• schizo@forum.uncomfortable.business
    20 days ago

    Neat to see someone using TOR+IRC to make a secure messaging platform vs using some closed source/commercial/questionable alternative.

    Would say two things, though, regarding security on the system that didn’t get mentioned.

    First, enable a firewall. Or even better, if your provider offers it, use their firewall AND configure the firewall of your choice on your VPS too. Layers of security are good, because the more layers the less likely that all of them will fail at once, and in the same way, and allow an attacker access.

    And why does this matter? It matters because future software you add, or an update, or a configuration change, or any number of things could open a port for something you didn’t expect, and bam, you have something potentially vulnerable sitting on the public internet just waiting to be pwnt. (Also, if you start using Docker, it’ll happily open all the ports for you!)

    Second, don’t take their advice on how a weak ssh password “doesn’t matter”, because password auth is disabled. Same reason as the firewall: it’s perfectly fine and okay to do this, until something changes, then it’s not. I’ve seen way too many but-this-server-is-secure systems taken out by a bad password that someone forgot about or set for testing, or only used to expedite something else they were doing: if the password is weak, and it’s on a user account, you’re one configuration update away from a compromised system so pleeeeease don’t do that.
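An added check script for the two points in this comment (it is not the commenter's or the project's own code): it reads an sshd configuration for the effective PasswordAuthentication value and pulls the sockets bound to every interface out of `ss -ltn` output. The sample inputs are constructed; the `--run` path assumes a Linux host with sshd and iproute2 and needs root for `sshd -T`.

```shell
#!/bin/sh
# Added example, not from the original comment. Two checks for the points above:
# is SSH password auth really off, and what is listening on every interface?
# Sample inputs below are constructed; the --run path assumes Linux with sshd
# and iproute2 (`ss`) and needs root for `sshd -T`.

# Read sshd configuration text on stdin (sshd_config or `sshd -T` output).
# sshd honours the FIRST uncommented occurrence of a keyword, and the
# compiled-in default is "yes", so a missing directive counts as enabled.
# Assumption: no Match blocks override the global setting.
sshd_password_auth_disabled() {
    val=$(awk 'tolower($1) == "passwordauthentication" { print tolower($2); exit }')
    [ "${val:-yes}" = "no" ]
}

# Read `ss -ltn` output on stdin and print the Local Address:Port column for
# sockets bound to all interfaces (0.0.0.0, * or [::]); loopback-only
# listeners such as a local IRC daemon are skipped.
public_listeners() {
    awk 'NR > 1 && $4 ~ /^(0\.0\.0\.0|\*|\[::\]):/ { print $4 }'
}

# Constructed sample inputs (not from a real host) so the checks run offline.
SAMPLE_SSHD_CONFIG='Port 22
# PasswordAuthentication yes   <- commented out, ignored by sshd
PasswordAuthentication no
ChallengeResponseAuthentication no'
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 127.0.0.1:6697 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

demo() {
    printf '%s\n' "$SAMPLE_SSHD_CONFIG" | sshd_password_auth_disabled \
        && echo "sample config: password authentication is off"
    echo "sample sockets listening on all interfaces:"
    printf '%s\n' "$SAMPLE_SS" | public_listeners
}

# Live audit of the current host. Docker's published ports show up here on
# 0.0.0.0 even when a host firewall such as ufw is active, because Docker
# installs its own iptables rules ahead of the host's.
audit_host() {
    if sshd -T 2>/dev/null | sshd_password_auth_disabled; then
        echo "ok: sshd password authentication is off"
    else
        echo "WARN: sshd password authentication is on (or could not be read)"
    fi
    echo "sockets listening on all interfaces:"
    ss -ltn | public_listeners
}

if [ "${1:-}" = "--run" ]; then audit_host; else demo; fi
```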