In this post we want to share our experience on the issue of seizure of servers.
What we do, how we do it, and what you can actually run into...
The post was written by my colleague and is presented in the form of rules...
Sometimes I read posts in the style of "keep projects abroad, keep money abroad, live abroad!". Then it turns out that all this is written by a frightened kid from whom a district detective of the Ministry of Internal Affairs seized a computer with pirated Windows and an Apache that was distributing porn...
The actual experience of operating data centers says something else. Servers are seized rarely, and only in serious cases.
We have not seen a single attempt in 5 years. But paper requests from the Ministry of Internal Affairs, the Federal Security Service, prosecutors, bailiffs and rights holders arrive at a rate of ten per month for every thousand physical servers. And the funny thing is that 99% of these requests read: "...on your website.ru there is a link to the yyy video on youtube. We thought that this video may be of a bad nature; we demand that you remove the video yyy from youtube. The expert examination of the video and the official order we may, perhaps, obtain someday." Meanwhile, we have nothing to do with this site or with youtube (it is not hosted with us and does not even go through our domain).
Once again we write back about where and to whom they really need to turn, realizing all the while that this will have no real effect, because not everyone knows how to use ping, not to mention the RIPE database and the whois service. And one wonders: who will defend our rights to life and property?
The most amusing are the district police officers and junior detectives of the Ministry of Internal Affairs: "A piece of paper has come down to me and I have to respond to it. Give me some piece of paper, so that I can cook something up from it and close the case." That the contents of the paper have nothing to do with us goes, I think, without saying.
Are there people who know the subject and understand it? Yes, it happens... but very rarely and, as a rule, in cases of the "terrorism" class.
So, the rules of good manners, or the security of Internet resources in Russia:
1. The server is not in the office; this is very important. If you are able to fend off the officers on your own, then keep it at home. Otherwise put the server (or rent one) in a reliable data center of a well-known company, for example e-Style Telecom (www.estt.ru). But not in the office! An office in our country is like a street, a walk-through yard for anyone with any kind of ID. Data centers are supervised by employees of special departments of the FSB, who are an order of magnitude more adequate, and there is, after all, a law on the secrecy of communications. Other procedures are much more complicated; they are used only when really needed.
2. For VPN access, use only AES encryption with a key length of at least 256 bits.
3. All private data lives on a virtual RAM disk; use the highest memory frequency the server supports. Allocating several GB of RAM for a disk is easy in any operating system. Every hour, encrypt the data with an asymmetric method, dump it to disk and copy it to the data center storage system. Without the second key, it is impossible to recover the information from the disk in a reasonable time, and from RAM it can be read only on a running computer. Power in a good data center never goes out.
4. The front-end machine (or virtual machine) should be an open-source *nix server. At the very least, a virtual machine with a proxy, VPN and connection forwarding. Configure packet filtering on the principle of "only what you need". Access lists for your IP addresses can be partially duplicated on the network equipment of the data center (as a rule, free of charge or for ridiculously little money).
5. Backups with a depth of at least 5-6 copies, necessarily on both a local disk and external storage. Private data, of course, only encrypted with a robust asymmetric method.
6. The virtual machine mechanism makes it possible, as a rule, to duplicate the majority of software services. And hardware problems on good servers are rare (we have had only 1 failure among the last hundred servers purchased over a year: the motherboard died... Of course, we are counting failures other than disks... but there RAID and SMART save you).
7. Configure the server so that it can do without constant supervision, and use it only for business. For terminal access by unruly users, you can create separate virtual machines so as not to clutter up the server.
8. For administrative access, use certificate-based authorization or whatever you like, but so that the keys / passwords are not in a person's memory but on a flash drive or a piece of paper. Ensuring the physical security of a flash drive / piece of paper is much easier than finding a silent admin who, after hanging in handcuffs in a holding cell or in some basement of a cottage near Moscow, will not remember the passwords. People can be broken even more cheaply than encryption.
9. Do not post links, torrents and videos about terrorism, extremism or child pornography.
10. If you run an open forum, you need to constantly monitor it for new posts. Do not use the less popular modules for CMSs.
11. Separate business from other projects. If this is a server with important information, there should be nothing else piled onto it "for good measure".
That is about it...
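
Rules 3 and 5 can be served by one hourly job, shown here as an added example that is not from the original post: it dumps the RAM disk with hybrid encryption through the openssl CLI (a random AES-256 session key wrapped with an RSA public key) and keeps only the newest copies. The function names and the SNAP_KEY variable are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post. Only the RSA *public* key is
# on the server; the private key stays offline, so a seized disk or the
# data-center copy holds ciphertext only. All paths are caller-supplied.
# Confidentiality only: "openssl enc" has no AEAD mode, so sign or MAC the
# snapshots separately if tampering matters.

# snapshot_encrypt SRC_DIR PUBKEY_PEM OUT_DIR [KEEP] [STAMP]
snapshot_encrypt() (
    set -eu
    src=$1 pub=$2 out=$3 keep=${4:-6}
    stamp=${5:-$(date -u +%Y%m%dT%H%M%SZ)}
    umask 077
    mkdir -p "$out"
    # Fresh random 256-bit session key per snapshot, handed to openssl via
    # the environment so it is never written to disk.
    SNAP_KEY=$(openssl rand -hex 32)
    export SNAP_KEY
    # Bulk data: AES-256 under the session key.
    tar -C "$src" -cf - . |
        openssl enc -aes-256-cbc -pbkdf2 -salt -pass env:SNAP_KEY \
            -out "$out/$stamp.tar.enc"
    # Session key: wrapped with RSA-OAEP for the holder of the private key.
    printf %s "$SNAP_KEY" |
        openssl pkeyutl -encrypt -pubin -inkey "$pub" \
            -pkeyopt rsa_padding_mode:oaep -out "$out/$stamp.key.enc"
    # Retention: keep only the $keep newest snapshots (names sort by time).
    ls -1 "$out" | grep '\.tar\.enc$' | sort -r | tail -n +"$((keep + 1))" |
    while read -r old; do
        rm -f "$out/$old" "$out/${old%.tar.enc}.key.enc"
    done
)

# snapshot_restore TAR_ENC KEY_ENC PRIVKEY_PEM DEST_DIR
# Run only on the offline host that holds the private key.
snapshot_restore() (
    set -eu
    mkdir -p "$4"
    SNAP_KEY=$(openssl pkeyutl -decrypt -inkey "$3" \
        -pkeyopt rsa_padding_mode:oaep -in "$2")
    export SNAP_KEY
    openssl enc -d -aes-256-cbc -pbkdf2 -pass env:SNAP_KEY -in "$1" |
        tar -C "$4" -xf -
)
```

Call snapshot_encrypt from an hourly cron job with the RAM disk mount point as SRC_DIR; the `-pbkdf2` option requires OpenSSL 1.1.1 or newer.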