How to secure forum?

[Ben Philp]

Hello,

 

After xenforo to IPS board, many users started telling me IPS board have many exploit on internet and easy to hack forum

they said different comments such as

 

"I know there used to be exploit to make a admin account. I forget exactly how it worked but I know it had to do with user 1 in the database which is normally the default admin account. so please disable html on the forums"

"He said he was scanning the forums so that means to me he was doing pentesting. Then found some security flaws. This is why I am curious about this. https://www.exploit-db.com/exploits/25441"

"Dear modreator  the new fourm has some vulnbrity in it iam afraid from put a payload in it"

"i scan the new fourm and i found 5 high risk proplem so i suggest you to scan it again and make it safe"

 

please teach me the way how to secure the forum?

 

thanks.

 

 

 

Edited May 17, 2020 by Ben Philp

[bfarber]

I wouldn't put any credence whatsoever into random "oh your site can be hacked you should scan it" type reports like that.

The one link you provided is for legacy 1.x/2.x/3.x versions (none of which are even supported anymore). That would be like someone telling you your computer running Windows 10 is insecure because they managed to find an exploit for Windows 95 posted somewhere on the internet.

[Pescao6]

All forums are high targets for attacks.

I can comment on several CMS I've used where I know I did in fact get DDOS attacks, SQL injections, Cross Scripting attacks, etc.

And the only way I know to deal with those is by having a CDN and WAF.

 

1 hour ago, bfarber said:

I wouldn't put any credence whatsoever into random "oh your site can be hacked you should scan it" type reports like that.

Technically, no site is 100% safe. If someone really wanted to hack you, I'm sure they could find a way.

If you wanted to scan your site to see what you could do to enhance your security, these free tools are useful:

• https://sitecheck.sucuri.net
• https://observatory.mozilla.org

 

 

1 hour ago, bfarber said:

The one link you provided is for legacy 1.x/2.x/3.x versions (none of which are even supported anymore). That would be like someone telling you your computer running Windows 10 is insecure because they managed to find an exploit for Windows 95 posted somewhere on the internet.

I strongly agree with this. The latest release of IPS has more security features than previous ones so I feel more safe with using it.

These internet heroes are some trusted companies that can help you secure your site even more:

• CloudFlare
• SiteLock
• Sucuri

CloudFlare's CDN is free and it is the most popular CDN on the internet. I've never used their WAF, but from what I've read it seems good.

I've used SiteLock's WAF and it was great at blocking and removing stuff automatically. I can't comment on their CDN, but it should be good as well.

Sucuri was acquired by GoDaddy, so it's cheaper to buy it as GoDaddy Web Security which includes both a CDN a WAF making it easier to manage all of your site's security from one place. The things I like the most about Sucuri include that they remove things by having a security expert manually scan your site, their exceptional customer service, their easy to understand documentation, and the fact their Dashboard makes it really easy for you to add additional security features.

Other than that...

1. YOU are the biggest risk to your own site.
   Try your best to follow internet safety guidelines like using different emails and passwords
   on different websites and keeping your phone and computer clean.
2. Secure your emails, IPS Board, cPanel, etc. with Two Factor Authentication.
3. Read EVERYTHING on your AdminCP and lock down your permissions. 
   Do it like the military; if someone doesn't NEED access to something, don't give it to them.
4. Backup backup backup! If a file doesn't exist in at least 3 places, it doesn't exist.
5. Try to stay informed. These are some security blogs I follow:
   https://threatpost.com/
   https://www.schneier.com/
   https://krebsonsecurity.com/

You might also enjoy this thread:

I'll probably be adding more to that as I continue developing my site. 🙂

[VaBeach_Guy]

On 5/18/2020 at 12:47 PM, Pescao6 said:

Sucuri was acquired by GoDaddy, so it's cheaper to buy it as GoDaddy Web Security which includes both a CDN a WAF making it easier to manage all of your site's security from one place. The things I like the most about Sucuri include that they remove things by having a security expert manually scan your site, their exceptional customer service, their easy to understand documentation, and the fact their Dashboard makes it really easy for you to add additional security features.

I just implemented GoDaddy's firewall service on my site back on the 13th. Since then, there have been a few issues. One of which I just discovered yesterday and it was that all of the visitors (guests and members) were being assigned the same IP addresses. I found the "Trust IP addresses provided by proxies" setting and set it to be on, and now that's resolved. But some members have told me that they're getting error messages saying that GoDaddy's firewall is blocking them due to cross scripting, when they're only trying to post as normal. I've even had it block me when I'm in the ACP doing normal admin stuff. I had to go and whitelist my IP to prevent that from happening. But trying to whitelist any and everyone isn't a reasonable thing to do. 

That's why I sought out anything (here), about GoDaddy's firewall service. I want the protection, but not if it does more 'harm' (for lack of a better word), than it does help. 

