How to secure a web server
Studies show that 37,000 websites are hacked every day – that translates to 13.5 million websites per year. From exploiting software vulnerabilities to infecting ad-networks, attackers use a wide range of methods to distribute their malware. The good news is, these attacks can be blocked with a systematic approach to hardening your web server.
Now, many think that getting a top-of-the-line firewall is good enough for website security. This is not true. An experienced security expert will tell you that the best way to secure a server is to deploy a series of defenses, one behind the other. So, even if an attacker manages to get through one layer, there’s another layer to take its place. This approach is called “Layered security”.
Today, we’ll see how to secure a web server using “Layered security”.
1. Implement basic system security
The web service is just one part of a server. There are hundreds of ways in which server security can be breached. Setting up a strong foundation for server security is the first step in securing a web server. Here’s how:
- Disable unused services – In a default OS installation, many services are set to auto-start. Each of them opens ports to the public, which may not be secure. So, disable all services you do not need.
- Harden the file system – The filesystem controls the access privileges of each user. By hardening the filesystem settings, any malware that’s uploaded to the server can be blocked from being executed.
- Protect system binaries – Core system binaries can be write protected by using special filesystem settings. Preventing modification at filesystem level can be an effective deterrent against core system infection.
- Use only verified, authentic software – Install applications only from official repositories whose packages are cross-verified using PGP signatures.
- Set up Mandatory Access Control systems to block unauthorized operations – Linux offers kernel-level Mandatory Access Control patches and Windows offers Mandatory Integrity Control; both restrict each user to a very limited set of operations. This effectively blocks an attacker from running any damaging exploits.
- Enable intrusion detection – Quick reaction to an intrusion or an intrusion attempt can help you limit any damage done on the server. Intrusion detection systems (IDS) monitor sensitive directories, logs and processes to notify you of unusual behavior.
- Ensure physical security – Many businesses now use cloud servers from AWS, Google or Azure. For these users, physical security may not be relevant. But for companies that still use on-premise or co-located servers, physical security is still important.
2. Enforce strong network security
Almost all attacks originate over the network. By locking down your network services, the vast majority of these attacks can be blocked before they ever touch your web application. Here are a few tips:
- Close all ports, and open only the ones you need – This is the most fundamental principle in network security. Block all, and allow only those you really want.
- Segregate private and public networks – Remember that anyone can listen in on the traffic from your server. Your company’s private data such as backups, internal mail, traffic to the development server, etc. could be exposed to the public. Split your network traffic so that only the data that is supposed to be public is available over the public IP.
- Harden the network against common attacks – Many common attacks such as Slowloris, SYN flood, or spoofed packets exploit insecure default settings in operating systems. The network settings need to be adjusted to defend against these issues.
- Monitor port scanning behavior and block attacking IPs – Valid users come directly to a standard service port, and request information. Malicious users scan for any open ports. Block any IP that tries to connect to closed ports at random.
- Set up a brute force monitor to automatically block abusive IPs – Legitimate users do not send in hundreds of login requests per minute. Install a brute force monitor and block the originating IPs.
- Prevent direct access to back-end servers – In reality, only your web server and mail server should be open to the public. All others such as the backup server, database server, POP/IMAP server, etc. should be off limits to direct access. Put these servers on a private network to reduce your attack surface.
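The port-scan monitor and brute-force monitor described above share one mechanism: count events per source IP inside a sliding time window and flag the IP once a threshold is crossed. The script below is an added example, not code from the original article; it runs over a constructed syslog sample (kernel firewall DROP lines and sshd "Failed password" lines), and the window size and thresholds are assumed values you would tune for your own server.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from a real server): kernel firewall drops on closed
# ports, then sshd authentication failures; 198.51.100.20 is one-off benign noise.
SAMPLE_LOG = """\
Mar 10 12:00:01 web kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=21
Mar 10 12:00:02 web kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=23
Mar 10 12:00:02 web kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=3306
Mar 10 12:00:03 web kernel: DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.5 PROTO=TCP DPT=5432
Mar 10 12:00:10 web sshd[4121]: Failed password for root from 192.0.2.44 port 51022 ssh2
Mar 10 12:00:11 web sshd[4122]: Failed password for admin from 192.0.2.44 port 51023 ssh2
Mar 10 12:00:11 web sshd[4123]: Failed password for invalid user test from 192.0.2.44 port 51024 ssh2
Mar 10 12:00:12 web sshd[4124]: Failed password for root from 192.0.2.44 port 51025 ssh2
Mar 10 12:00:40 web sshd[4130]: Failed password for alice from 198.51.100.20 port 40110 ssh2
"""

TS_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ (.*)$")
DROP_RE = re.compile(r"kernel: DROP .*SRC=(\S+) .*DPT=(\d+)")
FAIL_RE = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+) port")

def parse_line(line, year=2024):
    # Returns (timestamp, source_ip, kind, port) or None; syslog has no year, so one is assumed.
    if not (m := TS_RE.match(line)):
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    if d := DROP_RE.search(m.group(2)):
        return ts, d.group(1), "scan", int(d.group(2))
    if f := FAIL_RE.search(m.group(2)):
        return ts, f.group(1), "fail", None

def ips_to_block(log_text, window_s=60, scan_ports=4, fail_limit=4):
    # Sliding window per (ip, kind): flag an IP that hits >= scan_ports distinct
    # closed ports, or logs >= fail_limit failed logins, inside window_s seconds.
    events = defaultdict(deque)   # (ip, kind) -> deque of (ts, port)
    flagged = {}                  # ip -> reason; first trigger wins
    for line in log_text.splitlines():
        if (p := parse_line(line)) is None:
            continue
        ts, ip, kind, port = p
        q = events[(ip, kind)]
        q.append((ts, port))
        while ts - q[0][0] > timedelta(seconds=window_s):   # expire old events
            q.popleft()
        if kind == "scan" and len({pt for _, pt in q}) >= scan_ports:
            flagged.setdefault(ip, "port scan")
        elif kind == "fail" and len(q) >= fail_limit:
            flagged.setdefault(ip, "brute force")
    return flagged
```

In production the returned IPs would be fed to the firewall (for example via a set in nftables or ipset) with an expiry, so that a mistyped password from a legitimate user does not become a permanent lockout.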