Exactly how secure is SMF?

Started by minico, November 04, 2013, 08:34:16 PM

minico

About 99% completed with building my website.  I have version 2.0.6 installed to my root directory and it is basically acting as the website.  I am on a shared server with shared SSL.  Do I need to upload a firewall mod etc...?  What do you recommend and why?  Thanks

Arantor

What do you mean by secure, exactly?

You don't *need* a firewall mod, just as you don't *need* SSL (SMF protects the password of users logging in without recourse to need SSL, though SSL is definitely better)

As for the firewall mod, I'm always wary of recommending it because of the number of people that manage to ban themselves.

margarett

Well, that's a debatable question, the type of question that won't get you answered :P

SMF is safe to the extent of what we know / what has been reported.

Now, what's safe? For safety, my company pays a bunch of money to Cisco certified engineers to maintain the firewalls safe. But if a user chooses to share a complete price list all over the internet... Meh :-/ (actually that's not easily doable, but it was just an example)
If you're driving, don't drink. If you're drinking... CALL ME!!!! :D

Quote: Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair

minico

Quote from: Arantor on November 04, 2013, 08:38:32 PM
What do you mean by secure, exactly?


Hi Arantor,

Just wondering if my website will be fairly secure from hacks etc... the way I have it set up (No security mods) and if you guys recommended me doing anything to it as far as security goes.

minico

Quote from: margarett on November 04, 2013, 08:39:06 PM
Well, that's a debatable question, the type of question that won't get you answered :P

For safety, my company pays a bunch of money to Cisco certified engineers to maintain the firewalls safe.

I don't have a lot of money lol...   :laugh:

Arantor

You add whatever you feel comfortable with adding.

minico


margarett

You took my words out of context :P

What I was saying is that the chain will break by its weakest link. Imagine that one of your administrators (maybe yourself?) uses a weak password and it gets discovered... What's the use of anything outside the software? See my point?

SMF has, as far as we are aware, no vulnerabilities. But hackers are trying every day to break security. Heck, PHP's website was hacked some days ago! So, security holes will exist, will be patched and will be exploited. Don't lose sleep over it ;)

minico

Okay Margaret, thanks guys and have a great evening!

a10

Do regular backups, so there's always very recent stuff available to restore whatever the situation (hacking, viruses, one's own doings, crashes etc).
2.0.19, php 8.0.23, MariaDB 10.5.15. Mods: Contact Page, Like Posts, Responsive Curve, Search Focus Dropdown, Add Join Date to Post.

MrPhil

When you say "hacked", are you concerned about actual hacking, where someone gets in and erases or vandalizes files or adds Trojans or backdoors, or are you really talking about spamming, which is a whole 'nuther kettle of fish. SMF is quite secure against hackers (but nothing is invulnerable). Against spammers signing up, definitely use the Questions and Answers feature. You can also try turning up the CAPTCHA (visual puzzle) as high as you and your members can stand it, but that doesn't do much good these days. There are some separately installable mods that look up applicants on third-party databases of known spammers. Unfortunately, once a spammer gets past this hard shell, there's not much within SMF to stop them. You can require CAPTCHA for the first N posts, but that doesn't seem to do much good any more. SMF really needs something to examine post content and poster behavior, and hold suspected spam for the administrator to look at.

Kindred

Mr Phil,

You keep commenting on what you think SMF "needs".

Please... put your money where your mouth is.
Head over to the 2.1 repository on github and make some contributions towards these things that you feel are "needed".
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

MrPhil

If I don't have the time and the in-depth knowledge of SMF's internals to do the job right, what the hell is wrong with saying "I think SMF needs ______" and hoping that someone casting about for a project will pick it up? Yours and @Arantor's snippy comments about "Why don't you do it yourself, or STFU?" are wearing quite thin. I'm happy to make suggestions, I'm happy to come up with suggested algorithms and code segments, but I don't feel I have the time to do the whole thing. OK?

Suki

You don't actually need to build an entire feature, every small bit counts.

You making suggestions is not the problem but how you do it, perhaps wording it differently will get different reactions.
Disclaimer: unless otherwise stated, all my posts are personal and does not represent any views or opinions held by Simple Machines.

Kindred

I'm glad to hear that you're willing to help.... Even not doing a completely finished "pull" (like dropping the algorithms into an enhancement issue report) would be useful.

And as Suki points out, the problem is not pointing out things that you'd like to see...  The problem that we have is that you DEMAND that whatever feature you are talking about is "needed", "required", "must be done" and other language along those lines. :( In other posts you refer to some existing features in excessively negative terms (despite the fact that the features are only buggy under certain circumstances).

So, yes... while things probably should get fixed or addressed, we have a limited number of devs working (although more than we did 2 months ago!) and they have a limited amount of time to work on SMF amongst their RL responsibilities.

So, if we sound snippy sometimes, it's because you (and certain others) SEEM to be demanding and complaining about things a lot without actually stepping up to contribute.

Arantor

This is it exactly... I see an awful lot of 'SMF MUST DO THIS OR ELSE RAAAAAAHH' type comments from you, MrPhil. The difference is, instead of complaining about what SMF isn't doing, I spent my time not complaining about it but researching how it should be done.

You speak very often of a defence in depth approach. What exactly do you consider this to be? Does it involve the admin configuring it or some kind of centralised ruleset of spam that admins refer upwards (like some kind of Akismet system)? How would this work for multiple languages?

One of the things I will be adding in 3.0 is the moderation filters system I built for <that other forum system whose name I dare not speak lest its author stalks me again>, which would cover a number of the things you mention; it redefines how post moderation works such that you can tie all kinds of criteria to it (even down to things if the post contains links or not and how many) but it's way out of scope for 2.1 if we want it out this year.
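As an added illustration, not SMF code and not part of this thread, of the kind of filter MrPhil asks for (examine post content and poster behaviour, hold suspected spam for the admin) and of the criteria-based post moderation Arantor describes (e.g. whether a post contains links and how many), here is a small rule-scoring moderator in Python. The rule set, weights, hold threshold and spam-domain list are constructed assumptions, not SMF settings.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Matches http(s) URLs and captures the host part for domain checks.
LINK_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

@dataclass
class Poster:
    posts: int              # approved posts so far (poster behaviour)
    account_age_days: int   # age of the account (poster behaviour)

@dataclass
class Rule:
    name: str
    weight: int
    check: Callable[[str, Poster, List[str]], bool]  # (body, poster, link hosts) -> hit?

# Constructed assumptions: hold for admin review at this score; these domains are made up.
HOLD_THRESHOLD = 5
KNOWN_SPAM_DOMAINS = {"cheap-pills.example", "win-prizes.example"}

def extract_links(body: str) -> List[str]:
    """Return the lower-cased hosts of every URL in the post body."""
    return [m.group(1).lower() for m in LINK_RE.finditer(body)]

# Criteria tied to the moderation decision: content rules and behaviour rules side by side.
RULES = [
    Rule("new_account_with_links", 3, lambda b, p, l: p.posts < 5 and len(l) > 0),
    Rule("many_links", 2, lambda b, p, l: len(l) >= 3),
    Rule("known_spam_domain", 5, lambda b, p, l: any(h in KNOWN_SPAM_DOMAINS for h in l)),
    # "mostly links": fewer than five words remain once the URLs are stripped out
    Rule("mostly_links", 2, lambda b, p, l: len(l) > 0 and len(LINK_RE.sub("", b).split()) < 5),
    Rule("young_account", 1, lambda b, p, l: p.account_age_days < 1),
]

def score_post(body: str, poster: Poster) -> Tuple[int, List[str]]:
    """Apply every rule; return the total weight and the names of the rules that fired."""
    links = extract_links(body)
    hits = [r.name for r in RULES if r.check(body, poster, links)]
    total = sum(r.weight for r in RULES if r.name in hits)
    return total, hits

def moderate(body: str, poster: Poster) -> Tuple[str, List[str]]:
    """Return ('hold', hits) to queue the post for the admin, or ('approve', hits)."""
    total, hits = score_post(body, poster)
    return ("hold" if total >= HOLD_THRESHOLD else "approve"), hits
```

A held post is never deleted by the filter; the admin sees which rules fired and makes the final call, which keeps false positives recoverable.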

MrPhil

Quote from: Arantor on November 05, 2013, 10:37:56 AM
I see an awful lot of 'SMF MUST DO THIS OR ELSE RAAAAAAHH' type comments from you
That's not what I'm posting, but if that's how you choose to interpret/filter what I say, that's your problem. Needless to say, with that attitude (you and a few others), I do not wish to devote serious time to SMF. I already spend more time than is good for me, trying to help out around here. I am free to say "SMF needs such and such", and may offer suggested algorithms or code fragments (as I have done before), but leave it to someone else to actually put them into the code.

Arantor

Obviously I was embellishing it a little for effect.

But even from your post earlier in this thread:
Quote: SMF really needs something to examine post content and poster behavior, and hold suspected spam for the administrator to look at.

How am I supposed to interpret that, exactly?

But here's the thing, you're the one telling us how things should be done, and every time we invite you to actually put your money where your mouth is, you back out. Last time it was the talk of infighting, this time it's the attitude of myself and others. What will the next time be? Oh, that's right, next time it'll be that no-one's helping you get familiar with the code. (No-one gave me a how-to on writing code for SMF. I just wrote dozens of mods.)

I mean, as you told me, you have *decades* of experience more than I do about this stuff, you were doing this before I was born, so if you're so good at it, I'd love to see more than pontificating and "suggestion" (which isn't really suggestion) and actually putting some time in.

If you really feel you're putting in too much time here, that's your problem, but kindly get off the lawn if all you're going to do is play the grumpy old man card.

On the other hand, I put aside some time to actually fix the issues. Remember that before you start your next tirade: I spent a lot of time complaining, just like you do, only I put my money where my mouth is to actually fix things, to actually create improvements. Until you do the same, I don't see how I can take your diatribes too seriously.
