Select Page

How to secure a server

How to secure a server

A locked gate is an obstacle, but a skilled attacker can easily defeat it. Now, what if this gate has 10 different kinds of locks, is rigged with an alarm, and leads to a mine field? Yeah, that would dissuade a vast majority of attackers. This approach to security is called Defense in depth. Server security experts use a similar approach called Layered security to keep out attackers.

How to secure a server

Fort, moat and canons – Pretty hard to breach

From hiding critical information, to IP based access restrictions, there are a wide array of defenses that can be deployed on a server. So, even if an attacker manages to bypass one layer, there’ll always be another defensive layer to take its place.

Today, let’s take a look at how to secure a server using Layered security.

    1. 1. Protect and update system software

      Vulnerable software is perhaps the most popular way for hackers to gain access to a server. Software vulnerability results from using outdated or non-authentic software. Here are the various ways in which you can ensure your software packages are secure:

      • Update software packages periodically  – Configure the package management software (such as Yum) to send you notification when an update is available.

        how to secure a server - yum cron

        Yum-Cron is a utility that’ll notify you when updates are available

      • Delete unwanted packages – Default OS installs contain packages you may not need. For eg. a database server need not have web server components.
      • Apply security updates ASAP – Auto updates can be configured for security updates. For eg., in Redhat compatible systems yum-security plugin can be used for this purpose.
      • Use only verified, authentic repositories – Get application repos only from official repositories cross verified using PGP signature.

        how to secure a server - RPM verification

        You can verify individual packages (like here) or set the updater to verify automatically before downloading

      • Protect your base repos from being overwritten – If you use multiple sources for your software, protect your core system libraries from accidental deletion. For eg., in RedHat compatible systems, you can use “yum-protectbase” for this purpose.

      Read : How to keep your systems updated and patched

    2. 2. Enforce strong user account security

      Why break down the door, if you have the key? Valid login details are the equivalent to getting a key to a well secured door. It is the path of least resistance and often over-looked by server administrators. Attackers use phishing, brute forcing, or social engineering to steal login details. Here are a few tips to secure user accounts:

        • Prevent account setup with empty passwords – Configure the account setup policies and/or scripts so that a password is mandatory to setup an account.
        • Enforce use of strong passwords – Users tend to set easy to remember, short passwords, but it is often vulnerable to dictionary attacks. Enforce use of long passwords.

          How to secure a server - Choosing strong passwords

          Good passwords need not be hard to remember

        • Setup password expiry – The longer a password remains unchanged, the more time an attacker has to guess the right login combination. Force periodic password resets.
        • Prevent use of old passwords – Some attackers keep pilfering sensitive information using stolen passwords. Changing passwords periodically can block this, but it won’t work if the user sets the old password. So, prevent re-use of passwords.
        • Lock account after login failures – Hackers use automated tools that push in hundreds of passwords per minute to get a working combination. You can prevent it by setting the account to lock after a few login failures.

          How to secure a server login failure

          For highly sensitive systems, set the lockout retries very low

        • Use IP restriction where possible – For sensitive users such as administrators, limit logins to a pre-approved set of IPs.
        • Restrict permissions of user accounts – Build a security policy that prevents users from listing other system users, or navigating out of their home directories.
        • Setup centralized authentication to avoid exploits via unused accounts – Old accounts or test accounts are a favorite loophole for attackers. Centralized user management systems such as LDAP can help you easily audit and remove old accounts.
        • Configure secure authentication systems to block password snooping on the network – Attackers can sniff our username/password pairs sent across networks. Use of secure authentication systems like Kerberos avoid sending passwords across the network, thereby foiling sniffing attacks.
        • Consider using 2 factor authentication – For critical accounts, such as administrative accounts, setup 2 step authentication.
      how to secure a server 2 factor authentication

      Google authenticator is a free 2FA solution

      • Educate users on good security practices – Publish a page on your website explaining how Phishing, Social Engineering, Trojans or other malware can be used to steal login details.
    3. 3. Lock down public facing services

      Much like how open windows are access points to a house, open ports are access points to a server. Unsecured ports and services are easy entry points for attackers. Here’s how you can lock down public facing ports:

      • Disable un-used services from auto-start – In a default OS installation, many services are set to auto-start. This will open ports to the public, which may not be secure. So, disable all services you do not need.
      • Enable SSL in all services – Many services such as Web, Mail, FTP, etc. require end-users to authenticate to access services. Attackers can steal these login details by listening to the traffic. To prevent this, enable encryption for all services.

        How to secure a server - Free certificates

        Services such as Let’s Encrypt provide free SSL certificates.

      • Monitor open ports and sockets – Many kinds of malware (such as RATs or Bots) open a communication link to their malicious handlers using non-standard ports. So, it is important to monitor if any new ports or sockets were opened without your knowledge.
      • Monitor for malware taking over standard service ports – Some malware are known to kill standard services such as FTP or POP3, and occupy their ports. A service listing will show nothing out of ordinary, nor will a firewall block such a port. Use specialized tools to monitor such “port hijacking”.

      Read : How Bobcares detects security and performance issues


For as low as

$74.99/server/mo

Get full spectrum infrastructure management services - including setup, monitoring & maintenance.

Never again face a critical business downtime. We keep your servers secured, optimized and updated at all times. Our engineers monitor your servers 24/7 and fix issues before it can affect your customers.

SEE SUPPORT PLANS

Submit a Comment

Your email address will not be published. Required fields are marked *

Bobcares
Bobcares is a server management company that helps businesses deliver uninterrupted and secure online services. Our engineers manage close to 51,500 servers that include virtualized servers, cloud infrastructure, physical server clusters, and more.
MORE ABOUT BOBCARES