Erud wrote: XDM45 wrote: For example, I can SSH into my home machine, but you need to use port knocking along with an alternative port since using port 22 isn't advisable. I also have connection throttling set up in iptables and ip6tables, as well as fail2ban and denyhosts running and configured certain ways. (I would go one step further and lock it down to certain IPs or ranges, but I'm not always remoting into it from the same location with the same IP / IP range.) Of course I could really tweak it further, like switching from TCP/IP to IPX/SPX and then back to TCP/IP to help mitigate any hackers, since most wouldn't know how to deal with such an old and little-used protocol as IPX/SPX, which, like TCP/IP, is routable. I could also subnet and use VLANs to add in layers, but I don't. I know it's a computer and not a gun, but it shows layers of security, which I like. I also don't do everything I could, so again, middle of the road is key, for me at least. The hard drive is encrypted, and it's in a somewhat secure room. Physical security is the weakest link in that chain. I like security, but not everyone does.
Do you think you could devise an internet security system so secure that even you yourself could not get through it? And then install it on this forum?
Now that would be sweet.
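The quoted post mentions fail2ban and iptables connection throttling as layers in front of SSH. The following is an added example, not code from either poster or from the fail2ban project, that shows the core of what fail2ban does: it parses sshd "Failed password" lines, counts failures per source address inside a sliding window, and reports addresses that crossed the threshold. The log lines are constructed for the example (documentation addresses, not real traffic), and the `maxretry` / `findtime` names are borrowed from fail2ban's jail settings only as labels; the rule strings it produces are the ordinary iptables DROP form a jail would insert.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format, documentation IP ranges).
# 203.0.113.5 fails four times in nine seconds; 198.51.100.7 fails four
# times but spread twenty minutes apart, which a 10-minute window ignores.
SAMPLE_LOG = """\
Oct 14 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Oct 14 10:00:03 host sshd[1002]: Failed password for root from 203.0.113.5 port 51235 ssh2
Oct 14 10:00:04 host sshd[1003]: Accepted publickey for alice from 198.51.100.7 port 40000 ssh2
Oct 14 10:00:06 host sshd[1004]: Failed password for root from 203.0.113.5 port 51236 ssh2
Oct 14 10:00:09 host sshd[1005]: Failed password for invalid user test from 203.0.113.5 port 51237 ssh2
Oct 14 10:00:10 host sshd[1006]: Failed password for bob from 198.51.100.7 port 40001 ssh2
Oct 14 10:20:00 host sshd[1007]: Failed password for bob from 198.51.100.7 port 40002 ssh2
Oct 14 10:40:00 host sshd[1008]: Failed password for bob from 198.51.100.7 port 40003 ssh2
Oct 14 11:00:00 host sshd[1009]: Failed password for bob from 198.51.100.7 port 40004 ssh2
"""

# Matches only failed password attempts; "invalid user" is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2012):
    """Yield (timestamp, source_ip) for each failed-password line.

    Syslog timestamps carry no year, so one is supplied by the caller."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("ip")


def find_ban_candidates(log_text, maxretry=4, findtime=timedelta(minutes=10)):
    """Return {ip: time_threshold_was_crossed} for sources with at least
    `maxretry` failures inside any `findtime`-long sliding window."""
    windows = defaultdict(deque)   # ip -> timestamps of recent failures
    banned = {}
    for ts, ip in parse_failures(log_text):
        if ip in banned:
            continue               # already decided; later lines are moot
        w = windows[ip]
        w.append(ts)
        # Drop failures that fell out of the window.
        while w and ts - w[0] > findtime:
            w.popleft()
        if len(w) >= maxretry:
            banned[ip] = ts
    return banned


def iptables_rules(banned):
    """Render one DROP rule per banned source, as a jail action would."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(banned)]


if __name__ == "__main__":
    hits = find_ban_candidates(SAMPLE_LOG)
    for ip, when in hits.items():
        print(f"{ip} crossed the threshold at {when.isoformat()}")
    print("\n".join(iptables_rules(hits)))
```

With the defaults only 203.0.113.5 is reported; lowering `maxretry` or widening `findtime` changes which of the two constructed sources is caught, which is the same tuning trade-off a real jail has between catching slow password guessing and banning a user who mistypes a few times.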
You really can't have a system on the Internet and be secure. You can do things to make it more secure, but not 100% secure. I'm sure there are some things that could be done on this website to close up some of the security holes. (Every system and network has them, so updating to the latest code of the board system, updating and hardening the web server, and doing some information gathering would work for starters.) (Also, whoever installs it obviously has root access to it along with Super Cow Powers.)
Step 1 would be to really diagnose the system and the network with pen testing from both outside and inside the network. For inside the network, an ExtraHop would do wonders ( http://www.extrahop.com/ ); for outside the network, there are some good pen testing tools out there like BackTrack.
Of course even something like an F5 LTM device, which is a true hardware proxy device (since it can create completely different TCP/IP stacks from each other on the ingress and the egress), would do a lot to improve security; but those are usually purchased in pairs, and even some 1600 series would run close to $40,000 for the pair, I believe. There are virtual editions of the F5 LTM, but they lack the hardware and performance. Also, making this site use SSL would improve the security of it by far, and with an F5, the encryption/decryption could be offloaded to the SSL Acceleration Card in the F5 unit. That's really going to be key, since once the 1024-bit SSL keys expire and can't be renewed and everyone must move to the newer 2048-bit key, you're going to see SSL traffic just bog down web servers that are directly handling the encryption/decryption of SSL certificates. Reference:
http://www.thawte.com/resources/2048-bit-compliance/
It looks like as of October 2012, this site was/is running nginx/0.7.65 under Linux, and 1.5.1 is the latest version of the web server daemon. I didn't look into the message board software, but I'm sure it's just as outdated. Maybe the owner of this site needs to do some work perhaps? Then again, there are idiots out there still running Windows XP online too, and it's 12 years old.
These may be worth a read....
http://toolbar.netcraft.com/site_report ... untalk.com
http://nginx.org/en/security_advisories.html