How to secure your web server?

Are you afraid that a security problem will affect your server and that someone with bad intentions will find out about it? Nothing could be more normal: the number of security holes is exploding. Securing servers is critical because cybercriminals target these servers first. This is where the most sensitive data is stored. It is important to ensure that robust security measures are built into systems and applications to maintain a secure IT network. With the rise of telecommuting, and even more so since the Covid-19 pandemic, hacking issues have increased dramatically. Yet, there are a number of measures companies can put in place to ensure a higher level of security. We thought it would be useful to take a look at some of these measures, which you can take to ensure the security of your server.

1. Establish a password policy

You need to define a password policy, which must be scrupulously respected by all members having access to your server. Among the most common recommendations, you can find these:

  • Enable two-factor authentication;
  • Do not use dictionary words or personal information in passwords;
  • Use complex passwords of at least 10 characters, including numbers, symbols, and punctuation marks;
  • Don’t store passwords on laptops, smartphones, or tablets (anything that is easily stolen or lost);
  • Use a secure password generator to generate the password;
  • Set an expiration date for a password;
  • Do not use the same password for multiple accounts.

2. Securing your website with HTTPS

HTTPS is the secure version of HTTP. It is used as a communication protocol to secure the communication between two systems; for example, for a browser and a web server. All information entering and leaving your server is automatically encrypted when SSL is present on the web server. This prevents a hacker from getting his hands on the sensitive information of your visitors. The HTTPS protocol uses the SSL/TLS protocol for encryption and authentication. It encrypts HTTP requests and responses, so that attackers only see random characters instead of credit card details, for example. You can make your server use SSL for its web server by purchasing a premium SSL certificate (such as Komodo) and configuring your server to use it, or by using Let’s Encrypt to apply a free SSL certificate. Their command line tool “Certbot” can help you set up SSL in minutes. I’ve written an article that can help you, if you don’t know how to choose your SSL certificate.

3. Regularly update the server

It’s always a good idea to regularly update your server to protect your operating system from hackers. Unfortunately, this is not enough: you also need to make sure you regularly update your content management system, such as WordPress or Prestashop, as well as their themes and extensions. Outdated software or plugins may contain security holes known to malicious users. Often, the public disclosure of a security hole precedes an update. In other words, the flaw is known to everyone, all that remains is to exploit it…

4. Disable unnecessary services

It is also recommended to disable and even remove all unnecessary services that are not essential for the functionality of your server. By default, most (Linux-based) operating systems come with a service management tool. You can use it to disable and remove relevant services. Another example: if your website is powered by WordPress, you should remove all unused plugins and themes to protect it from attacks: the less information you provide about your site, the smaller the base on which a hacker could launch an attack.

5. Disable unused ports

This passage directly echoes the previous one: keeping ports open does not pose any particular security risk, and they are sometimes necessary for communication between different services or applications. It is even mandatory that some ports are enabled, like ports 80 and 443 for HTTP or HTTPS connections, or the SSH port you selected. If you have made a minimal system installation with only a few third-party applications, the number of additional ports required is limited. These open ports only become a risk when the program using them has a security hole and an attacker takes advantage of it. As we have seen above, the more applications there are, the greater the potential danger. So it makes sense to protect your server against such attacks by blocking all unnecessarily open ports. Almost all operating systems already have a tool installed by default to create fixed rules to regulate traffic, or to define desired and undesired ports.

6. Install malware scanning software

It is also recommended that you scan your server regularly for malware and remove it before it compromises the security of your server. While malware is rare on Linux distributions, it is not non-existent. ClamAV is one of the best malware scanning tools for Linux. It scans your server and automatically removes malicious software or files. It supports multiple file formats, including documents, executables and archives. Also read: 7 best practices to secure your data and your employees’ uses

7. Install a firewall

You can install and configure a firewall to prevent unauthorized connections to (or from) your server. Almost all Linux distributions include firewall software or can easily be added. CSF, also known as ConfigServer Security & Firewall, is a free firewall that can be used to protect your server against various types of attacks. It checks for connection authentication failures on your SSH server, mail server, FTP server, cPanel, DirectAdmin and Webmin and can block them immediately. CSF is also capable of detecting many attacks, such as port scanning and brute force attacks for many services.

8. Secure the server against brute force attacks

A hacker who wants to gain access to your server (or the applications running on it) has several remedies to do so. One of the simplest and most common types of attacks is the so-called brute force method. In this case, the hacker tries to gain access to passwords using a tool that tries one option after another. The more forward-thinking and careful you are with your password policy, the less likely this method will be effective. Keep in mind that if you offer a service with an account creation option, not all users will be as conscientious and careful as they should be. Fortunately, no complex and expensive software is needed to protect against such attacks: since every login attempt is recorded, processed and then saved in log files on your server, simple analysis tools can help. Fail2ban (Linux-/POSIX-System) or RdpGuard (Windows) check log files, detect unusual behavior and block the IP address of suspicious users. You can set the number of unsuccessful attempts needed before the IP is blocked and the actual duration of the block.

9. Change SSH port

SSH is the most used protocol to connect to a remote server. Most people use SSH to connect and manage their remote servers, using a password. To access a server via SSH, port 22 is dedicated: it is automatically configured when you installed your system. A hacker looking for a permeable system will therefore mainly attempt to attack via this port. However, by defining a different port for these connections, you considerably minimize the risk of unwanted access. Simply open the SSH configuration file with the text editor of your choice, then search for the appropriate line and replace port 22 with a number of your choice. Warning: Remember that there are several other “standard” ports that are useful for other services (such as port 80 for HTTP), and you should not use them. First take a look at the list of software ports (RCP and UDP) maintained by the Internet Assigned Numbers Authority (IANA).

10. Using public key authentication for SSH

To finish with SSH, you can, instead of using a password, use key authentication to connect to your remote server: each user then has a public key and a private key. The private key is kept by the user, and the public key is placed on the server. An SSH key has more bits than a password, and is not easily “cracked”. You should keep your private key safe – don’t share it with anyone!