[Cc-webedit] Server stuff
Jon Leighton
j at jonathanleighton.com
Thu Nov 26 11:39:13 GMT 2009
Hi Jim,
On Tue, 2009-11-24 at 12:14 +0000, Jim Dog wrote:
> * Make a list of everyone who has access to the server, their contact
> email, level of privilege and the reason for them having access (admin,
> sftp for photo's, subsite access etc) - This would need to be in a
> secure place, such a a private group on crabgrass.
> * email everyone on this list giving a date a couple of weeks away when
> the change will happen and asking anyone who has questions or needs help
> to get in touch. Me and others can respond to these and get people ready.
> * Send a final reminder a few days before it will happen
> * Change the port
Sounds great to me. All the people who have access will be white-listed
in sshd_conf so we can just check there.
> This won't stop any concerted hacking attempts but it will cut off the
> script kiddies and bots out there and will be a good start.
>
> I'd also like to propose the following couple of changes to tighten up
> security a little:
I'm all for having good security and good processes, but I also think it
needs to be in balance with the "cost" of the security and the "cost" of
a breach.
So for example, I don't support having an expiry on passwords. We
already have public key only login from the outside, which I think is a
pretty good and unobtrusive security measure, and from a personal
perspective it would just piss me off to have to keep changing my
password.
WRT better processes, I support this in principle, but unless there's a
specific need it's not something I have time or energy to work on
implementing. And I don't think processes with the server have been an
issue so far.
I think it's useful to look at what our risks are from attackers:
* Seizure by authorities. Quite unlikely, but if it did happen and they
got into the file system they wouldn't be able to do much (though I
think the disk is encrypted?) But if they *did* get in, they wouldn't
find much useful information either. We are already not logging IP
addresses.
* Attack from a corporate entity which feels threatened by us. Again
quite unlikely as it would be expensive/illegal for them to do. Also I'm
not sure what their objective would be - they could cause us a load of
hassle for a few days but that might be basically it. And they would be
risking exposure too.
* Script kiddies. These attacks are generally unsophisticated and so
just by implementing basic security procedures (keeping software up to
date, public key login, etc) we are making ourselves quite resilient. If
compromised they would probably want to use our server to send spam, as
part of a bot-net, to deface our website, or as a proxy for other
activities.
I think the biggest risk is that our website might get defaced. This
would be annoying and embarrassing for a few days, but would not be
devastating - we'd need to reinstall the server and get everything up
and running again, but there wouldn't really be any long lasting damage.
They might get hold of our database, but there isn't really anything
interesting stored.
In short, I think we should definitely be careful about security, but we
should also be aware that what we're doing with the server is not so
sensitive that we absolutely cannot recover if there is a compromise. We
certainly want to avoid it, but I would also like to avoid going "over
the top" at the expense of other things.
Cheers :)
Jon
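The controls discussed in this thread (a non-default SSH port, public-key-only login from outside, and a whitelist of the people who have access kept in sshd_config) can be checked mechanically. The script below is an added example and is not code from the thread or from the cc-webedit server; the user names, the port number and the temp-file sample configs are constructed values, and the parser only reads the global section in the simple "Key value" form.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the global section of an
# sshd_config for the controls discussed above (non-default port, key-only
# login, a user whitelist). User names and the port are made-up values.

# Print the effective value of one directive from the global section.
# sshd takes the FIRST occurrence of a directive, and a "Match" line starts
# conditional blocks, so scanning stops there. Only the "Key value" form is
# handled (not "Key=value"); comments and blank lines are skipped.
sshd_get() {
  awk -v key="$2" '
    BEGIN { key = tolower(key) }
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == key { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
  ' "$1"
}

# Check one file. Prints a finding per weak setting and returns the count,
# so "sshd_audit /etc/ssh/sshd_config" succeeds only when all checks pass.
sshd_audit() {
  cfg="$1"; fails=0

  port=$(sshd_get "$cfg" Port); [ -n "$port" ] || port=22
  [ "$port" != "22" ] || { echo "WARN: Port is the default 22"; fails=$((fails + 1)); }

  # Default for both is "yes", so an absent directive is a finding. Both must
  # be "no": PasswordAuthentication alone leaves PAM keyboard-interactive
  # password prompts enabled (newer releases spell the second directive
  # KbdInteractiveAuthentication).
  for d in PasswordAuthentication ChallengeResponseAuthentication; do
    v=$(sshd_get "$cfg" "$d"); [ -n "$v" ] || v=yes
    [ "$v" = "no" ] || { echo "FAIL: $d is '$v', expected 'no'"; fails=$((fails + 1)); }
  done

  allow=$(sshd_get "$cfg" AllowUsers)
  [ -n "$allow" ] || { echo "FAIL: no AllowUsers whitelist"; fails=$((fails + 1)); }

  return $fails
}

# Constructed sample configs (written to temp files) so the audit can be run
# offline; the hardened one matches the set-up described in the thread.
write_sample() {
  f=$(mktemp) || return 1
  cat > "$f"
  echo "$f"
}
make_weak_sample() {
  write_sample <<'EOF'
# constructed: stock-looking config, no whitelist
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
UsePAM yes
EOF
}
make_hardened_sample() {
  write_sample <<'EOF'
# constructed: non-default port, key-only login, whitelist (names are made up)
Port 2222
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers jon jim photos-sftp
# conditional block: the audit stops reading the global section here
Match User photos-sftp
    ForceCommand internal-sftp
EOF
}

# Usage: sh audit.sh /etc/ssh/sshd_config   (no argument: run the two samples)
if [ $# -gt 0 ]; then
  sshd_audit "$1"
else
  for s in "$(make_weak_sample)" "$(make_hardened_sample)"; do
    echo "== $s"; sshd_audit "$s" || echo "   ($? finding(s))"
  done
fi
```

Run it against the real file after the port change and before the final reminder goes out; the AllowUsers line doubles as the access list the first bullet asks for, though the contact details and reasons still need to live somewhere private.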