
78.129.202.2
78.129.202.7
78.129.208.115
78.129.208.130
78.129.208.135
78.129.208.20
78.129.208.200
78.129.208.30
78.157.143.186
78.157.143.233
78.31.106.146
78.46.197.81
78.46.86.18
78.80.11.238
78.90.24.115
79.147.187.4
80.11.65.210
80.11.65.74
80.119.68.51
80.13.163.248
80.13.169.152
80.13.78.25
80.14.185.210
80.14.67.140
80.14.67.42
80.15.37.100
80.191.160.121
80.218.114.94
80.228.230.97
80.242.48.10
80.66.177.128
80.71.118.27
80.80.111.200
80.80.111.240
80.88.128.12
80.90.160.45
81.154.142.33
81.168.0.216
81.169.152.97
81.199.83.31
81.199.84.12
81.209.145.122
81.215.76.148
81.215.80.51
81.215.85.192
81.248.17.52
81.48.127.67
81.49.209.131
81.51.116.43
81.51.227.244
82.103.128.87
82.121.32.161
82.194.62.235
82.226.66.67
82.239.113.212
82.99.30.36
82.99.30.41
82.99.30.55
83.175.188.194
83.200.207.240
83.233.30.38
83.33.24.106
84.108.223.95
84.16.227.88
85.10.202.240
85.10.206.147
85.12.25.118
85.179.106.95
85.20.40.10
85.21.125.100
85.214.68.78
85.68.88.112
86.34.4.118
87.118.100.104
87.118.116.154
87.118.120.241
87.193.221.131
87.249.60.197
87.250.140.151
88.191.94.206
88.191.97.89
88.214.224.34
88.239.82.244
88.24.87.7
89.122.213.193
89.122.29.122
89.122.29.128
89.122.29.39
89.122.29.76
89.122.29.79
89.122.29.82
89.123.6.19
89.149.226.174
89.149.227.14
89.149.227.165
89.149.242.149
89.149.244.45
89.149.253.167
89.248.168.70
89.248.169.90
89.3.143.125
89.49.180.159
89.79.73.121
91.192.117.16
91.64.118.154
91.89.86.14
92.11.225.97
92.48.127.68
92.48.203.116
92.48.84.209
92.48.93.246
93.150.15.144
93.174.93.208
93.174.93.224
93.174.93.39
94.102.60.19
94.102.60.43
94.102.60.45
94.102.60.77
94.69.179.160
94.76.199.10
97.81.19.227
98.200.250.129
98.209.44.52
98.214.191.249
These ones are from fake accounts:

Code:

141.101.97.*
172.68.11.*
172.68.10.*
6) Ban known disposable e-mail address services. The list can get really, really long. I won't include mine here, but I'll give a few links to help you get started: I'm sure you'll find more. Be sure to remove any duplicates found as you make your list.
Is this for you? :arrow: Windows + Nginx + PHP + MySQL + phpBB + WordPress + Cloudflare

Allow using Content-Security-Policy without unsafe-inline
stevemaury wrote:
Sun May 20, 2018 8:16 pm
I went to your board and looked for an hour or so, but did not see the women without underwear.

thecoalman
Community Team Member
Posts: 3223
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Security Plug Ins

Post by thecoalman » Thu Jun 20, 2019 9:06 pm

Heo32 wrote:
Thu Jun 20, 2019 7:49 pm
and it hides your server's IP address using an IP from Cloudflare instead.
For this to work properly and truly secure the server requires quite a bit of server configuration. Server side, ideally you need to install mod_cloudflare so the real IP of the user is passed to Apache and available in logs, applications like phpBB, etc. There is an extension for phpBB, but that only works within phpBB; logs and anything else utilizing the IP would still have Cloudflare IPs.

DDOS attacks are not random and Cloudflare is useless if they know the IP; there are various points to obtain it. Firstly, it can be exposed in outgoing email, so you also need to be using a separate IP for outgoing email. If you have a WHM server this is easily configurable. If the IP is on the same server it's still vulnerable, however the IP used for email can be null routed if it is attacked, so it would be a short-term vulnerability. Make sure the IP for the email is not consecutive with the IP your site is on so it isn't easily guessed.

Within phpBB you need to disallow remote avatars and the image size checker used for limiting posted image sizes from external sources.

You also need to make sure the IP is not spitting out anything that can be used to identify it as the origin IP. If they know the IP of the email they can determine the range of your host's IPs. They simply run a bot over that range making requests for 123.456.789.001/uniqueimage.jpg, 123.456.789.002/uniqueimage.jpg. You can prevent this by firewalling all traffic to ports 80 and 443 except for Cloudflare IPs. This has added benefits beyond preventing DDOS: common bots traversing IP ranges randomly requesting vulnerable scripts are denied.

Also keep in mind, after you do all this, if the existing IP was listed in DNS records there are histories available for that. The IP you use in Cloudflare should be a new one that was never listed in DNS records associated with your site. You can always change that any time in the Cloudflare panel and it's instant, no downtime for propagation.
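
The firewall step described in the post above (accept TCP 80 and 443 only from Cloudflare's ranges, drop everything else so a scan of the hosting range gets no answer from the origin), as an added example that is not code from this thread, from phpBB or from Cloudflare. It is a POSIX sh script that prints the iptables rules as a dry run, applies them only when asked, and includes a small CIDR matcher so an administrator can check whether a given client address would be admitted. The embedded range list is a constructed sample built from RFC 5737 documentation prefixes, not Cloudflare's real addresses; the live list is published at https://www.cloudflare.com/ips-v4 (and ips-v6) and changes over time, so re-fetch it before use. The chain name CLOUDFLARE_ONLY and all function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the phpBB.com thread, phpBB or Cloudflare):
# generate iptables rules that accept TCP 80/443 only from Cloudflare's
# edge ranges and drop the rest, so the origin does not answer scanners.
# Assumptions: Linux with iptables, POSIX sh. CF_RANGES is a CONSTRUCTED
# sample (RFC 5737 documentation prefixes); replace it with the list from
# https://www.cloudflare.com/ips-v4 before applying anything.

CF_RANGES="198.51.100.0/24
203.0.113.0/24"

# Dotted quad -> 32-bit integer, using only shell arithmetic.
ip_to_int() {
  old_ifs=$IFS
  IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR: succeed when IP lies inside CIDR (a bare IP means /32).
in_cidr() {
  case $2 in */*) ;; *) set -- "$1" "$2/32" ;; esac
  ip=$(ip_to_int "$1")
  net=$(ip_to_int "${2%/*}")
  bits=${2#*/}
  mask=$(( (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# allowed_by_cf_list IP: would this client reach port 80/443 under the rules?
allowed_by_cf_list() {
  for r in $CF_RANGES; do
    if in_cidr "$1" "$r"; then return 0; fi
  done
  return 1
}

# gen_cf_rules: print the iptables commands without running them.
gen_cf_rules() {
  # Create the chain on first run, flush it on later runs.
  echo "iptables -N CLOUDFLARE_ONLY 2>/dev/null || iptables -F CLOUDFLARE_ONLY"
  for r in $CF_RANGES; do
    echo "iptables -A CLOUDFLARE_ONLY -s $r -j ACCEPT"
  done
  # Anything on 80/443 that is not from the list is dropped silently.
  echo "iptables -A CLOUDFLARE_ONLY -j DROP"
  # Idempotent hook: insert the jump into INPUT only if it is not there yet.
  echo "iptables -C INPUT -p tcp -m multiport --dports 80,443 -j CLOUDFLARE_ONLY 2>/dev/null || iptables -I INPUT -p tcp -m multiport --dports 80,443 -j CLOUDFLARE_ONLY"
}

# Default is a dry run that prints the rules; pass --apply to run them as root.
case "${1:-}" in
  --apply) gen_cf_rules | sh ;;
  *)       gen_cf_rules ;;
esac
```

Two points a practitioner will want to keep in mind: the filter only covers IPv4, so if the host also has a public IPv6 address the same must be done with ip6tables and the ips-v6 list, otherwise the v6 address remains a path around the filter; and the list should be regenerated on a schedule, since a range Cloudflare adds later would otherwise be dropped along with the scanners. Once only Cloudflare can reach the origin, the real-client-IP handling mentioned above (mod_cloudflare, or any equivalent trusted-proxy module) becomes safe to rely on, because nobody else can send the forwarding header.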

PoliFactsGlobal
Registered User
Posts: 9
Joined: Wed Jun 19, 2019 6:30 am
Name: K E

Re: Security Plug Ins

Post by PoliFactsGlobal » Fri Jun 21, 2019 2:12 am

Thanks very much for the responses - Some great info within.
Exactly what I was looking for - people who have traversed this path in real world applications.

I don't have that much XP dealing with USERS as it pertains to forums/communities. Site isn't live yet, but will be soon - Just don't want to be blindsided by a "DOHhhhh" kind of moment having missed something.

I do expect the site to get hammered on if it becomes popular being a political forum.

Some great suggestions and info - I will take heed and delve into them

Thx Much :D


PS. No real point in doing a serious site if it's just gonna get wiped out every 3 weeks.

Heo32
Registered User
Posts: 113
Joined: Sat Jan 07, 2017 10:08 pm

Re: Security Plug Ins

Post by Heo32 » Fri Jun 21, 2019 1:49 pm

You're welcome. :)

Have a backup plan in place and be sure everything is backed up on a regular basis. If you lose anything, or everything, you can look at the logs and figure out what went wrong, patch it up, restore everything and then go live again.
thecoalman wrote:
Thu Jun 20, 2019 9:06 pm
You can prevent this by fire-walling all traffic to ports 80 and 443 except for Cloudflare IP's. This has added benefits beyond preventing DDOS, common bots traversing IP ranges randomly requesting vulnerable scripts are denied.
I sure would like to know how to set that up. Could you post details here of what needs to be done to implement your suggestion?

Lumpy Burgertushie
Registered User
Posts: 66342
Joined: Mon May 02, 2005 3:11 am

Re: Security Plug Ins

Post by Lumpy Burgertushie » Fri Jun 21, 2019 3:38 pm

you certainly can do whatever you want with your board.

however, none of that is really needed with phpbb unless you have some very serious hackers with serious skills trying to bring your board down.

most political type fanatics probably are not that serious and do not have those kinds of skills.

they usually just like to make threats and jump up and down calling their opponents names etc. etc.



PoliFactsGlobal
Registered User
Posts: 9
Joined: Wed Jun 19, 2019 6:30 am
Name: K E

Re: Security Plug Ins

Post by PoliFactsGlobal » Fri Jun 21, 2019 4:11 pm

Thx for response - I do have a backup plan - DB Dumps and Site Files, and server is hardened.

I feel a bit better and confident after reading the responses.

Thx

Heo32
Registered User
Posts: 113
Joined: Sat Jan 07, 2017 10:08 pm

Re: Security Plug Ins

Post by Heo32 » Fri Jun 21, 2019 7:31 pm

I'm glad to help.

Also, if you're hosting your website, be sure all software components are fully up to date on a regular basis. That will often patch known security holes. If you're going with a host provider, then it's out of your hands and in theirs. Host providers don't always keep their software up to date, I've noticed, but they do keep backups.

Everything I've posted is a learning process. I had to figure it all out on my own from knowing absolutely nothing about hosting my own website. Learning about security comes with time. But the good thing about it is you don't need to be a coder/programmer to implement it. Anyone can do it if they have the interest and drive.

John connor
Registered User
Posts: 2119
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: Security Plug Ins

Post by John connor » Fri Jun 21, 2019 9:13 pm

If you wanna go the IP block route, look into what I already posted on CIDRAM. Read it, use it, love it. The Dev is a friend of mine and I made many suggestions for CIDRAM that got implemented. There's also a WordPress plugin version.

Also, read my signature. That link has a post on CloudFlare and how to properly deploy it to keep your origin IP hidden. Without an origin IP it makes it next to impossible to DDoS or layer 7 DDoS, find the SSH or FTP ports, etc. For free you can't beat it, though for layer 7 DDoS protection that will cost and it only costs me about 30 cents a month based on my traffic flow.

Could have sworn I mentioned Ninjafirewall as well... They too have a WordPress plugin version.

Check out Censys and Shodan...

thecoalman
Community Team Member
Posts: 3223
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Security Plug Ins

Post by thecoalman » Fri Jun 21, 2019 11:15 pm

Lumpy Burgertushie wrote:
Fri Jun 21, 2019 3:38 pm
most political type fanatics probably are not that serious and do not have those kinds of skills.
You don't need skills to perform a DDOS attack; these attacks are orchestrated by what they call bot herders, who are basically guns for hire. They will rent out their bots for X amount by the hour, day, week or whatever. They even offer control panels, discounted rates for return customers, scheduling and tips/tricks... really. They are run like a business.

The cost is relative to scale/length of the attack. It's not very expensive to bury even a site like this on a dedicated machine because you do not need control of many machines to do it. The following graph depicts what went on for a week on my site, something like 2000 HTTP requests per second on average. The reason it peaks during the AM is because the bulk of the IPs were European/Asian. It's also a graph of people waking up in the morning and turning their compromised computers on.

[Image: graph of the week-long attack on the author's site, roughly 2000 HTTP requests per second on average, peaking in the morning hours]

thecoalman
Community Team Member
Posts: 3223
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Security Plug Ins

Post by thecoalman » Fri Jun 21, 2019 11:17 pm

Heo32 wrote:
Fri Jun 21, 2019 7:31 pm
but they do keep backups.
Unless you are specifically paying for backup service the backups they have can be days out of date. Ask them...
