Securing my site

Regular Joined: Jul 22, 2005 Posts: 78

I NEED to make sure that my site is totally secure. My last site, which was a newer php board was hacked into through a backdoor somehow or another (I can't figure out how the hell they did it).

This is what I have:

I am running Nuke 7.6 patched to 3.0
Sentinel 2.3.2

I also downloaded the Approve Membership module.

I also ban every IP address that I don't know.

See, this is a private web page for a group of women who are trying to stay away from the hacker/stalker (who by the way is FEMALE!!). So it is VERY important for us to be secure.

Am I as secure as I can get, or is there something else I can do to prevent backdoor hacking?

Thanks
Rose

Posted: Tue Aug 02, 2005 6:29 am

And I forgot to ask this...need more coffee this morning I guess. Smile

How will I KNOW if my site got hacked into without them being obvious?

Thanks again
Rose

Site Admin/Owner Joined: Aug 27, 2002 Posts: 17088

The patches secure the core files from all known security risks. NukeSentinel secures your site from XSS and other exploits that are passed through the URL, as in GET and POST requests. If you have set the blocker settings conservatively, then you are protected from every known exploit. Now, your biggest risk comes from 3rd party applications, especially, but not limited to, Coppermine. However, any application that allows uploads w/o filtering and security, open your site to danger. Blocking IP's you don't know is very unfriendly because of dynamic IP assignments for most people on the net. But, that's just an editorial staement and not a gripe Wink

It's your site - do what you wanna do. I can't tell you, who to sock it to ROTFL

Thank the Isley Brothers for that Wink

Posted: Tue Aug 02, 2005 7:51 pm

Okay, exactly what do you mean by "However, any application that allows uploads w/o filtering and security, open your site to danger." Do you mean blocks that pull info from other sites, such as "Random Facts"? I'm a little confused.

And yeah, I know I shouldn't block everything, but I don't even want to be listed on the search engines if I can help it. We are THAT paranoid. This woman (and I use that term loosely, I have other, much more colorful names) has even tried to take her vendetta offline. She obviously doesn't play well with others!! These ladies just wish to be left alone and that is what I am trying to do for them.

And I'm going to do a search on Coppermine since I've never heard of it. And I guess other 3rd party applications too, just so that I am educated.

But as of now I am pretty much secure against known exploits. So that is good.

And oh yeah, that question I forgot to ask..how do you know if someone got in your back door if they don't do anything obvious. Will their IP address show in sentinel?

Thanks again Raven. Smile

Rose

Posted: Thu Aug 04, 2005 6:06 pm

Hi Rose,

PHP has the advantage of being easy enough to learn that almost anyone can create a script that will add functionality to your web site, but not everyone who can create a script necessarily knows how to secure it. Then too, some scripts can't be secured 100% and still be functional. A module that allows people to have their own photo albums (like Coppermine) is a good example. Best practice would be not to allow anyone to upload anything to your server, but if you want album functionalty you will have to allow this access to your members. You take a risk that someone can upload something malicious or use the broader access provided by the module to attempt a hack; as webmaster you have to decide how much access to the server is an acceptable risk.

As to Sentinel, Sentinel protects against known script exploits in PHP-Nuke. If somebody gains access to your installation through some kind of backdoor, Sentinel won't warn you about it.

If you have a static membership and need a high degree of security for to protect their privacy, it might be a good idea to require authentification for anyone to even view your web site. If the membership is small enough, you can assign each person a unique name and password for access; for a larger membership you can create a similar group access.

If you need to keep your site viewable by visitors, I would at least suggest blocking all proxies in Sentinel. If this stalker is trying to hack your site, she will most likely use a proxy to hide behind. Don't make anything easy for her - take away her anonymity.

Hope this helps some & good luck,

Laura

Posted: Thu Aug 04, 2005 7:17 pm

I absolutely do not need my site viewable by all visitors. I have a static membership of 12 members and as of now, that is it. These women trust each other and NO ONE else!!

I do not allow uploads of any kind. I did search Coppermine and it is not something that I would use. Really, all these ladies are interested in is the forum so they can just talk to each other. I put the other stuff up as eye candy and practice for myself. I figured if I'm going to learn it, I might as well go all the way with it.

And I have all proxies blocked. That is what the stalker was using before to make posts on other message boards, posting our PM'S for crying out loud. So I am very, very paranoid.

Okay, now another question. And I'm sure others may be wondering too. How exactly do you require authentification for anyone to even view the site? I've got most things turned off to "all visitors" and they can only be viewable by "registered users". Can I turn everything off so that nothing shows up but a login page? Or is there another way?

Laura, you've been awesome. Very clear and concise and easy to understand, even for a relative newbie like me. I've only been doing this about a month or so.

Thanks SO much

Rose

Posted: Thu Aug 04, 2005 11:38 pm

If you plan to restrict access to view your site you probably won't need this for the search engines, but to keep your site from being indexed by the "nice" engines, open up /includes/meta.php and change:

Code:

$metastring .= "<META NAME=\"ROBOTS\" CONTENT=\"INDEX, FOLLOW\">\n";

to:

Code:

$metastring .= "<META NAME=\"ROBOTS\" CONTENT=\"NOINDEX, NOFOLLOW\">\n";

If you are using a system running Apache server with cPanel, go into your control panel, select "Password Protect Directories" and then select /(Current Folder). This is /public_html, and you can set who may access your public site here.

It's been a while since I used an Ensim panel but as I recall, in site administration you should go into "Configure Apache Web Server". There should be something like Protect Directories, Manage Groups, Manage Users at the top where you can set up access.

When someone types in your domain name, they should then get a pop-up box requesting a valid username/password combination.

Thanks for the kind words. It brightened my evening. Smile

Site Admin Joined: Jun 04, 2004 Posts: 6432

You might also consider making all modules except for News and Your_Acount available only to members through modules administration. If you're using the standard modules block to display your menu, this would only display the Forums, for example, to members who have signed on. Most likely, the News module is the home page module, so you wouldn't want "Sorry, module not available" displaying on the home page. If Your_Account is available only to members, no one will be able to access their accounts (yes, the cookie gets saved on the members client system, but get removed easily and also expire).

If you REALLY want to block everyone but the 12 or so members AND you're hosting the site on an Apache server (as opposed to IIS), you could add HTTP authentication to your root Nuke directory and require anyone seeking access to your site to enter a user ID and password in a popup menu (NukeSentinel has this feature built-in for blocking access to the admin.php and you should DEFINITELY turn this on if you use Apache).

But this user ID and password is maintained separately from the PHP-Nuke users and would required an alternate solution or manual entry to determine the encrypted passwords and maintain the list of users and passwords. If this interests you, search the forums here for HTTP Admin Auth or just admin authentication for more details.

Posted: Sat Aug 06, 2005 8:42 pm

More awesome advice!!

I'll probably do all of the above. It's important to keep these women safe.

Thanks SO much for all the wonderful advice.

Rose