How to secure your Website and App in 2024?

From the moment your project goes live on the internet, it is visible not just to your potential customers but also to attackers looking to exploit any vulnerability they can find. Here is a comprehensive guide to securing your new project against common threats.

0. Don't Manage Your Servers

We've been working on infrastructure for the past 10 years, and we believe "the best infrastructure is no infrastructure." In practice this means not managing any servers: doing so requires special expertise and is time-consuming, so you would need someone like Bob, who is not cheap and, most of the time, not needed when you start a project.

In 2024, widely used managed services let you deploy your code without spending time managing a server. They offer security out of the box, ship with good security defaults, and will save you a lot of time, money, and headaches.

Recommendations:

You can explore different solutions that are usually free or come with generous free tiers:

1. Domain and Subdomain attacks

As soon as your project goes online, information about your domain and any subdomains is readily available. Every new domain that gets an HTTPS certificate appears in the Certificate Transparency (CT) logs. Attackers monitor these logs for newly issued certificates, learning the new domains and subdomains listed in them. This exposure makes your project an easy target right from the start. You can check what hackers could see for your own domain name on crt.sh.

Recommendations:

Don't reveal your subdomains in your HTTPS certificates: Be cautious about the details you include in your SSL/TLS certificates. Don't specify subdomains that will be visible to hackers through the CT logs. For example, for hackersbait we won't issue certificates for my-subdomain1.hackersbait.com, blog.hackersbait.com, etc. We will use the wildcard *.hackersbait.com, which covers them all and doesn't tip off hackers.
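As an added example (not code from the original post), here is a small Python audit that reads crt.sh-style JSON records for a domain and lists which concrete subdomains the logged certificates have already revealed, as opposed to names covered only by a wildcard. The crt.sh JSON URL shape and the constructed sample records are assumptions.

```python
"""Audit which hostnames a domain's Certificate Transparency records expose."""
import json
import urllib.request
from urllib.parse import quote


def fetch_ct_records(domain: str) -> list:
    """Fetch every logged certificate under `domain` from crt.sh (assumed URL shape)."""
    url = f"https://crt.sh/?q={quote('%.' + domain)}&output=json"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def exposed_hostnames(records: list, domain: str) -> dict:
    """Split the DNS names found in CT records into wildcard and concrete entries."""
    domain = domain.lower()
    wildcards, concrete = set(), set()
    for rec in records:
        # crt.sh packs all SAN entries of one certificate into name_value, one per line
        for name in rec.get("name_value", "").splitlines():
            name = name.strip().lower()
            if not name or not (name == domain or name.endswith("." + domain)):
                continue  # ignore blanks and names outside the audited domain
            (wildcards if name.startswith("*.") else concrete).add(name)
    # The apex is public knowledge anyway; every other concrete name is a leaked subdomain.
    leaked = sorted(n for n in concrete if n != domain)
    return {"wildcards": sorted(wildcards), "leaked": leaked}


# Constructed sample in the crt.sh JSON shape; not real certificate data.
SAMPLE_RECORDS = [
    {"id": 1, "common_name": "hackersbait.com",
     "name_value": "hackersbait.com\nblog.hackersbait.com"},
    {"id": 2, "common_name": "my-subdomain1.hackersbait.com",
     "name_value": "My-Subdomain1.hackersbait.com\n"},
    {"id": 3, "common_name": "*.hackersbait.com",
     "name_value": "*.hackersbait.com\nhackersbait.com"},
    {"id": 4, "common_name": "unrelated.example",
     "name_value": "unrelated.example"},
]

if __name__ == "__main__":
    report = exposed_hostnames(SAMPLE_RECORDS, "hackersbait.com")
    print("covered by wildcard:", report["wildcards"])
    print("subdomains already leaked via CT:", report["leaked"])
```

Point `fetch_ct_records` at your own domain to run the same audit against the live logs; any name in `leaked` is one hackers can already read off crt.sh.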

2. Bots and Automated Tools Exploiting Domains

Automated tools and bots constantly scan the web for vulnerabilities to exploit, including SQL injection, XSS, and more. These can lead to data breaches, DDoS attacks, and other security incidents.

Recommendations:

  • Use a Web Application Firewall (WAF): A WAF can help detect and block malicious traffic aimed at exploiting web vulnerabilities. Cloudflare offers a robust (and free) WAF that is easy to integrate into your project. As soon as critical security issues arise, Cloudflare is quick to protect the websites behind its WAF. You don't even have to be aware of these issues; Cloudflare handles them for you.

  • Use a VPN for Sensitive Access: For parts of your website or admin areas that shouldn't be publicly accessible, restrict access through a VPN. Services like Tailscale make it easy to set up a secure, private network.

3. Server Access Exploitation via SSH

SSH services, if not properly secured, can be a gateway for attackers into your systems. SSH scanning tools are prolific, and the risk posed by exposed SSH services should not be underestimated.

Recommendations:

  • Key-Based Authentication: Disable password-based logins and use SSH keys for authentication. This significantly reduces the risk of brute-force attacks.
  • Restrict IP Access: Where possible, restrict SSH access to known IP addresses. This can be managed through your cloud provider (or with iptables rules) on your server. You can also use a VPN, so that your users must be connected to it before they can reach your servers.
  • Access Management: Use tools like Teleport for secure access management, providing an added layer of security and visibility into access and activities.
  • Centralized Log Management: Use tools like Datadog or ELK to forward your logs. These tools offer powerful analysis features, alerts, and dashboards to understand what's happening on your systems.
  • Use Honeypots: A honeypot is bait you place in your systems. Honeypots are useful for knowing whether your servers have been compromised. HackersBait provides non-intrusive honeypots that we monitor for you.