Author Topic: SMF Security  (Read 12335 times)

0 Members and 1 Guest are viewing this topic.

Offline Chavo

  • x86
  • Hero Member
  • *****
  • Posts: 2219
  • no u
    • View Profile
    • Chavoland
SMF Security
« on: January 19, 2007, 05:54:41 pm »
A friend of mine was having problems with someone hacking his IPB installation for an online community with a large user base.  He didn't have the money to upgrade to the newest version of IPB so I suggested SMF.

Any SMF veterans have any tips for securing SMF for a large user base?  I'm looking at you iago and Sidoh.

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: SMF Security
« Reply #1 on: January 19, 2007, 05:55:12 pm »
:(.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: SMF Security
« Reply #2 on: January 19, 2007, 08:15:06 pm »
SMF, like most other stuff, is secure as long as you stay at the latest version. 

There are no major known security vulnerabilities in SMF.

Offline Chavo

  • x86
  • Hero Member
  • *****
  • Posts: 2219
  • no u
    • View Profile
    • Chavoland
Re: SMF Security
« Reply #3 on: January 19, 2007, 09:04:38 pm »
thanks, no general advice like disabling offsite avatars to avoid script injection or that sort of thing?

some things tend to be less secure than others in larger user bases

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: SMF Security
« Reply #4 on: January 20, 2007, 01:33:13 am »
Well, unless they've fixed it karma was traditionally vulnerable to a CSRF attack, which is sort of why it got turned off on vL.  I have no idea if that's been fixed, but I generally just turn off karma.  It's easier than letting people abuse it. 

Off-site avatars can cause minor privacy issues, like user-tracking, but I don't know of any real danger. 

I can't really think of anything serious. 

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: SMF Security
« Reply #5 on: January 23, 2007, 06:32:26 pm »
Ironically, somebody posted a XSS flaw recently that affects all current versions.  There's a workaround on Bugtraq, but it's so minor I'll wait for a patch.

Offline Chavo

  • x86
  • Hero Member
  • *****
  • Posts: 2219
  • no u
    • View Profile
    • Chavoland
Re: SMF Security
« Reply #6 on: January 24, 2007, 10:39:41 am »
Ok, the guy that hacked the previous boards (before I convinced them to install SMF instead of an old version of IPB) posted on our boards yesterday.  I banned him of course, but I think he was using a proxy to post.  Do you have any recommendation for banning all proxies, other methods of keeping them out, etc?

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: SMF Security
« Reply #7 on: January 24, 2007, 11:36:42 am »
I don't think that it's possible, though I'm definitely no expert with proxies.  You could just turn on account verification for a few weeks until he finds something better to do.

Offline Chavo

  • x86
  • Hero Member
  • *****
  • Posts: 2219
  • no u
    • View Profile
    • Chavoland
Re: SMF Security
« Reply #8 on: January 24, 2007, 12:05:15 pm »
He isn't posing a threat right now.  He apparently tried to crack my and a few other admins passwords last night, failed, and moved on to another dota site (which he did crack actually).

Is there a list of publicly known proxies that I can ban? I'd rather people didn't use proxies at all for this forum (its important on this particular forum to avoid duplicate accounts, etc).

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: SMF Security
« Reply #9 on: January 24, 2007, 12:18:33 pm »
He isn't posing a threat right now.  He apparently tried to crack my and a few other admins passwords last night, failed, and moved on to another dota site (which he did crack actually).

Is there a list of publicly known proxies that I can ban? I'd rather people didn't use proxies at all for this forum (its important on this particular forum to avoid duplicate accounts, etc).

Some of these look pretty promising.

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: SMF Security
« Reply #10 on: January 24, 2007, 05:30:57 pm »
He isn't posing a threat right now.  He apparently tried to crack my and a few other admins passwords last night, failed, and moved on to another dota site (which he did crack actually).

He's a bitch. I bet he sits on efnet with a 3-bot botnet and talks shit.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: SMF Security
« Reply #11 on: January 24, 2007, 06:34:23 pm »
Why would he have bots? 

Anyways, the only thing you can do is require admin approval for new members, and to require an account to view anything.  But that's not practical on most boards, so just back up your DB every night (to either a write-once media or to a remote server) or deal with it. 

