

Protecting your startups server from attacks - jitbit
http://blog.jitbit.com/2011/03/protecting-your-startups-server-from.html

======
Udo
The solution to the password/username problems in the Unix-like world would be
to use SSH with password login disabled, just using keys. Attackers can still
brute force a key, but it's a pretty unlikely scenario. If you've got SSH,
then you won't need FTP or any other admin ports open. Even more secure would
be to VPN directly into the data center and access your servers over the
internal network only - though that's probably overkill for most purposes.

I wouldn't put too much trust into obfuscation techniques such as using
non-standard port names and URLs.

Backups are of course deadly important. There are a million things that can
kill or corrupt your servers. Most of the time, you don't really need to use
an online service for that. Another machine somewhere in the world capable of
cron, SSH and rsync will almost always do the trick.

It is also a good idea to establish mechanisms that enable the servers to
alert you of strange things going on. For example, you can set up the system
to message you every time a remote login takes place. If it's you, you can
discard the notification. If it's not you, you know instantly that you've got
a problem.
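
One way to check the key-only SSH policy described above, as an added example that is not from the thread or the blog post: a POSIX sh audit of `sshd_config` that applies sshd's rule that the first value set for a keyword wins, run over two constructed sample files. The keyword names are real `sshd_config` options; the baseline list, file contents and function names are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): audit an sshd_config against the
# key-only policy described above. sshd honours the FIRST value set for a
# keyword and ignores later duplicates, so the audit must do the same.
# Match blocks are not handled; the checks cover the global section only.

# Effective value of keyword $2 in config $1 (keyword case-insensitive).
sshd_effective() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF == 0 { next }           # skip comments and blanks
    tolower($1) == key { print tolower($2); exit } # first match wins
  ' "$1"
}

# Compare $1 with a hardened baseline (assumed here); print one
# "KEY wanted got" line per deviation. Unset keywords count as deviations:
# rely on explicit settings, not on compiled-in defaults.
# Returns 0 only when nothing deviates.
audit_sshd_config() {
  _rc=0
  while read -r _key _want; do
    _got=$(sshd_effective "$1" "$_key")
    if [ -z "$_got" ]; then _got="(unset)"; fi
    if [ "$_got" != "$_want" ]; then
      printf '%s %s %s\n' "$_key" "$_want" "$_got"
      _rc=1
    fi
  done <<EOF
passwordauthentication no
pubkeyauthentication yes
permitrootlogin no
challengeresponseauthentication no
EOF
  return $_rc
}

# Constructed sample configs. WEAK shows the classic trap: "no" was appended
# at the end, but the earlier "yes" is what sshd actually uses.
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
printf '%s\n' 'Port 22' 'PasswordAuthentication yes' \
  '#PermitRootLogin no' 'PasswordAuthentication no' >"$WEAK_CONF"
printf '%s\n' 'Port 22' 'PubkeyAuthentication yes' 'PasswordAuthentication no' \
  'ChallengeResponseAuthentication no' 'PermitRootLogin no' >"$HARD_CONF"

audit_sshd_config "$WEAK_CONF" || echo "weak config: deviations listed above"
audit_sshd_config "$HARD_CONF" && echo "hardened config: OK"
```

Run it against a real `/etc/ssh/sshd_config` by calling `audit_sshd_config /etc/ssh/sshd_config`; `sshd -T` prints the effective configuration if you want to cross-check the result.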

------
asharp
I think point 7 needs a slight bit of expansion. -> Don't allow anything
sensitive to be accessed from the outside world.

Creating a VPN takes seconds and provides a very strong wall between everybody
who isn't you and your vulnerable services (i.e. SQL server/etc.)

