Advertisement:

Author Topic: Exactly how secure is SMF?  (Read 5898 times)

Offline minico

  • Semi-Newbie
  • *
  • Posts: 83
Exactly how secure is SMF?
« on: November 04, 2013, 08:34:16 PM »
About 99% completed with building my website.  I have version 2.0.6 installed to my root directory and it is basically acting as the website.  I am on a shared server with shared SSL.  Do I need to upload a firewall mod etc...?  What do you recommend and why?  Thanks

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,228
    • StoryBB/StoryBB on GitHub
Re: Exactly how secure is SMF?
« Reply #1 on: November 04, 2013, 08:38:32 PM »
What do you mean by secure, exactly?

You don't *need* a firewall mod, just as you don't *need* SSL (SMF protects the password of users logging in without recourse to need SSL, though SSL is definitely better)

As for the firewall mod, I'm always wary recommending it because of the number of people that manage to ban themselves.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline margarett

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 19,761
  • Gender: Male
Re: Exactly how secure is SMF?
« Reply #2 on: November 04, 2013, 08:39:06 PM »
Well, that's a debatable question, the type of question that won't get you answered :P

SMF is safe to the extent of that we know/have been reported.

Now, what's safe? For safety, my company pays a bunch of money to Cisco certified engineers to maintain the firewalls safe. But if a user chooses to share a complete price list all over the internet... Meh :-/ (actually that's not easily doable, but it was just an example)
Se forem conduzir, não bebam. Se forem beber... CHAMEM-ME!!!! :D

Quote
Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair

Offline minico

  • Semi-Newbie
  • *
  • Posts: 83
Re: Exactly how secure is SMF?
« Reply #3 on: November 04, 2013, 08:41:54 PM »
What do you mean by secure, exactly?


Hi Arantor,

Just wondering if my website will be fairly secure from hacks etc... the way I have it set up (No security mods) and if you guys recommended me doing anything to it as far as security goes.

Offline minico

  • Semi-Newbie
  • *
  • Posts: 83
Re: Exactly how secure is SMF?
« Reply #4 on: November 04, 2013, 08:45:16 PM »
Well, that's a debatable question, the type of question that won't get you answered :P

For safety, my company pays a bunch of money to Cisco certified engineers to maintain the firewalls safe.

I don't have a lot of money lol...   :laugh:

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,228
    • StoryBB/StoryBB on GitHub
Re: Exactly how secure is SMF?
« Reply #5 on: November 04, 2013, 08:47:20 PM »
You add whatever you feel comfortable with adding.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

Offline minico

  • Semi-Newbie
  • *
  • Posts: 83
Re: Exactly how secure is SMF?
« Reply #6 on: November 04, 2013, 08:50:08 PM »
Okay, Thanks

Offline margarett

  • SMF Friend
  • SMF Super Hero
  • *
  • Posts: 19,761
  • Gender: Male
Re: Exactly how secure is SMF?
« Reply #7 on: November 04, 2013, 08:50:44 PM »
You took my words out of context :P

What I was saying is that the chain will break by its weakest link. Imagine that one of your administrators (maybe yourself?) uses a weak password and it gets discovered... What's the use of anything outside the software? See my point?

SMF has, that we are aware, no vulnerabilities. But hackers are trying everyday to break security. Heck, PHP's website was hacked some days ago! So, security holes will exist, will be patched and will be exploited. Don't loose your sleep over it ;)
Se forem conduzir, não bebam. Se forem beber... CHAMEM-ME!!!! :D

Quote
Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair

Offline minico

  • Semi-Newbie
  • *
  • Posts: 83
Re: Exactly how secure is SMF?
« Reply #8 on: November 04, 2013, 09:00:36 PM »
Okay Margaret, thanks guys and have a great evening!

Offline a10

  • Charter Member
  • Sr. Member
  • *
  • Posts: 855
Re: Exactly how secure is SMF?
« Reply #9 on: November 05, 2013, 06:45:17 AM »
Do regular backup'ing, so there's always very recent stuff available for restore whatever the situation (hacking, virus, one's own doings, crashes etc).
2.0.15, ssl, php 7.1.31, MySQL 10.3.13-MariaDB~bionic
Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

MrPhil

  • Guest
Re: Exactly how secure is SMF?
« Reply #10 on: November 05, 2013, 09:12:35 AM »
When you say "hacked", are you concerned about actual hacking, where someone gets in and erases or vandalizes files or adds Trojans or backdoors, or are you really talking about spamming, which is a whole 'nuther kettle of fish. SMF is quite secure against hackers (but nothing is invulnerable). Against spammers signing up, definitely use the Questions and Answers feature. You can also try turning up the CAPTCHA (visual puzzle) as high as you and your members can stand it, but that doesn't do much good these days. There are some separately installable mods that look up applicants on third-party databases of known spammers. Unfortunately, once a spammer gets past this hard shell, there's not much within SMF to stop them. You can require CAPTCHA for the first N posts, but that doesn't seem to do much good any more. SMF really needs something to examine post content and poster behavior, and hold suspected spam for the administrator to look at.

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 58,333
  • Gender: Male
    • Kindred-999 on GitHub
Re: Exactly how secure is SMF?
« Reply #11 on: November 05, 2013, 09:29:36 AM »
Mr Phil,

You keep commenting on what you think SMF "needs".

