Protect against hijacking.
Luckycat
New
Hi,
I`m switchting to Vanilla from phpBB3. My last messageboard was hijacked more or less by some piratecompanies in Russia, China and Korea mainly.3000 "different" users = adresses. To reach my messageboard you were supposed to register and log in at my memberpages (none of these users did) and then there was a link to the messageboard where you also had to register and log in. I found out that you could bypass the member-part if you just wrote: http://xxxxx.zz/phpBB3 . Inoticed that it works the same way with Vanilla. How do I stop someone from reaching Vanillamessageboard without first becoming a member and then reach the messageboard from the memberpart of my site?
Can anyone help me and I hope this is the wright category. I think it might be aquestion of localization of Vanilla.
Best Answers
-
businessdad
MVP
If I got it right, I'm afraid you can't prevent people from accessing a Vanilla's URL if they are not registered on your website. That is, you can't easily stop their browser from opening a website just because they are not logged in on another one. Keep in mind that, embedded or not, Vanilla is still an independent software (i.e. it's not like a WordPress plugin, which lives inside WP and can be fully controlled by it).
What Vanilla allows you to do, out of the box, is to disable all permissions for Guests. They will still be able to open the forum home page, but they won't be able to do anything else, except for registering.
To "lock down" the forum a bit more, you could disable registration on Vanilla, and use exclusively SSO for account creation. This means that your website will be the only one where Users can register, and Vanilla will talk to it to authenticate the Users. For this purpose, you can use the JsConnect plugin.
If you wish to really prevent anyone who is not registered from even viewing the home page of forum, you will have to implement a plugin that does it. Just beware that, by doing so, you risk to interfere with JsConnect Single Signon, which occurs after the home page has been rendered.
6
Answers
What do you mean with that? Could you please make an example?
My shop | About Me
You should only be able to reach the messageboard from a link at my membersection (You have to register and log in before reaching the membersection at my site). It will be like doublesafty= You have to register twice before using the messageboard. I do not want anymore russian, chinese IP:s to be able to go straight to my messageboard like typing: http//mydomain.xx/vanilla/
Luckycat
then ban them via country ip ( isnt a failsafe model ) but dooable. Also set requires approval by admin before they can proceed on the forums.
There was an error rendering this rich post.
Thanks 422,
But I did use "approval" when i used phpBB3 but somehow they bypassed that and register at my membersection. In 3 weeks I had 0ver 6000 posts. I had blocked email and got about 2500 "Delivery failed/delayed in my mailbox. So I am
" a little cautious" now. I want to embed vanilla on a page at my membersection and stop someone going directly to vanilla the way I mentioned.
It is about setting it up correctly. You also probably want something like botstop, for the membership requests.
You can also benefit from some the cdn security services, which are somewhat more intelligent that most people can achieve on their own.
grep is your friend.
most likely those russians used an exploit like injection.
grep is your friend.
if you don't want non-members to view profile, you don't give guests profile permissions.
grep is your friend.
Many thanks x00,
It seems like "botstop" is the answer to my problem. If you should have the time you could check - byairmail.eu - there is a memberpart under BAM-menu That`s where I would like it to be the only chans to reach vanilla. I have vanilla at my server but it is not registered yet. Once more thanks for the tip about botstop. Anything special I should think about when installing it?
I think that there's something misconfigured on your setup. If I type "byairmail.eu/vanilla" I get Vanilla Setup page.
My shop | About Me
Hello businessdad,
I have not registered vanilla at this server yet. I only put the vanilla catalogue there. But as you noticed you can bypass everything by typing http://mydomain.zz/vanilla/ and that
what I do not want. You should only reach vanilla via register at BAMs memberpages. You can try: byairmail.net where I have vanilla up and running incl. botstop at least I put it up. I hope to hear from you.sorry what do you mean bypass? I think there is some confusion. What is it you don't want them to access, and is you forum installed in web root or in a folder.
A webmaster is still responsible for securing a site, no script can do that on its own.
grep is your friend.
With bypass I mean that you can type: http://anydomainname.zzz/vanilla/ and reach the vanillaforum. ( There is no link to the forum at website other than at the memberpages - You have to register and log in to get to the membersection). That is what I mean with bypassing. So when you type: http://anydomainname.zzz/vanilla/ you must have done some research with the intention to Hijack,use the forum for spam and son. That is what iwant to prevent.
The website; http://byairmail.net is a testsite except fot the store.
The Vanilla folder is in the root as are the website-files. (-html + php-files).
If I got it right, I'm afraid you can't prevent people from accessing a Vanilla's URL if they are not registered on your website. That is, you can't easily stop their browser from opening a website just because they are not logged in on another one. Keep in mind that, embedded or not, Vanilla is still an independent software (i.e. it's not like a WordPress plugin, which lives inside WP and can be fully controlled by it).
What Vanilla allows you to do, out of the box, is to disable all permissions for Guests. They will still be able to open the forum home page, but they won't be able to do anything else, except for registering.
To "lock down" the forum a bit more, you could disable registration on Vanilla, and use exclusively SSO for account creation. This means that your website will be the only one where Users can register, and Vanilla will talk to it to authenticate the Users. For this purpose, you can use the JsConnect plugin.
If you wish to really prevent anyone who is not registered from even viewing the home page of forum, you will have to implement a plugin that does it. Just beware that, by doing so, you risk to interfere with JsConnect Single Signon, which occurs after the home page has been rendered.
My shop | About Me
Can I recommend you not to worry about ppl reaching your forum that way? Second thing is that when you install Vanilla in another directory, people will have difficulty finding the direct link (that's what you mean, you don't want the ppl to reach your forum using the direct link to Vanilla).
Install vanilla in http://anydomainname.zzz/thisismyforum/ and the bad people can not easily guess that address...
Vanilla is better protected against 'hijackers' than phpBB, I know that's a dangerous thing for me to say, but botstop does its work correctly and there's a couple of other plugins that are nice. Have fun using Vanilla!
There was an error rendering this rich post.
their is a plugin
http://vanillaforums.org/addon/privatecommunity-plugin
which gives you a private community
ther is more lock down you can do. Some plugin may need block exceptions to work.
grep is your friend.
short of at server level detecting the precedence of cookie, you may not completely prevent sniffing. The point is that sniffing is only sniffing, and not more than that.
grep is your friend.
Hello,
TO ALL OF YOU who helped me with this problem.
THANKS!!!
You have been of great help to solve my issue.
Luckycat