

Ask HN: How do you keep your servers/sites safe from hackers? - cdvonstinkpot

Hi,<p>This week I expect to receive delivery of a server with which I'll be building a prototype of an OpenStack server whose purpose will be to rent VPS instances to the public. I haven't yet figured out how, but somehow there will be a public facing customer portal providing management access to the rented server instances, and I'm interested in making the security which protects this management panel strong enough to be a selling point when I go live.<p>I'm a little concerned that by making it a selling point I may be inadvertantly inviting hackers to come attack my site, but its a chance I'm willing to take.<p>I haven't figured out how OpenStack handles its customer portal yet, but I imagine however it works, it would help to protect it by placing it behind my own customer login system of some sort. I don't know how to code, so I'd have to figure out how to write something to implement this sort of thing- maybe I could crowdsource its development, but even then I would need to know enough about how it would need to be designed so that it would be secure from hackers.<p>All I know about hacker-proofing is that there's an app that exists called fail2ban that locks out repeated ssh login attempts. I don't know if it could be adapted to work for a site somehow.<p>How would HN readers make hacker safety a selling point in this case?<p>Many thanks in advance.<p>-c
======
t0
There are a lot of misconceptions about hacking. If someone were to target
your site and try to "hack" it, they'd simply be checking for vulnerabilities.
A few simple steps can secure you from 99% of them. For example, securing
inputs. Any time data is sent to your site, check it for injection attacks or
password guessing.

>I don't know how to code

That might be an issue. But, a management console isn't too complex. You just
need to offer the ability to turn off, turn on, reboot, and a couple of other
functions. I personally use <http://www.proxmox.com/proxmox-ve> that has an
API you can perform most server operations with a line of code.

~~~
tptacek
Would that it were so that simply checking inputs would eliminate 99% of
vulnerabilities; the diversity of different "checks" you need for every input
reduces that suggestion to the moral equivalent of "just program better".

------
mike-cardwell
Work under the assumption that it will be hacked, and try to minimise the
damage that will occur when it does.

Hashing/salting passwords is a commonly used example of doing this.

------
cdvonstinkpot
I was thinking to use Yubikey MFA, and _not_ to make there be a link to bypass
it if you don't have your key with you, so that no one can brute force
anything ever.

