Are you afraid that a security issue will affect your server and that someone with bad intentions will realize it? Nothing could be more common than this: the number of security breaches is exploding.
Securing servers is essential as cybercriminals first target these servers. This is where the most sensitive data is stored. It is important to ensure that strong security measures are built into systems and applications to maintain a secure computer network.
With the increase in remote working, and even more so since the COVID-19 pandemic, the problems of hacking have increased significantly. Nevertheless, there are several measures companies can take to ensure a high level of security.
We thought it would be helpful to have some of these steps you can take to keep your server secure.
1. Establish Password Policy
You must define a password policy that must be faithfully respected by all members who have access to your server. Among the most common recommendations, you can find these:
- Enable two-factor authentication;
- Do not use acronyms or personal information in passwords;
- Use a complex password of at least 10 characters, including numbers, symbols and punctuation marks;
- Do not store passwords on laptops, smartphones or tablets (all of which are easily stolen or lost);
- Use a secure password generator to generate passwords;
- set an expiration date for the password;
- Do not use the same password for multiple accounts.
2. Secure your website with HTTPS
HTTPS is the secure version of HTTP. It serves as a communication protocol to secure the communication between two systems; For example, for a browser and a web server.
When SSL is present on the web server all information entering and leaving your server is automatically encrypted. Specifically, it prevents a hacker from getting their hands on the sensitive information of your visitors.
The HTTPS protocol uses the SSL/TLS protocol for encryption and authentication. It encrypts HTTP requests and responses, so attackers only see random characters instead of credit card details, for example.
You can enable your server to use SSL for its web server by purchasing a premium SSL certificate (such as Comodo) and configuring your server to use it, or by using Let’s Encrypt to implement an SSL certificate for free. Huh. Their “certbot” command-line tool can help you set up SSL in minutes. I wrote an article that might help you, if you don’t know how to choose your SSL certificate.
3. Update the Server Regularly
It is always useful to update your server regularly to protect your operating system from hackers. Unfortunately, this is not enough: you also need to make sure that you regularly update your content management system, such as WordPress or PrestaShop, as well as their themes and plugins.
Outdated software or plugins may contain security vulnerabilities known to malicious users. Often, public disclosure of a security flaw precedes an update. In other words, the fault is known to all, it is to take advantage of what is left…
4. Disable Unnecessary Services
It is also recommended to disable and even remove all unnecessary services that are not essential to the functionality of your server.
By default, most (Linux-based) operating systems come with a service management tool. You can use it to deactivate and remove the affected services.
Another example: If your website is powered by WordPress, you should remove all unused plugins and themes to protect it from attacks: The less information you provide on your site, the smaller the base on which a hacker can attack. Can do.
5. Disable Unused Ports
This passage directly echoes the previous one: keeping ports open poses no particular security risk, and they are sometimes necessary for communication between different services or applications. It also requires that certain ports be enabled, such as ports 80 and 443 for HTTP or HTTPS connections, or the SSH port you choose.
If you have completed a minimal system installation that includes only a few third-party applications, the number of additional ports required is limited. These open ports become a risk only when the program using them has a security flaw, and the hacker exploits it.
As we saw above, the higher the number of applications, the greater the potential threat. So it makes sense to protect your server from such attacks, by blocking all unnecessarily open ports. Almost all operating systems already have a tool installed by default to regulate traffic, or to create fixed rules to define desired and unwanted ports.
6. Install Malware Scanning Software
It is also recommended that you regularly scan your server to detect any malware and remove it before it compromises the security of your server. While malware is rare on Linux distributions, it is non-existent.
ClamAV is one of the best malware scanning tools for Linux. It scans your server and automatically removes malicious software or files. It supports multiple file formats including documents, executables and archives.
Also read: 7 Best Practices To Secure Your Data And Your Employees’ Use
7. Install Firewall
You can install a firewall configured to prevent unauthorized connections to (or to) your server. Almost all Linux distributions include or can be easily added with firewall software.
CSF, also known as ConfigServer Security & Firewall, is a free firewall that can be used to protect your server from a variety of attacks. It checks for login authentication failures on your SSH server, mail server, FTP server, cPanel, DirectAdmin and Webmin and can block them immediately. CSF is also capable of detecting multiple attacks, such as port scanning and brute force attacks for multiple services.
8. Secure the server against brute force attacks
A hacker who wants to access your server (or the applications running on it) has several ways to do so. One of the simplest and most common types of attacks is the so-called brute force method. In this case, the hacker tries to access the password using a tool that tries one option after another.
The more visionary and careful you are in your password policy, the less likely this method is to be effective. Keep in mind that if you provide a service with an account creation option, not all users will be as diligent and careful as they should be.
Fortunately, protecting against such attacks doesn’t require any complicated and expensive software: as each connection attempt is recorded, processed and then recorded in log files on your server, simple Analysis tools can help you.
Examine Fail2ban (Linux-/POSIX-Systeme) or RdpGuard (Windows) log files, detect unusual behavior and block IP addresses of suspicious users. You can adjust the number of failed attempts required before blocking the IP, as well as the effective duration of the block.
9. Change SSH Port
SSH is the most commonly used protocol for connecting to remote servers. Most people use SSH to log in using a password and manage their remote servers.
For accessing the server via SSH, port 22 is dedicated: it is configured automatically when you install your system. A hacker looking for a permeable system would primarily attempt to attack through this port.
However, by setting a different port for these connections, you greatly reduce the risk of unwanted access. Simply open the SSH configuration file with a text editor of your choice, then find the appropriate line and replace port 22 with the number of your choice.
WARNING: Remember that there are many other “standard” ports that are useful for other services (such as port 80 for HTTP), and you should not use them. First take a look at the list of software ports (RCP and UDP) maintained by IANA (Internet Assigned Numbers Authority).
10. Use Public Key Authentication for SSH
To finish with SSH, you can use key authentication to connect to your remote server, instead of using a password: each user has a public key and a private key. The private key is kept by the user, and the public key is kept on the server.
SSH keys contain more bits than passwords, and are not easily cracked. You must keep your private key secure – do not share it with anyone!
Can’t secure your server? Contact a Business System Security Expert at Codeur.com!