Snapt systems attempt to be as secure as possible at all times. By far the most secure system is one that is unreachable, though – over the past few years there have been far more vulnerabilities in “standby services” such as SSH, PHP, web servers and so on than there have been in our Accelerator or Balancer. This means that the majority of the security patches we issue only matter for servers that are openly reachable.
Snapt images from 2015 and onwards include SSL on port 8081, and HTTP on port 8080 for legacy users. We advise completely blocking port 8080 on your firewall, and restricting access to port 8081 to local ranges, or at least a select few public IPs. This protects against an unknown vulnerability in the Snapt interface, or the web server it runs on, and prevents unauthorized access due to weak passwords and so on.
SSH access is provided purely for recovery and debugging purposes – in daily operations, there is no requirement for it. For this reason you can completely disable it in the interface, and we advise doing so. Firewalling port 22 is also a good idea.
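The port advice in the two paragraphs above (8080 blocked, 8081 limited to chosen sources, 22 firewalled) can be written as one ruleset. This is an added example, not Snapt code: it assumes a Linux firewall that forwards traffic to the appliance, and the chain name `SNAPT-MGMT`, the function names and the sample addresses are made up for illustration.

```shell
#!/bin/sh
# Added example, not Snapt code. Prints an iptables-restore ruleset for a Linux
# firewall (assumed) that forwards traffic to the appliance.
# Usage: snapt_mgmt_ruleset APPLIANCE_IP ALLOWED_SOURCE [ALLOWED_SOURCE...]

valid_source() {
    # Shape check only: dotted-quad IPv4 with an optional /0-32 prefix.
    case $1 in ''|*[!0-9./]*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

snapt_mgmt_ruleset() {
    if [ "$#" -lt 2 ]; then
        echo "need the appliance IP and at least one allowed source" >&2
        return 1
    fi
    appliance=$1
    shift
    for addr in "$appliance" "$@"; do
        valid_source "$addr" || { echo "invalid address: $addr" >&2; return 1; }
    done
    echo '*filter'
    echo ':SNAPT-MGMT - [0:0]'
    # Only the appliance's three management ports go through the chain.
    echo "-I FORWARD 1 -d $appliance -p tcp -m multiport --dports 22,8080,8081 -j SNAPT-MGMT"
    # Legacy HTTP interface and SSH: blocked for every source (assumption:
    # SSH is not needed in daily operations, as stated above).
    echo '-A SNAPT-MGMT -p tcp --dport 8080 -j DROP'
    echo '-A SNAPT-MGMT -p tcp --dport 22 -j DROP'
    # SSL interface: listed sources are accepted, everything else is dropped.
    for src in "$@"; do
        echo "-A SNAPT-MGMT -s $src -p tcp --dport 8081 -j ACCEPT"
    done
    echo '-A SNAPT-MGMT -p tcp --dport 8081 -j DROP'
    echo 'COMMIT'
}

# Constructed sample values (documentation address ranges), not from the page.
snapt_mgmt_ruleset 192.0.2.10 10.0.0.0/8 198.51.100.7
```

Review the printed rules before loading them, for example with `iptables-restore --noflush`, which leaves the rest of the existing ruleset in place.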
If you are using your own operating system, it is critical that you apply any system patches, especially for libraries used by the product, such as OpenSSL. With the Snapt 2015 image you have a System Patches section where you can apply patches in the interface. These should always be checked and applied!