Are you afraid that a security issue might affect your server and that someone malicious will notice? Nothing could be more normal: the number of security vulnerabilities is exploding.
Securing servers is essential because cybercriminals prioritize targeting these servers. It's where the most sensitive data is stored. It's important to ensure that robust security measures are integrated into systems and applications to maintain a secure IT network.
With the rise of remote work, and even more so since the Covid-19 pandemic, problems of hacking have increased considerably. However, there are a number of measures companies can implement to ensure a higher level of security.
We thought it would be useful to take a look at some of these measures that you can take to secure your server.
1. Establish a password policy
You must define a policy of passwords, which must be strictly followed by all members who have access to your server. Among the most common recommendations, you can find these:
- Enable two-factor authentication;
- Do not use dictionary words or personal information in passwords;
- Use complex passwords of at least 10 characters, including numbers, symbols, and punctuation marks;
- Do not store passwords on laptops, smartphones, or tablets (anything that can be easily stolen or lost);
- Use a password generator secure for generating the password;
- Set an expiration date for a password;
- Do not use the same password for multiple accounts.
2. Secure your website with HTTPS
HTTPS is the secure version of HTTP. It serves as the communication protocol to secure communication between two systems; for example, between a browser and a web server.
Any information entering and leaving your server is automatically encrypted when SSL is present on the web server. This prevents a hacker, for example, from getting hold of your visitors' sensitive information.
The HTTPS protocol uses the SSL/TLS protocol for encryption and authentication. It encrypts HTTP requests and responses so that attackers only see random characters instead of details like a credit card, for example.
You can make your server use the SSL protocol for its web server by buying a premium SSL certificate (such as Comodo) and configuring your server to use it, or by using Let’s Encrypt to apply a free SSL certificate. Their command-line tool “Certbot” can help you set up SSL in a few minutes. I wrote an article that can help you if you don’t know how to choose your SSL certificate.
3. Regularly update the server
It is always useful to regularly update your server to protect your operating system from hackers. Unfortunately, that is not enough: you must also make sure to regularly update your content management system, such as WordPress or Prestashop, as well as their themes and plugins.
Outdated software or plugins can contain security vulnerabilities known to malicious users. Often, the public disclosure of a security vulnerability precedes an update. In other words, the flaw becomes known to everyone and all that remains is to exploit it…
4. Disable unnecessary services
It is also recommended to disable and even remove any unnecessary services that are not essential to your server’s functionality.
By default, most operating systems (Linux-based) come with a service management tool. You can use it to disable and remove the services in question.
Another example: if your website is powered by WordPress, you should remove any unused plugins and themes to protect against attacks : the less information you expose about your site, the smaller the surface an attacker has to launch an attack.
5. Disable unused ports
This point directly echoes the previous one: keeping ports open does not in itself pose a particular security risk, and they are sometimes necessary for communication between different services or applications. Some ports must even be enabled, such as ports 80 and 443 for HTTP or HTTPS connections, or the SSH port you selected.
If you performed a minimal system installation including only a small number of third-party applications, the number of additional ports required is limited. These open ports only become a risk when the program using them contains a security flaw that an attacker exploits.
As we saw above, the higher the number of applications, the greater the potential danger. It therefore makes sense to protect your server against such attacks by blocking any unnecessarily open ports. Almost all operating systems already include a tool by default to create fixed rules to regulate traffic or to define desired and unwanted ports.
6. Install anti-malware software
It is also recommended to regularly scan your server for any malware and remove it before it compromises your server's security. While malware is rare on Linux distributions, it is not nonexistent.
ClamAV is one of the best malware scanning tools for Linux. It scans your server and automatically removes malicious software or files. It supports several file formats, including documents, executables, and archives.
Also read: 7 best practices to secure your data and employee usage
7. Install a firewall
You can install and configure a firewall to prevent any unauthorized connections to (or from) your server. Almost all Linux distributions include a firewall or can have one easily added.
CSF, also known as ConfigServer Security & Firewall, is a free firewall that can be used to protect your server against different types of attacks. It checks for failed authentication attempts on your SSH server, your mail server, your FTP server, cPanel, DirectAdmin and Webmin and can block them immediately. CSF is also able to detect many attacks, such as port scans and brute-force attacks against many services.
8. Secure the server against brute-force attacks
A hacker who wants to access your server (or the applications running on it) has several methods to do so. One of the simplest and most common types of attack is the brute-force method. In this case, the attacker tries to obtain passwords using a tool that tries one option after another.
The more foresight and care you apply to your password policy, the less likely this method will be effective. Keep in mind that if you offer a service with an account creation option, not all users will be as conscientious and careful as they should be.
Fortunately, no complex or costly software is necessary to protect against such attacks: because each login attempt is recorded, processed and then stored in your server's log files, simple analysis tools can help.
Fail2ban (Linux-/POSIX-Systems) or RdpGuard (Windows) check the log files, detect unusual behavior and block the IP address of suspicious users. You can set the number of failed attempts required before an IP is blocked yourself, as well as the actual duration of the block.
9. Change the SSH port
SSH is the most used protocol to connect to a remote server. Most people use SSH to connect and manage their remote servers, using a password.
To access a server via SSH, port 22 is dedicated: it is automatically configured when you installed your system. A hacker looking for a vulnerable system will therefore mainly attempt attacks through this port.
However, by setting a different port for these connections, you significantly reduce the risk of unwanted access. To do this, simply open the SSH configuration file with the text editor of your choice, find the appropriate line and replace port 22 with a number of your choice.
Warning: Don’t forget that several other “standard” ports are used by other services (like port 80 for HTTP), and you should not use them. First take a look at the list of software ports (TCP and UDP), maintained by IANA (Internet Assigned Numbers Authority).
10. Use public key authentication for SSH
Finally, with SSH you can, instead of using a password, use key-based authentication to connect to your remote server: each user then has a public key and a private key. The private key is kept by the user, and the public key is placed on the server.
An SSH key contains more bits than a password and is not easily “crackable”. You must keep your private key secure – do not share it with anyone!
Can’t secure your server? Call on a enterprise systems security expert on Codeur.com!
