Fully Secure Site

Discussion in 'Site Security & Legal Issues' started by Jare, Mar 9, 2012.

  1. Jare

    Jare Aspirant

    Hey guys, I am running vBulletin 4.1.9 and basically I want to scan it for vulnerabilities.

    I want to go far more in-depth than Acunetix will allow, as there are individuals in our community going around, hacking 30+ sites at a time, by rooting their servers.

    What is the best method to ensure this doesn't happen to me?
  2. Guerrera

    Guerrera Participant

    I've never used any off-the-shelf CMS before so I can't comment on how structurally secure their programming is (I'm assuming it's top notch) but it's very VERY difficult to mitigate a hack attempt because of the wide variety of methods that hackers are using. I mean sometimes remarkably inventive methods.

    I can only give you a few pointers:

    Generally if you're using an off-the-shelf CMS, there won't be too many vulnerabilities present. But you have to watch what kind of third party software you integrate into your site because anything that breaks the CMS processing even the slightest bit can be a potential vulnerability to exploit.

    Watch the kind of database calls your plugins are making, make sure there's no leakage or memory overflow that they can exploit to send your CPU or memory into overdrive. Do some profiling in Apache/LS if you have to.

    Then of course, you have to make sure that whatever plugin you use conforms to the standard SQL cleansing and data validation techniques. Make sure you look at every angle, analyse every possible scenario and come up with another 'if' condition to tackle it. Hackers are inventive.

    Be wary of any point where a user is able to upload data to your server. HTTP forms can be manipulated, they can be truncated and messed around with and they will do that until they figure out a unique set of variables that breaks your software. Don't let that happen. Invalidate all incomplete or strange HTTP POST requests.

    Secure your root. Secure any cross-domain links you have. If you're using MySQL or the like, place your connection include files outside the public_html directory. It just adds extra protection.

    Log... log, log EVERYTHING. Even if you think you'll never need it, it's invaluable if you suffer a massive attack. You can peruse those logs to determine where and how hackers managed to penetrate your system and then work on rebuilding that portion of your site.
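As an added illustration of three concrete points in the post above (connection details kept outside public_html, POST requests validated before use, and SQL that user input cannot break), here is a small PHP snippet in the shape of a forum plugin handler. It is example code written for this page, not code from the thread, from vBulletin, or from any real plugin; the table name `thread`, the field names, the config path `/var/www/private/db.php` and the request fields `threadid`/`page` are assumptions made for the example.

```php
<?php
// Added example for this page; not from the thread, from vBulletin, or from any
// real plugin. Table/field names, the config path and the request fields are
// assumptions chosen for illustration.
declare(strict_types=1);

// Point 1: keep the DB credentials outside the web root. With
// /var/www/public_html as DocumentRoot, /var/www/private/db.php (assumed path)
// is never served, even if a misconfiguration starts handing out raw .php
// source. That file simply returns an array:
//   <?php return ['host' => 'localhost', 'user' => 'forum', 'pass' => '...', 'name' => 'vb'];
function load_db_config(string $path = __DIR__ . '/../private/db.php'): array
{
    if (!is_readable($path)) {
        throw new RuntimeException("DB config not readable outside web root: $path");
    }
    return require $path;
}

// Point 2: validate the POST request as a whole before it touches the database.
// A request with missing or extra fields, or fields of the wrong shape, is
// rejected and logged rather than "cleaned up" and passed along.
function validate_thread_request(array $post): ?array
{
    $allowed = ['page', 'threadid'];          // kept sorted for the comparison below
    $keys = array_keys($post);
    sort($keys);
    if ($keys !== $allowed) {
        error_log('rejected POST (field set): ' . json_encode($post));
        return null;
    }
    // FILTER_VALIDATE_INT refuses "42 OR 1=1", "42abc", "" and array values
    // (threadid[]=1 style tampering) and returns false for all of them.
    $threadid = filter_var($post['threadid'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $page = filter_var($post['page'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 10000]]);
    if ($threadid === false || $page === false) {
        error_log('rejected POST (field value): ' . json_encode($post));
        return null;
    }
    return ['threadid' => $threadid, 'page' => $page];
}

// Point 3, what NOT to do: the pattern seen in careless plugins, SQL built by
// string concatenation. Kept here only so the injection is visible in the
// returned string; it is never executed in this example.
function unsafe_thread_sql(string $threadid): string
{
    return 'SELECT threadid, title FROM thread WHERE threadid = ' . $threadid;
}

// The prepared-statement form: the value travels as a bound parameter, so the
// server never parses it as SQL whatever the client sent. (get_result() needs
// the mysqlnd driver, which is the default in modern PHP builds.)
function fetch_thread(mysqli $db, int $threadid): ?array
{
    $stmt = $db->prepare('SELECT threadid, title FROM thread WHERE threadid = ?');
    $stmt->bind_param('i', $threadid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed requests standing in for $_POST (sample data, not captured traffic).
$good   = ['threadid' => '42', 'page' => '1'];
$inject = ['threadid' => '42 OR 1=1', 'page' => '1'];
$extra  = ['threadid' => '42', 'page' => '1', 'userid' => '1'];

// Show how the injected value lands unchanged in the WHERE clause of the
// string-built query, then show that the validator refuses it.
echo unsafe_thread_sql($inject['threadid']), "\n";
foreach ([$good, $inject, $extra] as $req) {
    var_export(validate_thread_request($req));
    echo "\n";
}

// Only talk to MySQL when the private config file actually exists (assumed path).
if (is_readable(__DIR__ . '/../private/db.php')) {
    $c  = load_db_config();
    $db = new mysqli($c['host'], $c['user'], $c['pass'], $c['name']);
    $valid = validate_thread_request($good);
    if ($valid !== null) {
        var_export(fetch_thread($db, $valid['threadid']));
        echo "\n";
    }
}
```

Run as `php example.php`: the first line printed is the concatenated query with `42 OR 1=1` sitting inside it, which against a real table would return every thread; the validator then returns an array of integers for the well-formed request and `NULL` for both the injected and the extra-field request, writing a line to the PHP error log for each rejection. The database section only runs when the private config file is present, and uses the bound parameter so the same payload could never reach the parser.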
  3. webdev123

    webdev123 Participant

    Guerrera pretty much said it all... the most important thing I think you can do is log everything. Moderator logs will help you out.
  4. RiverJ

    RiverJ Aspirant

    No such thing as a fully secure site. New ways to hack will always be coming out, there's nothing you can do about that. You need to stay up-to-date with the latest vulnerabilities. Usually, forums aren't hacked if the admin accounts are not keylogged and the chmod settings are right.