Welcome to Atheist Discussion, a new community created by former members of The Thinking Atheist forum.

Change search restriction time to 10 seconds
#26

Change search restriction time to 10 seconds
(01-24-2020, 12:42 AM)Aractus Wrote:
(01-23-2020, 07:03 PM)Thumpalumpacus Wrote: They're not insults, they're suggestions.

It should be noted that last year's attack was mounted by an angry member, "Vosur". Disabling guest searches would not have prevented them.

If it was a DDOS on the search function, then yes disabling guest searches would have prevented such an attack vector. You seem to be under the impression he did his attack while logged in - that wouldn't be a DDOS attack, and even if he did log in simultaneously from 10,000 locations (which isn't what he did) the search flood time would apply to all instances of his. A DDOS attack is a denial of service attack that is simply designed to take a server offline.

Vosur wasn't attacking the search function in the first place, or the forum itself, so not a single setting in MyBB would have made any difference. Vosur's attack wasn't a DDOS attack, it was an authentication attack which was followed by a distributed authentication attack (also called a distributed brute-force attack). Vosur was attacking the SSH (109.123.86.253:22) trying to crack the root password. SSH login attacks are incredibly common, even when your server isn't under a targeted attack it will be attacked by botnets regularly, so a good chunk of the attacks on the server would have had nothing to do with him, and would have come from random servers around the web, which is why any server admin needs a very strong password for all of their server management entry points (SSH, control panel, SFTP, etc). The distributed authentication attack itself may not have been Vosur, although it seems likely. Vosur only had control over his own server. The distributed attack came from someone who controls a botnet - Vosur may have had a "friend" do it, or it may have been coincidence.

Okay. I'm no hack and don't know the ins and outs of it. I'll let the staff address your technical points.

I still don't understand why that extra twenty seconds means so much to you. The Internet ain't going anywhere, use that time to think about how you might rephrase your search terms.
The following 1 user Likes Thumpalumpacus's post:
  • SYZ
Reply
#27

(01-24-2020, 12:42 AM)Aractus Wrote: Vosur wasn't attacking the search function in the first place, or the forum itself, so not a single setting in MyBB would have made any difference. Vosur's attack wasn't a DDOS attack, it was an authentication attack which was followed by a distributed authentication attack (also called a distributed brute-force attack). Vosur was attacking the SSH (109.123.86.253:22) trying to crack the root password. SSH login attacks are incredibly common, even when your server isn't under a targeted attack it will be attacked by botnets regularly, so a good chunk of the attacks on the server would have had nothing to do with him, and would have come from random servers around the web, which is why any server admin needs a very strong password for all of their server management entry points (SSH, control panel, SFTP, etc). The distributed authentication attack itself may not have been Vosur, although it seems likely. Vosur only had control over his own server. The distributed attack came from someone who controls a botnet - Vosur may have had a "friend" do it, or it may have been coincidence.

I'm wondering why you are so sure about what Vosur did and how the forum was attacked.

There was a lot that I have not explained for security reasons and I said in the post that you linked to that there was a DDOS attack.


(01-24-2019, 04:17 PM)Mathilda Wrote: Then it became a distributed attack. Now there are repeated attempts to ssh into the server.
The following 4 users Like Mathilda's post:
  • SYZ, Dom, Thumpalumpacus, jerry mcmasters
Reply
#28

I took a screenshot in Putty for you:

[Image: tTJFmsP.png]

As you can see in the last 5 weeks since the last login to that server there were 58,548 attempts to hack the root login. That's quite normal. If the server was hit by a targeted attack it would be in the millions, or billions, or more. Really there's nothing to worry about if your password is strong. A lot of server admins will disable the root account and use a different account with root privileges, however I'd point out that security by obfuscation is a well known security myth, if your password can't survive a distributed brute force attack then it's definitely not secure enough.

If an attacker knows what they're doing, and the server admin doesn't know what they're doing, what will happen is they'll attack every entry vector that could provide full server access: FTP/SFTP, SSH, control panel, or even the hosting account/VPS management panel, and whichever one has the weakest security will allow the attacker in. This is one thing that was of great interest on WHT when Rack911 did a free security audit of "alternative" control panels. One thing you may not know, unless you've ever had anything to do with back-end server management, is that in most cases the control panel isn't something that you can just install and uninstall; they all, generally speaking, have specific sets of software they require to run, and changing from one to another on a live server is nigh on impossible. Therefore whichever one you choose needs to be secure. Running a server without a control panel at all is also not a great idea - the control panel keeps the majority of the software up-to-date for you, and it performs a whole bunch of menial tasks. I do know people that insist on managing their own servers without one, but they're certainly not the norm; even webhosts will use them on their personal servers.

Based on the Rack911 audit, FYI, my advice (not that anyone listens to me) for small VPS management would be: 1. DirectAdmin if available through your provider at a low cost, 2. Webmin/Usermin/Virtualmin. Both are low on resource use, as well as the best performers security-wise. Last I checked the provider pricing for DA's full license is $5 and the Lite is around the same price as their "personal retail licence"; most providers barely mark up the control panel price, some provide it "at cost" or lower; in any case it's way cheaper than Plesk or cPanel, and as it's also lower on resources that makes it by far the best commercial control panel for small VPSs. Of course actually finding out in advance what providers can offer DA licenses is a headache, as I'm sure most of you know that most providers are not upfront about what addons they have and the cost, and many haven't added the Lite licence at all even if they are a provider. If you look up what the average server admin actually says, like I said before most of them haven't got a clue when it comes to security; I'd say 99% of the people that use control panels other than Plesk/cPanel/DirectAdmin on their VPSs have never given any thought to how secure the software is.

(01-24-2020, 04:41 AM)Mathilda Wrote: I'm wondering why you are so sure about what Vosur did and how the forum was attacked.

There was a lot that I have not explained for security reasons and I said in the post that you linked to that there was a DDOS attack.

(01-24-2019, 04:17 PM)Mathilda Wrote: Then it became a distributed attack. Now there are repeated attempts to ssh into the server.

Okay sure, I misunderstood, my apologies. But if you're seeing this:

[Image: tTJFmsP.png]

That's perfectly normal on any server. That's just regular hacking attempts, but it's not targeted. Although I'm sure you saw a spike in activity which would have been targeted. My broader point though about search being used to attack - yes, if your goal is to hack the website such as through SQL injection, not so much a target for DDOS and if it is just disable guest search. A year ago there was a bug in Google Search for 5 months that allowed an XSS injection:

Google's crawlers themselves can be made to carry out SQL injection attacks (thereby obfuscating the source of the attack), and it's been observed in the wild as well.
Reply
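The figure Aractus reads off the login banner (58,548 failed attempts since the last successful login) is the kind of number a defender gets by counting sshd's failure records. The following is an added example, not code from either poster or from MyBB: it parses auth.log lines in OpenSSH's "Failed password for ... from ..." format, reproduces the banner's "failed since last successful login" count, breaks failures down by source address and username, and lists the sources that cross a failure threshold, which is the same signal a blocking tool such as fail2ban acts on. The hostname, usernames, timestamps and addresses in the sample log are constructed (documentation IP ranges), as is the threshold of 3.

```python
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample auth.log lines in OpenSSH's message format. Hostname "vps",
# usernames, IP addresses (documentation ranges) and timestamps are all made up.
SAMPLE_AUTH_LOG = """\
Jan 20 03:14:07 vps sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 20 03:14:09 vps sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 20 03:14:12 vps sshd[1201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan 20 03:20:44 vps sshd[1210]: Failed password for invalid user admin from 198.51.100.7 port 41002 ssh2
Jan 20 03:20:46 vps sshd[1210]: Failed password for invalid user oracle from 198.51.100.7 port 41003 ssh2
Jan 20 04:02:11 vps sshd[1300]: Accepted publickey for deploy from 192.0.2.10 port 50022 ssh2: ED25519 SHA256:EXAMPLEFINGERPRINT
Jan 20 04:30:00 vps sshd[1350]: Failed password for root from 203.0.113.99 port 60001 ssh2
Jan 20 04:30:02 vps sshd[1350]: Failed password for root from 203.0.113.99 port 60001 ssh2
"""

# "Failed password for [invalid user] USER from IP port N ssh2"
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$"
)
# "Accepted METHOD for USER from IP port N ssh2[: key details]"
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2"
)


@dataclass
class SshSummary:
    total_failed: int = 0
    failed_root: int = 0
    failed_since_last_accept: int = 0  # the number the login banner reports
    by_source: Counter = field(default_factory=Counter)
    by_user: Counter = field(default_factory=Counter)


def summarize(log_text: str) -> SshSummary:
    """Walk the log once, counting failures and resetting the
    'since last successful login' counter on every accepted login."""
    s = SshSummary()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            s.total_failed += 1
            s.failed_since_last_accept += 1
            s.by_source[m["ip"]] += 1
            s.by_user[m["user"]] += 1
            if m["user"] == "root":
                s.failed_root += 1
            continue
        if ACCEPTED_RE.search(line):
            s.failed_since_last_accept = 0
    return s


def noisy_sources(summary: SshSummary, threshold: int = 3) -> list:
    """Source IPs at or above the failure threshold, most active first."""
    return [ip for ip, n in summary.by_source.most_common() if n >= threshold]


if __name__ == "__main__":
    summary = summarize(SAMPLE_AUTH_LOG)
    print(f"failed logins: {summary.total_failed} (against root: {summary.failed_root})")
    print(f"failed since last successful login: {summary.failed_since_last_accept}")
    print("noisy sources:", noisy_sources(summary))
```

On a real host the input would be `/var/log/auth.log` (or `journalctl -u ssh`), and the per-source counts are what you would feed into a block list; the per-user counts show how much of the noise is aimed at root specifically, which is the account worth protecting with keys rather than a password.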
#29

Don't worry Aractus. The reason I do not talk about how the back-end is set up is because I do not want to help any potential hackers.

For example, I could say, "Hah! My password is 100 characters long!"

Great. Now the hackers know not to try permutations of characters between 1 and 99 characters in length.

I also don't tell people what is installed on the back-end because if there is any known vulnerability then it could be exploited before it gets fixed. I certainly do not tell them how it is configured.

I figure every bit of information I reveal in public makes the server less secure. So I don't. Even revealing how much or how little I know could be useful for a hacker.

Social engineering is often forgotten about when people consider whether they can be hacked. I assume hackers don't forget about it though. It certainly did not work for Vosur.
The following 5 users Like Mathilda's post:
  • SYZ, Dom, Thumpalumpacus, jerry mcmasters, Finite Monkeys
Reply
#30

(01-24-2020, 05:20 AM)Aractus Wrote: I took a screenshot in Putty for you:

[Image: tTJFmsP.png]

As you can see in the last 5 weeks since the last login to that server there were 58,548 attempts to hack the root login...

[major snip]


...Google's crawlers themselves can be made to carry out SQL injection attacks (thereby obfuscating the source of the attack), and it's been observed in the wild as well.


For fuck's sake mate!  Give it up... please!

Nobody here gives a damn about you showing off your alleged computer skills repeatedly
and relentlessly—as per this thread. We already understand that you claim to know a lot
about nearly everything on the planet, as you've told us a hundred times here. And half the
people you're preaching to won't even understand the intricacies of what you're posting—like me.

Just accept the extra 20 seconds-worth of time you claim to be wasting in your life.  I'm sure
it's taken you far, far more time to post this farrago of non-relevant complaints and pointless
elucidation.
I'm a creationist;   I believe that man created God.
The following 1 user Likes SYZ's post:
  • TheGentlemanBastard
Reply
#31

(01-24-2020, 07:44 AM)Mathilda Wrote: I figure every bit of information I reveal in public makes the server less secure. So I don't. Even revealing how much or how little I know could be useful for a hacker.

I don't agree with that point of view, but then again it makes no difference to me if you're running CentOS or Ubuntu or whatever (actually it's Debian, I decided to look at the http header) and how the server's set up. But I will point out there's nothing to stop a motivated hacker working out what controls the back-end fairly quickly; they'd just have to cycle through a few ports until they find the control panel (even if it's on a non-standard port). Once they know that, they know what configurations the server can be in and what it can't be in (see this page for example), along with what default software is installed. That's one reason why you should uninstall everything you don't need/use. For example if you only use Apache you uninstall NGINX... if you only use NGINX you uninstall Apache. They'll also know, or be able to make an educated guess at, what software you might be running on the back-end that isn't managed by the control panel.

I reckon you'd be shocked if you knew how some people run their servers. I know people that have run servers since the 90s who leave their servers completely un-patched and running the same software for 5 or 6 years, and when they do bother updating them (which usually involves rebuilding the server, obviously) they do the same thing again. I haven't heard anyone say they were going to uninstall one of the insecure hosting panels either. In fact I've seen people look at that security audit analysis and then declare they're installing CyberPanel anyway (no one who actually knows who Rack911 is has said that, mind you!)

Quote: For example, I could say, "Hah! My password is 100 characters long!"

Great. Now the hackers know not to try permutations of characters between 1 and 99 characters in length.

The only thing that really matters is bits of entropy and to make it resistant to brute-force. And that has to be the case for anything that has root access, which is SSH, SFTP, and the control panel (a control panel is a webserver with full root access, whereas Apache/Litespeed/NGINX are webservers with jailed access with permissions usually set by the control panel).

Quote: I also don't tell people what is installed on the back-end because if there is any known vulnerability then it could be exploited before it gets fixed. I certainly do not tell them how it is configured.

I figure every bit of information I reveal in public makes the server less secure. So I don't. Even revealing how much or how little I know could be useful for a hacker.

Social engineering is often forgotten about when people consider whether they can be hacked. I assume hackers don't forget about it though. It certainly did not work for Vosur.

Well the fact there's still no HTTPS tells the potential hacker that whatever you're using can't automatically manage TLS from the control panel. That rules out the big four right away: plesk, cpanel, directadmin, interworx. Still I don't mean to make you paranoid! Smile

(01-24-2020, 08:57 AM)SYZ Wrote: For fuck's sake mate!  Give it up... please!

Nobody here gives a damn about you showing off your alleged computer skills repeatedly
and relentlessly—as per this thread. We already understand that you claim to know a lot
about nearly everything on the planet, as you've told us a hundred times here. And half the
people you're preaching to won't even understand the intricacies of what you're posting—like me.

Just accept the extra 20 seconds-worth of time you claim to be wasting in your life.  I'm sure
it's taken you far, far more time to post this farrago of non-relevant complaints and pointless
elucidation.

I never said I'm an expert. When it comes to server admin, which I don't usually involve myself with, like I said I can give countless examples of shockingly poor management. The server I took a screenshot of was one I helped rebuild, the owner quite wisely decided to move off the control panel they were using following Rack911's free community audits. Let's just say it was one of the two panels that Rack911 said were the worst and "couldn't recommend" (they used stronger words than that on WHT!) I'd say the biggest security risk to any server is the admin/owner being complacent.
Reply
#32

I should just add here that if it were up to me the password for all the root access points would always be the same (control panel, root SSH, and root SFTP) since they're all equal security-wise, you could think of it as they're just different doors to the same sensitive room, your security isn't better by having a different key for each door. That's why my eyes glaze over when I hear server admins say with great pride they disabled the root account on SSH or disabled the password, yet they still have a control panel with full root access (most of which can run full root SSH from within the panel I might add). It's the lower level stuff, like MySQL/MariaDB, that you use different passwords on. Someone hacks your database they can't hack the entire server, whatever damage they might do.
Reply
#33

Is this still a thing? Ugh!

You have a stable, well managed platform to voice your thoughts and opinions and whatever else. Use it. Stop telling people how to do stuff when what they are doing works perfectly well. Geesh. You don't need to meddle in everything you see. Settle down, be happy.
The following 5 users Like Dom's post:
  • SYZ, Mathilda, Thumpalumpacus, TheGentlemanBastard, jerry mcmasters
Reply
#34

There's no need to read negativity into my comments. Jeez. Some of the comments that @Thumpalumpacus was making weren't at all in-line with reality, a point he conceded. The most common forms of hacking involve XSS and SQL injection, and of course brute-forcing weak passwords; while the first two are largely out of a server admin's control, they can mitigate the risk by keeping their software up to date, and the last one is in the hands of the server admin. You should see some passwords I've seen used for root access... in fact I'll just tell you. One server, operated by a woman with almost no clue how her server worked, her root password was "timbuktu" (all lower case). How it was never hacked is a mystery to me.
Reply
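Three posts in this thread argue about the same quantity: Mathilda's point in #29 that announcing "my password is 100 characters long" tells an attacker which lengths to skip, Aractus's reply in #31 that only bits of entropy and brute-force resistance matter, and the "timbuktu" root password in #34. The following is an added example, not code from any poster, that puts numbers on each of those. It computes the entropy of a random password for a given alphabet and length, the fraction of the cumulative search an attacker skips when told the exact length (and the same saving expressed in bits), the effective strength of a password that sits in a wordlist, and worst-case exhaustive-search times. The alphabet sizes, the guess rate of one million per second, and the wordlist size of 200,000 entries are assumptions chosen for illustration, not figures from the thread.

```python
import math

# Alphabet sizes assumed for the estimates (typical values, not from the thread).
LOWERCASE = 26        # a-z
ALPHANUMERIC = 62     # a-z, A-Z, 0-9
PRINTABLE_ASCII = 95  # every printable ASCII character


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a password chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly this length (exact integer)."""
    return alphabet_size ** length


def fraction_skipped_by_knowing_length(alphabet_size: int, length: int) -> float:
    """Share of the cumulative search over lengths 1..length that an attacker
    can skip once told the exact length: sum_{k<length} N^k / sum_{k<=length} N^k.
    Each extra character multiplies the keyspace by N, so this is roughly 1/N."""
    shorter = sum(keyspace(alphabet_size, k) for k in range(1, length))
    return shorter / (shorter + keyspace(alphabet_size, length))


def bits_lost_by_knowing_length(alphabet_size: int, length: int) -> float:
    """The same saving expressed as bits of work removed from the attacker."""
    return -math.log2(1.0 - fraction_skipped_by_knowing_length(alphabet_size, length))


def effective_bits_if_in_wordlist(wordlist_size: int) -> float:
    """A dictionary word falls within |wordlist| guesses, whatever its length."""
    return math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a sustained guess rate."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare(guesses_per_second: float = 1e6, wordlist_size: int = 200_000) -> dict:
    """Side-by-side figures; guess rate and wordlist size are assumed values."""
    return {
        "8 lowercase, random (years)": years_to_exhaust(entropy_bits(LOWERCASE, 8), guesses_per_second),
        "8 lowercase, in wordlist (years)": years_to_exhaust(effective_bits_if_in_wordlist(wordlist_size), guesses_per_second),
        "100 printable, random (years)": years_to_exhaust(entropy_bits(PRINTABLE_ASCII, 100), guesses_per_second),
        "bits lost by revealing length 100": bits_lost_by_knowing_length(PRINTABLE_ASCII, 100),
    }


if __name__ == "__main__":
    for label, value in compare().items():
        print(f"{label}: {value:.4g}")
```

The point the numbers make for a defender: revealing that a 100-character printable-ASCII password has exactly 100 characters removes about one part in 95 of the attacker's work, roughly 0.015 bits out of some 657, whereas an eight-letter word that appears in a wordlist keeps only about 18 of its nominal 38 bits. Length disclosure is negligible; predictability is what costs you.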
#35

(01-24-2020, 01:32 PM)Aractus Wrote: There's no need to read negativity into my comments. Jeez. Some of the comments that @Thumpalumpacus was making weren't at all in-line with reality, a point he conceded. The most common forms of hacking involve XSS and SQL injection, and of course brute-forcing weak passwords; while the first two are largely out of a server admin's control, they can mitigate the risk by keeping their software up to date, and the last one is in the hands of the server admin. You should see some passwords I've seen used for root access... in fact I'll just tell you. One server, operated by a woman with almost no clue how her server worked, her root password was "timbuktu" (all lower case). How it was never hacked is a mystery to me.

Thump has nothing to do with this. 

Guess what? Women can actually do some things. Some of them much better than you. Put that in your glass and drink it.
The following 6 users Like Dom's post:
  • Mathilda, TheGentlemanBastard, jerry mcmasters, SYZ, Finite Monkeys, Thumpalumpacus
Reply
#36

I wasn't being sexist... that was just an example.
Reply
#37

All right then.
Reply
#38

My apologies if it came across as rude/sexist, it was an example I could share where I knew I was not jeopardising the security of a live server (well unless there's some random server on the web with the same password!)
Reply
#39

(01-24-2020, 01:05 PM)Dom Wrote: Is this still a thing? Ugh!

You have a stable, well managed platform to voice your thoughts and opinions and whatever else. Use it. Stop telling people how to do stuff when what they are doing works perfectly well. Geesh. You don't need to meddle in everything you see. Settle down, be happy.

Noooooo!  It needs to be faster!  Faster! Faaaaaaassssster!!!
The following 1 user Likes jerry mcmasters's post:
  • TheGentlemanBastard
Reply