Please... put your money where your mouth is.
Head over to the 2.1 repository on github and make some contributions towards these things that you feel are "needed".
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

MrPhil

  • Guest
Re: Exactly how secure is SMF?
« Reply #12 on: November 05, 2013, 09:41:46 AM »
If I don't have the time and the in-depth knowledge of SMF's internals to do the job right, what the hell is wrong with saying "I think SMF needs ______" and hoping that someone casting about for a project will pick it up? Yours and @Arantor's snippy comments about "Why don't you do it yourself, or STFU?" are wearing quite thin. I'm happy to make suggestions, I'm happy to come up with suggested algorithms and code segments, but I don't feel I have the time to do the whole thing. OK?

Offline Suki

  • Kaizoku Jotei
  • Developer
  • SMF Super Hero
  • *
  • Posts: 15,477
  • Oh, wouldn't it be great if I *was* crazy?
    • MissAllSunday on GitHub
    • SMF mods
Re: Exactly how secure is SMF?
« Reply #13 on: November 05, 2013, 09:47:41 AM »
You don't actually need to build an entire feature, every small bit counts.

You making suggestions is not the problem but how you do it, perhaps wording it differently will get different reactions.
Disclaimer: unless otherwise stated, all my posts are personal and does not represent any views or opinions held by Simple Machines.

Look at them. They're just asking for it. Maybe the human race deserves to be wiped out.

Offline Kindred

  • The Mean One
  • Support Specialist
  • SMF Legend
  • *
  • Posts: 58,333
  • Gender: Male
    • Kindred-999 on GitHub
Re: Exactly how secure is SMF?
« Reply #14 on: November 05, 2013, 10:13:17 AM »
I'm glad to hear that you're willing to help.... Even not doing a completely finished "pull" (like dropping the algorithms into an enhancement issue report) would be useful.

And as Suki points out, the problem is not pointing out things that you'd like to see...  The problem that we have is that you DEMAND that whatever feature you are talking about is "needed", "required", "must be done" and other language along those lines. :( In other posts you refer to some existing features in excessively negative terms (despite the fact that the features are only buggy under certain circumstances).

So, yes... while things probably should get fixed or addressed, we have a limited number of devs working (although more than we did 2 months ago!) and they have a limited amount of time to work on SMF amongst their RL responsibilities.

So, if we sound snippy sometimes, it's because you (and certain others) SEEM to be demanding and complaining about things alot without actually stepping up to contribute
« Last Edit: November 05, 2013, 10:46:58 AM by Kindred »
Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,228
    • StoryBB/StoryBB on GitHub
Re: Exactly how secure is SMF?
« Reply #15 on: November 05, 2013, 10:37:56 AM »
This is it exactly... I see an awful lot of 'SMF MUST DO THIS OR ELSE RAAAAAAHH' type comments from you, MrPhil. The difference is, instead of complaining about what SMF isn't doing, I spent my time not complaining about it but researching how it should be done.

You speak very often of a defence in depth approach. What exactly do you consider this to be? Does it involve the admin configuring it or some kind of centralised ruleset of spam that admins refer upwards (like some kind of Akismet system)? How would this work for multiple languages?

One of the things I will be adding in 3.0 is the moderation filters system I built for <that other forum system whose name I dare not speak lest its author stalks me again>, which would cover a number of the things you mention; it redefines how post moderation works such that you can tie all kinds of criteria to it (even down to things if the post contains links or not and how many) but it's way out of scope for 2.1 if we want it out this year.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.

MrPhil

  • Guest
Re: Exactly how secure is SMF?
« Reply #16 on: November 05, 2013, 09:22:32 PM »
I see an awful lot of 'SMF MUST DO THIS OR ELSE RAAAAAAHH' type comments from you
That's not what I'm posting, but if that's how you choose to interpret/filter what I say, that's your problem. Needless to say, with that attitude (you and a few others), I do not wish to devote serious time to SMF. I already spend more time than is good for me, trying to help out around here. I am free to say "SMF needs such and such", and may offer suggested algorithms or code fragments (as I have done before), but leave it to someone else to actually put them into the code.

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 71,228
    • StoryBB/StoryBB on GitHub
Re: Exactly how secure is SMF?
« Reply #17 on: November 05, 2013, 09:26:53 PM »
Obviously I was embellishing it a little for effect.

But even from your post earlier in this thread:
Quote
SMF really needs something to examine post content and poster behavior, and hold suspected spam for the administrator to look at.

How am I supposed to interpret that, exactly?

But here's the thing, you're the one telling us how things should be done, and every time we invite you to actually put your money where your mouth is, you back out. Last time it was the talk of infighting, this time it's the attitude of myself and others. What will the next time be? Oh, that's right, next time it'll be that no-one's helping you get familiar with the code. (No-one gave me a how-to on writing code for SMF. I just wrote dozens of mods.)

I mean, as you told me, you have *decades* of experience more than I do about this stuff, you were doing this before I was born, so if you're so good at it, I'd love to see more than pontificating and "suggestion" (which isn't really suggestion) and actually putting some time in.

If you really feel you're putting in too much time here, that's your problem, but kindly get off the lawn if all you're going to do is play the grumpy old man card.

On the other hand, I put aside some time to actually fix the issues. Remember that before you start your next tirade: I spent a lot of time complaining, just like you do, only I put my money where my mouth is to actually fix things, to actually create improvements. Until you do the same, I don't see how I can take your diatribes too seriously.
Don’t try to tell me that some power can corrupt a person. You haven’t had enough to know what it’s like.

No good deed goes unpunished / No act of charity goes unresented.