Securing a forum -- Need Assistance

dash-crypto
#1

Greetings fellas. I’m running a forum using Cloudflare premium. On our first attempt at the forum we used apache2, which we believed leaked our back-end server due to the way it talks with CF. We’ve now switched to NGINX and believe it’s configured properly. Doing a simple IoT search using censys.io, our back end appears. Now, I’m almost absolutely sure we’ve configured everything properly w/ our VPS provider, registrar & CF.

Can anyone offer any guidance in resolving this issue? We plan to switch the IP address of our server, hoping that will stop it from being exposed. What stops it from showing up on an IoT search once again? In the past with other hosting providers I’ve never had any issues with our back end being visible to the public internet. Any assistance in this matter would be greatly appreciated.

Notes: Our website is running an official copy of Invision Power Board 4.4.
Nginx version : 1.14.0
PHP : 7.2.17

Cheers!

#2

Correction: We’re using the free version of CF but plan to upgrade to pro*

1 Like
#3

Try using either iptables, or your VPS’s own firewall to block all connections that aren’t Cloudflare-owned IPs. If you use something like nginx to limit who can connect to your server, your SSL certificate might still leak, exposing the hostname for the IP. I also have this if you use AWS, GCP, or DigitalOcean:


Finally, upgrading to Cloudflare Pro and enabling the WAF is generally all you need to do. Of course, you should keep your forum software and nginx up to date in case there are security exploits that CF doesn’t know about yet.

2 Likes
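
The firewall allowlist suggested in the reply above, as an added example that is not part of the original posts: a script that validates a list of CIDR ranges and prints the matching iptables rules for review instead of applying them. The function names, the INPUT chain, ports 80/443 and IPv4-only scope are assumptions, and the embedded ranges are constructed placeholders to be replaced with the list Cloudflare publishes at https://www.cloudflare.com/ips-v4.

```shell
#!/bin/sh
# Added example: print (not apply) iptables rules that admit web traffic only
# from an allowlist of CIDRs, for review before loading on the origin server.

# Constructed sample input: RFC 5737 documentation ranges plus two bad lines.
# Replace with the current list from https://www.cloudflare.com/ips-v4
SAMPLE_RANGES='# constructed placeholder ranges, not Cloudflare addresses
192.0.2.0/24
198.51.100.0/24   # trailing comment
not-a-cidr
203.0.113.0/33'

OCTET='(25[0-5]|2[0-4][0-9]|1?[0-9]?[0-9])'

# is_ipv4_cidr CIDR: succeed only for a well-formed a.b.c.d/0-32 string.
is_ipv4_cidr() {
    printf '%s\n' "$1" |
        grep -Eq "^($OCTET\.){3}$OCTET/(3[0-2]|[12]?[0-9])\$"
}

# emit_rules: read CIDRs on stdin, write iptables commands to stdout.
# Invalid lines are reported on stderr and skipped. Returns 1 without
# printing the final DROP when no valid range was seen, so an empty or
# corrupted list cannot produce a ruleset that blocks every visitor.
emit_rules() {
    count=0
    while IFS= read -r line; do
        cidr=${line%%#*}                              # strip comments
        cidr=$(printf '%s' "$cidr" | tr -d ' \t\r')   # strip whitespace
        [ -n "$cidr" ] || continue
        if is_ipv4_cidr "$cidr"; then
            printf 'iptables -A INPUT -p tcp -s %s -m multiport --dports 80,443 -j ACCEPT\n' "$cidr"
            count=$((count + 1))
        else
            printf 'skipped invalid range: %s\n' "$cidr" >&2
        fi
    done
    [ "$count" -gt 0 ] || return 1
    # Everything else reaching the web ports is dropped, which also stops
    # scanners from collecting the TLS certificate straight from the IP.
    printf 'iptables -A INPUT -p tcp -m multiport --dports 80,443 -j DROP\n'
}

# Stand-alone run: show the rules generated from the constructed sample.
printf '%s\n' "$SAMPLE_RANGES" | emit_rules
```

Only ports 80 and 443 are touched, so SSH access is unaffected; IPv6 needs the same treatment with ip6tables and the list at https://www.cloudflare.com/ips-v6.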
#4

Thank you very much for your swift response, greatly appreciated. Do you happen to offer 1 on 1 tech support on such things? We want to make sure we have our ducks in a row especially when it comes to the above mentioned. Cheers.