POLL: How do you handle the security aspect for your private website/server?

For customer jobs, I always make sure to maintain a balance between security and user-friendliness. The main criterion was that visitors with outdated browsers should not be put off and that access to the content should be available to everyone. That’s why I’ve always strived for a healthy SSL Labs rating.

In contrast to my private servers/websites: Here I go uncompromisingly for maximum security - regardless of losses. I’m not satisfied with anything less than an A+ rating.

Of course, I’m aware that this is a fine line between resource-hungry and accessibility. That’s why I’m keen to learn your opinions! To keep the survey simple, we should look at private websites only, as official/government sites have to follow different (and stricter) rules.

How do you handle the security aspect for your private server(s)?

  • I always aim for maximum security, usability comes after
  • I keep the balance between security and usability
  • I always aim for maximum usability, security comes after
0 voters

Security first for me.

1 Like

Security and Stability - A friendly UX should still be possible (my customers consider my policies to be part of a good UX). Why can’t an experience be friendly when focusing on security and stability?

2 Likes

I have a pfSense router between the web server and the internet, and this is configured for security by the use of:

  • DNSBL and IP block lists.
  • Snort
  • probably some other stuff :slight_smile:

I am learning about running a web server and what that entails for security. But my Virtualmin setup, where possible, is rigged for security, such as no plain-text password storage.

Security first always.

Security 1st ALWAYS
Otherwise it’s like having the door of your house open to everyone.
Would you want anyone to sit in your living room? To sleep in your bed? Should he eat your food that you prepared?
Virtualmin is set up like this from the beginning which gives you several security features.
The simpler a system, the safer.

And still, you can try the CSF firewall. It’s amazing.
Lynis - Security auditing tool also shows you what you can do to resolve all security gaps.
In the end, after you have secured the server well, you can then start removing what prevents the apps from working properly.
And, always be careful!

Security always 1st.
Websites are just fodder for the wide variety of net users - who cares who they are and what they want on a site. They can come, go and pass through. If they cannot interact, that is their problem. I only care about accessibility if they are the target audience.

It depends on what you mean. :slight_smile:

ANY public-facing email server, for example, MUST accept lower / outdated connection protocols if it wants to receive email from a wide variety of sources. That’s a requirement of the email RFCs.

If we want to claim we “always go for maximum security”… really MAXIMUM? If so, then we need to accept:

  • Auto-logout of all workstations within 60 seconds of going idle, to ensure nobody can jump in when I am not looking.
  • Invest in 24/7 continuous human monitoring of all log files, NEVER accepting an unknown log file line.
  • Very frequent physical security audits, both interior and exterior. You know exactly what is attached to every electrical outlet, every network port, etc. You have scanned every inside surface to ensure no bugs.
  • And more.

There is a reason the real InfoSec experts can guarantee the ability to break in without being discovered. It’s incredibly hard to protect information assets perfectly. (My friends in that business measure on the basis of how long it took, not whether they succeeded. ;))

Bottom line: it’s always a tradeoff, unless you have unlimited time and resources.

2 Likes

Thought I was clear on the subject:

It always depends on what you are aiming to protect, and what the threat scenario is.

If only you use a service, you should put it behind a VPN, as “securing” your own tools (let’s say GitLab, for example) and so on is useless if you can just put it behind a VPN.

Most websites these days set this Google captcha terror to the maximum setting for no reason whatsoever, which just decreases the usability of the site.

SSL Labs is a good start but only the very tip of the iceberg. If you run a WordPress with 20.000 weird plugins that are exploitable from the internet, a good SSL Labs score doesn’t help you much.

SSL in general assumes you have a MITM attack, which is more of a government thing. If you are up against a government, that game has been lost about 10-15 years ago, and you might just use a less restrictive SSL configuration so “everyone” of your users can use it, also those with Windows 2000-something.

“resource-hungry”

Human resource or CPU? Personally I’m not a big fan of stuff like WAFs - just use well-written open source code. That’s much more secure than putting a WAF in front of some forum or WordPress.

Honestly, just deal with it. Is your data really that worth protecting? Or is security just a hobby? If it’s just a hobby, enjoy it, but don’t take it too seriously. There is no (real world) downside to being hacked. So your server will send out emails to ask people to install spyware or buy bitcoin from Elon Musk or whatever. That’s ok. Deal with it :wink:

The only thing you really have to do to stay secure enough to pretty much never have problems is:

  • install stable software
  • use only open source software
  • don’t use all this Microsoft nonsense
  • always ALWAYS patch your software right away
  • on your servers, don’t expose ports to the public that don’t need to be exposed (no 0.0.0.0:3306; make that listen on 127.0.0.1)

99.9% of “hacks” exploit well-known CVEs with completely automated scanning of the internet, or fully automated malware campaigns with emails. 0.1% of hacks are targeted, and the rest is government-wise, which you can’t do anything against anyway.

Use reasonable security (the list I wrote above) and just forget about it, and if something happens just relax and fix it.
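The “don’t expose ports that don’t need to be public” item from the list above is easy to check mechanically. The script below is an added example, not code from the post or from Virtualmin: it parses `ss -Hltn` output (Linux, iproute2) and reports any TCP listener bound to a wildcard address whose port is not on an assumed allowlist of ports that legitimately face the internet on a web host. The sample `ss` lines are constructed so the check runs offline.

```python
"""Flag services listening on 0.0.0.0 / [::] that should be on 127.0.0.1."""
import subprocess
from typing import List, Set, Tuple

# Assumption: on a plain web host only SSH, HTTP and HTTPS need to be public.
PUBLIC_ALLOWLIST: Set[int] = {22, 80, 443}

# Local addresses ss prints for "all interfaces" binds.
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample of `ss -Hltn` output (State Recv-Q Send-Q Local Peer).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 70 0.0.0.0:3306 0.0.0.0:*
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:*
LISTEN 0 128 [::1]:25 [::]:*
"""


def parse_local(addr: str) -> Tuple[str, int]:
    """Split an ss local address such as '[::]:443' or '0.0.0.0:22' into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)


def exposed_listeners(ss_output: str, allow: Set[int] = PUBLIC_ALLOWLIST) -> List[Tuple[str, int]]:
    """Return (host, port) pairs bound to a wildcard address but not on the allowlist."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip blank or unexpected lines
        host, port = parse_local(fields[3])
        if host in WILDCARDS and port not in allow:
            findings.append((host, port))
    return findings


def audit_live_host(allow: Set[int] = PUBLIC_ALLOWLIST) -> List[Tuple[str, int]]:
    """Run ss on this machine (Linux only) and audit its real listeners."""
    out = subprocess.run(["ss", "-Hltn"], capture_output=True, text=True, check=True).stdout
    return exposed_listeners(out, allow)


if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"port {port} listens on {host}: bind it to 127.0.0.1 or firewall it")
```

In the sample, only MySQL on 3306 is reported; the Redis and SMTP listeners are already bound to loopback and pass.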

Appreciate if you could quote the source.

A few real world downsides to being hacked:

  • You run an email server? You are now blacklisted for a long long time, unable to send email.
  • Your server is on shared hosting? You now have a number of other hosted admins mad at you, and the hosting provider as well.
  • You pay for your packet data? You are now part of a DDoS botnet, and paying through the nose for the hacker’s “fun”.
    :cowboy_hat_face:

PS: how long did it take you to take care of Heartbleed? I love OSS, but that one bug lasted a lot longer than many were comfortable with… and was embedded in firmware worldwide. :wink: