[advise] Server Security * Advice
-
I’m planning on running some non web facing systems on one of my spare Linux boxes to deal with wallets and addresses so there will be links to the network via peers and maybe some https connection going outbound.
Do any of you guys have any knowledge of securing a server or network? It’s really not my area at all so some general pointers would be great.
Thanks in advance Kris
-
Best advice: Don’t. Security is the most non-obvious thing you can do in computer science and getting it right is VERY difficult. You’re much better off going with a PaaS provider like Heroku, and you’ll save a lot of time, money, and heartache in the long run.
Second best advice: Start from zero, then build up. Stop ALL the services you can, uninstall ALL the packages you can, and lock down anything that remains using a firewall so it can’t be accessed at all. Dedicate a virtual machine to nothing but running the app, and expose only the singular service to the internet. Update the packages that are required any time a vulnerability is discovered. Keep any critical data on a separate machine (like your database) that is not connected to the internet. Encrypt any sensitive data that you store. Expose only the critical services to only the app machine. Connect the two using an encrypted connection that requires authentication and enforces authorization. Encrypt the encryption credentials on disk and require a password to decrypt them on application start. Run an intrusion detection system like Tripwire that will alert you to changes on the system that you didn’t authorize. Set up a load balancer and a database cluster and duplicate all your work to make the system redundant. Geographically distribute the redundancy to protect against natural disasters. Acquire a surplus of bandwidth to deal with traffic spikes. Cache your frequently accessed data to prevent overloads, but pay attention to your caching policies to prevent cache poisoning. Put a CDN in front of it to offload the majority of traffic. Set up monitoring services to alert you to any discrepancies or outages. Do penetration testing. Do due diligence with regards to your architecture. Document everything about your architecture and keep the documents up to date. Create a disaster recovery plan. Backup your data to offsite storage. Lay awake at night wondering if you’ve forgotten anything.
Or just go with Heroku or some other PaaS provider, and do everything I just listed by checking a few checkboxes in their web interface.
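Added example, not part of the original post: a POSIX shell check for the "stop all the services you can, expose only the singular service" step. It reads `ss -H -tln` output and lists TCP listeners bound to a non-loopback address whose port is not allowlisted; the function names, the sample socket list and the allowlisted port 22 are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag TCP listeners reachable from off-box that are not allowlisted.

# Constructed sample of `ss -H -tln` output (not captured from a real host).
sample_ss_output() {
    cat <<'EOF'
LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 128  127.0.0.1:5432    0.0.0.0:*
LISTEN 0 511  [::]:80           [::]:*
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
LISTEN 0 5    [::1]:631         [::]:*
LISTEN 0 151  *:3306            *:*
LISTEN 0 64   0.0.0.0:111       0.0.0.0:*
EOF
}

# audit_listeners PORT...
# Reads `ss -H -tln` lines on stdin; prints "port address" for every listener
# that is not loopback-only and whose port is not in the allowlist.
audit_listeners() {
    awk -v allow="$*" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    $1 == "LISTEN" {
        laddr = $4                          # Local Address:Port column
        i = match(laddr, /:[0-9]+$/)        # last colon precedes the port
        if (i == 0) next
        addr = substr(laddr, 1, i - 1)
        port = substr(laddr, i + 1)
        sub(/%.*/, "", addr)                # drop interface scope such as %lo
        if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
        if (port in ok) next                # deliberately exposed service
        print port, addr
    }' | LC_ALL=C sort -n
}

# Demo on the constructed sample; on a real host: ss -H -tln | audit_listeners 22
sample_ss_output | audit_listeners 22
```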
-
I’m guessing with my lazy disposition PaaS is going to be the way forward.
Thanks for the great advice.
Do you think having wallets etc on external servers this way is safe? From the huge list of security they offer this question may be self answering!
-
Hi Kris,
You asked a valuable question and I hope Kevlar’s answers were of use to you.
However, as this question was not directly related to the Technical Development of Feathercoin, I am moving it to the General Support board.
The Technical Development board has a very specific focus on Technical developments of the coin itself, and as such is very heavily moderated. Please feel free to pose questions such as the one you raised in the General Support forums in future, where you will get the same level of help, but in a more appropriate location.
Thanks again.
Kindest regards,
Stefan
-
I understand your point but it’s a shame.
As I am actually about to develop something related to this coin my first point of call was what specific security measures I would need to take when doing this.
I thought this post would be very useful as a foundation for anyone undertaking development in this area as security when dealing with what is essentially a financial system is paramount and to overlook this when doing any development no matter how trivial would be a mistake. I am happy for this to remain outside of the Technical Development section.
But I had thought others like myself who do not currently develop for the financial sector would find this information very important.
(It has certainly made me evaluate my entire platform choice)
-
[quote name=“kris_davison” post=“30772” timestamp=“1381320987”]
I understand your point but it’s a shame. As I am actually about to develop something related to this coin my first point of call was what specific security measures I would need to take when doing this.
I thought this post would be very useful as a foundation for anyone undertaking development in this area as security when dealing with what is essentially a financial system is paramount and to overlook this when doing any development no matter how trivial would be a mistake. I am happy for this to remain outside of the Technical Development section.
But I had thought others like myself who do not currently develop for the financial sector would find this information very important.
(It has certainly made me evaluate my entire platform choice)
[/quote]
Kris, you make a good point. We were considering calling the board Feathercoin Technical Development for the avoidance of doubt so perhaps we should have made it a bit clearer.
However it sounds like what would be helpful is if the information contained in your post was made available to other developers both internal and 3rd party. In fact this would work quite well with our [url=http://forum.feathercoin.com/index.php/topic,3944.0.html]Developer Relations Role[/url] which has already had at least one very good applicant. Let me make a note of it and perhaps we can find a better home for topics like this.
And thank you for getting involved, let me know if there’s anything we can do to help, for example featuring any of your work in the Weekly Newsletter.
-
Yes that’s a good idea maybe making just Kevlar’s post as a guide to development platform security.
I would certainly be very happy to get anything I produce featured but I fear this may be some way off.
cheers Kris