We try to keep our services as secure as possible via the following means:

• Restricting shell access for SSH users
• Preventing password only authentication for SSH
• Restricting permissions on sensitive files (e.g. SSL certificates, NGINX configurations)

We have gone out of our way to patch the following CVE's

We have not needed to patch anything yet for a new server.

These applied to previous servers and major versions:

• Shellshock - Patched by upgrading bash (default is fine on Ubuntu 14.04)
  • https://krebsonsecurity.com/2014/09/shellshock-bug-spells-trouble-for-web-security/
• Heartbleed - Patched by upgrading NGINX (default is fine on Ubuntu 14.04)
  • https://heartbleed.com/
• POODLE - Patched by restricting SSL methods used by NGINX
  • https://access.redhat.com/articles/1232123
  • https://cipherli.st/
• Logjam - Patched by using new Diffie-Hellman group
  • https://weakdh.org/sysadmin.html