
SMF Security

Started by Chavo, January 19, 2007, 05:54:41 PM


Chavo

A friend of mine was having problems with someone hacking his IPB installation for an online community with a large user base.  He didn't have the money to upgrade to the newest version of IPB so I suggested SMF.

Any SMF veterans have any tips for securing SMF for a large user base?  I'm looking at you iago and Sidoh.

Newby

- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

Quote from: Rule on June 30, 2008, 01:13:20 PM
Quote from: CrAz3D on June 30, 2008, 10:38:22 AM
I'd bet that you're currently bloated like a water balloon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT.

iago

SMF, like most other stuff, is secure as long as you stay at the latest version. 

There are no major known security vulnerabilities in SMF.

Chavo

Thanks. No general advice, like disabling offsite avatars to avoid script injection or that sort of thing?

Some things tend to be less secure than others in larger user bases.

iago

Well, unless they've fixed it karma was traditionally vulnerable to a CSRF attack, which is sort of why it got turned off on vL.  I have no idea if that's been fixed, but I generally just turn off karma.  It's easier than letting people abuse it. 

Off-site avatars can cause minor privacy issues, like user-tracking, but I don't know of any real danger. 

I can't really think of anything serious. 
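The karma CSRF iago mentions is a general pattern: a state-changing action reachable by a plain link or image tag, which the victim's browser fires with the victim's cookie attached. The following is an added illustration written for this thread; it is not SMF's code and does not claim to show how SMF's karma handler was written. The `Session`, `Request`, parameter names (`sa`, `u`, `token`) and the karma store are all assumed for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    # Per-session secret. A page on another origin cannot read it, so an
    # attacker cannot put the right value into a forged request.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    method: str
    params: dict
    session: Session  # the browser attached the victim's cookie automatically


def apply_karma_vulnerable(req, karma):
    """Acts on any request carrying the right parameters. An <img src=...>
    or a link on another site makes a logged-in visitor 'vote' unknowingly."""
    target = req.params["u"]
    delta = 1 if req.params.get("sa") == "applaud" else -1
    karma[target] = karma.get(target, 0) + delta
    return True


def apply_karma_hardened(req, karma):
    """Requires a POST plus a token bound to the caller's own session.
    The POST requirement alone is not enough (an auto-submitting form
    forges a POST just as easily); the token is what stops the attack."""
    if req.method != "POST":
        return False
    supplied = req.params.get("token", "")
    if not hmac.compare_digest(supplied, req.session.csrf_token):
        return False
    target = req.params["u"]
    if target == req.session.user:
        return False  # no voting for yourself
    delta = 1 if req.params.get("sa") == "applaud" else -1
    karma[target] = karma.get(target, 0) + delta
    return True


def forged_request(victim_session):
    """What the victim's browser sends after loading the attacker's page:
    the victim's session, but no token, since the attacker never saw one."""
    return Request("GET", {"sa": "smite", "u": "victim"}, victim_session)


def legitimate_request(session, target, sa="applaud"):
    """A vote submitted from the forum's own form, which embeds the token."""
    return Request("POST", {"sa": sa, "u": target, "token": session.csrf_token}, session)
```

Turning karma off, as iago does, removes the action entirely; the token check is what you would want if the feature has to stay.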

iago

Ironically, somebody posted a XSS flaw recently that affects all current versions.  There's a workaround on Bugtraq, but it's so minor I'll wait for a patch.

Chavo

Ok, the guy that hacked the previous boards (before I convinced them to install SMF instead of an old version of IPB) posted on our boards yesterday.  I banned him of course, but I think he was using a proxy to post.  Do you have any recommendation for banning all proxies, other methods of keeping them out, etc?

Sidoh

I don't think that it's possible, though I'm definitely no expert with proxies.  You could just turn on account verification for a few weeks until he finds something better to do.

Chavo

He isn't posing a threat right now.  He apparently tried to crack my and a few other admins' passwords last night, failed, and moved on to another dota site (which he did crack actually).

Is there a list of publicly known proxies that I can ban? I'd rather people didn't use proxies at all for this forum (it's important on this particular forum to avoid duplicate accounts, etc).

Sidoh

Quote from: unTactical on January 24, 2007, 12:05:15 PM
He isn't posing a threat right now.  He apparently tried to crack my and a few other admins' passwords last night, failed, and moved on to another dota site (which he did crack actually).

Is there a list of publicly known proxies that I can ban? I'd rather people didn't use proxies at all for this forum (it's important on this particular forum to avoid duplicate accounts, etc).

Some of these look pretty promising.
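Public proxy lists usually arrive as one address or CIDR block per line. Whatever list you pick, the check against it has to run on the address the server actually saw; `X-Forwarded-For` is set by whoever sent the request and is only meaningful when the TCP peer is a proxy you run yourself. The code below is an added example for this thread, not part of SMF; the sample list, the `trusted_proxies` setting and the helper names are constructed for illustration.

```python
import ipaddress

# Constructed sample in the shape such lists usually take. These are
# documentation ranges, not a real proxy list.
SAMPLE_BANLIST = """
# open proxies (constructed example entries)
203.0.113.0/24
198.51.100.17
2001:db8:1::/48
not-an-address
"""


def parse_banlist(text):
    """Parses addresses and CIDR blocks, ignoring comments and junk lines."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # skip malformed entries rather than failing the whole list
    return nets


def is_banned(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def client_ip(remote_addr, x_forwarded_for="", trusted_proxies=()):
    """Returns the address to run the ban check against.

    The header is honoured only when the TCP peer is one of our own
    proxies; otherwise anyone can spoof it and walk straight past the ban.
    Walking the chain from the right, the first hop that is not one of our
    proxies is the address our proxy really talked to."""
    trusted = [ipaddress.ip_network(p, strict=False) for p in trusted_proxies]

    def ours(a):
        try:
            addr = ipaddress.ip_address(a)
        except ValueError:
            return False
        return any(addr in net for net in trusted)

    if not ours(remote_addr):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not ours(hop):
            return hop
    return remote_addr
```

A list like this only catches proxies somebody has already catalogued, which is why Sidoh's point stands: it raises the cost, it does not make evasion impossible.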

Newby

Quote from: unTactical on January 24, 2007, 12:05:15 PM
He isn't posing a threat right now.  He apparently tried to crack my and a few other admins' passwords last night, failed, and moved on to another dota site (which he did crack actually).

He's a bitch. I bet he sits on efnet with a 3-bot botnet and talks shit.

iago

Why would he have bots? 

Anyways, the only thing you can do is require admin approval for new members, and to require an account to view anything.  But that's not practical on most boards, so just back up your DB every night (to either a write-once media or to a remote server) or deal with it. 

Newby

If he actually tries bruteforcing with one active attempt at a time, he's a damn fool.

iago

Assuming it takes 100 bytes to do an attempt, a low-end 768kbit connection can do 123 attempts/second.  I don't think that's an unreasonable number.  You aren't going to get a significant improvement if you have 3 bots. 

Plus, not every hacker has bots.  In fact, most don't.  Bots are typically just used for spamming (using them to attack or DDoS is significantly less common this year, and spam is more common). 

Newby

123*4 = 492 attempts/second. That's a pretty significant improvement.
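Whether the attacker manages 123 or 492 guesses a second only matters if the login handler checks every one of them. The added example below (written for this thread; not SMF's login code, and the window, budget and lockout values are assumptions) counts failures per account and per source address, refuses further attempts once the budget is spent, and does so before the password is hashed, so a locked-out caller costs almost nothing and learns nothing. `simulate` replays Newby's 492 attempts/second for ten seconds to show how many guesses actually reach the password check.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque


def hash_password(password, salt):
    # Deliberately slow hash, so every guess that does get through costs CPU.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    """Sliding-window failure counter with lockout, keyed by account and by
    source address. Values below are assumptions for the example."""

    def __init__(self, max_failures=5, window=300.0, lock_seconds=900.0):
        self.max_failures = max_failures
        self.window = window
        self.lock_seconds = lock_seconds
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lockout expires

    def allowed(self, key, now):
        if self.locked_until.get(key, 0.0) > now:
            return False
        q = self.failures[key]
        while q and now - q[0] > self.window:
            q.popleft()
        return True

    def record_failure(self, key, now):
        q = self.failures[key]
        q.append(now)
        if len(q) >= self.max_failures:
            self.locked_until[key] = now + self.lock_seconds
            q.clear()

    def record_success(self, key):
        self.failures.pop(key, None)
        self.locked_until.pop(key, None)


def attempt_login(guard, users, username, password, source_ip, now):
    """Returns 'locked', 'bad' or 'ok'. The throttle runs first, so a
    locked-out caller never triggers the expensive hash."""
    keys = ("user:" + username, "ip:" + source_ip)
    if not all(guard.allowed(k, now) for k in keys):
        return "locked"
    rec = users.get(username)
    if rec is not None and hmac.compare_digest(hash_password(password, rec[0]), rec[1]):
        for k in keys:
            guard.record_success(k)
        return "ok"
    for k in keys:
        guard.record_failure(k, now)
    return "bad"


def make_users():
    # Constructed credential store: username -> (salt, hash).
    salt = os.urandom(16)
    return {"admin": (salt, hash_password("correct horse battery staple", salt))}


def simulate(attempts_per_second=492, seconds=10, users=None):
    """Replays a single-source online guessing run and counts what happened."""
    users = users if users is not None else make_users()
    guard = LoginGuard()
    counts = {"ok": 0, "bad": 0, "locked": 0}
    for i in range(attempts_per_second * seconds):
        now = i / attempts_per_second
        counts[attempt_login(guard, users, "admin", "guess%d" % i, "198.51.100.7", now)] += 1
    return counts
```

The per-address key is what stops the single-proxy attacker; the per-account key is a double-edged sword, since it lets anyone who knows an admin's username lock that admin out, so in practice the per-account response is better made a growing delay or a captcha than a hard lock.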