Security Audit
Security is not a product; it is a state of mind. Just because your software has a reputation for being secure does not make it secure. You and your users can be attacked by crackers, script kiddies, spammers, and thieves. You must have a pro-active approach towards defense!
No system is perfectly secure. You must constantly work to improve security. The more users and the more important your data is, the more effort attackers will spend to harm you. On the other hand, the more security you add, the more difficult the system becomes to use. For example, if you make your firewall too secure, you might lock yourself out.
Security is extremely important for IRCNow's reputation. Here are some possible disasters when you don't secure your servers:
- All our servers could be DDoSed offline
- Customer emails, passwords, credit card info, private chats, and files are stolen
- Your personal IP and name are leaked on the Internet
- Your website is vandalized or loaded with illegal files for filesharing
- Your server is used for phishing, DDoS attacks, or shell injection attacks?
- A rootkit? is planted in your server and backdoors? are placed in your source code
Attack Types
- Phishing: An attacker does not have to use advanced high-tech hacking skills. It's much easier for him to lie to you or pretend to be someone you trust. He can use a fake nick or use a fake email to impersonate one of our teammates. This is called phishing.
- Denial of Service?: An attacker can cause your systems to fail and deny service. This doesn't require as much work as exploiting bugs or vulnerabilities in code.
- Spamming?: An attacker can spam your network, it is similar to a denial of service.
- 0days?: An attacker may exploit 0days
- Rootkits?: Planting rootkits
System Vulnerabilities
- Are your public services secure??
- If the software is not secure, have you taken basic mitigation steps? For example, you can set up a chroot or consider pledge? and unveil?
- Are your public services properly configured?
- Do you have a firewall enabled to block private services?
- Can an intruder read files, write to files, or execute files he is not supposed to?
- Can they read databases? they should not have access to?
- Can they steal your password or ssh keys??
- Are your web apps secure??
- Do you have proper logging? An intrusion detection system? in place?
- Who can you trust??
Default Deny
The best security policy is to deny everything except what you expressly permit?.
Improving Personal Security
If your personal security is bad, an attacker could use your PC to steal your passwords and ssh keys to log in to your server. To make sure your own personal computer is safe:
- Upgrade to the latest version of your operating system
- If you are using Mac or Windows, please consider switching to OpenBSD or Linux
- Never download warez or any untrustworthy files
- Use TLS and try verifying the signatures of software that you download
- Use good passwords
- Use SSH keys
Isolate Hosts
If you have hundreds or thousands of computers you manage on a network, it's impossible to secure them all, so try to isolate each one to prevent one compromised system from affecting another.
Reduce Attack Surface
You can make it harder for an attacker to compromise your system by reducing the attack surface. For a public server, this means reducing the amount of public services that users can connect to from the Internet.
Attackers Aren't Stupid
Simple "fixes" like changing the port number for SSH is not going to stop attackers.
One type of security that must be discussed is "security through obscurity". This means, for example, moving a service that has known security vulnerabilities to a non-standard port in hopes that attackers won't notice it's there and thus won't exploit it. Rest assured that they can determine that it's there and will exploit it. Security through obscurity is no security at all. Simply because you may have a small site, or a relatively low profile, does not mean an intruder won't be interested in what you have. We'll discuss what you're protecting in the next sections.