Looking to Enhance & Protect Our phpBB Site‎

Harewood
Registered User
Posts: 14
Joined: Sun Feb 17, 2013 12:16 pm

Post by Harewood » Mon Aug 05, 2019 7:21 am

So far I've been looking at:

SiteLock
Expensive but good set of tools.

Sucuri
Looks good value for money with a comprehensive set of tools. [Cost effective for sites with EVSSL Certs]

Cloudflare
Pricing looks obscure and tools look limited.

Wondered what experiences anyone's had, and any feedback would be appreciated ;)

david63
Registered User
Posts: 16330
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood

Re: Looking to Enhance & Protect Our phpBB Site‎

Post by david63 » Mon Aug 05, 2019 7:28 am

What is it that you are trying to protect?
David
Remember: You only know what you know and - you don't know what you don't know!
My CDB Contributions | How to install an extension
I will not be accepting translations for any of my extensions in Github - please post any translations in the appropriate topic.
No support requests via PM or email as they will be ignored

Harewood
Registered User
Posts: 14
Joined: Sun Feb 17, 2013 12:16 pm

Re: Looking to Enhance & Protect Our phpBB Site‎

Post by Harewood » Mon Aug 05, 2019 8:21 am

Our phpBB Site

Mick
Support Team Member
Posts: 21333
Joined: Fri Aug 29, 2008 9:49 am
Location: Watching cricket - definitely

Re: Looking to Enhance & Protect Our phpBB Site‎

Post by Mick » Mon Aug 05, 2019 8:23 am

Is this related to spam? If so there are easier ways to stop (the majority) of spam bots and slow down human spammers. What are you looking to enhance?
"The more connected we get the more alone we become" - Kyle Broflovski

david63
Registered User
Posts: 16330
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood

Re: Looking to Enhance & Protect Our phpBB Site‎

Post by david63 » Mon Aug 05, 2019 9:42 am

OK I will rephrase my question.

What are you trying to protect your site from?
David

Lumpy Burgertushie
Registered User
Posts: 66488
Joined: Mon May 02, 2005 3:11 am

Re: Looking to Enhance & Protect Our phpBB Site‎

Post by Lumpy Burgertushie » Mon Aug 05, 2019 5:17 pm

bottom line is that there is nothing you need to add to phpbb to "protect" it from anything.

spam can be controlled by using the builtin Q&A with a good question that you can't google the answer for.

there are no known exploits for phpbb 3 and never have been since it came out.

so, unless you are expecting your board to be attacked by zombies I think you are ok as it is.

robert
I'm baaaaaccckkkk. still doing work on donation basis. PM your needs.

Premium phpBB 3.2 Styles by PlanetStyles.net

If a tree falls in the forest and nobody is there, does it make a sound?

Harewood
Registered User
Posts: 14
Joined: Sun Feb 17, 2013 12:16 pm

Re: Looking to Enhance & Protect Our phpBB Site‎

Post by Harewood » Tue Aug 06, 2019 5:25 pm

Thank you for all your replies...

I'm not technical especially when it comes to web site security, and I guess I'm old school and kinda go for a "belt and braces" type of approach, and trust in multi layers of security as a preventative measure, as I have no intention of trying to clear up any aftermath should anything occur.
I have no idea how secure phpBB is, past, present and future, so as a preventative measure I thought to ask the phpBB community for their thoughts on additional layers of security.

I guess one of the enhancements that I like the sound of with these solutions, is that SiteLock, Sucuri and Cloudflare offer to speed up sites.

All comments greatly received... ;)

david63
Registered User
Posts: 16330
Joined: Thu Dec 19, 2002 8:08 am
Location: Lancashire, UK
Name: David Wood

Re: Looking to Enhance & Protect Our phpBB Site‎

Post by david63 » Tue Aug 06, 2019 5:49 pm

Harewood wrote:
Tue Aug 06, 2019 5:25 pm
I guess one of the enhancements that I like the sound of with these solutions, is that SiteLock, Sucuri and Cloudflare offer to speed up sites.
Anything that adds a layer of protection will have the opposite effect - it will slow your site down. The mere fact that something has to be checked against a list/database or whatever adds additional processing which has to have an effect on your site. I will accept that probably in most cases the difference will be indeterminable.
David

Lumpy Burgertushie
Registered User
Posts: 66488
Joined: Mon May 02, 2005 3:11 am

Re: Looking to Enhance & Protect Our phpBB Site‎

Post by Lumpy Burgertushie » Tue Aug 06, 2019 7:51 pm

once again, none is needed. you can't ever completely block spam on any website/forum etc. however, if you follow the suggestions here you can stop very close to 100% of it in phpBB.


robert

thecoalman
Community Team Member
Posts: 3261
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Looking to Enhance & Protect Our phpBB Site‎

Post by thecoalman » Wed Aug 07, 2019 1:33 am

david63 wrote:
Tue Aug 06, 2019 5:49 pm
Anything that adds a layer of protection will have the opposite effect - it will slow your site down.
Cloudflare adds both performance and security to a site, especially in the global context. They have datacenters across the globe and can serve cached content from them. This also reduces the load on your own server, increasing its performance. As far as the added security there are numerous features that can be deployed, some of them easily, like blocking known bad bots, to more difficult implementation like firewalling all traffic to your server except for Cloudflare IPs. It's a tool and like any tool you need to know how to use it.

thecoalman
Community Team Member
Posts: 3261
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Looking to Enhance & Protect Our phpBB Site‎

Post by thecoalman » Wed Aug 07, 2019 1:52 am

Lumpy Burgertushie wrote:
Tue Aug 06, 2019 7:51 pm
once again, none is needed.
phpBB3 has an excellent track record but telling someone that no additional security is needed based on that is very poor advice. In addition to potential exploits in phpBB in the future there may be other software running either as a web application or server application that may be exploited. phpBB cannot protect against this:

http://example.com/exploitable_third party_script.php?view=config.php

mod_security on the other hand may prevent this especially if it's a common web application.

Harewood
Registered User
Posts: 14
Joined: Sun Feb 17, 2013 12:16 pm

Re: Looking to Enhance & Protect Our phpBB Site‎

Post by Harewood » Wed Aug 07, 2019 8:16 am

Thanks again for all your comments, and does phpbb.com use CloudFlare?

Paul
Infrastructure Team Leader
Posts: 25230
Joined: Sat Dec 04, 2004 3:44 pm
Location: The netherlands.
Name: Paul Sohier

Re: Looking to Enhance & Protect Our phpBB Site‎

Post by Paul » Wed Aug 07, 2019 8:18 am

Only for DNS resolving.
Knock knock
Race condition
Who's there?


thecoalman
Community Team Member
Posts: 3261
Joined: Wed Dec 22, 2004 3:52 am
Location: Pennsylvania, U.S.A.

Re: Looking to Enhance & Protect Our phpBB Site‎

Post by thecoalman » Wed Aug 07, 2019 8:24 pm

Harewood wrote:
Wed Aug 07, 2019 8:16 am
Thanks again for all your comments, and does phpbb.com use CloudFlare?
I use Cloudflare on my site, I cannot speak about their free option because I used the paid version. My site came under a DDOS attack a few years back, twice in two weeks. Without a service like theirs you are pretty much toast if such an attack is carried out on your own site. It's not difficult for someone to do this, it only requires a small amount of cash if you piss someone off. To fully implement such protection requires a substantial amount of server configuration so if you are on a shared host it's probably pointless.

Most of the security layers they add can be added server side however if you are on shared hosting some may be helpful but others would be pointless. Performance enhancements they provide should be beneficial to any site.

Last but not least when you utilize their service all legitimate traffic to your site is over Cloudflare IPs. This is a good thing in that you can firewall all other traffic over ports 80 and 443 not coming from Cloudflare IPs, however once again if you are on a shared host it's not going to happen. This presents a problem regardless of what type of hosting because server applications like logging and web applications like phpBB that record IPs will only record Cloudflare IPs without further action. Ideally you need to install mod_cloudflare so the real IP is passed to logs and phpBB, and if you are on shared hosting it can only be done by your host. There is an extension for phpBB but this only works for phpBB, logs will still have Cloudflare IPs.
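
The real-IP issue discussed in the post above, as an added example that is not part of the thread or of phpBB, mod_cloudflare or Cloudflare code: the `CF-Connecting-IP` header is only trusted when the TCP peer is inside a Cloudflare range, and requests that reach the origin directly are flagged. The function names are hypothetical and the range list is an illustrative subset; the current full list is published at https://www.cloudflare.com/ips/.

```python
import ipaddress

# Illustrative subset of Cloudflare's published ranges (assumption: replace
# with the current full list from https://www.cloudflare.com/ips/).
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "2400:cb00::/32",
)]

def from_cloudflare(peer_ip):
    """True if the TCP peer address belongs to a listed Cloudflare range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr.version == net.version and addr in net
               for net in CLOUDFLARE_NETS)

def resolve_client(peer_ip, headers):
    """Return (client_ip, verdict); headers is a dict with lower-cased names."""
    claimed = headers.get("cf-connecting-ip")
    if not from_cloudflare(peer_ip):
        # Request reached the origin without passing through Cloudflare.
        # Any CF-Connecting-IP it carries was set by the sender, so the
        # address to log and act on is the peer itself.
        verdict = "direct-spoofed-header" if claimed else "direct-to-origin"
        return peer_ip, verdict
    if claimed is None:
        return peer_ip, "proxied-no-header"
    try:
        # Normalise and validate before it is written to logs or a database.
        return str(ipaddress.ip_address(claimed.strip())), "proxied"
    except ValueError:
        return peer_ip, "proxied-bad-header"

# Constructed sample requests: (TCP peer address, request headers).
SAMPLE = [
    ("173.245.48.10", {"cf-connecting-ip": "198.51.100.7"}),
    ("203.0.113.50", {"cf-connecting-ip": "198.51.100.7"}),
    ("203.0.113.51", {}),
    ("104.16.1.1", {"cf-connecting-ip": "not-an-ip"}),
]

def audit(requests):
    """Resolve every request; 'direct-*' verdicts mean the firewall rule
    restricting ports 80/443 to Cloudflare ranges is missing or incomplete."""
    return [resolve_client(peer, hdrs) for peer, hdrs in requests]

if __name__ == "__main__":
    for client, verdict in audit(SAMPLE):
        print(f"{client:15} {verdict}")
```
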

John connor
Registered User
Posts: 2186
Joined: Fri Nov 14, 2014 5:14 pm
Location: U S Of A
Name: Aaron

Re: Looking to Enhance & Protect Our phpBB Site‎

Post by John connor » Wed Aug 07, 2019 9:35 pm

I use a plethora of security. Both for site protection against would-be hackers and to mitigate a DDoS or layer 7 DDoS and spam. I do use CloudFlare but only the free plan. If you use CloudFlare you need to know how to use it right to keep your origin IP hidden. I write about that on my forum. Look in my Sig below. I also use the free version of Ninjafirewall as a WAF. So that's why I don't need an upgraded plan from CloudFlare. Another script I run is CIDRAM and you can find that over at Github. The Dev is a friend of mine and I have made a few suggestions that have been implemented into CIDRAM. Just recently my suggestion of adding an AbuseIPDB module to use their API made it into CIDRAM.

Another thing I like about CloudFlare is that for free you can't beat the DDoS protection and the ability to block whole ASNs (Groups of IP ranges). I have an untold amount that I block from many hosters or Cloud providers. To me, there's no reason why a server should connect to a server. And yes, Google, et al is still allowed of course. Also, CIDRAM blocks a lot of unsavory traffic as well that may not be wanted and has search engine verification. So for instance, in my htaccess file I block the ability to see robots.txt except for Google, etc. Now if one were to change to a Google useragent they still can't see robots due to CIDRAM's search engine verification.

I do pay CloudFlare for layer 7 DDoS prevention and that's about 30 cents a month for me now since I don't have a high traffic website. With CloudFlare allowing you to mask your origin IP, it's a really good thing. That way no one can NMAP your server looking for ports and try to attack the SSH port or FTP port, etc. If you want to see something pretty crazy, check out Shodan and Censys. I can't tell you how many sites chose to use CloudFlare, but never use it right. Shodan and Censys know all, let me tell you.

Read the links in my Sig and if you have any questions ask. Never been hacked and I have reported a total of four spammers to the Stop Forum Spam database in the over four years I've had my website. I also run a WordPress website as well and no trouble there either. Yes, it's all about layers.

About mod_cloudflare. Yes, your host should already have that installed if you use a shared account. And don't use CloudFlare from cPanel. Create a CloudFlare account instead. Also ask your host if mod_security is on (I would hope so) and if Suhosin is installed.