Is the firewall service just a superfluous service for an IP board or is it a genuinely beneficial thing to have? When I had them implement it, my belief was the latter. But I'm curious to know some other opinions/experiences.  

Edited May 19, 2020 by VaBeach_Guy

[Pescao6]

6 minutes ago, VaBeach_Guy said:

I just implemented GoDaddy's firewall service on my site back on the 13th. Since then, there have been a few issues.

Neither Sucuri nor Invision have proper documentation at this time, so hopefully this thread will answer some questions. 🦉

 

45 minutes ago, VaBeach_Guy said:

One of which I just discovered yesterday and it was that all of the visitors (guests and members) were being assigned the same IP addresses. I found the "Trust IP addresses provided by proxies" setting and set it to be on, and now that's resolved.

0. Yes, that needs to get enabled on AdminCP > System > Advanced Configuration > Trust IP addressess provided by proxies?

35 minutes ago, VaBeach_Guy said:

But some members have told me that they're getting error messages saying that GoDaddy's firewall is blocking them due to cross scripting, when they're only trying to post as normal. I've even had it block me when I'm in the ACP doing normal admin stuff.

Sucuri's Firewall blocks third parties to prevent cross scripting attacks and unfortunately they don't have a way to whitelist third party URLs at this time.

Twitter Style emojis are not hosted locally on your site.
If you look at the source of a twemoji image like  is it originates from:

https://twemoji.maxcdn.com/2/72x72/1f64a.png

Standard emojis like 🙊 shouldn't give you this problem and load faster on your site if you care about performance, but I prefer the twemojis because they look better.
This can be changed on AdminCP > Customization > Emoji

I found members were being blocked when:

1. Members attempted to use third party images images including twemojis on forum posts or their signature.
   Using a forum without third party images would be horrible. And I've had cases in the past where spammers posted links to phishing sites and images containing viruses, so this is something you'll need to consider really carefully. I don't know how much I'm exposing my site and everyone using Sucuri for their Invision Community by posting this here, but I will do it only because I don't want you to spend a month trying to figure this out like I had to. I simply whitelisted if a string ended with do=edit$ on Sucuri's Firewall > Settings > Access Control > Whitelist URL Paths After doing so, I went into the my site's AdminCP > System > Posting > Links > Allow only the links specified and whitelisted a bunch of URLs.
2. Admins attempted to edit a forum's description with third party images.
   I chose not to resolve this because the solution Sucuri suggested would expose my AdminCP and my Admins only seemed to get blocked when attempting to edit forums. I don't know what else you've been trying to do that you refer to as "normal admin stuff," but if you have any mods they may be causing the problem.
3. If you're using SSL and you allow your members to insert dynamic images that might change from a third party, you should also go to your AdminCP > System > Posting > Remote images > Serve images from local server? > Insecure images (Recommended)

Another dumb setting I found on Invision by default is AdminCP > System > Posting > Posting > Post Before Registering
I strongly recommend changing that to Disabled.

47 minutes ago, VaBeach_Guy said:

I had to go and whitelist my IP to prevent that from happening. But trying to whitelist any and everyone isn't a reasonable thing to do. 

You should whitelist yourself before doing any updates, but other than that you shouldn't need to stay whitelisted.

Also keep in mind that you will need to:

1. Clear your Invision cache by going to AdminCP > System > Support > Get Support > What do you need help with? > Something isn't working correctly
2. Clear Sucuri's CDN cache by going to Sucuri's Firewall > Settings > Performance > Clear Cache
3. Clear your Web Browser's cookies and cache by pressing CTRL+SHIFT+DEL or CTRL+H

And you will need to do so after every change your apply on your AdminCP or Sucuri.

I keep my Sucuri Caching Level on "Site caching (using your site headers)"
The "Enabled (Recommended)" caching option is too aggressive for forums.

You might also find this mod useful:

But I would wait until you resolve your Sucuri issues before implementing it. And while it does improve performance by leveraging browser caching, a change like that to your .htaccess could result in your members needing to clear their web browser's cookies and cache if you implement any major changes to your AdminCP or Sucuri.

57 minutes ago, VaBeach_Guy said:

That's why I sought out anything (here), about GoDaddy's firewall service. I want the protection, but not if it does more 'harm' (for lack of a better word), than it does help. 

Sucuri's Firewall has A LOT of features.

The latest thing I added as an idiot that caused my members to get blocked was switching my Referrer-Policy to origin

I then learned that caused some issues and I currently have it set to same-origin on Sucuri's Firewall > Settings > Security > Additional Headers > Referrer-Policy

I don't know if that's the "best" option for an Invision Community Refer Policy and if someone suggests something better let me know, but it seems to be working fine.

