The article points to one of the core equations every business should embrace: `cost_of_risk = unit_probability * unit_impact`.

If some measure can improve security metrics (time to discover, time to break, skill/power to break, etc.) then it can be considered a security measure. SSH server running on non-default port is not much more secure than otherwise equal server, but probability of random attack is lower.

> you've already done more work than it takes to actually secure your site

Finding and plugging RCE holes in every dependency you have deployed is way harder than making the host less discoverable. If running security-patched software, having non-default, hard to guess passwords are security measures that lead to lower chance of exploitation, why can't non-default, hard to discover hostnames/ports be considered security measures if they do reduce likelihood of exploitation? Relying solely on `apt upgrade` is similarly insecure as merely exposing software on non-default ports.

There is only a cost-benefit analysis there.

To me this reads as there is some inherently secure approach and then this obscure approach, slightly increasing security. I cannot agree with such assessment.

No layer of defense is useless. Hiding the host name is a pretty noticeable layer.

Running a private server only inside a VPN is, of course, even nicer, when you can afford it.

There are plenty of ways that your secret hostname can leak. It's just a weak, low-entropy, guessable password that can't really be rotated. And moreover, if you're going to choose one thing to do (or time box your efforts around security), it's the highest complexity I can think of for almost no real return. I mean, if you're so concerned about leaking the hostname from your HTTPS cert because your site is that insecure, why are you even using HTTPS? What are you even protecting?

Is that the best way to spend an hour securing your site? Even just slapping the six lines to put hard coded HTTP auth credentials on your nginx virtual host will do more than that.

Yes, they can and should also set up things like fail2ban or crowdsec, add geo-based ip blocking, etc, but many don't because it's not fundamentally required to make their services work. Even harder still, or even impossible, is making sure all of the backend services themselves are secure.

It’s all about risk/probabilities in my view. How likely is it to find the hostname? How likely is it to find the password?

The only real differences is that there are best practices ensuring passwords are never logged in clear text anywhere, whereas it’s not the case for a hostname.

But you haven't actually avoided it, you kicked the can down the road at best. Sometimes that's useful but it's not a sound general strategy.

How so?

Configuring your host to return 404 on invalid subdomains is just not a general solution, at best it just buys you some time until attackers find the subdomain, ie. kicking the can down the road, like I originally said.

So if Sarah in accounts once went to secret-webserver.internal.example.com from her laptop at home before turning on the VPN by mistake, her upstream DNS provider will tell any attackers with some $$$ that secret-webserver.internal.example.com existed, when it existed, what the A or AAAA records said and so on.

Targeted attacks will know about secret-webserver.internal.example.com even though only *.internal.example.com is listed in the CT logs.

We've been on the shifted port for more than 5 years.

FWIW, this is true of all public certificates right now, regardless of issuance method (ACME, manual, etc.) or CA (ZeroSSL, LE, DigiCert, etc.). I don't point that out to be pedantic, just to emphasize that that information is going to be out there when someone grabs a cert, regardless of how they do it. :)

> I saw a reddit post recently (which I won't link for the victims' sakes) where someone had searched for Heimdall (a popular dashboard) in a web-security-oriented search engine and found a bunch of insecure publicly facing instances, some of which contained credentials.

There were some instances recently of the same thing happening with Wordpress installations, as the default Wordpress installer would go get itself a Let's Encrypt certificate before the user had completed setup and set an admin password on the install. No vulnerability necessary, just hop onto it and set the admin password. I suspect this is going to be a frequent vulnerability discovered as more things bundle "get me an LE/ZeroSSL/etc. cert" into their software/OS installers.

So lets say you are going to be running a home server to be setup as a read only server to the outside world, but write capable through a separate port connected only to a laptop that has no internet access (or very restricted) which also has the nicety of being so obsolete it doesn't have IME or any other intel idiocy backdoors attached to it.

Would you still put a hardware firewall between each of these connections? And if so, would you also run it through a VPN on the read side of the server?

I personally don't trust VPN's, since I see them as middlemen you pay to pretend they don't keep logs of anything. Of course there is always the whole argument of 'not having anything to hide, so no worries'; but I see it as false, since the whole point of using a VPN is to hide your bits from attackers and snoops. Even if it's legitimate/legal data.

So, what would you do to avoid using a VPN, provided you can't own the VPN instance somehow somewhere due to being a bit of a cheapskate? Would some basic OpenWRT firewalled routers be enough for your purposes (and thus mine possibly) or would you go with some more complex setup where a person has to trust yet another company to not be trying to hijack data somehow?

Server intended:

Opteron build, DDR3 tech. 6 cores, hyperthreading (if any) disabled. All forms of speculation turned off. All that jazz.

