Top 20 Best Practices for Web Server Security

Web Server Security

Ensuring web server security is crucial for safeguarding your web applications and the data they manage against various threats such as malicious activities, hacking attempts, and data breaches. The following are some essential factors and recommended procedures to improve web server security:

How Can Security Be Assured on a Server?

To avoid data loss or security breaches, it’s crucial to secure your server. Security is a topic that many people find difficult, so it frequently goes unheeded. When a problem occurs, many people are unprepared. You may dramatically reduce your risk of getting hacked by a bad actor by adhering to these best practices.

Optimum server security procedures

Server Administration

Achieving peak server operations performance requires proper server management to guarantee that all activity continues to adhere to organizational requirements. This includes taking internal and external security measures and employing qualified system administrators.

Physical Protection

Physical security measures are put in place to help stop unauthorized individuals from physically accessing servers, routers, and wiring closets. Every firm needs physical access control (PAC), which includes locks, biometric authentication, and other hardware like badges.

The most fundamental type of physical access control system is conventional doors and locks, but enterprise-grade physical access control systems offer much more. Access controls can be stricter in some parts of a building than others, for example where public areas and limited-access areas sit side by side.

A security best practice is to keep the credential database updated and to remove any inactive users. Additionally, adding several PACs is an excellent way to increase the security of physical access control for susceptible

Upgrade operating systems and software

The most important security measure you can take for your server is to keep its software and operating system (OS) updated. Updates include critical vulnerability patches as well as minor bug fixes. Because many software vulnerabilities are patched as soon as they are made public, users should install updates promptly rather than waiting.

Faults may go undetected in server systems because of the complicated interactions they frequently have with software environments. Your server will inevitably become vulnerable if your operating system and any other applications are not kept up to date. To ensure security, businesses must prepare to implement frequent updates and fixes in a timely manner.

The upkeep of the credential database and removal of any inactive users is

Safe Connections

SSH

Use a secure shell (SSH) connection whenever access to the server’s command line (terminal) is required. SSH establishes a secure data conduit. Only the data passed from the PC to the server through the terminal is secured by this connection.

The SSH port is another item to consider. The default port for SSH is 22. Best practice is to avoid the default and, for added protection, to use a port in the 32768 to 61000 range. This change keeps the service off the radar of automated attacks that only probe port 22; it is a layer of obscurity rather than a control in itself, so it complements the key and root-login settings below rather than replacing them.

SSH Keys

Use an SSH key rather than a password to access the server. Keys remove the need for a root password, because the SSH option that allows logging in as the root user with a password can then be disabled. Authenticating with a key adds a degree of security beyond using a password alone.

SSH keys are a cryptographically generated key pair: the private half stays on your computer and the public half is placed on the server. Because the pair is generated cryptographically, a larger key size gives a stronger key.

Since they conceal any network users behind the proxy’s IP address and host firewalls, proxy servers are an alternative as an additional security precaution. In this configuration, it

MFA, or multi-factor authentication

SSH keys are a single-factor authentication mechanism. With two-factor or multi-factor authentication, a user must provide multiple pieces of information (such as a phone number, email address, and government ID) before gaining access to sensitive data.

VPN

A virtual private network (VPN) is a secure link from a distant location to a local, private network. It guarantees the security of private data and upholds the confidentiality and accuracy of the data. Using a VPN secures your connection to the Internet and offers privacy and protection when communicating and browsing online.

Fail2Ban

A server program called Fail2ban discourages or blocks remote connections that make brute-force attempts at access. It enables you to keep tabs on the severity and frequency of attacks, and updates to firewall rules are made to temporarily block dubious IP addresses. Numerous protocols, including HTTP, SSH, and SMTP, can be watched by Fail2Ban. Fail2Ban serves as a good security deterrent for any server, although by default it simply monitors SSH.

SSL/TLS

Server security certificates, such as those used with Secure Sockets Layer (SSL) and Transport Layer Security (TLS), are another reliable protective measure. TLS is the more recent successor to SSL; both are cryptographic mechanisms for authentication and encryption. Older SSL protocols had security flaws that TLS fixes, and these certificates are what allow clients to authenticate the server.

By encrypting critical information sent over the internet, such as passwords, usernames, and credit card numbers, server security certificates safeguard network connections and enable servers to validate entities.

Restricting Root Access

SSH should be restricted to a limited subset of users. To do this, add the following lines to the /etc/ssh/sshd_config file (each directive goes on its own line).

PermitRootLogin no
Protocol 2

Then add the SSH users group to the same file, so that only members of that group may log in.

AllowGroups sshusers

Current OpenSSH releases have dropped protocol 1 entirely, so the Protocol line is harmless but redundant there. After editing, validate the file with sshd -t and reload the service; keep an existing session open until a fresh login through the new rules has succeeded, so a mistake does not lock you out.
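The following script is an added example, not part of the original article: it audits an sshd_config file for the settings recommended in this section (root login, group restriction, key-only authentication and a non-default port). The constructed sample configs, the 40022 port and the sshusers group name are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: audit an sshd_config file for
# the settings this section recommends. Pass a path, or omit it to check the
# system file /etc/ssh/sshd_config. Match blocks are not interpreted.

# Effective value of a directive. sshd honours the FIRST occurrence of a
# keyword and matches keywords case-insensitively; commented lines carry the
# '#' in field 1 and therefore never match.
sshd_directive() {
    # $1 = config file, $2 = directive name
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# Print one finding per line; print nothing when the file is compliant.
audit_sshd_config() {
    cfg="${1:-/etc/ssh/sshd_config}"

    v=$(sshd_directive "$cfg" PermitRootLogin)
    [ "$v" = "no" ] ||
        echo "PermitRootLogin is '${v:-unset, defaults to prohibit-password}', want 'no'"

    v=$(sshd_directive "$cfg" AllowGroups)
    [ -n "$v" ] ||
        echo "AllowGroups is unset: every account on the host may log in over SSH"

    v=$(sshd_directive "$cfg" PasswordAuthentication)
    [ "$v" = "no" ] ||
        echo "PasswordAuthentication is '${v:-unset, defaults to yes}', want 'no' (keys only)"

    v=$(sshd_directive "$cfg" Port)
    [ "${v:-22}" != "22" ] ||
        echo "Port is 22: the article recommends a port in the 32768-61000 range"
    return 0
}

# Constructed sample configs so the audit can run without touching a live
# host; the temporary directory is left in place for inspection.
SSHD_SAMPLES=$(mktemp -d)
cat > "$SSHD_SAMPLES/weak.conf" <<'EOF'
# Distribution default: root login and passwords left at their defaults
#PermitRootLogin prohibit-password
Port 22
PasswordAuthentication yes
EOF
cat > "$SSHD_SAMPLES/hardened.conf" <<'EOF'
Port 40022
PermitRootLogin no
PasswordAuthentication no
AllowGroups sshusers
EOF

echo "== weak.conf =="
audit_sshd_config "$SSHD_SAMPLES/weak.conf"        # prints four findings
echo "== hardened.conf =="
audit_sshd_config "$SSHD_SAMPLES/hardened.conf"    # prints nothing
```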

Turn off pointless services

Service Auditing

Service auditing investigates which services are currently active on the server, the protocols they employ, and the ports they communicate over. Being aware of these elements will aid in reducing the system’s attack vectors.

Many servers ship with a number of services enabled by default so that a variety of functions are available out of the box. It is preferable to disable these extra services if they aren't being used. On a Red Hat-based system you can locate and disable unused services with the commands below.

Enabled Services on Red Hat/CentOS

Run the following command to see the enabled services in Red Hat or CentOS.

systemctl list-unit-files | grep enabled

The result is this.

[root@host ~]# systemctl list-unit-files | grep enabled
var-lib-snapd-snap-core-7917.mount          enabled
var-lib-snapd-snap-hello\x2dworld-29.mount  enabled
var-lib-snapd-snap-snapcraft-3440.mount     enabled
acpid.service                               enabled
auditd.service                              enabled
autovt@.service                             enabled
crond.service                               enabled
dbus-org.fedoraproject.FirewallD1.service   enabled
firewalld.service                           enabled
getty@.service                              enabled
irqbalance.service                          enabled
microcode.service                           enabled
NetworkManager-wait-online.service          enabled
postfix.service                             enabled
qemu-guest-agent.service                    enabled
rhel-autorelabel.service                    enabled
rhel-configure.service                      enabled
rhel-dmesg.service                          enabled
rhel-domainname.service                     enabled
rhel-import-state.service                   enabled
rhel-loadmodules.service                    enabled
rhel-readonly.service                       enabled
rsyslog.service                             enabled
sonarpush.service                           enabled
sshd.service                                enabled
systemd-readahead-collect.service           enabled
systemd-readahead-drop.service              enabled
systemd-readahead-replay.service            enabled
tuned.service                               enabled
snapd.socket                                enabled
default.target                              enabled
multi-user.target                           enabled
remote-fs.target                            enabled
runlevel2.target                            enabled
runlevel3.target                            enabled
runlevel4.target                            enabled
[root@host ~]#

The next command displays the services that are active.

systemctl | grep running

The result is as shown below.

[root@host ~]# systemctl | grep running
session-2969.scope             loaded active running Session 2969 of user root
acpid.service                  loaded active running ACPI Event Daemon
auditd.service                 loaded active running Security Auditing Service
crond.service                  loaded active running Command Scheduler
dbus.service                   loaded active running D-Bus System Message Bus
firewalld.service              loaded active running firewalld - dynamic firewall daemon
getty@tty1.service             loaded active running Getty on tty1
irqbalance.service             loaded active running irqbalance daemon
polkit.service                 loaded active running Authorization Manager
postfix.service                loaded active running Postfix Mail Transport Agent
rsyslog.service                loaded active running System Logging Service
serial-getty@ttyS0.service     loaded active running Storm management console on Serial Getty ttyS0
snapd.service                  loaded active running Snappy daemon
sonarpush.service              loaded active running Realjossy Sonarpush Monitoring Agent
sshd.service                   loaded active running OpenSSH server daemon
systemd-journald.service       loaded active running Journal Service
systemd-logind.service         loaded active running Login Service
systemd-udevd.service          loaded active running udev Kernel Device Manager
tuned.service                  loaded active running Dynamic System Tuning Daemon
dbus.socket                    loaded active running D-Bus System Message Bus Socket
snapd.socket                   loaded active running Socket activation for snappy daemon
systemd-journald.socket        loaded active running Journal Socket
systemd-udevd-control.socket   loaded active running udev Control Socket
systemd-udevd-kernel.socket    loaded active running udev Kernel Socket
[root@host ~]#

Use this command to turn off a service, such as Bluetooth. Disabling a unit only stops it from starting at boot; add --now (systemctl disable --now bluetooth) to stop the running instance as well.

systemctl disable bluetooth

Ubuntu/Debian Running Services

On a server running Debian or Ubuntu, the following command displays the services that are currently active.

service --status-all | grep '+'

This is the result.

root@host ~# service --status-all | grep '+'
 [ + ]  apache-htcacheclean
 [ + ]  apache2
 [ + ]  apparmor
 [ + ]  apport
 [ + ]  atd
 [ + ]  binfmt-support
 [ + ]  cron
 [ + ]  dbus
 [ + ]  ebtables
 [ + ]  grub-common
 [ + ]  irqbalance
 [ + ]  iscsid
 [ + ]  lvm2-lvmetad
 [ + ]  lvm2-lvmpolld
 [ + ]  lxcfs
 [ + ]  procps
 [ + ]  rsyslog
 [ + ]  ssh
 [ + ]  udev
 [ + ]  ufw
 [ + ]  unattended-upgrades
root@host ~#

That command lists the status of the services managed by SysV init scripts; a plus (+) marks a running service and a minus (-) a stopped one. The systemd units that are running are shown by the following command.

systemctl | grep running

The result is shown in the following.

root@host ~# systemctl | grep running
proc-sys-fs-binfmt_misc.automount  loaded active running Arbitrary Executable File Formats File System Automount Point
init.scope                         loaded active running System and Service Manager
session-1726.scope                 loaded active running Session 1726 of user root
accounts-daemon.service            loaded active running Accounts Service
apache2.service                    loaded active running The Apache HTTP Server
atd.service                        loaded active running Deferred execution scheduler
cron.service                       loaded active running Regular background program processing daemon
dbus.service                       loaded active running D-Bus System Message Bus
getty@tty1.service                 loaded active running Getty on tty1
irqbalance.service                 loaded active running irqbalance daemon
lvm2-lvmetad.service               loaded active running LVM2 metadata daemon
lxcfs.service                      loaded active running FUSE filesystem for LXC
networkd-dispatcher.service        loaded active running Dispatcher daemon for systemd-networkd
polkit.service                     loaded active running Authorization Manager
rsyslog.service                    loaded active running System Logging Service
serial-getty@ttyS0.service         loaded active running Storm management console on Serial Getty ttyS0
snapd.service                      loaded active running Snappy daemon
ssh.service                        loaded active running OpenBSD Secure Shell server
systemd-journald.service           loaded active running Journal Service
systemd-logind.service             loaded active running Login Service
systemd-networkd.service           loaded active running Network Service
systemd-resolved.service           loaded active running Network Name Resolution
systemd-timesyncd.service          loaded active running Network Time Synchronization
systemd-udevd.service              loaded active running udev Kernel Device Manager
unattended-upgrades.service        loaded active running Unattended Upgrades Shutdown
user@0.service                     loaded active running User Manager for UID 0
dbus.socket                        loaded active running D-Bus System Message Bus Socket
lvm2-lvmetad.socket                loaded active running LVM2 metadata daemon socket
snapd.socket                       loaded active running Socket activation for snappy daemon
syslog.socket                      loaded active running Syslog Socket
systemd-journald-audit.socket      loaded active running Journal Audit Socket
systemd-journald-dev-log.socket    loaded active running Journal Socket (/dev/log)
systemd-journald.socket            loaded active running Journal Socket
systemd-udevd-control.socket       loaded active running udev Control Socket
systemd-udevd-kernel.socket        loaded active running udev Kernel Socket
root@host ~#

Use the following command to disable a service. On Debian/Ubuntu the Apache unit is named apache2, as the output above shows.

systemctl disable apache2
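The script below is an added example, not part of the original article, covering both the Red Hat and Debian/Ubuntu procedures above: it compares the enabled systemd units against an approved baseline and prints the unexpected ones, so the review becomes a repeatable check instead of reading `systemctl` output by eye. The baseline path, unit names and sample output are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: compare the units a host has
# enabled against an approved baseline and print the unexpected ones. On a
# live host you would run:
#   systemctl list-unit-files | unexpected_units /etc/approved-units.txt
# The baseline path above is hypothetical; the sample data below is constructed.

# Read `systemctl list-unit-files` output on stdin and print the names of
# enabled units, sorted and de-duplicated (field 2 is the STATE column; the
# header line and disabled/static units are skipped).
enabled_units() {
    awk '$2 == "enabled" { print $1 }' | sort -u
}

# Enabled units that do not appear in the baseline file ($1), one per line.
# grep -x matches whole lines, -F treats the baseline as fixed strings and
# -v inverts, so the output is exactly the set difference.
unexpected_units() {
    enabled_units | grep -vxF -f "$1" || true   # grep exits 1 when nothing is left
}

# Emit the disable commands for an administrator to review; nothing is run here.
suggest_disable() {
    unexpected_units "$1" | sed 's/^/systemctl disable --now /'
}

# Constructed sample: what list-unit-files might print on the Red Hat host above.
SAMPLE_UNIT_FILES='UNIT FILE                         STATE
auditd.service                    enabled
bluetooth.service                 enabled
chronyd.service                   disabled
firewalld.service                 enabled
getty@.service                    enabled
postfix.service                   enabled
rsyslog.service                   enabled
sshd.service                      enabled
multi-user.target                 enabled
'

# Constructed baseline: the units this server role is approved to have enabled.
APPROVED_UNITS=$(mktemp)
printf '%s\n' auditd.service firewalld.service getty@.service \
    rsyslog.service sshd.service multi-user.target > "$APPROVED_UNITS"

printf '%s' "$SAMPLE_UNIT_FILES" | suggest_disable "$APPROVED_UNITS"
# prints:
#   systemctl disable --now bluetooth.service
#   systemctl disable --now postfix.service
```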

Take X Windows out of the system.

On Unix-like operating systems, the X Window System, also known as X11 or simply X, is the default windowing system for bitmap displays. It offers the fundamental structure for a GUI environment with windows. X.org is the name of the X Windows system that is a part of CentOS, Red Hat Enterprise Linux (RHEL), and Fedora Linux.

For most servers, a management panel is sufficient for performing basic server administration chores. Knowing how many open paths there are to the server is useful so you can only enable those that you actually need. If X Windows is already installed and your server doesn’t need it, you should delete it.

This command removes the X Window System package group.

yum groupremove "X Window System"

Maintain Backups

Any firm may suffer a catastrophic loss if vital data were lost. Fortunately, there are many trustworthy backup options available, such as server backup software that can support both physical and virtual servers.

Three-two-one rule

  • Three: Keep three copies of your data, made up of one primary copy and two backups.
  • Two: Store the copies on at least two different types of storage media. One copy can be kept locally on your hard disk, while the second can be kept on a network-attached storage (NAS) device or on a local storage server.
  • One: Keep one copy of the data offsite. This can be a storage server kept elsewhere or a cloud storage system with a hosting company.

User Administration

Follow up on login attempts

Host intrusion detection systems (HIDS) are applications that watch devices for unusual activity. A HIDS examines kernel logs as well as accessible files, running applications, and data.

A network intrusion detection system (NIDS) scans network traffic for unusual behaviour. It assesses the data exchanged between connected devices.

A NIDS is used for a LAN-based solution, while a HIDS is used for a more comprehensive, host-level solution.

Some HIDS are listed below:

  • OSSEC
  • Wazuh (a fork of OSSEC that provides greater dependability and scalability)
  • Security Onion
  • Tripwire
  • Samhain

Combining NIDS with HIDS can result in a strong, all-encompassing intrusion detection system strategy. Several suggestions are as follows:

Decrease User Permissions

Limit the permission sets that users have to 644 or 444 for files and 755 for folders to guarantee that only the necessary users have access to essential systems.

Administer user testing

Set a date for performing a security audit and let users know in advance. Set clear expectations and hold them responsible for any shortcomings.

Ongoing security education

Send out monthly reminders, do training every three months, and conduct dry runs over a six-month period in several areas (email, network, and physical). You should also keep track of failures so you can make improvements and provide more training in those areas.

Journey Safety

Security does not stop at your company's front door. Setting up security training for staff members who travel internationally is a prudent decision, all the more so now that many businesses have gone fully remote or have set up remote weeks for specific departments.

Utilize SELinux.

SELinux is a kernel-based security module that provides a means of enforcing access control security policies, including mandatory access control (MAC). It is usually employed to tighten access control requirements beyond what ordinary file permissions provide.

You can specify what a process or user is allowed to perform with SELinux. It can restrict operations to their domain so that actions can only communicate with specific file types or other processes from approved domains.

SELinux can be in any one of the following three modes:

  • Enforcing: SELinux actively enforces the loaded policy.
  • Permissive: policy violations are logged but not blocked; mostly used for testing.
  • Disabled: SELinux is not active.

Education and Information

If you don’t know what to look for or what questions to ask, important things can go missed. To be safe, you don’t have to be an expert in security, but you do need to be aware of the threats to your company.

The idea that a fully managed server service provides all the protection you require is a frequent one. However, hosting companies collaborate with you and your team to guarantee the security of your environment. Your data is your responsibility, but the hosting provider makes sure the hardware, network, and facilities are secure. You and your team need to become knowledgeable about typical security concerns and how to protect your websites and applications against them.

Filesystem Security

The server filesystem can be protected in a number of ways. Start by always mounting user-writable filesystems on separate partitions. Then use the text editor of your choice to add the following mount options to those partitions' entries in /etc/fstab: nosuid, nodev, and noexec.

Consider the following additional settings:

Make /boot Read-Only.

The /boot directory is mounted read-write by default even though it is only read from, to load the kernel and its modules. Set it read-only in /etc/fstab with an entry like the following (the options field is comma-separated, so ro is appended to defaults).

/dev/sda1 /boot ext2 defaults,ro 1 2

Remember to remount it read-write (mount -o remount,rw /boot) before installing a kernel update, otherwise the package manager cannot write the new kernel.
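The following script is an added example, not part of the original article: it checks an fstab for the mount options this section recommends (nosuid, nodev and noexec on user-writable filesystems and ro on /boot). The set of user-writable mount points and the sample fstab are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original article: check an fstab for the mount
# options this section recommends. The list of user-writable mount points is
# an assumption; adjust it to your layout. On a live host run: audit_fstab /etc/fstab
USER_WRITABLE="/tmp /var/tmp /home"

# Options field (column 4) for a mount point, or nothing if it has no entry.
fstab_options() {
    # $1 = fstab path, $2 = mount point
    awk -v mp="$2" '$1 !~ /^#/ && NF >= 4 && $2 == mp { print $4; exit }' "$1"
}

# True when the comma-separated option list $1 contains option $2 exactly
# (so "nosuid" does not match a hypothetical "nosuidfoo").
has_option() {
    case ",$1," in *",$2,"*) return 0 ;; esac
    return 1
}

# Print one finding per line; no output means the fstab meets the recommendations.
audit_fstab() {
    fstab="${1:-/etc/fstab}"
    for mp in $USER_WRITABLE; do
        opts=$(fstab_options "$fstab" "$mp")
        if [ -z "$opts" ]; then
            echo "$mp: no separate filesystem, so it cannot carry its own nosuid/nodev/noexec"
            continue
        fi
        for want in nosuid nodev noexec; do
            has_option "$opts" "$want" || echo "$mp: missing $want (options: $opts)"
        done
    done
    opts=$(fstab_options "$fstab" /boot)
    if [ -n "$opts" ]; then
        has_option "$opts" ro || echo "/boot: not read-only (options: $opts)"
    fi
    return 0
}

# Constructed sample fstab: /tmp is hardened, /home lacks nodev, /var/tmp has
# no entry of its own and /boot is still read-write.
FSTAB_SAMPLE=$(mktemp)
cat > "$FSTAB_SAMPLE" <<'EOF'
# <device>   <mount point>   <type>   <options>                      <dump> <pass>
/dev/sda1    /boot           ext2     defaults                       1      2
/dev/sda2    /               ext4     defaults                       1      1
/dev/sda3    /tmp            ext4     defaults,nosuid,nodev,noexec   0      2
/dev/sda4    /home           ext4     defaults,nosuid,noexec         0      2
EOF

audit_fstab "$FSTAB_SAMPLE"   # prints three findings: /var/tmp, /home, /boot
```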

Stop using removable media when starting up

Depending on how you use your server, this setting is optional. To prevent booting from removable media such as a USB stick, disable it in the BIOS settings.

GRUB Bootloader Password must be set.

Anyone who has physical access to the server can access it. A GRUB bootloader password is another barrier between an attacker and server access; restrict access by setting one. These steps apply to GRUB Legacy, which uses the /etc/grub.conf shown here; GRUB 2 systems instead generate a hash with grub-mkpasswd-pbkdf2 and add a password entry under /etc/grub.d/. First, create a backup of the current grub.conf file.

root@host ~# cp /etc/grub.conf /etc/grub.conf.bak

Next, create a strong password. Create a file, then run the grub-md5-crypt command, redirecting its output into that file; you will be asked for the password twice. The generated hash is then copied from that file into grub.conf.

root@host ~# touch secure
root@host ~# grub-md5-crypt > secure

The password should now be copied and pasted after the first line (in RedHat) of the grub.conf file, as seen below. Next, save the file and close it.

splashimage=(hd0,0)/grub/splash.xpm.gz
password --md5 JnK!xdBep53lt1NVk@K6wb!js%!HEI#^

To make the changes effective, you must restart the server.

Before entering single-user mode, ask for the root password

Anyone with physical access to the server can press the e key in the GRUB menu to edit a boot entry and choose a particular kernel to boot. By changing the boot options in this way, it is possible to boot into single-user mode without a password prompt.

To prevent potential exploitation, your system should be set up to ask for the root password before switching to single-user mode. This can be done by following the directions in the Set a GRUB Bootloader Password section.

IMPORTANT WEB SERVER SECURITY PRACTICES

Regular Updates

Keep your web server software, operating system, and all installed components (such as web applications and databases) up to date with security patches. Vulnerabilities in outdated software can be exploited by attackers.

Minimal Installation

Install only the necessary components and services. A minimal installation reduces the attack surface and minimizes potential vulnerabilities.

Firewall

Use a firewall to control incoming and outgoing network traffic. Restrict access to only the necessary ports and services, and consider implementing a “default deny” policy.

Secure Configuration

Ensure that your web server and associated software are configured securely. Disable unnecessary features, restrict file permissions, and use strong, unique passwords.

HTTPS

Implement HTTPS (SSL/TLS) for secure data transmission. Use trusted SSL/TLS certificates to encrypt data between the client and the server. Let’s Encrypt provides free SSL certificates.

Web Application Firewalls (WAF)

Deploy a WAF to filter out malicious traffic, protect against common web application vulnerabilities like SQL injection and XSS, and provide an additional layer of security.

Access Control

Enforce proper access control mechanisms. Use role-based access control (RBAC) and least privilege principles to limit user and application permissions.

Security Headers

Implement security headers in your web server’s configuration to mitigate common web security risks. Examples include Content Security Policy (CSP) and X-Content-Type-Options.
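The script below is an added example, not part of the original article: it reports which recommended security headers an HTTP response lacks and flags an X-Content-Type-Options value that browsers would ignore. The header list is this example's choice (the article names CSP and X-Content-Type-Options), and the sample response is constructed.

```shell
#!/bin/sh
# Added example, not from the original article: report missing security
# headers in an HTTP response. Feed it response headers, for example:
#   curl -sI https://www.example.com | missing_security_headers
# The header list is an assumption; the sample response below is constructed.
REQUIRED_HEADERS="Content-Security-Policy X-Content-Type-Options Strict-Transport-Security X-Frame-Options Referrer-Policy"

# Value of header $2 in the response text $1 (first occurrence), with the
# surrounding whitespace and any trailing CR removed. Names are matched
# case-insensitively because HTTP header names are case-insensitive.
header_value() {
    printf '%s\n' "$1" | grep -i "^$2:" | head -n 1 |
        cut -d: -f2- | tr -d '\r' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# Read response headers on stdin; print "missing: <name>" for each required
# header that is absent (a header present with an empty value counts as absent).
missing_security_headers() {
    headers=$(cat)
    for h in $REQUIRED_HEADERS; do
        [ -n "$(header_value "$headers" "$h")" ] || echo "missing: $h"
    done
    return 0
}

# X-Content-Type-Options only takes effect with the value "nosniff" (compared
# case-insensitively); any other value is silently ignored by browsers.
weak_nosniff() {
    headers=$(cat)
    v=$(header_value "$headers" X-Content-Type-Options | tr 'A-Z' 'a-z')
    if [ -n "$v" ] && [ "$v" != "nosniff" ]; then
        echo "X-Content-Type-Options is '$v', want 'nosniff'"
    fi
    return 0
}

# Constructed sample response from a server that set some headers but not all.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains
'

printf '%s' "$SAMPLE_RESPONSE" | missing_security_headers   # CSP, X-Frame-Options, Referrer-Policy
printf '%s' "$SAMPLE_RESPONSE" | weak_nosniff               # prints nothing: value is correct
```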

Regular Backups

Perform regular backups of your web server and web application data. Ensure that backups are securely stored and regularly tested for restoration.

Monitoring and Logging

Set up comprehensive monitoring and logging to detect suspicious activities and unauthorized access. Analyze logs regularly to identify potential security incidents.

Intrusion Detection System (IDS)

Deploy an IDS to detect and respond to suspicious behavior or intrusion attempts in real-time.

Security Updates and Patch Management

Stay informed about security vulnerabilities and apply patches promptly. Implement a process for testing updates before applying them to production systems.

Secure File Uploads

If your application allows file uploads, validate and restrict file types, and store uploaded files outside the web root to prevent direct execution.

DDoS Mitigation

Protect against Distributed Denial of Service (DDoS) attacks with dedicated DDoS mitigation solutions or services.

Security Training

Educate your team on web security best practices and keep them informed about emerging threats and attack vectors.

Strong Authentication

Implement strong, multi-factor authentication (MFA) for server access and web application logins.

Incident Response Plan

Develop an incident response plan that outlines steps to take in case of a security breach. Be prepared to contain, investigate, and recover from security incidents.

Security Testing

Regularly perform security assessments such as penetration testing and vulnerability scanning to identify and address weaknesses in your web server and applications.

Final Reflections

Web server security is an ongoing process, and it requires continuous monitoring and adaptation to address evolving threats. By following these best practices and staying informed about the latest security developments, you can better protect your web server and the data it handles.

We all share a concern for security. Be sure you work with your hosting company and adhere to these server security best practices. All of this provides the security your server environment needs to thrive.
