polyfrag

[web] Secure server

polyfrag    2504
This is a continuation of http://www.gamedev.net/topic/608268-do-i-need-a-gambling-license/page__pid__4847510#entry4847510

How do I maintain a secure server?

Does anybody know how BitCoin was hacked?

Are there any good security websites?

Hodgman    51334
[quote name='polyfrag' timestamp='1313548547' post='4850120']How do I maintain a secure server?[/quote]Have it be designed by someone with experience in [url="http://en.wikipedia.org/wiki/Computer_security"]computer security[/url] [img]http://public.gamedev.net/public/style_emoticons/default/wink.gif[/img]
There are a lot of concepts that are subtly important in security -- e.g. I was initially confused that [i]authentication[/i], [i]authorisation[/i] and [i]identification[/i] are all completely different ([i]and very important[/i]) concepts, when to me, they seemed to be almost the same thing.

That Wikipedia link and its "See also" section make for a good self-education resource.[quote]Does anybody know how BitCoin was hacked?[/quote][i]BitCoin itself[/i] wasn't hacked -- many users of BitCoin had a trojan on their computers, which stole their bit-coin wallet and sent it to the "hackers", who could then use this information to initiate BitCoin transfers from other people's accounts.

This is [url="http://xkcd.com/932/"]the same as[/url] stealing someone's real-world wallet and saying that you've hacked MasterCard.

[url="http://en.wikipedia.org/wiki/Multi-factor_authentication"]Multi-factor authentication[/url] could've stopped this particular kind of attack.
e.g. if someone steals my online banking card, they also have to know my password. Plus, when they try to transfer money, the bank sends an SMS to my mobile phone, which you need to complete the transaction. So for someone to impersonate me, they have to steal my card, my password and my phone ([i]and my phone's PIN?[/i]).
In the case of bit-coin, there was only a single 'item' that had to be stolen by the attackers.

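To make the "two items must be stolen" point concrete, here is an added example (not code from the post or from any of the posters) of a server-side check that requires both a password and a second factor before a transfer is authorised. It substitutes an RFC 6238 TOTP authenticator code for the SMS code in the banking example above; the account values, salt and secret are constructed for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo account (hypothetical values, not from the thread):
# the password is stored only as a salted PBKDF2 hash, and the second factor
# is a separate secret that would be provisioned to the user's phone app.
SALT = b"demo-salt"
PASSWORD_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000)
OTP_SECRET = b"12345678901234567890"  # the RFC 6238 test-vector secret
STEP = 30  # seconds per TOTP time step


def totp(secret: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password: HOTP over the time counter (HMAC-SHA1)."""
    counter = struct.pack(">Q", now // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def password_ok(password: str) -> bool:
    """Factor 1: something the user knows. Constant-time compare of the derived hash."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    return hmac.compare_digest(candidate, PASSWORD_HASH)


def code_ok(code: str, now: int) -> bool:
    """Factor 2: something the user has. Accept one step either side for clock drift."""
    return any(hmac.compare_digest(totp(OTP_SECRET, now + skew * STEP), code)
               for skew in (-1, 0, 1))


def authorise_transfer(password: str, code: str, now: int) -> bool:
    """Both factors are always evaluated, so a failure does not reveal which one was wrong."""
    pw = password_ok(password)
    otp = code_ok(code, now)
    return pw and otp
```

A stolen password alone (the single-item case in the post) fails `authorise_transfer`; the attacker would also need the device holding `OTP_SECRET`.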
The basics include keeping strong passwords, keeping all software updated and patched on the server including the OS, keeping and maintaining a hardware firewall separate from the server so as not to slow down the server itself, changing software defaults as much as possible (port numbers used, URLs mapped to, default user names and passwords, etc), keeping a reliable anti-virus solution on board and updated, never installing software from questionable places, don't use the server for "casual" web browsing, don't install a ton of software that opens up ports and accepts data from the internet, block all software ports not necessary for the server's operation on both the firewall and OS, limit the number of OS users, implementing IPsec, password, physical device, etc group policy on the server, change default OS usernames (administrator should NEVER be administrator and even then you should almost never use that account), perform all usual server interaction with a less-privileged account.

Yup, those and more are just the basics. That's what I could just think of in the span of about 1 minute and a half.

krez    443
Don't roll your own security. Use well known and well tested security (e.g. use SSL instead of trying to encrypt your connections yourself).

polyfrag    2504
Thanks all. This is what I was looking for:

[quote][font="sans-serif"][size="2"]Common software defects include [url="http://en.wikipedia.org/wiki/Buffer_overflows"]buffer overflows[/url], [url="http://en.wikipedia.org/wiki/Format_string_vulnerabilities"]format string vulnerabilities[/url], [url="http://en.wikipedia.org/wiki/Integer_overflow"]integer overflow[/url], and [url="http://en.wikipedia.org/wiki/Code_injection"]code/command injection[/url].[/size][/font][/quote]
