Security Best Practices

Good security starts with the actions of the person behind the keyboard. Your actions and the risks you take are more likely to lead to a compromise than any operating system or piece of code ever would. Keep that in mind when you are in the world of crypto. The best of the best are involved in parting you from your coins or the coins on exchanges.

Local security

Let's start with where the likely compromise point is going to be - your local workstation or laptop. Let's focus on behaviour first.

  • Don't open attachments from a source you don't know

  • Don't click on links from sources you don't know

  • Don't ever install anything unless you are sure you know where it is from

  • Don't ever give anyone access to your device over the phone - no passwords, usernames, etc - no one will ever ask for this except a scammer.

Be sure to keep your system and applications updated. Don't slack on this, because it leaves you at risk unnecessarily. Also, don't auto-logon. Make it more difficult by requiring a logon to start the computer at boot, or at least a logon to the OS. You're basically buying yourself time to recover when you realize you've been compromised.

Install your wallets on trusted computers and then encrypt them with a good password (one that you know and don't use all over the place). If you need to write it down, lock it in a safe, and tell a trusted someone special about the paper.

Back up your wallets often and keep them in a safe place - use the safe with the USB drive or something. Wallet locations differ on operating systems.

  • Windows - %APPDATA%/Lytix/wallet.dat

  • Mac OSX - ~/Library/Application Support/Lytix/wallet.dat

  • Linux - ~/.lytix/wallet.dat

Take precautions with this like you would with a handful of cash in a really bad neighbourhood. It's important. Stuff happens and it might get corrupted somehow. Backups are a must.

Ok, so your operating environment is in good shape. You've got a healthy dose of paranoia and you're ready to start on the security of your server or VPS (virtual private server).

VPS Security

Just keep in mind that you are already protecting the prize (your cold wallet - that's where the coins are) and that is what an attacker is really after. However, you owe it to the community and others to take care of your online assets. There's no need to have your box poisoning the network or be a launching point for attacks against others.

First thing is to use an operating system that you are familiar with and use the practices above to keep that safe. Keep the software updated regularly (really do this at least once a week.) Keep your applications updated as well. Possibly, have a test server to test changes first to see what the impact will be. It's no good to have a secure server if nothing works.

Don't run anything that has remote access as a privileged user - don't have web, sql, or other applications running as root or Administrator. If an attacker compromises that service, you don't want them to have privileged access right away. Remember, you are buying time here. The longer it takes and the more difficult you make it, the more likely they will make a mistake and you have a chance to stop them or recover.

If you are running Linux, make sure you perform root-level tasks with sudo. sudo logs who has done what, and those logs can be beneficial in the future. Make sure you create a regular user to run your daemons. Don't use a password you use everywhere.

Limit the attack surface. Most providers will let you use a firewall. If you are running Lytix then the only port you need open is:

TCP 27071

Limit ssh or remote desktop (TCP 3389) to just your networks. Also, a good practice is to change the port ssh listens on in the /etc/ssh/sshd_config file from 22 to something that you know. This will keep the scanners off your back. Fewer eyes on your system is better.

Keep an eye on your log files and on disk space. Any variance in these or several logon failures could mean trouble is on the way. Prepare for the worst. If you can make a backup of your server or create a snapshot it will help in case of failure. I do this often.

Just remember not to use the same passwords everywhere, and don't base them on any information that is out there in your online social life. Attackers will go through all of your postings and online info to build a good database of passwords that you use. Also, bitcointalk is a fun place but is frequently hacked (remember, best of the best). Change that password often and don't use it anywhere else.
