Icy Phoenix

     
 


Post Icy Phoenix 1.3.0.53a - How Secure Is Icy? 
 
Because of the issues that my site discusses, there may be groups out there that might try and shut us down. I feel pretty good about ICY but I have never asked the questions, so,

1.  How secure is Icy against hackers?

2.  What do I need to make sure is turned on or off in ICY to help prevent such activity?

A great answer to my question would be, "you shouldn't have to do anything cause ICY is the BEST".

Thanks,

Dave
 




____________
Another Pro Bono
Version of Icy Phoenix: 1.3.0.53a
Version of PHP: 5.2.9
Version of MySQL: 5.0.81-community-log
Board started: 2009/07/18 - 11:50
Registered Users: 123 as of 17 Sep 09
 
christmanrd

Post Re: Icy Phoenix 1.3.0.53a - How Secure Is Icy? 
 
For the first question, I will say that MG & devs have worked on security, but Icy could not be the most secure system. For the time being, I have not known any other phpbb2 series based CMS which could be more secure. But this does not mean that there is any system that IS totally secure, as even an error in the PHP engine could lead to the creation of a bug.

Sorry about the issue with this phrase, I even misunderstood myself when reading it. I guess I should not post at such times as 1 am in the morning.

At the moment, the main dev (MG) triggers a patch for a security issue when one is found.

Optimal config of the server to prevent server hijacking.... I will try to give some tips:

Quote:
Ability to set CHMOD permissions.

You should set the config to read-only after installing icy. I have done so on my local and I had no problems with the board. You should also set the recommended CHMODs at the install procedure, for the user that runs the server daemon (and not all).

Quote:
These other requirements (even if not strictly needed) are suggested for optimal performance of Icy Phoenix:

    * Webserver with .htaccess capability.

IDK how much it will help.

Quote:
Register Globals set to OFF.

This will stop many attempts from succeeding.

And some tricks:
Have as few ports open as you can. And if you can, make the services running on them not send any data until some kind of true credentials are sent (as user/pass or whatever). All other ports should not actively deny a connection in order to make this technique succeed.

NEVER post your sid(s). EVER. A hacker with one valid session id can change your credentials in minutes.

Use good passwords, not bad enough to be brute-forced or reverse-engineered.

Do not get a keylogger on your computer.
Do not let a sniffer on your LAN.
Do use WPA2 keys on your wifi nets.
Do not be stupid enough to fall into a password change type scam.

And many others.... most of them basic ones...
 



 
Edited by novice programmer, Mon 21 Sep, 2009 20:17: Corrected the misunderstanding phrase. Sorry.
Edited by novice programmer, Mon 21 Sep, 2009 20:25: Corrected the bbcode.
novice programmer

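The read-only config and Register Globals tips from the post above can be checked mechanically. The script below is an added example, not part of the original thread or of Icy Phoenix; the two file paths are placeholders supplied by the caller, and it only reads the one php.ini it is given.

```shell
#!/bin/sh
# Added example. CONFIG and PHP_INI are placeholder paths chosen by the caller.

# Print a file's octal permission bits (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Print "ok", or which of the post's two conditions the config file breaks:
#   writable          - some write bit is set (the post asks for read-only)
#   world-accessible  - "other" has any access (the post: daemon user, "not all")
config_mode_findings() {
    mode=$(file_mode "$1") || { echo "unreadable"; return 0; }
    out=""
    [ $(( 0$mode & 0222 )) -eq 0 ] || out="writable"
    [ $(( 0$mode & 0007 )) -eq 0 ] || out="${out:+$out }world-accessible"
    echo "${out:-ok}"
}

# Print the effective register_globals value in one php.ini: on, off or unset.
# The last uncommented assignment wins; "unset" means PHP's built-in default.
register_globals_state() {
    awk -F= '
        /^[ \t]*;/ { next }
        tolower($1) ~ /^[ \t]*register_globals[ \t]*$/ {
            v = tolower($2); sub(/;.*/, "", v); gsub(/[ \t"]/, "", v)
            state = (v == "on" || v == "1" || v == "true" || v == "yes") ? "on" : "off"
        }
        END { print (state == "" ? "unset" : state) }
    ' "$1"
}

# Usage: sh audit.sh CONFIG PHP_INI
audit() {
    echo "config permissions: $(config_mode_findings "$1")"
    echo "register_globals:   $(register_globals_state "$2")"
}

if [ $# -eq 2 ]; then audit "$1" "$2"; fi
```

A per-directory override (for example a `php_flag` line in `.htaccess`) is not seen by this check, so the value PHP reports at runtime remains the authoritative one.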
Post Re: Icy Phoenix 1.3.0.53a - How Secure Is Icy? 
 
novice programmer wrote: [View Post]
but Icy is not the most secure system

Based on what are you saying that?

Are you a security expert? Did you find some breaches?

Please remember that such kinds of phrases may be misunderstood... write only on things you are very confident about.
 




____________
Luca
SEARCH is the quickest way to get support.
Icy Phoenix ColorizeIt - CustomIcy - HON
 
Mighty Gorgon

Post Re: Icy Phoenix 1.3.0.53a - How Secure Is Icy? 
 
christmanrd,

I used to use a standard phpBB2 board with a simple portal system years ago.  My website was hacked at least three times a month until a friend recommended Icy Phoenix.  I've used Icy Phoenix for a few years and can honestly say my websites have never been hacked or defaced.

Rest assured if anything horrible did happen to your Icy Phoenix website that everyone here would do the absolute best to get you back up and running.

In Icy Phoenix I trust.
 




____________
| Icy Phoenix ColorizeIt! |
Bipolar Disorder - Not good for you and definitely not good for everyone else.
 
Chaotic

Post Re: Icy Phoenix 1.3.0.53a - How Secure Is Icy? 
 
I'll second this.

Icy is one of the most secure systems, due to CrTracker.

But sometimes the tracker drives the owner itself crazy.
 




____________
Out of Order
 
spydie

Post Re: Icy Phoenix 1.3.0.53a - How Secure Is Icy? 
 
Quote:
In Icy Phoenix I trust.


"Trust But Verify"

I trust it but, like I said, I never asked either.

Thanks for everyone's responses and your confidence building, Chaotic

Dave
 




christmanrd

Post Re: Icy Phoenix 1.3.0.53a - How Secure Is Icy? 
 
If you parties with the condition of being afraid that your icy is defaced or hacked, you do not have the idea of having to put on a website.

In my opinion, one must put on a portal that puts just about without wondering why or other situations that might lead to doubts.
I started with this project and I never thought that anyone could ask such questions.

We are an open source project and plus we are a team that is devoid of his free time to design Icy and run it as simply and I think that sometimes claims of this kind leave things as they are and do not deserve sometimes and in some cases even reply.


Hi Fucile
 



 
fucile

Post Re: Icy Phoenix 1.3.0.53a - How Secure Is Icy? 
 
fucile wrote: [View Post]
If you parties with the condition of being afraid that your icy is defaced or hacked, you do not have the idea of having to put on a website.

In my opinion, one must put on a portal that puts just about without wondering why or other situations that might lead to doubts.
I started with this project and I never thought that anyone could ask such questions.

We are an open source project and plus we are a team that is devoid of his free time to design Icy and run it as simply and I think that sometimes claims of this kind leave things as they are and do not deserve sometimes and in some cases even reply.


Hi Fucile



Sorry for my ignorance.  I was always taught if you do not know the answer to something, ask.
 




christmanrd

Post Re: Icy Phoenix 1.3.0.53a - How Secure Is Icy? 
 
I agree that sometimes responses aren't needed for this type of question aimed towards Icy Phoenix.  This was, however, an outstanding time for every Icy Phoenix user to share their opinions about how secure this project is.

It makes me happy to read these past few comments and to read fucile's post made me feel even better.  It seems almost preposterous to think Icy Phoenix could be hacked and to write about it is almost heresy, LOL.

God save the Icy Phoenix!
 




Chaotic

Post Re: Icy Phoenix 1.3.0.53a - How Secure Is Icy? 
 
fucile wrote: [View Post]
We are an open source project and plus we are a team that is devoid of his free time to design Icy and run it as simply and I think that sometimes claims of this kind leave things as they are and do not deserve sometimes and in some cases even reply.

I totally disagree... every question asked kindly deserves to be read and possibly answered.

But answers must be on topics and possibly not misleading.

Icy Phoenix is an amateur project... and this means that users cannot expect the same level of security as professional software. Even if I'm doing my best to make Icy Phoenix secure, efficient and stable.

Plus every user should consider that Icy Phoenix is not standalone... but it needs a webserver to run, and this means other products such as Linux, Apache, PHP, MySQL... this means that not only Icy Phoenix may be the problem if a site got hacked or defaced.

In novice programmer's post there is some good advice regarding what is beside Icy Phoenix... server configuration, wifi configuration, passwords and so on...

When talking about security, there are several important aspects to be considered, each one being as important as the previous one...

Again... please speak about this topic only if you are really confident about the matter.

christmanrd wrote: [View Post]
Sorry for my ignorance.  I was always taught if you do not know the answer to something, ask.


Don't blame you... there is nothing wrong about your request. The answer is complex and I hate users being trivial when talking about this matter.

Best thing you can do is search the web for Icy Phoenix security issues... and report here if you then have specific questions.

Usually developers try to hide security issues, so as not to offer anyone a "free lunch" on this important matter. So some good information can be found only through other resources, even if most of the time they are outdated...
 




Mighty Gorgon

Post Re: Icy Phoenix 1.3.0.53a - How Secure Is Icy? 
 
Suggestion 1.

Icy Phoenix has the ability to add a Cron Job I believe (but I've never had to use it) to back up the database automatically etc. But that's not going to be much use if one has been hacked out of their forum and can't get access to restore the Db.

MySqlAdmin could be used to restore a previous backup of the Db, but that has its limits too, depending on the size of the dump. And if the dump is large - then it's going to be a lot of work to get it reinstalled.

So! I recommend to everyone concerned about hackers that:

One should install MySqlDumper (aka MSD) to the root of one's site and password protect the folders - Which it WILL optionally require one to do after one installs it - Configure it to connect to one's database (Which is pretty simple for the uninitiated) and do a backup. Then set up a Cron Job to auto-backup one's Db as often as one feels it's necessary.

Then! if one is "Hacked" out of their forum, MSD can be used to restore the Db quite quickly and quite easily.

And if one does install MSD and needs any other instructions - Then I do believe it's well documented and also has a support forum.

This information is freely given on the assumption that MSD is in itself "Hack-Proof"  

Suggestion 2.

Something that's quite easily overlooked (Even by some MOD-Makers and Core Programmers) is to make sure that any folders that one adds to their forum which contain integrated Icy Phoenix script be protected with an index.html file.

But be WARNED! This doesn't apply strictly to ALL folders as sometimes the html file will result in a blank page under certain circumstances. And is another reason for people to NOT use blank index.html files, but rather to have something in them so that any "White" screen problems with html files is not mistaken for other problems that arise from time to time.

That's it for today!  
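A way to check Suggestion 2 across a whole install, as an added example that is not part of the original post or of Icy Phoenix: it lists folders with no index.html and folders whose index.html is empty (the blank-page case warned about above). It goes one step beyond the post by also reporting whether the root `.htaccess` disables Apache directory listings with `Options -Indexes`; the root path is a placeholder supplied by the caller.

```shell
#!/bin/sh
# Added example. ROOT is a placeholder for the forum's directory on disk.

# For every directory under ROOT print "missing DIR" when it has no index.html
# and "empty DIR" when index.html exists but is zero bytes (the blank-page
# case the post warns about). Prints nothing when every folder is covered.
index_findings() {
    find "$1" -type d | sort | while IFS= read -r dir; do
        if [ ! -e "$dir/index.html" ]; then
            echo "missing $dir"
        elif [ ! -s "$dir/index.html" ]; then
            echo "empty $dir"
        fi
    done
}

# Print "yes" when ROOT/.htaccess has an uncommented "Options ... -Indexes"
# line, "no" otherwise (including when there is no .htaccess at all).
listing_disabled() {
    if grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1/.htaccess" 2>/dev/null
    then echo "yes"; else echo "no"; fi
}

# Usage: sh index_audit.sh ROOT
report() {
    findings=$(index_findings "$1")
    echo "directory listing disabled in .htaccess: $(listing_disabled "$1")"
    if [ -n "$findings" ]; then
        echo "$findings"
    else
        echo "every directory has a non-empty index.html"
    fi
}

if [ $# -eq 1 ]; then report "$1"; fi
```

An index.html only hides the folder listing; files inside the folder can still be requested by name, so the permission settings discussed earlier in the thread still matter.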
 
 
 
Post Re: Icy Phoenix 1.3.0.53a - How Secure Is Icy? 
 
I would like to apologize publicly for the first post written. It was not my intention to bring the discussion into a flame and did not want to disrespect anyone.

Sorry all

Hi Fucile
 



 
fucile

Post Re: Icy Phoenix 1.3.0.53a - How Secure Is Icy? 
 
Mighty Gorgon wrote: [View Post]
novice programmer wrote: [View Post]
but Icy is not the most secure system

Based on what are you saying that?

Are you a security expert? Did you find some breaches?

Please remember that such kinds of phrases may be misunderstood... write only on things you are very confident about.


First: I am not a security expert, nor a PHP expert. I don't even have a career degree, as my age can say.
Second: I did not find breaches, but I have not reviewed the source code, so...

Third: Yeah, I have made a mistake. I was trying to say that Icy couldn't be the best system, a mistake which I will correct right now.

This means that it can be the best system or can be not.
 



 
novice programmer

Post Re: Icy Phoenix 1.3.0.53a - How Secure Is Icy? 
 
novice programmer wrote: [View Post]
but Icy is not the most secure system


You are probably correct, but it's not what you said that is the problem - It's what you didn't say.

But Icy is not the most secure system as professional and commercially audited software may be, but be assured that security is foremost in the minds of the developers when compiling the script.

And that is the truth!


You get in - You get out!  and cover your backside both ways!

And stop shouting! As it doesn't reflect on what is normally your somewhat more professional approach to all things that go wrong.
 
 
 
Post Re: Icy Phoenix 1.3.0.53a - How Secure Is Icy? 
 
Never forget: If somebody decides to hack u (and if this man has good skills in PHP/...), he will finish by hacking u (1 year, more, less, ...) ... Just remember that.

But yes, the question is good because some mods of IP (KB, JA) are not secure at all.

I think that removing SID is a great idea (CH already does this in recent v.), but it needs rewriting a lot of things ... LOL (and just make that the function do nothing xD)
 



 
Informpro