What is your site security like?

[x-te]

as title states, i am interested to know how often you keep up to date the software that you use?

i ask this because i have just found a website that operates a version of nginx that is significantly out of date, thus, allowing naughty actors to abuse those *public* exploits that are readily available for anyone to duckduckgo (don't use google!)

when was the last time you updated your distro?
when was the last time you checked you are running the latest version of your software/plugins that you have installed?

let me know your thoughts.

do you go above and beyond the status quo? share with us how you do that!

 

[Nomad]

I have installed SSL and I have also protected by site with Cloudflare. I update software and plugins whenever new versions are released. I do not know what security measures I need to implement beyond these steps

 

[desbest]

when was the last time you updated your distro?

I'm not a sysadmin so I don't manage servers. One time I had an unmanaged VPS which means that all that came pre-installed was the linux distribution and there was no webhost control panel (cpanel, plesk, directadmin) and there was no LAMP stack (linux, apache, mysql, php).

As I couldn't afford the cpanel license and directadmin wasn't compatible with WHMCS, AccountLab and ClientExec at the time (billing scripts), I tried to install a free control panel called ZPanel that already had a suitable billing script for it.

I couldn't get it to install. Me searching Google for tutorials for how to install zpanel, apache httpd, php and mysql all failed. I ended up getting the server bricked and I had to pay the webhost $10 to get it all wiped out and reinstalled, which would take them one hour.

I never tried being a sysadmin again. I'll stick to being a web designer and web developer.

when was the last time you checked you are running the latest version of your software/plugins that you have installed?

Yes I upload the scripts and their associated plugins.

However because I also code things from scratch and from MVC frameworks like Codeigniter, I also have a spreadsheet with lots of different hacking methods as columns, with the names of all my websites on the left hand side for each row, so I can colour in from red, to yellow, to green, which websites I've coded, that I've already secured from various hacking methods and which are left to do more to make even more secure.

As a web developer, I know ruby, php and javascript.

 

[Tracy]

OS level I check for updates every 3 days manually (allows me to do other housekeeping on the server also). HTTP server and PHP within a few days of the mainline releases.
Software scripts, usually a week or so after release unless it is a security release.
XenForo will be an exception. Not even contemplating 2.3 until it has 1 or 2 point releases under its belt, especially seeing how the RC candidates are flowing out like cheap wine.

 

[Tracy]

Also, forgot to mention, my SSH access is not only limited to keys, but I restrict all access to the port by IP address.
I have static IP addresses where I normally access from, and then I also have a dynamic DNS entry for use in case those change. I can change that dynamic DNS entry to reflect whatever new IP address I might get stuck with (even though that should not happen) and then give it a few hours to replicate and can still SSH in (this is from using CSF).
So often folks on VPS/dedicated servers don't really think about the lower level access. They tend to concentrate on the higher level stuff if they do not have a history if server administration.

 

[Jason]

I'm not obsessed with security. In fact, I only use the SSL on my domain and also the spam prevention stuff on my XenForo forum. Anyway, I don't see the need for more. Why would that be needed?