What features would you like in a security mod?

Fillip H.

Developer
Joined
Mar 13, 2006
Messages
205
Well, you don't use Plesk for this; the link I gave you uses MySQL to store htaccess and htpasswd, so the system can use a database. This way XF and Plesk would not suffer from anything.
The problem is that mod_auth_mysql which that feature relies upon, is 11 years old. It's also nowhere to be found in the repositories for cPanel, the most popular control panel out there.

While the final decision is up to Decado as our Managing Director, my personal opinion is that it would be a bad idea to include a feature that cannot be used by the vast majority of our customers.
 

Danielx64

Developer
Joined
Nov 8, 2009
Messages
3,300
I am sure that it is possible to edit files without the need for things like exec and so forth. How do you think the XF configuration file gets created at install time?
 

Fillip H.

Developer
Joined
Mar 13, 2006
Messages
205
I am sure that it is possible to edit files without the need for things like exec and so forth. How do you think the XF configuration file gets created at install time?
PHP:
if (!file_exists($configFile) && is_writable(dirname($configFile)))
To break that down: it checks if the config.php file doesn't exist and if the /library/ directory is writable by the web server.

There is a world of difference between a directory being writable and a .htaccess file being writable. Not only that, but the passwords used by the .htaccess authentication module are not stored in the .htaccess file. They're stored in a separate file, and if that file is writable, then that's a much bigger security flaw.

The question is: Would you prefer the convenience of not having to load up a FTP or SSH client, or would you prefer that the modification adds an additional exploit vector to your site?

As with the mod_auth_mysql feature, the decision isn't up to me, but personally I am not comfortable with adding functionality to a security modification that requires users to compromise the security of their web server to function.
 

we_are_borg

Tazmanian
Joined
Jan 25, 2011
Messages
5,964
Found out more: it can be done with PHP with fopen/fwrite, but you again have a security risk because the file needs to be writable for web users, and that's also a no-no. Whatever you think of, it's always a security risk, it seems.

Best would be to use only the first link I gave and make it like so.

When you promote someone you get an extra field to generate a htpasswd and username that you can copy and paste in the .htpasswd file, so no need to go to other sites. You only need to start an SSH client or FTP to put the line in. The line should be like this: "wsabstract:y4E7Ep8e7EYV"; this is how it's written.

What about the token system, is that doable?
 

Decado

DragonByte Technologies Managing Director
Joined
Sep 28, 2007
Messages
109
We try as much as possible to avoid anything that has any potential to compromise security, however remote. The aim is to make it harder for people to exploit the system, and to make you aware of potential attacks on the system as well. If we're not 100% confident a potential feature will harden security we generally won't implement it. That's not to say the ideas aren't good ideas, or that they're physically impossible, just that our focus is on minimizing risk.
 

Danielx64

Developer
Joined
Nov 8, 2009
Messages
3,300
Have you guys looked at WordPress? If it can't edit a file then you are asked for FTP details.
 

Alpha1

Administrator
Joined
May 28, 2007
Messages
4,268
Have you guys looked at WordPress? If it can't edit a file then you are asked for FTP details.
You mean the most cracked application on the net? It's as insecure as can be with all the auto-updating and 777 all over the place.
The idea of an XF version of vbsec is to increase security, not to null it.
I would not want anything that automatically writes files to the root dir.
 

Fillip H.

Developer
Joined
Mar 13, 2006
Messages
205
Have you guys looked at WordPress? If it can't edit a file then you are asked for FTP details.
That's a good idea, editing files via FTP is something I've looked into on my own time for other reasons.

The problem I'm dreading for when the code I've written actually goes into any form of production is the vast differences in configurations and such. For instance, let's say you only allow FTP over SSH (SFTP) via the root account, but unlike cPanel's FTP accounts, it defaults to /root. The code needs to detect where the forum files are and change the directory before it can begin to edit or upload.

It's not impossible by any stretch, but it's very complex to do, and personally I would prefer to perfect it via a dedicated modification (like a mod installer / updater) before putting it in a mod like this one :)
 

Fillip H.

Developer
Joined
Mar 13, 2006
Messages
205
You mean the most cracked application on the net? It's as insecure as can be with all the auto-updating and 777 all over the place.
The idea of an XF version of vbsec is to increase security, not to null it.
I would not want anything that automatically writes files to the root dir.
Yeah I definitely agree with you there, I wouldn't want anything auto-updating either. Even if I did add auto-update functionality to something like a mod installer/updater, it would default to off with strong warnings.
 

Alpha1

Administrator
Joined
May 28, 2007
Messages
4,268
With that in mind, if we were to release a security mod for xF what things would you like to see in it?
  1. The same functions you implemented for vbsec
  2. The functions I already suggested for vbsec
  3. Limit username validation. Currently this validation function can be used to brute-force a list of community accounts.
  4. reCAPTCHA after login fail
  5. LiteSpeed Webserver Security features support. LSWS has many advanced and very effective security features that can be reused. For example (temp) ban IPs on server level. (Michael is active on XF.com)
  6. More advanced / configurable login strikes viewer and filtering. Currently it needs quite a lot of work to review logs and to distill innocents and attackers. It should be easier.
  7. Login Watchers based on multiple conditions: Ban IP IF user meets condition 1 AND 2 OR 3.
  8. TOR exit node blocking
  9. Password minimum requirements with clear indicator for users
  10. 'You are currently logged in from X devices'
  11. Last logon X hours ago from device Y.
  12. Advanced file checking with whitelisting and versions.
  13. Block bad bots by badbehavior. Contact Michael here.
  14. Moderate/block users with more than X connections per minute.
  15. Moderate/block users with more than X bandwidth use per minute/hour/day
  16. Lock & Moderate compromised accounts
  17. Improve Compromised accounts parameters. Too many false positives but this can be easily solved.
  18. Dismiss warnings, so that only important warnings remain.
  19. Identify suspect IP ranges. Not just users.
  20. Identify attacker by browser Fingerprinting, non-conventional cookies, http etags, html5 session storage, etc. Or simply integration with Sticky Multiple account. The main idea is that we need to prevent running after single accounts and stop attackers on a much wider effective scale.
 

mysiteguy

Fanatic
Joined
Feb 20, 2007
Messages
3,619
Hmm, do you have a link to one of these scripts? As far as I'm aware, you can't write to the .htaccess file using normal PHP - in my mind, that would be a massive security risk.

PHP, or any program for that matter, doesn't care about file names, only file permissions. On client machines I've gone over, more often than not the permissions for it aren't properly set.
 

we_are_borg

Tazmanian
Joined
Jan 25, 2011
Messages
5,964
Won't solve the issue (especially here) as I'm pretty sure it looks somewhat similar to this
Code:
location /admin.php {
    auth_basic           "Buzz off asswipe";
    auth_basic_user_file /path/to/my/super/secrete/password/file;
    include /usr/local/nginx/conf/staticfiles.conf;
    include /usr/local/nginx/conf/php.conf;
}
Code:
<?php
// Password to be hashed for a .htpasswd file
$clearTextPassword = 'some password';

// Hash the password with crypt(); note that the salt is derived from the
// password itself, so the same password always produces the same hash
$password = crypt($clearTextPassword, base64_encode($clearTextPassword));

// Print the hash, ready to be pasted after "username:" in .htpasswd
echo $password;
?>

It would look something like that; it just converts the password to one that htaccess uses, and you'll only need to copy and paste it in the correct place (aka manual work). This way you have the code straight away, and it saves time not having to go to other sites to make it.
 
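As an added example (not code from the thread, from DragonByte, or from XenForo), here is the same copy-and-paste idea done with a random per-line salt: a PHP function that builds an .htpasswd line using SHA-512 crypt, a verifier for such a line, and a check that reports whether the auth files are writable by the user PHP runs as, which is the permissions point raised earlier in the thread. The file paths are placeholders and the sample password is made up.

```php
<?php
// Added example (not from the thread): generate an .htpasswd line with a
// random salt, verify it, and check that the auth files are not writable
// by the user PHP runs as. Paths below are placeholders.

declare(strict_types=1);

// Build "user:$6$rounds=N$salt$hash". SHA-512 crypt is accepted by Apache
// (apr_password_validate falls back to the system crypt()) and by nginx's
// auth_basic on glibc/libxcrypt systems.
function htpasswd_line(string $user, string $password, int $rounds = 100000): string
{
    // ':' separates the fields, and a newline would inject a second entry.
    if (strpbrk($user, ":\r\n") !== false) {
        throw new InvalidArgumentException('username must not contain ":" or newlines');
    }
    // 12 random bytes -> 16 base64 chars with no '=' padding; '+' is mapped
    // to '.' so the salt only uses the crypt alphabet [./0-9A-Za-z].
    $salt = strtr(base64_encode(random_bytes(12)), '+', '.');
    $hash = crypt($password, sprintf('$6$rounds=%d$%s$', $rounds, $salt));
    // crypt() signals failure with a short string such as "*0".
    if (strlen($hash) < 13) {
        throw new RuntimeException('crypt() does not support SHA-512 on this build');
    }
    return $user . ':' . $hash;
}

// Check a password against one .htpasswd line; hash_equals() avoids a
// timing side channel on the comparison.
function htpasswd_verify(string $line, string $user, string $password): bool
{
    $parts = explode(':', rtrim($line, "\r\n"), 2);
    if (count($parts) !== 2 || $parts[0] !== $user) {
        return false;
    }
    return hash_equals($parts[1], crypt($password, $parts[1]));
}

// Return the given files that the current PHP process could overwrite.
// A non-empty result means the web server user can rewrite its own auth config.
function writable_by_php(array $paths): array
{
    return array_values(array_filter(
        $paths,
        fn(string $p): bool => file_exists($p) && is_writable($p)
    ));
}

// Constructed sample usage (username taken from the thread, password made up).
$line = htpasswd_line('wsabstract', 'correct horse battery staple');
echo $line, PHP_EOL;
var_dump(htpasswd_verify($line, 'wsabstract', 'correct horse battery staple'));
var_dump(htpasswd_verify($line, 'wsabstract', 'wrong password'));

// Placeholder paths; a correctly set up host reports an empty list here.
foreach (writable_by_php(['/path/to/.htpasswd', '/path/to/www/.htaccess']) as $p) {
    echo "WARNING: $p is writable by the web server user", PHP_EOL;
}
```

The generated line is meant to be pasted into .htpasswd by hand over SSH or FTP, exactly as the post suggests; the script never opens the auth files for writing, and the last check is there so an admin notices when the web server user could.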

Fillip H.

Developer
Joined
Mar 13, 2006
Messages
205
PHP, or any program for that matter, doesn't care about file names, only file permissions. Client machines I've gone over, more often than not they don't have permissions for it properly set.
Yeah that's what I meant, the file permissions. If .htaccess files (or especially htpasswd files) were made writable by the webserver user, that would be a massive security risk in my view.

If anyone doesn't believe it's a monumentally bad idea to allow .htaccess files to be writable by PHP, I'd like to direct you towards these directives:
Code:
php_value auto_prepend_file "/full/path/to/prepend.php"
php_value auto_append_file "/full/path/to/append.php"

Of course, it depends on what SAPI you use with your web server, and it's not necessarily applicable for Nginx, but for a large portion of users that code is still going to be a valid exploit vector. It would silently prepend and append exploit code into every single PHP file called, and no-one would be the wiser unless the admin were to go and check the .htaccess file manually - exactly what this feature would aim to avoid.

I do hate to be that guy who shuts down convenience features in the name of security, but part of my job is to come up with ways people can break these things.
 
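To turn the auto_prepend_file / auto_append_file concern into something an admin can check, here is an added PHP audit script (not code from the thread or from DragonByte). It walks a web root, reports every .htaccess and .user.ini file the running PHP user could modify, and lists any prepend/append directives already present. .user.ini is included because under CGI/FPM those same settings are read from there rather than from .htaccess; the web root path is a placeholder and the sample .htaccess text is constructed from the directives quoted in the post.

```php
<?php
// Added example (not from the thread): scan a web root for .htaccess and
// .user.ini files that the PHP process could modify, and for existing
// auto_prepend_file / auto_append_file directives.

declare(strict_types=1);

// Lines that set auto_prepend_file or auto_append_file, either in Apache
// php_value/php_flag form (.htaccess under mod_php) or in plain ini form
// (.user.ini under CGI/FPM). Returns [lineNumber => line].
function find_prepend_directives(string $contents): array
{
    $hits = [];
    $pattern = '/^\s*(?:php_(?:admin_)?(?:value|flag)\s+)?auto_(?:prepend|append)_file\b/i';
    foreach (preg_split('/\r\n|\r|\n/', $contents) as $i => $line) {
        if (preg_match($pattern, $line)) {
            $hits[$i + 1] = trim($line);
        }
    }
    return $hits;
}

// Walk the web root and report, per config file, whether the running PHP
// user could write it and which prepend/append directives it contains.
function audit_web_root(string $webRoot): array
{
    if (!is_dir($webRoot)) {
        throw new InvalidArgumentException("not a directory: $webRoot");
    }
    $report = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($webRoot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        $name = $file->getFilename();
        if ($name !== '.htaccess' && $name !== '.user.ini') {
            continue;
        }
        $path = $file->getPathname();
        $contents = file_get_contents($path);
        $report[$path] = [
            'writable'   => is_writable($path),
            'directives' => $contents === false ? [] : find_prepend_directives($contents),
        ];
    }
    return $report;
}

// Constructed sample: a .htaccess carrying the two directives quoted in the post.
$sample = "RewriteEngine On\n"
        . "php_value auto_prepend_file \"/full/path/to/prepend.php\"\n"
        . "php_value auto_append_file \"/full/path/to/append.php\"\n";
print_r(find_prepend_directives($sample));

// Placeholder path; point this at the real document root.
$webRoot = '/path/to/www';
if (is_dir($webRoot)) {
    foreach (audit_web_root($webRoot) as $path => $info) {
        if ($info['writable']) {
            echo "WARNING: $path is writable by the PHP user", PHP_EOL;
        }
        foreach ($info['directives'] as $n => $line) {
            echo "NOTE: $path line $n: $line", PHP_EOL;
        }
    }
}
```

A writable result is the finding that matters: the directive scan only catches what is already there, while a writable .htaccess or .user.ini is what lets the directive appear in the first place. Run it as the same user the web server runs PHP as, otherwise is_writable() answers for the wrong account.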

Woffie

Enthusiast
Joined
Dec 30, 2008
Messages
107
How about instead of porting over one of your mods that nobody is asking for, you port over one that many are asking for, the arcade? :rolleyes:
 

Alpha1

Administrator
Joined
May 28, 2007
Messages
4,268
After 2 pages of interest you assume that nobody has interest. Right! o_O
In case you didn't figure this out: I was one of the people who asked Decado to port vbsecurity to XF.
 