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: SMF Security
« Reply #12 on: January 24, 2007, 06:36:33 pm »
If he actually tries bruteforcing with one active attempt at a time, he's a damn fool.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: SMF Security
« Reply #13 on: January 24, 2007, 08:48:55 pm »
Assuming it takes 100 bytes to do an attempt, a low-end 768kbit connection can do 123 attempts/second.  I don't think that's an unreasonable number.  You aren't going to get a significant improvement if you have 3 bots. 

Plus, not every hacker has bots.  In fact, most don't.  Bots are typically just used for spamming (using them to attack or DDoS is significantly less common this year, and spam is more common). 

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: SMF Security
« Reply #14 on: January 24, 2007, 10:03:49 pm »
123*4 = 492 attempts/second. That's a pretty significant improvement.
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: SMF Security
« Reply #15 on: January 24, 2007, 11:10:14 pm »
Not really, not in any way that would justify the work of getting bots. 

Offline Newby

  • x86
  • Hero Member
  • *****
  • Posts: 10877
  • Thrash!
    • View Profile
Re: SMF Security
« Reply #16 on: January 24, 2007, 11:48:13 pm »
That is true. Especially since anybody who is out to get bots is more than likely going to have more than three...
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water ballon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: SMF Security
« Reply #17 on: January 25, 2007, 12:22:01 am »
That too. 

And like I said, it's getting more and more rare to see people using bots for attacks, they tend to be focussed on what's profitable, ie, spam.

Offline Chavo

  • x86
  • Hero Member
  • *****
  • Posts: 2219
  • no u
    • View Profile
    • Chavoland
Re: SMF Security
« Reply #18 on: January 25, 2007, 04:13:44 pm »
Why would he have bots? 

Anyways, the only thing you can do is require admin approval for new members, and to require an account to view anything.  But that's not practical on most boards, so just back up your DB every night (to either a write-once media or to a remote server) or deal with it. 
Here's my current backup script that runs via cron every night:

Code: [Select]
#!/bin/sh
DATESTAMP=`date +%m-%d-%Y-%H%M`
cd /home/check6ga/public_html/chavo/backup
rm *.gz
mysqldump --opt -p******** -u******** check6ga_tdtboards | gzip >$DATESTAMP.gz
cd /home/check6ga/public_html/chavo/
echo $DATESTAMP >> msg.txt
cat msg.txt | /usr/lib/sendmail -t

Is there an easy way to modify that to store it to a remote server instead?

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: SMF Security
« Reply #19 on: January 25, 2007, 06:57:18 pm »
I use scp to copy it to another Linux server.  Set up your public keys and it doesn't prompt for a password.

Offline nslay

  • Hero Member
  • *****
  • Posts: 786
  • Giraffe meat, mmm
    • View Profile
Re: SMF Security
« Reply #20 on: January 26, 2007, 09:29:28 am »
In order to defeat ssh bruteforce bots, I made a firewall rule that blocks for an hour anyone who connects more than 3 times within 30 seconds.  It's amusing to look at the auth log:
Code: [Select]
Jan 25 01:50:41 BOTTLE sshd[58117]: Invalid user staff from 211.239.154.81
Jan 25 01:50:44 BOTTLE sshd[58119]: Invalid user sales from 211.239.154.81
Jan 25 01:50:46 BOTTLE sshd[58121]: Invalid user recruit from 211.239.154.81
Jan 25 13:09:43 BOTTLE sshd[60605]: Did not receive identification string from 159.226.234.16
Jan 25 13:11:04 BOTTLE sshd[60625]: Invalid user webmaster from 159.226.234.16
Jan 25 13:11:07 BOTTLE sshd[60627]: Invalid user admin from 159.226.234.16
Jan 25 17:24:40 BOTTLE sshd[61268]: Did not receive identification string from 219.127.251.175
Jan 25 17:26:31 BOTTLE sshd[61275]: Invalid user staff from 219.127.251.175
Jan 25 17:26:33 BOTTLE sshd[61277]: Invalid user sales from 219.127.251.175
Jan 25 17:26:35 BOTTLE sshd[61279]: Invalid user recruit from 219.127.251.175

Additionally, I use a "badguys" list to permanently block network blocks that are from say China or Korea...most bruters on BLENDER oddly had Chinese and Korean IPs.  Now that those have all been blocked, BLENDER hasn't been bruted in months.

Maybe you can do something similar to prevent bruteforcing on the forum?
An adorable giant isopod!

