One of the main questions for owners of crypto exchanges is how to make the exchange as secure as possible. Exchange security has two critical components: the reliability of the exchange software and the security of the server infrastructure.

OpenCEX was designed with high security requirements in mind, and the code and dependencies are constantly being updated.

In this review, we have collected some practical tips on how to secure your server.

First, let's look at the main attack vectors that attackers can use:

The most critical type of attack is one that gives the attacker full (root) access to the server. With root access, the attacker can make any change to the OpenCEX code, including replacing the cold addresses used to collect cryptocurrency. Under no circumstances should this be allowed.

Following our simple tips will reliably protect your server.

  1. Be sure to use a reverse proxy service such as Cloudflare. This protects your server from DDoS and bot attacks and hides the server's real IP address. It is IMPORTANT to delegate the domain to Cloudflare's name servers immediately; otherwise the server's real IP may be exposed and attackers may try to attack it directly, bypassing the protection.
  2. On the server firewall, block external connections to all ports except 80/443 and the port you use for SSH. Connections to ports 80/443 should be allowed only from the reverse proxy's IP list (for Cloudflare: https://www.cloudflare.com/ips/).
  3. Don't use the standard SSH port. It is better to change it immediately.
  4. Use a whitelist of IP addresses that are allowed to access the server on ports other than 80/443. This SIGNIFICANTLY improves security and makes it harder for attackers to do their job.
  5. Monitoring and auditing: Set up monitoring and auditing systems to track suspicious activity and changes on the server. You should also monitor the checksums of critical services such as SSHd. Regularly review log files for anomalies and suspicious access attempts.
  6. Disable direct login for root. Use su / sudo instead.
  7. Use key-based authentication for SSH access. If you still want to use password access, then use long passwords. The difficulty of cracking a password by brute force increases exponentially with each additional character.
  8. Update server software regularly. Vulnerabilities are regularly found in popular software, sometimes critical ones, and it is very important to fix them in a timely manner.
  9. Backup and recovery: Regularly create backups of all important data on the web server. This will allow you to quickly restore data in case of an attack or system failure.
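
Tips 3, 6 and 7 can be checked mechanically against the SSH daemon configuration. The script below is an added example, not part of OpenCEX; the function names and sample configurations are constructed for illustration. It reads only the global section of the text it is given, so on systems that use `Include` files, feed it the output of `sshd -T` rather than the raw `sshd_config`.

```python
import re

# OpenSSH defaults applied when a keyword is absent from the configuration.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes",
            "pubkeyauthentication": "yes"}

def parse_global(text):
    """Return (ports, settings) from the global section of sshd_config text."""
    ports, settings = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) < 2 or not parts[1].split():
            continue
        key, value = parts[0].lower(), parts[1].split()[0].strip('"').lower()
        if key == "match":   # conditional blocks are not evaluated here
            break
        if key == "port":    # Port may repeat; sshd listens on every one
            ports.append(int(value))
        else:                # for other keywords sshd keeps the first value
            settings.setdefault(key, value)
    return ports or [22], settings

def audit(text):
    """List deviations from tips 3, 6 and 7 of the article."""
    ports, settings = parse_global(text)
    get = lambda k: settings.get(k, DEFAULTS[k])
    findings = []
    if 22 in ports:
        findings.append("tip 3: sshd listens on the standard port 22")
    if get("permitrootlogin") != "no":
        findings.append("tip 6: PermitRootLogin is '%s', expected 'no'"
                        % get("permitrootlogin"))
    if get("pubkeyauthentication") != "yes":
        findings.append("tip 7: public-key authentication is disabled")
    if get("passwordauthentication") != "no":
        findings.append("tip 7: password login is enabled (keys preferred)")
    return findings

# Constructed samples. In WEAK the second PermitRootLogin line has no effect.
WEAK = "Port 22\nPermitRootLogin yes\nPermitRootLogin no\nPasswordAuthentication yes\n"
HARDENED = "Port 49222\nPermitRootLogin no\nPasswordAuthentication no\n"

if __name__ == "__main__":
    for finding in audit(WEAK):
        print(finding)
```

A later `PermitRootLogin no` does not override an earlier `PermitRootLogin yes`, which is why the weak sample is still flagged for tip 6.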