4

I've just moved web hosting providers and I want a fresh, secure start. To a certain extent, I don't mind what I have to do; I'm just fed up with my account being hacked or infected. I just wondered how to be as secure as possible!

My master password is very secure and I can remember it without writing it down, but for various reasons I need to keep a record of some other secure passwords relating to the account that I cannot remember. I have these encrypted with 256-bit AES and the key to decrypt it is a file on my memory stick that I always keep with me.

I'm also going to be using SFTP, and SSL on one of my domains. Is this secure enough?

I was thinking about installing Ubuntu on a virtual machine or even an old computer. Is this overkill, or even pointless?

Rory Alsop
Andy
  • Hi Andy - I have rolled this question back to its original form for two reasons - the original version had good answers, and your newer version has already been answered on this site. See http://security.stackexchange.com/q/17471/485 or http://security.stackexchange.com/q/1992/485 or http://security.stackexchange.com/q/2107/485 or others. – Rory Alsop Jan 28 '13 at 23:00
  • It's worth pointing out that the chances of you being hacked due to password disclosure are next to zero. You are almost certainly going to be hacked either because you didn't update something (a CMS, a service), or because your site code is vulnerable (SQLi, file upload, XSS). – lynks Jan 29 '13 at 15:34
  • This is a subjective question. What you're really asking for is "How can I reduce the risk to a level that is acceptable to me?". What is your risk tolerance? – MCW Jan 29 '13 at 16:01
  • @RoryAlsop Thank you for that and the links to those other questions (which were also helpful) - it's fair enough. – Andy Jan 30 '13 at 19:45
  • @MarkC.Wallace I don't see that this is subjective at all, and that is not really what I'm asking. To me the words "completely minimize" indicate my tolerance. I want to secure things as much as possible, which I'm sure is something most people wish to achieve – Andy Jan 30 '13 at 19:49
  • @lynks Thank you for making a point of that. I mostly use CMSs so I (will) make sure that they are up to date, etc. but I still think that it is worth securing my personal computer as best as possible, especially because I am suspicious that a previous attack originated from my computer – Andy Jan 30 '13 at 19:52

3 Answers

5

The security of your Web server will entirely depend on the skill and commitment of the system administrators, both for the operating system and for the Web server software itself. It does not really matter whether the sysadmin is you or someone else; what matters is that the configuration is under control and security updates promptly applied.

Out of personal experience, I would recommend as OS one of the mainstream Linux distributions, e.g. Debian, Fedora or Ubuntu -- which one does not matter much as long as you regularly check for updates and apply them (by "regularly" I mean "on a daily basis"). The *BSD systems are also worthwhile alternatives (FreeBSD, NetBSD, OpenBSD) but they usually have less support from hosting services, and they require a bit more in-depth knowledge of what is going on in the OS entrails (however, their somewhat simpler, more traditional internal structure makes acquisition of such knowledge a bit easier than the Linux case). The relatively smaller user base of the *BSD systems also makes them less likely targets for attackers -- that's "Security through Attacker's Incompetence", which is even less reliable than "Security through Obscurity", but still works in practice.

If you are not the sysadmin of the Web server system, as you hint in another comment, then you rely on the actual sysadmins to do their job properly. This is one of these cases where you tend to get what you pay for. Luck will play a large role in that matter: when using shared hosting, you are nominally isolated from other customers of the same system, but in practice perfect isolation is not a given. Fortunately, most people are honest, as the continued existence of civilization tends to demonstrate.


For your access passwords, what matters most is that you use only "clean" machines. The longest password or the best "key file" on a USB stick will not save you if you type it or insert it in a compromised desktop system. Keeping a desktop system "clean" works along the same lines as keeping a server "clean": be wary of what you install, check for security updates. You do have a few extra possibilities with desktop systems; for instance, you could boot a "secure" system off a USB stick (or a USB external hard disk), without touching the internal hard disk. That way, you could maintain a separation of roles: the OS on the internal disk is for "risky" activities (Windows-based gaming, Web surfing...) while the USB-booted system would be reserved for Web server administration.

SSL and SFTP are secure technologies, but only act as tunnels. They protect data in transit between two points (e.g. a Web browser on some user's machine, and the Web server) but they do nothing about the security of both end points. SSL and SFTP will not save your skin; it is more a case of not using them would create additional holes to contend with.


Disclaimer: I have presented fairly subjective opinions above about the comparative merits of operating systems. However, I consider that I have both enough experience and a sufficiently inflated ego to be entitled to make such assertions. Other people's experience may differ; I hear that there are some Windows sysadmins who are content with its security. The core assumption, however, is consensual: know your system. You won't get a lot of security as long as the OS and the software remain "magic" in your eyes. Knowledge dispels the magic.

Thomas Pornin
  • Thank you very much for your answer, very informative. I do generally trust my web hosts; however, I'm glad you mentioned that aspect as it helped to bring home how much I do have to rely on them. Hopefully when it becomes necessary I will be able to host my sites in a truly isolated environment controlled by me, however that may be. I think that I am going to use a Virtual Machine with Ubuntu to keep access to the website isolated and help avoid infections, although I may consider USB (I'm just worried I may be tempted to use it for other purposes if I have to boot into another OS) – Andy Jan 28 '13 at 20:07
1

Some comments and suggestions:

  1. Why not use a proper password manager like KeePass?
  2. SFTP (as in, SSH File Transfer Protocol) is nice and secure for transferring files to and from the web host.
  3. SSL/TLS provides (some) security for visitors to your website (but does nothing to enhance the security of the web server).
  4. You have not mentioned what web server you're going to use (Apache?), and you've only hinted about the OS (Ubuntu Server?). You need to take steps to secure both the web server and the OS. It is very difficult to do either of those properly - consider web hosting with a reputable outfit where some of the security work will have been done already.
  5. Don't forget the usual precautions: make sure your personal machines are free of malware, and only use trusted devices to interact with your web server.
scuzzy-delta
  • @culix Added the clarification. Sorry I wasn't able to do that sooner. And as far as the password manager, I'm currently using MobileWitch Pass Safe. I welcome any comments on this software. – Andy Jan 28 '13 at 20:23
1

There are some really good things being suggested above, so I'd like to just add a few more.

  1. Using some of the features that come bundled with Security Enhanced Linux (se-linux) would put you in a good light.

  2. Decide if you want to give your users SSH access, and if you do, make sure that you set up a strong chroot jail for them to use so you don't risk them jumping into directories or executing commands they're not supposed to.

  3. Minimize the amount of 3rd party packages you install on your webserver. Disable 3rd party repositories so that you don't accidentally install them.

  4. Read this article from Cyberciti.biz

Josh Terrill
  • Thanks for your answer too, those are really nice links but just to clarify, these tips are for system administrators aren't they? I am actually talking about securing my personal computer for when I access and transfer files to the website, as my websites are hosted using shared hosting, so I have no control over the webserver(s) really – Andy Jan 30 '13 at 20:04