3 hours ago, VaBeach_Guy said:

Is the firewall service just a superfluous service for an IP board or is it a genuinely beneficial thing to have? When I had them implement it, my belief was the latter. But I'm curious to know some other opinions/experiences.  

I think it's a beneficial thing to have. I like the weekly reports which you can enable on your Overview > Email Reports

Everything seems stable for me so far. I haven't had any members blocked this month. 🧙‍♂️

[VaBeach_Guy]

1 hour ago, Pescao6 said:

Sucuri's Firewall blocks third parties to prevent cross scripting attacks and unfortunately they don't have a way to whitelist third party URLs at this time.

Twitter Style emojis are not hosted locally on your site.
If you look at the source of a twemoji image like  is it originates from:

https://twemoji.maxcdn.com/2/72x72/1f64a.png

Standard emojis like 🙊 shouldn't give you this problem and load faster on your site if you care about performance, but I prefer the twemojis because they look better.
This can be changed on AdminCP > Customization > Emoji

I found members were being blocked when:

An example where I was blocked is when I was in the ACP and went to change the Advertisement settings, where I have my Adsense code set. Once I tried to submit the changes, I got the "You're Blocked!! You're a Hacker!!" page from GoDaddy ... ok, it didn't call me a hacker, but it did say that I was blocked for trying to cross script.

One of the members on my site was posting a news article, which didn't contain any pictures or other things of that sort, just text, and he got the same 'You're blocked!' screen. So I have to wonder if there's people trying to access the site who can't, or people who are trying to register and can't. 

[Pescao6]

1 hour ago, VaBeach_Guy said:

An example where I was blocked is when I was in the ACP and went to change the Advertisement settings, where I have my Adsense code set. Once I tried to submit the changes, I got the "You're Blocked!! You're a Hacker!!" page from GoDaddy ... ok, it didn't call me a hacker, but it did say that I was blocked for trying to cross script.

I wouldn't know because I was whitelisted when I configured my Google Adsense. My admins don't have access to Advertisements because I've restricted them from it and I definitely don't want anyone adding scripts to my AdminCP; so if it's blocking Administrators from doing that, I see that as a good thing.

1 hour ago, VaBeach_Guy said:

One of the members on my site was posting a news article, which didn't contain any pictures or other things of that sort, just text, and he got the same 'You're blocked!' screen. So I have to wonder if there's people trying to access the site who can't, or people who are trying to register and can't. 

After you applied the changes I mentioned and cleared your cache like I said?

Did they clear their web browser cookies and cache and have no images or links on their signature?

 

[VaBeach_Guy]

1 hour ago, Pescao6 said:

I wouldn't know because I was whitelisted when I configured my Google Adsense. My admins don't have access to Advertisements because I've restricted them from it and I definitely don't want anyone adding scripts to my AdminCP; so if it's blocking Administrators from doing that, I see that as a good thing.

After you applied the changes I mentioned and cleared your cache like I said?

Did they clear their web browser cookies and cache and have no images or links on their signature?

I'm the only Admin that makes changes like this in the ACP, so there's no worry there with anyone else adding things. 

I haven't made any changes yet, I'll dig into that tomorrow afternoon when I have time to sit down with it. 

[Miss_B]

On 5/17/2020 at 10:06 AM, Ben Philp said:

Hello,

 

After xenforo to IPS board, many users started telling me IPS board have many exploit on internet and easy to hack forum

they said different comments such as

 

"I know there used to be exploit to make a admin account. I forget exactly how it worked but I know it had to do with user 1 in the database which is normally the default admin account. so please disable html on the forums"

"He said he was scanning the forums so that means to me he was doing pentesting. Then found some security flaws. This is why I am curious about this. https://www.exploit-db.com/exploits/25441"

"Dear modreator  the new fourm has some vulnbrity in it iam afraid from put a payload in it"

"i scan the new fourm and i found 5 high risk proplem so i suggest you to scan it again and make it safe"

 

please teach me the way how to secure the forum?

 

thanks.

 

 

 

Ipb is very secure, you have nothing to be afraid of in that regard. And as mentioned above, that link is for older versions of Ipb. As long as you keep your forum up to date with the latest version, you are safe. 

That being said, if would be best if you shared your worries with your host as well. Ask them about their security and such.

Edited May 20, 2020 by Miss_B

[Pescao6]

On 5/19/2020 at 2:01 PM, VaBeach_Guy said:

[I] implemented GoDaddy's firewall service on my site

Just out of curiosity, are you still using GoDaddy's firewall? I decided to switch to StackPath after setting up a second website on the same GoDaddy Web Security account which broke the configuration for my Invision Community site I already had working fine for over a year. And so far I've been with StackPath for over a year with multiple sites and no problems. The configuration was similar to GoDaddy's firewall; you have to make some exceptions or modify what the WAF blocks, but it wasn't too bad after the initial nightmare I went through setting up GoDaddy's firewall.