

Tell HN: Simple Security tips - jacquesm

Simple things that you can do to increase your security without overhauling your whole system.
======
jacquesm
Drop signatures from servers and packages used to build your applications.

The reason is that there are malicious crawlers that build up databases of
version numbers and packages; then, if a package exploit is announced, you'll be
visited very quickly by some joker trying to subvert your code.

There are those who do it 'blind', but by giving them an exact target you make
it easier for them.

For instance, PHP puts a signature header into Apache's headers by default, and
so does Apache.

Most frameworks contain a default backlink to the maker of the framework at
the bottom of the templates, and so on.

Removing these isn't going to make the vulnerabilities go away, but it might
give you a little bit more time to plug the hole if one is found without being
compromised.

------
alexbc
Quite easily done is moving ssh to a non-standard port. Similarly, force it to
use public key only authentication and/or only allow specific users/groups to
login. Furthermore, fail2ban or similar systems help prevent brute force
attacks on ssh.

You can also use something like pound, which is surprisingly easy to
configure, in front of your main webserver and let it sanitise everything as
it comes in.

I would recommend having a firewall which allows only the bare minimum
required, i.e. http(s) and ssh; anything else you can set up to port forward
through ssh without too much of an issue.

~~~
timanglade
While we're on the subject of SSH, you should also cut off password
authentication over it. Just require the use of public-private key pairs
instead.

------
blender
- denyhosts

- +1 Drop signatures from servers and packages used to build your
applications

- run nmap against your own system to make sure you haven't left any
unnecessary ports open

- run nikto against your own system and remediate

Cheers

------
timanglade
I try to keep a watchful eye on the 404s reported by nginx and the 500s
generated by the rest of my stack. Gives you an idea of which exploits people
are trying to use against you. And how frequent or big of a target you are to
them.

------
philfreo
Stopping SQL injections is obvious, but a lot fewer people remember to stop
CSRF attacks, which can be solved pretty simply with one-time use tokens on
forms.
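
As an added illustration of the one-time form token philfreo describes (example code written for this thread, not from any poster or project): the token is minted per form rendering, kept in the server-side session rather than the cookie, compared in constant time on submit, and discarded once accepted so a replay is refused. The in-memory `Session` dict and the `handle_post` handler are constructed stand-ins for a real framework's session and view.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed stand-in for the server-side session a framework binds to the
# user's session cookie. Tokens live here, never in the cookie itself.
Session = Dict[str, Dict[str, str]]
TOKEN_BUCKET = "csrf_tokens"

def issue_csrf_token(session: Session, form_id: str) -> str:
    """Mint an unguessable token for one rendering of `form_id` and remember it."""
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    session.setdefault(TOKEN_BUCKET, {})[form_id] = token
    return token

def render_form(session: Session, form_id: str, action: str) -> str:
    """Embed the token as a hidden field; a cross-site page cannot read it."""
    token = issue_csrf_token(session, form_id)
    return (f'<form method="post" action="{action}">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input type="submit"></form>')

def consume_csrf_token(session: Session, form_id: str, submitted: Optional[str]) -> bool:
    """Accept the token once: compare in constant time, then discard it."""
    expected = session.get(TOKEN_BUCKET, {}).get(form_id)
    if expected is None or not submitted:
        return False
    if not hmac.compare_digest(expected.encode(), submitted.encode()):
        return False                       # wrong token: leave the real one in place
    del session[TOKEN_BUCKET][form_id]     # one-time use: a replay is refused
    return True

def handle_post(session: Session, form_id: str, fields: Dict[str, str]) -> int:
    """Hypothetical request handler: 403 unless the submitted token is valid."""
    if not consume_csrf_token(session, form_id, fields.get("csrf_token")):
        return 403
    # ... perform the state-changing action here ...
    return 200

if __name__ == "__main__":
    session: Session = {}
    html = render_form(session, "transfer", "/transfer")
    token = html.split('value="')[1].split('"')[0]   # what the user's browser posts back
    print(handle_post(session, "transfer", {"csrf_token": token}))   # 200: genuine submit
    print(handle_post(session, "transfer", {"csrf_token": token}))   # 403: replayed token
    render_form(session, "transfer", "/transfer")
    print(handle_post(session, "transfer", {}))                      # 403: forged cross-site POST
```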

