I recently got a comment from someone asking how to defend against hacker attacks. So here is the post with some of my thoughts on that matter.
First of all, it's important to note that in some articles the author distinguishes between a hacker and a cracker. The difference would be that a hacker hacks things like servers, phones, websites and so on to show their weaknesses and to help both the owner and society become more conscious of the problems associated with modern technology and how to protect against them. The cracker also hacks systems, but is more focused on the criminal side, like stealing account passwords or even money from your bank account. For simplicity I will not make that distinction in this article.
In order to know how we can protect against hacker attacks we must first understand two things:
- Why would anyone want to hack a system?
- How can a system be hacked?
The why question is a rather simple one. The answer is very similar, if not identical, to the one in the real, physical world. It's one or a combination of these: for fun, for profit (stealing money), and probably many more.
The how question involves a little knowledge of the system. The Hollywood style, where no hack seems to be impossible, is of course bullshit. There are pretty good mechanisms in today's technology that prevent hacking attacks. Notable exceptions are industrial automation and CCTV; those are very, very easy to hack for someone with even moderate skill (if you want to know more on that, just visit the DEFCON YouTube channel).
Making systems hacker proof
Well, forget about hacker proof: you can only make it harder, but not impossible.
- Use an encrypted connection to your website. If you don't, anyone can just sniff your network traffic and read the password. These connections are usually indicated by the browser with a lock symbol next to the website address. In order to encrypt your website you will have to get a TLS certificate, which can cost quite some money. A free alternative is Let's Encrypt; I suggest you check that out.
- Use strong passwords. Well, that one is obvious: the more characters in a password, the more time it would take to find it by trying all possible variations. Also, if your password can be found in a dictionary, it will be found. You should also avoid very common passwords like “love” or “12345” and so on. It is also recommended that you use one password for one service or website. You could even go to the extreme and change a password every X months. However, that is not practical. My personal opinion is that it's OK to have multiple passwords for one kind of service, for example one for all social media, one for all online banking and so on, provided those passwords are changed regularly and combined with One Time Passwords.
- Use One Time Passwords whenever possible. Remember the last time you did some online banking (and I'm not speaking of PayPal, I mean the old-fashioned kind)? You most likely got a unique number sent to your phone by SMS. Well, you can install an OTP plugin in your CMS too. The advantage here is that even if someone gets hold of your password, he still needs to know a unique number which is generated by an app on your phone, so only you can know it. Google Authenticator is one such app.
- Also, you should update your website frequently to get the most recent security fixes. Some CMSs have an auto-update feature. The advantage here clearly is that you don't have to do anything to get the newest version... except if the auto update fails. So my suggestion would be to not use this feature and instead update manually.
- Automatic backups are definitely a great idea, as frequent as possible. Doing them manually does not work because you can't do a backup by hand every day.
Your Linux Server
When it comes to your Linux server there's an overwhelming mass of options you have. I do however suggest not overdoing those, because the more security layers you add, the harder overall management will get. Usability usually suffers from security, so weigh that up very carefully: you don't want to get hacked, yet you want a system that's usable.
Here are some thoughts you could start with:
- Brute-force protection (also read: Fail2Ban)
- Disable network services you don't need
- Regular automated backup
- Get the file permissions right
- Only install software from trusted sources. Every Linux distribution has its own repository; it's like the App Store for servers. It usually has everything you need.
- When installing new software, search for specific security considerations.
If you're more advanced and want to have even better security you could also do these things:
- Install a sandbox like AppArmor
- Run regular integrity tests (make and compare checksums of files to see what a hacker might have changed)
- If you run regular server integrity tests with cron and get the results via email, those emails would be sent in plain text for everyone to read – this includes the hacker who wants to hack your server. So my suggestion here would be to use either GPG or S/MIME to encrypt those confidential emails. (Also read: Encrypt cron emails with S/MIME or Encrypt cron emails with GPG)
Remember: Linux server security is way too large a subject to fit on one website. I encourage you to continue researching the entire internet on this topic.
Your Windows Server
Don't use a Windows server if security is an issue. A Linux server might seem very complicated to maintain at the beginning, and I promise you – that won't change with time. But it's definitely the more secure of the two.
Go for Windows if you don't know Linux and don't want to spend time on it. Windows is way easier to maintain, and the licence cost isn't so bad compared with the time you spend on Linux servers.