I want to access my personal diary from anywhere - and keep it as secure as possible at the same time. Here's my idea on how to do this...what do you think?
posted by jspierre to Computers & Internet (19 answers total) 7 users marked this as a favorite
I have a personal diary I want to set up on the internet for my use only - it will be private, but I need to be able to access it anywhere - from home, my phone, my laptop, etc., so I do realize there are inherent insecurities, but I plan to make it as secure as possible and well-hidden. Here's what I'm thinking of doind - am I'm being a total idiot or could this work given the limitations I agree to below?
1. The Setup
The server is a Linux VPS with sufficient power and RAM to run all necessary services; assume the server and VPS are sufficiently hardened. I am in complete control of the server and it serves only personal websites and email accounts (no one else's sites are on my server). The diary itself will be running the latest version of Wordpress. Software choice is not negotiable.
2. What I'm not concerned about
Obviously, administrators of the server the VPS is on can access anything on the VPS should they want to. I'm not concerned about that. The diary contains nothing illegal and it wouldn't interest anyone who doesn't know me. However, as with any diary, it would probably interest those who DO know me well, especially the things I may say about those people that would be unflattering or rude. Therefore, my concern is more that the diary itself is kept from (a) Search Engines, (b) The casual peruser, (c) those who know me well and might attempt to "break in" to the diary should they know it exists. I am well aware that a true "Hacker" could probably get at the diary and my server without much difficulty, but again, this information is not valuable, would at mose be embarassing if released, and would not really interest a hacker in any case. The security should just be enough to keep away people with only low-to-modest technical ability. Also, moving the diary offline or into my home is not possible or desired.
3. How I plan to set up security
a. It will be hosted on a directory within a subdomain of a domain; both the directory and subdomain will be nonsense words and letters. For example, http://x993zhd.mysitename.com/jjkda86111. This, I believe, will make it difficult to find when combined with the next item:
b. The subdomain itself will use .htaccess HTTP password protection and will have exactly ONE username and password that will be acceptable. Both the username and the password will be random, nonsense, words and letters that are not related to any other password or username I ever use. I believe this should prevent the site from being findable by search engines (since the spiders cannot crawl past the password authentication stage) AND should prevent anyone from getting in by trying to guess common usernames and passwords. Also, csf/lfd will automatically block the IP address of anyone who gets the username and password wrong five times in a row and will simultaneously notify me via text message if that occurs.
c. I will use the "Registered Users Only" plugin with Wordpress. This plugin will not allow ANYONE to view the diary/blog without first logging in (I've used this plugin before and it works perfectly). I will set up EXACTLY ONE username and password that will be, again, nonsense words and numbers that, again, are completely different from any previous nonsense words and passwords. Also, creating any new usernames and passwords will be disabled within Wordpress. That combined with the next item will ensure that no one can just randomly try guessing the user name and password to access the blog.
d. I will use the "Limit Login Attempts" pugin with Wordpress that will automatically permanently block the IP address of any user who attempts incorrectly to enter a user/password three times in a row.
e. I will use the "User Access Manager" plugin with Wordpress which will restrict the viewing of all posts to only those users I designate. If you are not on the "allowed users" list, you see nothing but a blank page. This is a catch-all solution in case either c. or d. above fail or are hacked past.
f. I will use the "Log User Access" plugin to keep a log of every time the blog is logged into. That way, I can review it periodically to see if there are any dates or times inconsistent with when I believe I actually logged in.
g. I will set Wordpress to "Block Search Engines"...just in case.
h. I will review the website statistics monthly to see what IP addresses successfully connected to the site and ensure that only my own IP addresses show up.
So, basically, to access my diary, I would need to first browse to the special, nonsense URL, then get past HTTP authentication using a nonsense user name and password, then log in to Wordpress with a different nonsense user name and password before I will even be able to see my diary or add to it.
Now, given the security level I'm after (keep it away from the general public, search engines, and those who know me well, none of whom are extremely tech-savvy), does this approach meet that goal? What am I not thinking of or should I add for additional security or peace of mind?