VisiChat Security Best Practices
Posted by VisiChat Hosting on 17 February 2015 11:56 AM

Rename the Admin folder

To make a potential attacker's job harder, it is useful to conceal where your chat admin panel files are stored. The following instructions change both where the admin panel sits in your server's directory structure and its web address, so make sure you write down the new folder name.

Log in to your server via SSH. Use the following commands to navigate to and rename the admin folder. This guide assumes you have root-level privileges (admin access) on your server.

[$]#cd /opt/red5/webapps/videochat/
[$]#mv admin newname


Your admin panel files will now be located in newname (you can use any legal folder name you prefer), and will be reachable via yourdomain.com/chatname/newname/.


Renaming the admin folder will not break your chat.

Add .htaccess file to the Admin folder

Log in to your server via SSH.

[$]#cd /opt/red5/webapps/videochat/admin/


Note:
If you renamed your admin panel folder previously, use that new name instead of admin in the command example above.


[$]#touch .htaccess


To edit your newly created .htaccess file, use a command line text editor like nano.


[$]#nano .htaccess


Alternatively, you can edit an .htaccess file on your computer, save it and upload it to your server via an FTP client. Use whichever way you are most comfortable with.


Here are some useful options you can add to your .htaccess file.


Prevent directory listing of folders which lack index pages:

Options -Indexes

Password lock the Admin directory

Log in to your server via SSH, as before. Password locking a web directory is accomplished with a combination of the .htaccess file created previously and a .htpasswd file. .htaccess will contain the options that enable authentication for the directory, whilst .htpasswd will store the usernames and passwords of authorised individuals.


First navigate to your admin folder:

[$]#cd /opt/red5/webapps/videochat/admin


Create the .htpasswd file:

[$]#htpasswd -c .htpasswd exampleuser


Where exampleuser is the username of the person you want to authorise to access the directory. After you enter the above command, you will be asked for a password for the user and to retype it to confirm it. The username and password combination will then be stored in the .htpasswd file. You can repeat this step for as many users as needed, but generally only the chat admin or admins should need to use the admin panel.


Now we need to set up a few things in the .htaccess file, so open it in a text editor like nano:

[$]#nano .htaccess


Add the following lines:

AuthName "Admin Panel"
AuthType Basic
AuthUserFile {PATH to .htpasswd}.htpasswd 
Require valid-user


Replace {PATH to .htpasswd} with a full path to the directory which contains .htpasswd; you can get a full directory path printed for the working directory using the following command:

[$]#pwd


In our case this is /opt/red5/webapps/videochat/admin/, so that's what we put in the field.


AuthUserFile /opt/red5/webapps/videochat/admin/.htpasswd


AuthName is a label identifying what part of the site is being accessed. Since we are password protecting the admin folder, that's what we put down. Hence "Admin Panel" in the example.

Save and exit the .htaccess file. You can now verify that the authentication prompt appears by trying to access the admin folder via your browser.
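The steps above (Options -Indexes, .htpasswd, AuthUserFile with an absolute path) collected into a script, as an added example that is not VisiChat's own tooling. The function names are assumptions for this example, and Apache must already honour .htaccess in the admin folder (AllowOverride); the one pitfall it guards against is a relative AuthUserFile path, which Apache will not resolve.

```sh
#!/bin/sh
# Added example, not VisiChat's own code. Writes the .htaccess described above,
# filling AuthUserFile with the folder's absolute path (what pwd prints) and
# refusing to run if no .htpasswd exists there yet.

# write_admin_htaccess DIR
# Protects DIR with Basic auth against DIR/.htpasswd and disables directory
# listings. Returns 1 if DIR/.htpasswd is missing (create it with htpasswd -c).
write_admin_htaccess() {
    dir=$(cd "$1" && pwd) || return 1       # absolute path, never relative
    if [ ! -f "$dir/.htpasswd" ]; then
        echo "no .htpasswd in $dir; run: htpasswd -c $dir/.htpasswd <user>" >&2
        return 1
    fi
    cat > "$dir/.htaccess" <<EOF
Options -Indexes
AuthName "Admin Panel"
AuthType Basic
AuthUserFile $dir/.htpasswd
Require valid-user
EOF
}

# verify_admin_htaccess DIR
# Sanity check before testing in the browser: AuthUserFile must be absolute and
# point at an existing file, and the file must still require a valid user.
verify_admin_htaccess() {
    f="$1/.htaccess"
    userfile=$(sed -n 's/^AuthUserFile //p' "$f")
    case "$userfile" in /*) ;; *) return 1 ;; esac   # relative paths do not work
    [ -f "$userfile" ] || return 1
    grep -q '^Require valid-user$' "$f" || return 1
    grep -q '^Options -Indexes$' "$f"
}

# On the server from this guide (use your renamed folder if you renamed it):
# write_admin_htaccess /opt/red5/webapps/videochat/admin \
#   && verify_admin_htaccess /opt/red5/webapps/videochat/admin
```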

Install, turn on and configure a firewall

On a Windows Server, Windows Firewall is available by default and is free. There's no reason not to have it enabled. It can be configured via the graphical control panel. If it is off, and you don't have an alternative or a hardware firewall between your server and the internet, turn Windows Firewall on.


In general we recommend closing down all unused ports and only opening the ones your chat really needs. This significantly reduces risk to your web application and server.

Under Linux/Unix, we recommend you install the free CSF Firewall solution. The remainder of this section will deal with how to do that under CentOS, how to configure the CSF Firewall and priority ports to close first.

Getting and running the CSF Firewall install script is not difficult; please see the official install guide and return here once your CSF Firewall is up and running.

Installing CSF Firewall


CSF configuration can be accomplished through the SSH command line or WHM graphical management tool. WHM may not be available on all hosts, so we discuss the SSH way here.


To change settings for CSF edit csf.conf:

[$]#nano /etc/csf/csf.conf


To allow outgoing communication on a TCP port, add it to the TCP_OUT list:

TCP_OUT = "80,110,113"


Separate multiple port entries with a comma(,). To allow incoming communication on a TCP port, add it to the TCP_IN list:

TCP_IN = "80,110,113"


Again, multiple ports are separated by a comma(,).


Similar lists are available for UDP ports as well: UDP_IN and UDP_OUT; they are configured in exactly the same way. To block (close) a firewall port, just delete it from the relevant list.


When you are finished editing csf.conf, restart the CSF Firewall.

[$]#csf -r

Important firewall ports to close

  • Red5 HTTP port - TCP 5080 - should be closed if not used; remove it from TCP_IN and TCP_OUT in csf.conf if present to block it.
  • MySQL port - TCP 3306 - should be removed from TCP_IN and TCP_OUT in csf.conf to prevent external access to your chat's database.


Restart CSF Firewall afterwards for the changes to take effect:

[$]#csf -r
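Editing the port lists by hand works, but a search-and-replace on "3306" can also clip a different entry such as 33060. The following script, an added example that is not part of CSF or VisiChat (function names are assumptions), removes a port from a csf.conf list entry by entry and then closes the two ports singled out above.

```sh
#!/bin/sh
# Added example, not CSF's or VisiChat's own code. Removes a single port from a
# comma-separated list in csf.conf (TCP_IN, TCP_OUT, UDP_IN, UDP_OUT) without
# touching other entries, including port ranges such as 30000:35000.

# csf_drop_port FILE LIST PORT
# Removes PORT from LIST in FILE, prints the resulting list, returns 1 if LIST
# is not present in FILE.
csf_drop_port() {
    file=$1 list=$2 port=$3
    grep -q "^$list = \"" "$file" || return 1
    tmp="$file.tmp.$$"
    awk -v list="$list" -v port="$port" '
        $1 == list && $2 == "=" {
            val = $3; gsub(/"/, "", val)            # strip the quotes
            n = split(val, parts, ",")              # one entry per element
            out = ""
            for (i = 1; i <= n; i++) {
                if (parts[i] == port || parts[i] == "") continue
                out = (out == "") ? parts[i] : out "," parts[i]
            }
            print list " = \"" out "\""
            next
        }
        { print }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
    sed -n "s/^$list = \"\(.*\)\"$/\1/p" "$file"
}

# csf_close_chat_ports FILE
# Closes Red5 HTTP (5080) and MySQL (3306) inbound and outbound, as the guide
# recommends. Follow with "csf -r" on a real server.
csf_close_chat_ports() {
    for p in 5080 3306; do
        for l in TCP_IN TCP_OUT; do
            csf_drop_port "$1" "$l" "$p" > /dev/null || return 1
        done
    done
}

# On a real server: csf_close_chat_ports /etc/csf/csf.conf && csf -r
```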

Set firewall flood protection for open ports


To guard against DDoS attacks and to limit connections per client, it is important to configure the PORTFLOOD and CONNLIMIT variables in csf.conf to suit the needs of your chat and the kind of traffic it gets. This is more of an art than a science, but a good explanation and sample settings for you to experiment with are given in the official configuration guide for CSF.

Please see ConfigServer Security & Firewall; 16. Flood Port Protection.

Use Strong Passwords


You must set a password wherever appropriate. Having open access to your chat or its vital underlying parts is asking for trouble on the Internet!


Picking a good password is a balancing act between something that is convenient and something that is effective at preventing unauthorised access. Above all else, you must avoid taking the easy route. A short, one-word password that is easy to guess, easy to link to you or found in a dictionary is convenient but very easy for an attacker to break. True, using some password is better than having none, but it won't do you much good in the long run. We will explain why this is the case after providing you with a few examples:

Bad password: password
Even poorer password: chat
Terrible password: Bill
Worst password: ppppp


The first example is reasonably long yet obvious - almost anyone would try it as one of their first guesses. It is a dictionary word which can be found using an automated trial-and-error approach within a reasonable time frame. The word itself uses only lower case characters, drastically reducing the number of letter combinations a brute force attack would need to try. Definitely not something we would recommend!


Why is the second option even worse? Well, it is shorter for one, and still effortless to guess - if you are running a chat, an attacker will always try this word and obvious combinations built around it. It is also a dictionary word which appears earlier in alphabetical dictionary order, making it quicker to find. And as mentioned above, using only lower case characters may be convenient to type, but offers the poorest protection.


Why is Bill the poorer password still? It is a common name, it's short and it comes early in alphabetical order (in a dictionary of names or a standard dictionary). Worse, if it happens to be the name of the chat administrator, of a friend or of an active community member, it will be very simple to guess. You should never base a vital password on easily identifiable personal details.


Lastly, you should resist the urge to simply repeat a single lower case character - it's the easiest combination to take apart automatically.


Now let's look at how Visichat handles passwords and what you can do to keep a potential attacker at bay.


Visichat requires you to set an admin panel password that is at least 8 characters long. All alphanumeric characters, including capital letters, and some special characters are allowed. A password cannot begin with a space or another non-printable character. A good mix of characters of varied case in a word or phrase of 8 letters or longer is the way to go. Unattractive as it may sound, such a combination can still have meaning and doesn't have to be totally random (although that's the best kind). Here are some examples:

Normal password: RedBox02
(red box - a red post box that's collected from on Tuesdays)
Better password: Rebm9e9tpeS
(September mirrored and with first and last letter capitalised, number nine inserted before and after the middle character)
Good password: D0G|\|T]-[0USEs0m3sMl
(small dog next to some house - nonsensical phrase jumbled up with letters swapped for numbers and special marks)
Long random password: <058*(dDzkjHHioe4'@!*/sd\


To summarise, a strong password is:

  • Long
  • Difficult to guess
  • Not a predictable pattern (random if possible)
  • Something that will stay in your mind and won't need to be constantly written down
  • A good mix of letters (capital and lower case), numbers and special characters to make brute force attacks computationally expensive
  • At least a bit imaginative
  • Changed frequently


Users without administrative privileges can use simpler combinations, although they are still recommended to avoid the poor options above.
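The rules above, as a checker you can run against a candidate before setting it. This is an added example rather than Visichat's own validation: it applies the length, character-mix, leading-space, repeated-character and obvious-word rules from this section and reports each one a candidate fails. The word list is a constructed stand-in for a real dictionary.

```sh
#!/bin/sh
# Added example, not Visichat's own code. Reports which of this section's
# password rules a candidate fails; the return value is the number of failures,
# so 0 means every rule checked here is satisfied.

# Constructed stand-in for a dictionary: extend with a real word list.
OBVIOUS_WORDS="password chat bill admin visichat"

# password_issues CANDIDATE -> prints the failed rules, returns their count
password_issues() {
    pw=$1
    n=0
    fail() { echo "  - $1"; n=$((n + 1)); }

    [ "${#pw}" -ge 8 ] || fail "shorter than 8 characters"
    printf '%s' "$pw" | grep -q '^[[:space:][:cntrl:]]' \
        && fail "begins with a space or non-printable character"
    printf '%s' "$pw" | grep -q '[a-z]'        || fail "no lower case letter"
    printf '%s' "$pw" | grep -q '[A-Z]'        || fail "no capital letter"
    printf '%s' "$pw" | grep -q '[0-9]'        || fail "no digit"
    printf '%s' "$pw" | grep -q '[^A-Za-z0-9]' || fail "no special character"
    # one character repeated (e.g. ppppp): POSIX BRE back-reference
    printf '%s' "$pw" | grep -q '^\(.\)\1*$' && fail "one repeated character"
    # obvious words, compared case-insensitively
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    for w in $OBVIOUS_WORDS; do
        [ "$lower" = "$w" ] && fail "is the obvious word '$w'"
    done
    return $n
}

# Example use: password_issues 'RedBox02'   (prints one failed rule, returns 1)
```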

Enable Email Activation


Go to Admin Panel->Config->Settings


Enabling email activation will request all new members to verify their email address before gaining chat access with user privileges. This is a good way to deal with spammers and bots.

[Screenshot: Visichat Registration - registration and login email activation settings]

 

Enable/disable email activation
Toggles email activation on and off.

Automatically delete users who don't activate their email in 2 days
An associated setting which makes it easier to manage new user registrations; when enabled, your database will automatically be purged of all dormant newly registered accounts that weren't verified within 2 days.

Press Submit button at the bottom of the page to update your chat config.

Will I still be able to manually activate user accounts?
Yes, as the chat administrator, you can override email activation at any time, by manually activating the new account via Users->Users.

Stop duplicate IP registrations

Go to Admin Panel->Config->Settings
[Screenshot: Visichat Duplicate IPs - registration and login setting for disabling multiple IP registrations]


Banning multiple account registration attempts from the same IP is also a good way to combat spammers and other user account abuses in your chat.

  • Allow registrations with duplicate IPs - deselect to stop a user registering multiple accounts from the same IP address.

Press Submit at the bottom of the Settings page to save changes.

Deploy spam flood controls

Go to Admin Panel->Config->Settings->Messages

Message flooding is a common technique spammers use to disrupt normal chat room operation. To address this, GChat introduced the following three message flood control settings into the Admin Panel.

[Screenshot: Visichat Flood - controlling text flooding in Visichat]

 

Flood polling time limit in seconds (0 to disable)
Time interval for flood limit checks.

Flood message limit (0 to disable)
The number of consecutive messages used to identify text flooding behaviour.

Flood gagging time in minutes
The duration for which the spammer's messaging ability will be interrupted.

Flood control will check if the flood message limit has been reached in a given polling interval and will gag the offender, thus interrupting the text flood. Admins and moderators can then clear the screen and take action against the spammer.

When you have finished setting up Flood control, press the Submit button at the end of the Settings page to save your new settings.
