Skip to main content
Security Risks Started by omBre · · Read 12071 times 0 Members and 1 Guest are viewing this topic. previous topic - next topic

Security Risks

Talking about servers specs, while trying to find exuse for larger cloud package, except engine overload by extra twicks to the gui of the forum, I have realised that real danger to this app as any other is ROP attack, few years ago I had some personal expirience with it, dont ask me how, I simply got the message Too Many Connections on the page ...

https://www.apriorit.com/dev-blog/434-rop-exploit-protection

https://www.elkarte.net/community/index.php?topic=4826.msg35094#msg35094

so is there any real threat to ElkArte as app or Dig.Ocean as cloud servers from ROP'ers ... what should I watch for, 2FA like sms authentication is not enough to stop an hacker with agenda, could they execute new hole directly through some addon here through this board, ha paranoia is good when one wants more than words from engaging in some public debate that can bring change on big skale ... tell me is there any addon that can track any changes to the code in real time through sms allert?

Re: Security Risks

Reply #1

AFAICS RoP attacks are directed towards languages that guarantee memory access, being php a scripting language I think it can hardly be affected by such a technique.
If you can't give details on how you were attacked in the first place... well it's difficult to say anything.
Bugs creator.
Features destroyer.
Template killer.

Re: Security Risks

Reply #2

I am not really sure what you are afraid of as running a forum is not like running a banking or highly valuable government site.

Sometimes problem like mysql connection failure with "Too many open files" is just "Limit on number of open files has been reached on the MySQL server. When MySQL fails to open required files, the process gets hanged and systemd fails to stop MySQL process." as stated in Plesk.[1]

That is basically saying running your own personal server and website (including a forum), you must really know what you are doing and how to troubleshoot things. Or at least, how and where to get help and support, for free or by paying.
I just faced this today and resolved! :D

Re: Security Risks

Reply #3

Emanuele I am not to much knowledgeable on the ROP matter, but I know it can be excuted in php, even tho I had attack of the archived blog page, that earlier was live and full, hm as I remember I have read somewhere that similar behavior was usual for others, what to say php rulz but hackers too https://www.nds.rub.de/media/emma/veroeffentlichungen/2014/09/10/POPChainGeneration-CCS14.pdf

Ahrasis I know, for sure me myself and I will ask for little help from the friends, live and virtual, coz in this e-society political forum as open source party motivation, clashed with regular political elites, even as idea must be insured as much as possible ... give it to the hackers :D which I am after, but I should be also aware of the risks, and how to expect resolve or avoid them ...

Re: Security Risks

Reply #4

here is similar aproach, but dont know is it related to ElkArte also

http://www.jakoblell.com/blog/2013/12/13/multiple-vulnerabilities-in-smf-forum-software/#toc-2

http://codefap.com/2012/08/how-to-protect-your-simple-machines-forum-smf-from-bots/

finally thats why I am after 2FA secure login

https://www.elkarte.net/community/index.php?topic=3100.msg35046#msg35046

Re: Security Risks

Reply #5

Those examples are quite old. So old as to have lost relevance.  Addressing the first as an example, what admin would click on an item they didn't place on their own site? I'm not sure if we call that hacking or taking advantage of basic stupidity.  ;D


On a serious note, security should be a top priority as you point out. There are a few high points to hit. First, keep the forum software current. Second, keep the server software current. Third, research server hardening. Fourth, remain vigilant watching server logs for suspicious activity. Lastly, and I believe this may be frequently missed, keep complete local backups on daily intervals.


There are several other practices that could be mentioned as well. Be smart with admin credentials. Use SSL. Be kind to people.  Want an easy poor man's 2FA? Make your username and screennames different.

Finally, the reality exists we accept the risk of attacks simply by having a site. It happens. Do your best but don't let it stop you from providing people with a good service.

Re: Security Risks

Reply #6

Quote from: omBre – here is similar aproach,
ehm... no, these are completely different matters.
Can we please complete 1 (one) discussion before jumping in other 3 please?
Especially when we are talking about security, I'm a tad touchy and don't like to jump here and there without completing a discussion first.
Quote from: omBre – Emanuele I am not to much knowledgeable on the ROP matter, but I know it can be excuted in php, even tho I had attack of the archived blog page, that earlier was live and full, hm as I remember I have read somewhere that similar behavior was usual for others, what to say php rulz but hackers too https://www.nds.rub.de/media/emma/veroeffentlichungen/2014/09/10/POPChainGeneration-CCS14.pdf
Okay, this is the basically the "old" injection through unserialize.
In theory that one is avoided using a "safe" version and moving towards json for anything coming from the user.
Of course, as usual, anything can happen.

Quote from: omBre – http://www.jakoblell.com/blog/2013/12/13/multiple-vulnerabilities-in-smf-forum-software/#toc-2
Actually, I said 3 other things, but this already 2 by itself.
1) Username faking: I've never been wary about considering it a vulnerability, more a... way to identify people that click before think. Anyway there is some filtering on the matter, but since it involves regexp and unicode it's totally not my field, more Spuds field. xD
2) You have already the answer in the "Affected versions" section of the page.

Quote from: omBre – http://codefap.com/2012/08/how-to-protect-your-simple-machines-forum-smf-from-bots/
This is no security problem, just forum administration.

Quote from: omBre – finally thats why I am after 2FA secure login

https://www.elkarte.net/community/index.php?topic=3100.msg35046#msg35046
So when you posted this message you were actually looking for 2fa?...
Then you can just enable it from the admin panel.
Bugs creator.
Features destroyer.
Template killer.

Re: Security Risks

Reply #7

Life is more beautifull when u go with ur fears on the dancefloor ... at least I learned to be watchfull in front, daily email backups are maybe safest choice ... sorry for the piling links as fears and those are more like google drop, please if there are some other more than real let me know ...

Yes I was talking about sms-authentication but didnt know the 2fa acronym, didnt know also that there is such login option at all ... tho for political forum maybe even this is not the safest way for smooth participation ... some say Google Authenticator or an RSA token can be new safeguards around ... sure for mine paranoia even retina and palm secure would be  not enough maybe emf or dna check as divine option :D simply puted having gemstones in ur hand and giving them freely on the street is heresy for now, at least to have some order in the line ...

https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/

 

Re: Security Risks

Reply #9

I am real outsider on the hosting field, trying quickly to learn what I'll need so I can push for a while forum by myself till in the project jump in people with knowledge and expirience, so PLEASE DONT MIND if I wrongly ask or asked in wrong time in right place or vice versa ...

so here is another try to find answer for What would be allround monitoring app plug or api for ElkArte that can be multiuser oriented as alert system ... here is where and how started this question ... hope now is in more adequate place ...

https://www.elkarte.net/community/index.php?topic=3262.msg35306#msg35306

Thanks