Ask HN: Securing a server - Balance between being paranoid and wasting time?

Greetings,<p><pre><code> Basically I would advise to follow some simple guidelines (back to basics): -&gt; Don&#x27;t run stuff with more permissions than needed (ergo, create a user for the services, lock them down, etc) -&gt; Make sure you can check the logs to monitor for weird stuff (really, this is important, if you can react quickly you can mitigate many issues before they become serious) -&gt; Don&#x27;t run unnecessary services (do a cleanup on the host) -&gt; As best as possible use repository stuff; much easier to be up-to-date (security patches and so on) -&gt; Prepare an &quot;emergency lockdown&quot; script. Imagine something you can run that will lock nearly everything and put a nice page for the users, stating &quot;We are performing some super-duper maintenance, blah, blah&quot;, don&#x27;t scare the hell out of them, but allow yourself to carefully check what is happening without worrying with extra leakage. This can allow you to change passwords, block some suspicious IPs, etc (bonus points if you prepare a script to block IPs) -&gt; Encrypt passwords and salt them. Really. This is a must, respect your customers. -&gt; Extra bonus for a system that emails you as soon as there is a login in the system. </code></pre> Just common sense I would say.<p>Oh, and <i>DO</i> change passwords every 90 days, at least.<p>PS: There is a script for MySQL that does some security check-ups. Google for mysql_secure_installation<p>Best regards and best of lucks.

The basic idea is good; I&#x27;m not convinced Squid buys you any security, though. If everyone can operate that way, consider allowing access via SSH only.<p>Oh, and don&#x27;t forget chroot (or something more modern, like jails or even SElinux).<p>Having said all of the above, for the typical startup, the main threat is not an attack on the server but some shoddy application code committed under yet another tight deadline.