Lest it disappear from the Intertubes

The sadly defunct crypto-currency "shares" exchange Litecoin Global has closed due to, I guess, not being able to fit a spanky new thing adequately into the current regulatory environment (whatever that may have been in Belize). The site has/had an offer up for anyone willing to buy its code base, as well as some sage advice on how to set a similar site up. I reprint the advice here, as many of the crypto-currency world's exchanges appear to have a lot of issues getting security right. In addition, I guess that at some point it will disappear.
Anyway, here are the recommendations:

  • An Apache / PHP / memcache / cronjob server.
  • A hot wallet server (behind a firewall that only allows incoming access from the webserver).
  • A MySQL server (also behind a firewall that only allows access from the webserver).
  • A remote Linux box to run the cold wallet / manual withdrawals (has to run the Apache/PHP stack, plus local cold wallet; should be able to be taken offline between withdrawal processing runs).
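The second and third items both come down to the same host-level control: the wallet daemon and the database listen only for the webserver, and everything else is dropped. The script below is an added example written for this post, not code from Litecoin Global or from its offered code base. It generates an nftables ruleset for one such backend host and includes a small check that refuses any ruleset which accepts the service port without a source restriction (the classic mistake of opening 3306 to the world). The addresses (10.0.0.10 for the webserver, 10.0.0.5 for an admin host) and the port are assumptions chosen for the example; run it with the hot wallet's RPC port instead of 3306 for the wallet server.

```shell
#!/bin/sh
# Added example, not from the Litecoin Global post. Emits an nftables ruleset
# for a backend host (MySQL or hot wallet) that only the webserver may reach.
# All IPs and ports below are assumptions for illustration.

# gen_ruleset <webserver_ip> <service_port> <admin_ip>
# Prints a ruleset with default-drop input: loopback, established traffic,
# SSH from the admin host, and the service port from the webserver only.
gen_ruleset() {
    ws_ip="$1"; port="$2"; admin_ip="$3"
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        # management only from the admin host (assumed address)
        ip saddr ${admin_ip} tcp dport 22 accept
        # service port reachable only from the webserver
        ip saddr ${ws_ip} tcp dport ${port} accept
        # everything else falls to the drop policy; log a sample for review
        limit rate 5/minute log prefix "drop-input: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# port_open_to_all <port> <ruleset_file>
# Returns 0 (true) if some accept rule for <port> carries no "ip saddr"
# restriction, i.e. the port is exposed to any source.
port_open_to_all() {
    grep -E "tcp dport $1 accept" "$2" | grep -qv 'ip saddr'
}

# Demo: generate the MySQL host ruleset and check it before loading.
# To apply on the real host you would run: nft -f "$rules" (as root).
rules=$(mktemp)
gen_ruleset 10.0.0.10 3306 10.0.0.5 > "$rules"
if port_open_to_all 3306 "$rules"; then
    echo "WARNING: port 3306 is accepted from any source, do not load this"
else
    echo "OK: port 3306 is reachable only from the webserver"
fi
rm -f "$rules"
```

The check is deliberately on the generated text rather than on live kernel state, so it can run in CI or on the cold-wallet box without root; the same grep also catches a hand-edited ruleset where someone "temporarily" removed the `ip saddr` qualifier.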

I might also add that you should get an external company to pen-test your set-up: expensive but worth it. I'm still weighing up whether kernel-based "security frameworks" like AppArmor or TOMOYO are worth the cost-benefit. The cost is many, many hours of debugging; the question is how many actually usable attack vectors you are really closing off.