1 nic port is to be setup to be downloaded data only, no upload allowed.

Other nic port is access point for SSH via old laptop setup for security purposes.

Everything running on linux, as much as possible. No windows allowed.

If your laptop and your server are on the same network, which presumably they'd have to be if the laptop has no internet access, you shouldn't need any kind of firewall or VPN.

I would also be hosting a webpage or two, for blog and possibly web-shop purposes. The blog would again be "read-only", but the web-shop would require some semblance of 'write' permissions available for users. So the blog would share the 'read-only' connection ideally. The Web-shop would share the write capable connection instead.

Finally, the laptop being able to SSH into the server solely is for security purposes due to not wanting to use any form of IPMI due to some security concerns over it. I would instead being using a dedicated network card for just its purposes only. This laptop would not connect to the internet through anything, even the server. No shared connections between the network nics at all.

And I realize it may seem overkill to some people, but I don't care if it is overkill. It's when people get sloppy and cut corners that backdoors and security vulnerabilities arise. IMHO.

If I had a million dollars, I would have the most secure server in the world, lol.

The firewalls/VPN's are essentially there to act as a stop-gap measure just in case anyone decides to poke their nose in where it doesn't belong. Partially to catch them in the act, partially to stop them in the act. Ideally.

Here is a simple text explanation of sorts of my setup I have in mind.

- Nic 1: Blog/FTP, Read only. No copying files to the FTP, just copying files from it. You can only read the blog, not comment, or anything like logging in. The only person who ever needs to 'log in' is me, from my laptop.

- Nic 2: Web-shop and maaaybe a game server for testing purposes.(Considering making a simple game that will need some net code tested in the future.) This will have full read and write capability, since it will need to. This is the network that will require all the extra firewalls and VPN connections, if I use them at all. The other one might be able to get away with not having them, but this one will need them in my mindset on the matter. Logging in is definitely a thing on this part of the server.

This server will have (and maybe I should have mentioned this before) a virtualized instance for each service. This way I can sandbox each, and kill each sandbox if ever needed due to whatever malicious actions some dingus decided to do.

The laptop is essentially going to be my monitor, keyboard, and mouse; so I don't need to run multiple of each for yet another machine. (I have 2 desktops, and another laptop. I need to simplify things down a bit, even if this seems more complex, lol.)

All of this is getting its own intranet essentially, completely separated from my main internet connection. It will also be getting its own business connection instead with a static IP address for any sort of connections to the outside world. The only way my two networks will ever talk to each other, is either through the internet itself, or via a firewalled connection between the intranet I have setup, and my other computers. In this way, it will act like a local NAS for my other computers, but also for when I am out and about, and need a certain file suddenly.

I should also mention I tend to live with roommates, so I like having an extra layer of security here and there when doing so, since you never know when your roommate is going to try to do something sneaky. Like my current one who decided to give our password to the neighbors downstairs... and across the wall... Why? Because they lied to him and said they pay for the internet here too.(They don't.) Or so he claims. Quite frankly, I have found out rather recently because of this and some other things that he has a habitual need to lie and deflect. Fun stuff.

Again, this may all seem like overkill to some people, but I have long learned from experience that what one person considers overkill, another considers underkill. I would much rather do things to a point where people go "jeezus" than be the one going "ah damn".

With that note, there will be absolutely zero windows operating systems on this machine, and any machine that directly connects to it, like my laptop; will also be running non-windows environments.

The machines that do need to run windows, due to things like my capture card from Avermedia not supporting linux basically at all... they are going to be locked behind the firewalls, and allowed to connect only to the basic internet connection I already have setup. Everything else is linux. Everything. Even my 'other' laptop that currently has windows on it, only has it, because it came with it. That changes, very soon.

And besides, you wanna see real overkill?

I'll be setting up my own version of Kali essentially on the first laptop for SSH and stuff into my server, so I can also do security audits. But it's either going to be Arch based, or Gentoo based. Why?

Because I don't trust the folk who made Kali, otherwise used to be known as Backtrack. Why?

Because they still use torrents, and not magnet files, to start. And while even Arch has a way to be used on Windows now; I can at least install it via Bash on my own without needing to use some pre-made packaged installation. Hence why I might move on to Gentoo.

And I realize that no OS is perfect, and security flaws exist everywhere.

That's why I am going overkill. Also, this is how I learn things. By doing them. And I basically want to learn how to make some of the most redundantly secure servers, so that people who come to me for my services get something they can trust isn't going to be easily hacked by some script kiddie.

Yes, if I own the VPN in question and no one else has any access to it, or maintains it; then there is no issue.

But I was talking about paid service VPNs. The kind you see being advertised on YouTube and etc. I don't trust those one bit.