Server security is a key aspect of server management for web hosts and server administrators. Here, we discuss ten techniques for hardening servers and monitoring them for security vulnerabilities.
1. Use Public Key Authentication For SSH:
Remove unencrypted access. Nobody should use telnet, ftp or http to manage servers anymore. SSH, SFTP, and https are the accepted standards. For even better security, remove password authentication in SSH entirely. Instead, use SSH keys. Each user has a public key and a private key. The user keeps the private key. The public key is stored on the server. When the user tries to log in, SSH makes sure that the public key matches the private key. Once password logins are disabled, there is no risk of a successful brute force attack against a weak password.
2. Strong Passwords:
A hardened firewall is challenging for criminals, but you'd be surprised how many server administrators leave the front door wide open. People, including those who should know better, tend to choose passwords that are easy to guess. Last year, brute force attacks against servers with weak SSH passwords resulted in a series of ransomware attacks. Use long, random passwords - Long passphrases are better and ultimately restrict users with login type access.
3. Install And Configure The CSF Firewall:
Config Server Firewall is a free, feature-rich firewall that can protect a server against a wide variety of attacks. Its features include dynamic packet inspection, limiting the authentication failure rate, flood protection, directory monitoring and the use of external blacklists. CSF is a fantastic tool and much easier to administer than iptables.
4. Install And Configure Fail2Ban:
Every server on the web is riddled with bots looking for weaknesses. Fail2Ban scans your server logs for patterns that indicate malicious connections, such as too many failed authentication attempts or too many connections from the same IP. You can then block connections from those IPs and notify an administrator account.
5. Install Malware Scanning Software:
Ideally, you want to keep malicious people off your server, but if they manage to breach server security, you'll want to know asap. ClamAV is an excellent Linux malware scanning tool and rkhunter is useful for finding rootkits. In combination, they are very likely to find some malware that a hacker can install on a server. AIDE can be used to generate a hash table of files on the system and then compare the hash count of the files on a daily basis to confirm that no changes have been made to critical files on the system.
6. Keep Software Up-To-Date:
Outdated software likely contains security vulnerabilities known to hackers, as Equifax recently discovered at everyone's expense. If you ignore all the other tips in this article, which you shouldn't, you should at least update using your Linux distribution's package manager.
7. Backup Regularly:
You may not think of backups as a security measure, but the main reason we protect a server is to keep the data stored on it safe. It is impossible to guarantee that a server will never be compromised, so the data must be encrypted and backed up to an external location. Regular full backup recovery tests will neutralize ransomware attacks.
8. Monitor Logs:
Records are a vitally important security tool. A server collects huge amounts of information about what it does and who is connecting to it. Patterns in that data often reveal malicious behavior or security compromises. Logwatch is a great daily summary tool that can analyze, summarize, and report on what is happening on your server. Logsentry can be used for hourly reports for more active input tracking.
9. Turn Off Unnecessary Services:
Any Internet software that is not essential to the operation of the server should be disabled. The fewer points of contact between the internal server environment and the outside world, the better. Most Linux distributions, including CentOS and Ubuntu, include a tool for managing services.
This also applies to the web server engine itself, activating modules you don't need, removing language modules that are not in use, disabling web server status, and debugging pages. The less information you provide about its underlying infrastructure, the smaller the footprint to attack it.
10. Install ModSecurity:
ModSecurity is a web application firewall: it operates at a higher level than the CSF firewall and is designed to deal with threats against the application layer. Simply put, it stops many types of attacks against web applications, including content management systems like WordPress and e-commerce stores like Magento. ModSecurity used to be an Apache module, but now it is available for NGINX as well.
Consider these options also:
Take steps to mitigate XSS (Cross Site Scripting) attacks by adding settings to servers that force the server and client to confirm who they are talking to. OWASP has a wealth of information and tutorials.
Use HTTP2 (or http1.2) HTTP / 2 implementations MUST use TLS version 1.2 or higher for HTTP / 2 over TLS. This updated http engine benefits server load by speaking binary to the client instead of text and improves interoperability, reduces exposure to known security vulnerabilities and reduces the potential for site display issues from different browser access customers.