Server security on www.Amigans.net

Just reposting a reply I made to Mikey_C on the old site, in case it gets missed, since I think this is an important topic:

@Mikey_C Quote:
Ouch . It appears that using (what I assume was) the latest up-to-date forum software is not sufficient for security. When I previously asked someone about forum security, I was told that it is best to either use custom software, or else install the standard software in non-standard locations, so that hacking bots/software will not work on it.

Quote:
Given what I wrote above, it seems we have two options:
1. Switch to some custom forum software. Orgin's hand-crafted forum system used for temp.Amigans.net would seem to fit the bill.
2. Get the EXISTING www.Amigans.net forum up-and-running again, but this time move all the server software to non-standard locations. This seems the easier option.


While in principle I have no objection to using Orgin's hand-crafted temp.Amigans.net site (system) instead, the problem is that we would loose (a) a huge amount of really useful threads, and (b) potentially many users may not bother to re-register because of the hassle (although I hope this would not be the case, you never know).

I am sure it is possible to transfer all those threads & user accounts across, but the problem is it would need a lot of work by one or more people with a lot of experience of web forum management (and databases in general).

I always use custom code on my websites for very much that reason, I wouldn't be suprised if my custom code was easier for a human attacker to break through, but it's never going to get a bot written for it.

Thank god it's up again. :)

Makes me wonder, who would want to attack us all the time? Suspicious.

Quote:

My website gets attacked every day by scripts designed to exploit weaknesses in various CMS software. To date, none of them have been successful though.

It's possible that someone came up with a highly successful script because this website wasn't the only one that I tried to visit that suddenly stopped working over the weekend.

Hans

Thanks to those for fixing the glich! That's worth a donation from a favorite PAL...

@staff

Were any passwords stolen this time possibly ?

@ChrisH

Do you know how the other Amiga forums are doing this? Are they using some custom forum software? For example I don't remember that this kind of things have happened to Amigaworld so far. But it has happened already twice at Amigans, although this site is newer.
I hope the security will improve over time.

1. The site was not hacked, it was subject to a DDOS attack after a dictionary attack on shell accounts failed.

2. This happens to sites all the time on the internet, but this site is hosted as a gratis favour so it isn't a high priority for us.

3. The site was brought down by me whilst I checked how far any hacks had gone, improved the security.

4. As far as I am aware no passwords were stolen, but you should reset your passwords as a matter of course regularly and never be so stupid as to use your passwords on a forum for anything important.

Whilst generic forum portal software is hard to keep secure if the administration staff do not apply regular patches - and even then - hosting custom portal software is no more likely to be secure if the target is tempting. Amigans.net is obscure and very much off the radar, therefore I do not think you need to worry unduly as most "hackers" just google for forum software version strings or typical URLs that identify the forum software and then attack that using known exploits and scripts OR they just attack a range of addresses.

Because much like the adminstrative staff of the forum software (not the same thing as the server) this service is provided voluntarily, if you want better service it would need to be paid for.

In this instance, I reiterate, it was not the forum software that was exploited (as far as I can ascertain) just a brute force attack. So the thread is pretty much moot.