Topic: Confidential Forum Discussion Boards

I'm thinking of creating a board where only a dozen or two users whom I have personally selected can exchange ideas and discuss confidential topics.

My questions:

a. Is this something I should/could do with Pun?

b. It's important to me that I not have Google or any other bots accessing the site. What's the best way to implement that?

c. Login authentication: should I be using SSL and longer/different password protection?

d. Maybe add a third authentication step like you know from your e-banking?


Thanks for input on this.

Re: Confidential Forum Discussion Boards

deadram wrote:

a) Sure? Just disable guest and member viewing permissions. Maybe give members access to one forum, so they can remind you they're one of the dozen or so and should be moved to the 'privmembers' group, with full view/post permissions.

b) Look up robots.txt for the search crawlers. AFAIK Google, Yahoo, MSN, all the big ones follow these rules, and doing it with robots.txt will limit bandwidth usage!

c) I always run my forums over https. www.cacert.org is a good place to get a free signed cert, but your users will have to add that CA if they don't want the unsigned cert warning (there are directions on cacert.org). There's a way to redirect all http://URL/PATH to the https equivalent in Apache too (though I use lighttpd, so I can't help there). Also, FluxBB's install.php (at least 1.2; haven't used 1.3) doesn't install erm... pleasantly when only https is allowed. Remember to set your Base URL to https when you do the install! Otherwise your admin panel will not work.

d) You could set up password-protected paths on your web server, but this would be overkill IMHO. Https connections only to FluxBB, and all passwords are sent and received encrypted, so there's really no need. Get your cert signed to prevent hijacking though. I would also suggest you do not send random passwords to users via e-mail, and instead only send activation links (for registration); this is the default IIRC. You could run a simple password cracker on your user database (either from the server, or on your own box after a download of the user tables); if a password is cracked, then force that account to change their password. Easier still, maybe swap the meaning of the 'censoring' option, and use it to censor passwords like 'qwerty' or '123456'. I'd guess there are already mods/extensions like this on punres. Still... if your users are using weak passwords, they'll probably continue to find ways to do this even with your help.


Got this feedback so far.
Will take it from there; need to do a lot of reading.

Re: Confidential Forum Discussion Boards

It's just a matter of creating a new forum category, creating a new user group and then only giving that group permission to view/post in that new forum.

4 (edited by KeyDog 2009-01-31 13:36)

Re: Confidential Forum Discussion Boards

Couple of questions:

a. robots.txt
If I don't want anything crawling it at all, I should do this, right?

User-agent: *
Disallow: /forum

b. If I'm worried about someone monitoring one of the posting users' traffic (by breaking into his wireless connection, which seems to be child's play even with WEP?), does SSL solve that issue?

c. If I don't want anyone to even be able to access the forum page without FIRST entering a password and username, what should my port of call be on that subject?

d. If I send the user a password as a physical copy or by mobile text, an additional one to the username/password already in the forum by default, is that do-able? Or really overkill....

e. Should I be trying to get my own server so that I can also whitelist IPs, should I or they still be worried? At the moment I'm familiar with my shared hosting, but is that a big security risk?

f. What weak points does that leave?

Thanks


EDIT: guess I shouldn't be doing a. and instead this
http://www.thesitewizard.com/apache/pas … tory.shtml

Re: Confidential Forum Discussion Boards

TrueCrypt Forum wrote:

SSL does not only solve the insecure WLAN question; it is an absolute must when wanting to access something over untrusted networks (the internet is insecure). When correctly used it will bolt out any man in the middle.

Depending on your requirements you must choose if you want to use an SSL certificate signed by an authority or if you prefer a self-signed SSL certificate where your users need to validate it themselves (by a given hash over a pre-secured channel).

Keeping the forum private and password protected is also a good idea. Robots not listening to robots.txt will only see the public part which isn't a big deal if there are only two boxes for username and password even without description.

If someone (the hoster, the user or whoever) wants to stay anonymous, you must use some anonymizer (like Tor).

This helped me quite a bit.

Re: Confidential Forum Discussion Boards

Thought I'd share these comments I got as well.


TrueCrypt Forum wrote:

If you have a small number of users, I'd consider client certificates. This way, you can configure your web server's SSL port to only give access to those users with those certificates. No cert on the authorized list? No access, period. A would-be intruder won't even be able to touch any file past the web server, much less try guessing passwords.

This is independent of the forum's authorization, so you can have users use the normal username/password authentication.

TrueCrypt Forum wrote:

My suggestion is you get hold of GnuPG and learn how to use it.

Even if your site is hacked and copied, or someone breaks in and physically steals the server, the data is still secured.

SSL, username and password are good for stopping drive-by attempts at your site or snooping of your connection as you use it, but ultimately, your comms should be encrypted using something much stronger.

Have you considered using a VPN? You can use stronger authentication/encryption for the link itself, and this cuts out any possible spoofing. SSL does NOT guarantee that you are talking to your server directly. VPN will also secure comms from your client, across WiFi and the internet, so there are no snooping issues.

This will enable you to have the convenience of the forum format, with all the security you could want.
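As an added example (not from any post in this thread, and not FluxBB's or thesitewizard's own configuration), here is an Apache httpd configuration that combines the advice above: plain HTTP is redirected to HTTPS, a client certificate issued by a CA you control is required before anything is served, and an HTTP Basic password protects the forum directory on top of the forum's own username/password login. The hostname, file paths and the private CA file are placeholders, and comments sit on their own lines because Apache does not allow trailing comments after a directive.

```apache
# Plain HTTP answers nothing but a permanent redirect to the HTTPS site.
<VirtualHost *:80>
    # placeholder hostname
    ServerName forum.example.com
    Redirect permanent / https://forum.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName forum.example.com
    # placeholder document root where the forum is installed
    DocumentRoot /var/www/forum

    SSLEngine on
    # Server certificate: CA-signed, or self-signed and verified by users out of band.
    SSLCertificateFile    /etc/ssl/forum/server.crt
    SSLCertificateKeyFile /etc/ssl/forum/server.key

    # Client certificates: only certs issued directly by this private CA are accepted.
    # A browser without one fails the TLS handshake and never reaches the forum files.
    SSLCACertificateFile  /etc/ssl/forum/private-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Second layer on the directory itself, so a copied client certificate alone is
    # not enough. The password file is created with htpasswd(1).
    <Directory /var/www/forum>
        AuthType Basic
        AuthName "Private forum"
        AuthUserFile /etc/apache2/forum.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```

With this in place the forum's Base URL must be the https:// address, as noted earlier in the thread, and crawlers cannot index the board regardless of robots.txt because they hold no client certificate.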