I considered making this post an article on Medium but decided not to because I don't want to be seen as any kind of authority on this subject.
You may remember a post where I talked about making the infrastructure that powers Egee.io Open Source. Well, that was a fun experiment, but I decided to close it for security reasons.
In December, the test server I had running in Linode got hacked. Some bastard put a Bitcoin miner on it. Luckily, Linode has awesome default alerts and I was notified of unusual CPU usage within 10 minutes of the attack.

The attack actually had nothing to do with my infrastructure being on GitHub. I had foolishly left the port to the Docker API exposed to the internet and somebody found it and fired up a Docker container running a Bitcoin miner.
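The exposure described above is easy to audit from the two places a Docker daemon's listen addresses usually come from: the `hosts` key in `/etc/docker/daemon.json` and the `-H` flags on the `dockerd` `ExecStart` line of its systemd unit. The script below is an added example, not code from the original post or from Docker; the file contents it inspects are constructed samples, and the paths named in the comments are the usual defaults but are assumptions for any particular host. It classifies each listener as local (unix or fd socket), loopback TCP, TCP protected by client-certificate verification (`--tlsverify`), or TCP exposed without client authentication, which is the configuration the post describes.

```python
"""Audit a Docker daemon's listener configuration for an unauthenticated TCP API.

Added example (not from the original post). Inputs are parsed from text so the
script runs offline against the constructed samples below; on a real host you
would read /etc/docker/daemon.json and the dockerd ExecStart line from
`systemctl cat docker` (both paths are assumptions, not from the post).
"""
import json
import re
import shlex

# Constructed sample: a daemon.json with the same exposure the post describes
# (the API bound to every interface on 2375 with no TLS at all).
SAMPLE_DAEMON_JSON = '{"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}'

# Constructed sample: a systemd ExecStart line that exposes TCP only behind
# mutual TLS (--tlsverify requires a client cert signed by the given CA).
SAMPLE_EXECSTART = (
    "ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 "
    "--tlsverify --tlscacert=/etc/docker/ca.pem "
    "--tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem"
)

LOOPBACK = {"127.0.0.1", "localhost", "::1", "[::1]"}


def parse_daemon_json(text):
    """Return (listen addresses, tlsverify flag) declared in a daemon.json body."""
    cfg = json.loads(text) if text.strip() else {}
    hosts = cfg.get("hosts", [])
    if isinstance(hosts, str):
        hosts = [hosts]
    return list(hosts), bool(cfg.get("tlsverify", False))


def parse_execstart(line):
    """Return (listen addresses, tlsverify flag) from a dockerd ExecStart line."""
    cmd = line.split("=", 1)[1] if line.startswith("ExecStart=") else line
    argv = shlex.split(cmd)
    hosts, tlsverify = [], False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 1
        elif arg.startswith(("-H=", "--host=")):
            hosts.append(arg.split("=", 1)[1])
        elif arg in ("--tlsverify", "--tlsverify=true"):
            tlsverify = True
        i += 1
    return hosts, tlsverify


def classify_listener(host, tlsverify):
    """Classify one listen address by how reachable and how authenticated it is.

    Note: --tls on its own only encrypts; without --tlsverify any client can
    still talk to the API, so it is treated the same as plain TCP here.
    """
    if host.startswith(("unix://", "fd://")):
        return "local"
    m = re.match(r"^tcp://(\[[^\]]*\]|[^:/]*)?", host)
    if not m:
        return "unknown"
    addr = m.group(1) or ""  # an empty address means "all interfaces"
    if addr in LOOPBACK:
        return "loopback-tcp"
    return "tcp-mutual-tls" if tlsverify else "tcp-exposed"


def audit_daemon_json(text):
    hosts, tlsverify = parse_daemon_json(text)
    return [(h, classify_listener(h, tlsverify)) for h in hosts]


def audit_execstart(line):
    hosts, tlsverify = parse_execstart(line)
    return [(h, classify_listener(h, tlsverify)) for h in hosts]


def exposed_listeners(findings):
    """Just the listeners that hand the API to anyone who can reach the port."""
    return [h for h, cls in findings if cls == "tcp-exposed"]


if __name__ == "__main__":
    for label, findings in (("daemon.json", audit_daemon_json(SAMPLE_DAEMON_JSON)),
                            ("systemd ExecStart", audit_execstart(SAMPLE_EXECSTART))):
        for host, cls in findings:
            print(f"{label}: {host} -> {cls}")
```

Two caveats when using something like this for real: `dockerd` refuses to start if `hosts` is set in `daemon.json` and `-H` is also passed on the command line, so only one of the two sources will normally be populated, and a listener the script reports as `loopback-tcp` or `local` is still root-equivalent for any local user who can reach it. Confirm the result against what is actually bound (`ss -tlnp`) rather than trusting configuration alone, and keep the port closed at the firewall even when the daemon is correctly configured.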
But it got me thinking about how the security measures of my infrastructure are public, and that's not a good thing. Anybody could go to my GitHub and see my firewall rules, my authorized users, installed applications, etc. Obscuring these details doesn't necessarily increase the security of my infrastructure; revealing them, however, definitely decreases it.
I decided to close out the GitHub repo (because the Git history remained) and migrate everything to a private repo on GitLab. As great as Open Source is, I can't compromise my security over the ideal that everything ought to be Open Source.