Offline Chavo

  • x86
  • Hero Member
  • *****
  • Posts: 2219
  • no u
    • View Profile
    • Chavoland
Re: SMF Security
« Reply #21 on: January 26, 2007, 11:04:04 am »
Sounds like an interesting idea, but I don't have shell access on this host so I don't know if I can do that.  Our sponsor said they want to switch to a dedicated host soon, so hopefully when that happens I can implement something like that.  scp sounds promissing too.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: SMF Security
« Reply #22 on: January 26, 2007, 10:43:20 pm »
In order to defeat ssh bruteforce bots, I made a firewall rule that blocks for an hour anyone who connects more than 3 times within 30 seconds.
Personally, I'd block somebody permanently after 50 attempts.  But I like being a jerk :)

If you had the ability to use snort-inline (which I know you don't) (not you, nslay), you could automatically block anybody with 3 failed logins to SMF.  That'd be a pretty cool rule :)

Offline AntiVirus

  • Legendary
  • x86
  • Hero Member
  • *****
  • Posts: 2521
  • Best
    • View Profile
Re: SMF Security
« Reply #23 on: February 06, 2007, 03:49:18 pm »
... you could automatically block anybody with 3 failed logins to SMF.  That'd be a pretty cool rule :)
What would happen to those that forgot their password and they tried more than three times?


Why would he have bots? 

Anyways, the only thing you can do is require admin approval for new members, and to require an account to view anything.  But that's not practical on most boards, so just back up your DB every night (to either a write-once media or to a remote server) or deal with it. 
I would agree that you should try and do an admin approval for new members.  I also agree that having an account to view anything isn't practical, but can't you set the permisisons of a guest to have "View Only" on specific (of all) boards, so that they can only view certain boards of the forum and not actually post? 


P.S.
Sorry for a late reply. :P
« Last Edit: February 06, 2007, 03:52:19 pm by AntiVirus »
The once grove of splendor,
Aforetime crowned by lilac and lily,
Lay now forevermore slender;
And all winds that liven
Silhouette a lone existence;
A leafless oak grasping at eternity.


"They say that I must learn to kill before I can feel safe, but I rather kill myself then turn into their slave."
- The Rasmus

Offline Joe

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: SMF Security
« Reply #24 on: February 08, 2007, 12:03:55 am »
... you could automatically block anybody with 3 failed logins to SMF.  That'd be a pretty cool rule :)
What would happen to those that forgot their password and they tried more than three times?

Contact an administrator.
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline Ersan

  • Full Member
  • ***
  • Posts: 143
  • Hi! I'm new here!
    • View Profile
Re: SMF Security
« Reply #25 on: February 08, 2007, 02:49:45 am »
http://cbl.abuseat.org/
http://www.njabl.org/

open relays/proxies, exploited computers, computers infected with viruses, known botnets, spammers, etc.

http://tor.noreply.org:9030/ (http://www.noreply.org/tor-running-routers/)

open tor exit nodes.

Trying to ban anyone using a proxy is impossible, it's the inherent nature of the concept of proxies...
« Last Edit: February 08, 2007, 02:54:24 am by Ersan »

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: SMF Security
« Reply #26 on: February 08, 2007, 08:40:23 pm »
Trying to ban anyone using a proxy is impossible, it's the inherent nature of the concept of proxies...
It's inherent? Last time I checked, proxies are for relaying traffic, not for anonymization. That just happens to be a side effect, not its inherent nature.

Offline Ersan

  • Full Member
  • ***
  • Posts: 143
  • Hi! I'm new here!
    • View Profile
Re: SMF Security
« Reply #27 on: February 09, 2007, 12:07:40 am »
Ok, side effect, who gives a fuck?  Stop trolling and learn something about network security.

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: SMF Security
« Reply #28 on: February 09, 2007, 03:31:07 am »
Ok, side effect, who gives a fuck?  Stop trolling and learn something about network security.

Why use words when you clearly don't know what they mean?

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: SMF Security
« Reply #29 on: February 09, 2007, 08:55:47 am »
Ok, side effect, who gives a fuck?  Stop trolling and learn something about network security.
Ok, one of us is being paid for being a security analyst with over a year of professional experience. Which is it? I'll give you a hint: not you.

Offline Chavo

  • x86
  • Hero Member
  • *****
  • Posts: 2219
  • no u
    • View Profile
    • Chavoland
Re: SMF Security
« Reply #30 on: February 09, 2007, 09:58:12 am »
This is actually a rather important thread that I'd rather not go off topic ;)