Advice to Master to make this forum secure and never have the forum down

Jason Voorhees

While this forum was down I had nothing to do, so this is a small write-up/report that I did for Master to read and then implement to ensure that this dreaded screen never appears.


I want to preface this by saying I'm not a cybersecurity expert, but I do know a thing or two about keeping some malicious aliens at bay.

A truly secure setup isn't about one magic bullet. So I propose creating layers of defense. If one layer fails, another catches the threat. In IT we call this "Defense in Depth"


Layer 1: Rock solid Foundation (Hosting & DNS)

Get a VPS from a reputable provider. I personally recommend DigitalOcean; I have used it before. They give you a clean slate and full control. You could also use Azure and AWS instances if you for some reason want even more granular control. Also plz no sharing of resources with incels.is; keep them both separate.

Use the "Full (Strict)" SSL/TLS mode on Cloudflare.


Layer 2: The Impenetrable walls

Idea is simple. Block every fucking thing and then only open the specific doors we need. It's like throwing all niggers in jail and only letting them out if they behave.

Choose any OS tbh. It doesn't matter. They are all good. Just don't use retarded legacy shit. Also use SSH Keys and disable passwords. Password logins can be bruteforced. Keys cannot also an important lesson that I learn is changing the port. Many bots scan port 22 the default all day looking for a loophole. Change it to something else.

The VPS provider already has a cloud firewall; just use that, but I also suggest adding one on the server too with iptables. Only allow incoming traffic on ports 80 and 443 (and only from Cloudflare's IP ranges). They can't hit what they can't see.

Install Fail2Ban. The automated watchdog that scans logs for repeated failed logins and exploit scanning and automatically blocks the offending IPs immediately. The gold standard. I am linking the GitHub link.


Do the above and you've already eliminated 99% of automated attacks but we are not done yet when I said this forum isn't going down. I mean it.


Layer 3: The Ever watching Gatekeeper

Use Nginx with PHP-FPM. This is something I learnt recently so I am linking the article. Just configure it to run PHP processes as a non-privileged user.


Generate an SSL certificate on your server. I like to use this one because it's free.


This is for encrypting traffic between Cloudflare and your server ensuring there are no weak links in the chain.

The final guardian-Authenticated Origin Pulls. Many people will say this is overkill but who tf cares. We have need extreme security because we looksmaxers are all at danger due to trannies on IT always trying to ruin our lives

What it basically does is create a cryptographic handshake that proves a request is coming from Cloudflare. If an attacker discovers your real server IP, they still can't access your website because their requests won't have the secret handshake.

AOP doesn't stop DDoS-style volume attacks, so you need network-level defenses for that. Built-in DDoS protection is good enough but I suggest Magic Transit. It is again overkill for a forum and the standard DDoS protection is more than good enough, but we are building for an end-of-the-world scenario so you might as well throw this in.


Generally good practices/advice

-Always run the latest stable version of XenForo and your add-ons

-Require Two Factor Authentication for all admin and moderator accounts. This is already being done I think but this is a must. A stolen password should not be enough to compromise the forum

-Every add-on is a potential security hole, so vet them regularly for bugs/vulnerabilities. Only install reputed ones

-Your last line of defense is a good backup. If the worst happens and all the IT trannies takeover the forum. You can wipe the server and restore from a known good state. Just run a script to perform a SQL dump daily or weekly basis , send it to Amazon S3 with versioning and in the takeover scenario. Wipe everything and do a rollback to start new.
 
  • +1
  • Love it
  • JFL
Reactions: CorinthianLOX, Serialsuicide, TechnoBoss and 37 others
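The Layer 2 firewall advice in the opening post (block everything, SSH on a non-default port, 80/443 only from Cloudflare's ranges), as an added example that is not part of the original post: a POSIX shell generator for an `iptables-restore` ruleset that refuses to emit anything if the allowlist is empty or malformed. The ranges are RFC 5737 documentation placeholders and port 2222 is an assumed SSH port; the real IPv4 list is published by Cloudflare at https://www.cloudflare.com/ips-v4.

```shell
#!/bin/sh
# Added example (not from the original post): emit an iptables-restore ruleset
# that drops inbound traffic by default, keeps SSH on a non-default port, and
# accepts 80/443 only from an allowlist of CDN ranges read from stdin.
# IPv4 only; an IPv6 host needs the equivalent ip6tables ruleset as well.

# Return 0 if $1 is a well-formed IPv4 CIDR such as 192.0.2.0/24.
valid_cidr4() {
    case $1 in */*) ;; *) return 1 ;; esac
    ip=${1%/*}
    len=${1#*/}
    case $len in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS
    IFS=.
    set -- $ip                      # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# build_ruleset SSH_PORT < ranges.txt
# Reads one CIDR per line ('#' comments and blank lines ignored) and prints the
# ruleset. Fails closed: one bad line or an empty list yields no ruleset at all,
# so a truncated download cannot silently produce a wide-open or dead firewall.
build_ruleset() {
    ssh_port=$1
    case $ssh_port in ''|*[!0-9]*|??????*) echo "bad SSH port" >&2; return 1 ;; esac
    if [ "$ssh_port" -lt 1 ] || [ "$ssh_port" -gt 65535 ]; then
        echo "SSH port out of range" >&2
        return 1
    fi
    web_rules=''
    count=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                                  # drop comments
        line=$(printf '%s' "$line" | tr -d ' \t\r')       # drop whitespace
        [ -n "$line" ] || continue
        if ! valid_cidr4 "$line"; then
            echo "refusing to build ruleset: bad CIDR '$line'" >&2
            return 1
        fi
        web_rules="${web_rules}-A INPUT -p tcp -s $line -m multiport --dports 80,443 -j ACCEPT
"
        count=$((count + 1))
    done
    if [ "$count" -eq 0 ]; then
        echo "refusing to build ruleset: empty allowlist" >&2
        return 1
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $ssh_port -j ACCEPT
${web_rules}COMMIT
EOF
}

# Constructed sample allowlist: RFC 5737 documentation ranges standing in for
# the CDN's published ranges. Port 2222 is an assumed non-default SSH port.
SAMPLE_RANGES='# placeholder ranges, not real CDN addresses
192.0.2.0/24
198.51.100.0/24   # second placeholder'

printf '%s\n' "$SAMPLE_RANGES" | build_ruleset 2222
```

Check the output with `iptables-restore --test` before loading it, and keep a console session open while applying default-drop rules so a mistake does not lock you out of SSH.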
Get rid of the Turks problem solved
 
  • JFL
  • +1
  • Woah
Reactions: Serialsuicide, kiing_ronk, 2vi and 22 others
@imontheloose
 
  • +1
Reactions: 2vi, MiserableMan, KKamikaze and 9 others
@User28823 @gooner23 @HighIQ ubermensch
 
  • +1
Reactions: 2vi, Deleted member 98185, Deleted member 130748 and 3 others
@Foreverbrad @Gengar
 
  • +1
Reactions: 2vi, Deleted member 98185, Deleted member 130748 and 4 others
@Master :
 
  • JFL
  • +1
Reactions: Serialsuicide, 2vi, Grilldaddy❤️ and 10 others
Tagged everyone but master
 
  • JFL
  • +1
Reactions: Serialsuicide, kiing_ronk, 2vi and 12 others
@Master
 
  • JFL
  • +1
  • Woah
Reactions: 2vi, MiserableMan, KKamikaze and 10 others
Water
 
  • +1
  • JFL
Reactions: 2vi, KKamikaze, Deleted member 130748 and 6 others
@Debetro @BeanCelll @5'7" 3/4s
 
  • +1
Reactions: 2vi, KKamikaze, Deleted member 130748 and 4 others
@optimisticzoomer
 
  • +1
Reactions: 2vi, KKamikaze, Deleted member 130748 and 3 others
@Luca_. @BigBallsLarry
 
  • +1
Reactions: 2vi, KKamikaze, Deleted member 130748 and 3 others
too long DIDNT READ lol u indian. i ztill respect thT tho Nd thiz iz botb worhy
 
  • JFL
  • +1
Reactions: kiing_ronk, 2vi, KKamikaze and 5 others
His fat ass will fall asleep in his kfc cave by the time he reads the first paragraph
 
  • +1
  • JFL
Reactions: isis_Bleach, kiing_ronk, 2vi and 7 others
@Master if ur gonna dnr my threads atleast read this
 
  • JFL
  • +1
Reactions: kiing_ronk, 2vi, KKamikaze and 5 others
no way theyre not doing this already tho
 
  • +1
Reactions: 2vi, KKamikaze, Deleted member 130748 and 4 others
  • +1
Reactions: 2vi, MiserableMan, KKamikaze and 5 others
  • +1
Reactions: 2vi, KKamikaze, Deleted member 130748 and 4 others
  • JFL
  • +1
Reactions: 2vi, MiserableMan, KKamikaze and 5 others
  • +1
  • JFL
Reactions: 2vi, MiserableMan, KKamikaze and 5 others
Buml
 
  • +1
Reactions: 2vi, Deleted member 130748 and Jager
inb4 Master leaves you in
 
  • +1
  • JFL
Reactions: 2vi, KKamikaze, Deleted member 130748 and 2 others
Nigga is not reading this
@Master
 
  • +1
Reactions: 2vi, Deleted member 130748, Jager and 1 other person
Curry brah can’t resist tech assistance.
Apparently can't resist to take the hard working and genius Americans' jobs too, while they rot seething about that @Jason Voorhees
 
  • +1
  • JFL
Reactions: 2vi, MiserableMan, SoNotFunny and 4 others
Apparently can't resist to take the hard working and genius Americans' jobs too, while they rot seething about that @Jason Voorhees
I literally didn't steal anyone's job nigga. My role was literally empty for months
 
  • +1
Reactions: TechnoBoss, 2vi, MiserableMan and 3 others
I literally didn't steal anyone's job nigga. My role was literally empty for months
Watch ur tone when you speak to me son.

Anyways I was being sarcastic dumbass, these fucks seethe about immigrants "stealing" their jobs and also have the same reactions as the guy I responded to when a high IQ theory/etc is presented
 
  • +1
Reactions: 2vi, Deleted member 130748, Htautistgymmaxx and 2 others
@Jager @Shahnamehgymmaxx @Alias!
 
  • +1
  • Love it
Reactions: 2vi, Deleted member 130748, Htautistgymmaxx and 1 other person
@Master is not gonna be read this and be busy munching on kfc buckets high effort tho botb worthy
 
  • +1
  • So Sad
Reactions: 2vi, MiserableMan, Deleted member 130748 and 2 others
@Jager @Shahnamehgymmaxx @Alias!
Very good thread, I can say personally that I’ve been very hesitant to buy lifetime vip because of the possible lack of longevity this forum has. Dunno if he will but I genuinely hope master implements this shit.
 
  • +1
Reactions: Deleted member 130748 and Jason Voorhees
Very good thread, I can say personally that I’ve been very hesitant to buy lifetime vip because of the possible lack of longevity this forum has. Dunno if he will but I genuinely hope master implements this shit.
“Buying lifetime VIP”
 
  • JFL
Reactions: KKamikaze, Jason Voorhees and Htautistgymmaxx
@Vazelrr
 
Looks like he didn't listen
 
  • +1
  • JFL
Reactions: browncurrycel and Jason Voorhees
Was down a few minutes ago
 
  • +1
Reactions: Jason Voorhees
You should make forums urself Preston
 
  • +1
Reactions: Jason Voorhees
@DrunkenSailor
 
tag me when your done
 
Dnr but I’m sure it’s good
 
  • +1
Reactions: Jason Voorhees
