I often get the message that their server has been hacked and what they have done to secure the server. So I’m writing this article to help to protect your server against hackers.
Including the best practices for Windows and Linux as well whether it is a web server that runs on Apache(WordPress) or Nginx (Ubuntu).
This hack could easily have been prevented with the following best practices, is your server secure?
Install Less Software
Cybersecurity is difficult enough, you should make it easier for yourself by installing less software. Fewer programs, services, plugins, mean fewer things to worry about. In cybersecurity terminology, this is called reducing the attack vector.
Reduce your attack vector by:
- starting with a minimal base system: do not begin with a full-blown and bloated operating system, start with as little as possible and keep track of the things you add
- only install what you absolutely need: install tools, plugins add-ons, and programs that you really – really – need. Be hard and determined: less is more!
Close all ports
Firewalls are used to filter network traffic and are available as standard system software on most operating systems. Limit the openings hackers have to your server.
Firewall configuration should:
- adopt a default policy of blocking: Most operating systems allow everything by default. Turn this around and block everything except that kind of traffic you expect and need.
- check inbound and outbound: Filter incoming and outgoing network traffic. This makes it much harder for hackers to come in (and get out – in the unfortunate case of a successful hack).
- filter open ports: Secure open network ports by filtering traffic based on source (IP-address) and/or state, only allow traffic from where you expect it to come from.
Hide version information
The software your server runs is versioned, often a number indicating the exact date when it was built. Hackers can use this version of information to look up is known for security problems, vulnerabilities, and weaknesses.
Stop helping hackers by removing version information from:
- web servers: Apache, NGINX, Microsoft Internet Information Services, etc. Check your server by analyzing the HTTP headers.
- mail servers: Postfix, Exim, Dovecot, Sendmail, etc. Often these servers communicate their version in a “hello banner”, shown directly after establishing a connection using SMTP, IMAP, POP3.
- web languages: PHP, .NET, Java, Python etc. Sometimes these frameworks and scripting languages add their own HTTP header (“x-powered-by”) with version info.
- file servers: FTP, SFTP, WebDav, etc. These servers communicate their version info in their greeting, shown directly upon connecting, often before authentication
- SSH: Did you know OpenSSH communicates operating system version info by default?
Use certificate instead of passwords
If password-based logins are allowed, hackers can repeatedly attempt to access the server. With modern computing power, it’s easy to automate this guessing by trying combination after combination until the right password is found (brute-forcing).
Secure authentication by:
- use SSH key authentication: an SSH key is much longer than a normal password and contains different characters than ordinary readable letters and numbers. This results in more possible combinations, making it exponentially more difficult for hackers to find the right key.
- limit authentication rate: Artificially make the password / key checking slower, reducing the speed of automated guessing
- block automated guessing: Exclude IP-addresses if they have failed to login successfully.
Every server has a root user who can execute any command. Because of the power it has, the root can be very hazardous to your server if it falls into the wrong hands. It is a widespread practice to disable the root login in SSH altogether.
Since the root user has the most power, hackers focus their attention on trying to crack the password of that specific user. If you decide to disable this user entirely, you will put attackers at a significant disadvantage and save your server from potential threats.
To ensure outsiders do not misuse root privileges, you can create a limited user account. This account does not have the same authority as the root but is still able to perform administrative tasks using sudo commands.
Therefore, you can administer most of the tasks as a limited user account and use the root account only when necessary.
Keep Server up to date
To do so just open the terminal to update and upgrade the packages via apt.
sudo apt update # Fetches the list of available updates sudo apt upgrade # Installs some updates; does not remove packages sudo apt full-upgrade # Installs updates; may also remove some packages, if needed sudo apt autoremove # Removes any old packages that are no longer needed
Back Up Your Servers
Although the previously mentioned steps are designed to protect your server data, it is crucial to have a backup of the system in case something goes wrong.
Store encrypted backups of your critical data offsite or use a cloud solution.
Whether you have automated backup jobs or do them manually, make sure to make a routine of this precautionary measure. Also, you should test backups, doing comprehensive backup testing. This should include “sanity checks” in which administrators or even end-users verify that data recovery is coherent.
If you implement these measures you can greatly improve the cybersecurity of your server. Protecting your server means better safety for your business, your organization, and your customers’ data.