Announcement

Collapse
No announcement yet.

Does vbulletin offer support for ddos and bruteforced sites?

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Does vbulletin offer support for ddos and bruteforced sites?

    Ok just concerned if my legal vbulletin site got bruteforced or ddos, are there any support for it?

    And how do i prevent my site from being bruteforced or hacked in anyways?

  • #2
    Originally posted by Leon_Armageddon View Post
    Ok just concerned if my legal vbulletin site got bruteforced or ddos, are there any support for it?

    And how do i prevent my site from being bruteforced or hacked in anyways?
    DDoS? Those types of attacks should be addressed by your ISP at the network-level. If it reaches far enough to actually execute scripts it doesn't matter what scripts it runs.
    As for bruteforce and hack attempts, vBulletin comes with several builtin features to help combat and discourage such attempts.
    Toddler from Hell

    Comment


    • #3
      My site will never get ddos because it has unlimited bandwidth. As for brutefoce, does it mean as long as i install the latest updates for vbulletin, my site is safe from such attacks?

      Comment


      • #4
        Installing updates and security-fixes will ensure that you run the most secure version of vBulletin at any given time. That said, no software can ever claim to be 100% secure and be right. The best you can do is to password-protect sensitive directories (such as admincp, modcp and install) and use features such recaptcha to combat malicious users.
        As for you being safe from DDoS because you have unlimited bandwidth, sorry, you could not be more wrong.
        Toddler from Hell

        Comment


        • #5
          vB, like any other software, is only as secure as the server it's on.

          Comment


          • #6
            Unless you own the company, no host will give you truly unlimited bandwidth. There is always a ceiling.

            Comment


            • #7
              There is a whole debate about unlimited bandwidth versus unmetered bandwidth... I can write a paper on that discussion and it'll probably be as thick as any magazine you can pick off the shelve at 7-11, so that's probably debate for another date. I think what he meant is he has unmetered bandwidth.

              Long story short, unmetered bandwidth means you have an internet connectivity of some speed (typically, for servers, 100mbits) and they don't monitor / meter your usage; where as unlimited bandwidth means you have an unlimited amount of internet connectivity, summing up to infinity mbits/gbits/tbits/pbits/etc., which, due to laws of physics, are not possible to date. Due to this limitation, unmetered bandwidth are still vlunable to DDoS.

              Imagine if you have a water pipe of 2 centimeteres or so in diameter... common stuff you find in gardens for watering the lawn or flowers. Now, imagine if you're trying to feed water to it from a sewage drain that's big enough to have people walking in it... at full throttle... Either the flow will be very slow, or you'll damage whatever you're pointing your garden pipe at due to high pressure water being beamed out of it.

              That's pretty much what happens when you encounter a DDoS. DDoS stands for Distributed Denial of Service. In a nut shell, one or more server(s) / computer(s) with bandwidth connectivity greater than of yours trying to connect to your server at the same time (IE: You're probably on a 100mbits unmetered server; they have 100, 1000, or even 10000 computers on 4mbits DSL or alike). With that amount of traffic, you'll either A) find your server very slow because the 100mbits unmetered bandwidth is not enough to keep up requests from gigabits worth of bandwidth, or B) your server gets overloaded from all the requests it is receiving from all these people.

              As previously mentioned, this is not something vbulletin, or any software for that matter, can prevent. You will need support from your hosting provider, or even their service provider (IE: data center/bandwidth provider) to resolve that kind of problem.

              Brute forcing is a different story. If I try all the possible combinations, on a combination lock, I'll figure out what the combination to open it for that particular lock is. Same goes for username and passwords. In theory, if I repeatily try to login to an admin account, I can figure out what the password is.

              vBulletin prevents this by implementing a 15 minutes lock-outs for accounts that failed to login in 5 attempts. If I try to login to your account with password, a, b, c, d, and e, I will not be able to try f, g, h, i, and j until 15 minutes later, 15 minutes lock out again before I can try k, l, m, n,... Assuming if you are using fairly secure passwords, vBulletin can protect your forum account from being compromised by this type of attack. IE: 6 characters in length, a-z only would equate to 26^6 = 308915776 passwords to try, lock out for 15 minutes after 5 failed attempts: 308915776 / 5 attempts * 15 minutes ~= 1750 years; that's the maximum time it will take to use brute force attack to get your password on vbulletin forum. It may be significantly lesser if you use passwords like aaaaaa, but it gives you an idea

              However, your forum is only as secure as your server. If you're using a weak password, and your server does not automatically lock out accounts for duration, attackers can easily apply brute force technique on your FTP/SSH account, and gain access to your server directly. At which point, they will no longer need to know your forum's admin account password to make changes to your forum.

              Hope the above was helpful...
              For anyone else, please feel free to correct me on any errors if you see any
              Last edited by Andy Huang; Tue 23 Sep '08, 3:03pm.
              Best Regards,
              Andy Huang

              Comment


              • #8
                Originally posted by Andy Huang View Post
                As previously mentioned, this is not something vbulletin, or any software for that matter, can prevent. You will need support from your hosting provider, or even their service provider (IE: data center/bandwidth provider) to resolve that kind of problem.
                ...
                However, your forum is only as secure as your server. If you're using a weak password, and your server does not automatically lock out accounts for duration, attackers can easily apply brute force technique on your FTP/SSH account, and gain access to your server directly. At which point, they will no longer need to know your forum's admin account password to make changes to your forum.

                Hope the above was helpful...
                For anyone else, please feel free to correct me on any errors if you see any
                True, true.
                Pretty much DDOS mitigation is hardware related. VB is only a forum software. Not even the OS your server runs on can save you from a DDOS if you're getting hammered enough.

                Also, to add on to Andy's post, there are numerous ways that people can get access to your account (be it FTP or VB). If you don't use SFTP already, I'd suggest it. As well, if somehow a malicious user is able to get hold of your forum cookies, they could log in as you and do whatever harm they wanted, as well. On top of that, unless you're using SSL, they could do a man in the middle attack and sniff for information.

                There's not really anything such as a big bandaid that fixes all. You have to be careful on all fronts, and plan ahead.

                Comment


                • #9
                  Originally posted by Andy Huang View Post
                  Imagine if you have a water pipe of 2 centimeteres or so in diameter... common stuff you find in gardens for watering the lawn or flowers. Now, imagine if you're trying to feed water to it from a sewage drain that's big enough to have people walking in it... at full throttle... Either the flow will be very slow, or you'll damage whatever you're pointing your garden pipe at due to high pressure water being beamed out of it.
                  Thank you Ted Stevens

                  Comment

                  widgetinstance 262 (Related Topics) skipped due to lack of content & hide_module_if_empty option.
                  Working...
                  X