Hackers are always on the lookout for server vulnerabilities. It is your responsibility to ensure your data is safe and secure.
Minimize risks and be confident your data is safe on secure servers by implementing our server security tips and best practices.
Secure Server Connectivity
1. Establish and Use a Secure Connection
When connecting to a remote server, it is essential to establish a secure channel for communication.
You need to install the SSH Daemon and to have an SSH Client with which you issue commands and manage servers to gain remote access using the SSH protocol.
By default, SSH uses port 22. Everyone, including hackers, knows this. Most people do not configure this seemingly insignificant detail. However, changing the port number is an easy way to reduce the chances of hackers attacking your server. Therefore, the best practice for SSH is to use port numbers between 1024 and 32,767.
2. Use SSH Keys Authentication
Instead of a password, you can authenticate an SSH server using a pair of SSH keys, a better alternative to traditional logins. The keys carry many more bits than a password and are not easily cracked by most modern computers. The popular RSA 2048-bit encryption is equivalent to a 617-digit password.
The key pair consists of a public key and a private key.
The public key has several copies, one of which remains on the server, while others are shared with users. Anyone that has the public key has the power to encrypt data, while only the user with the corresponding private key can read this data. The private key is not shared with anyone and must be kept secure. When establishing a connection, the server asks for evidence that the user has the private key, before allowing privileged access.
3. Secure File Transfer Protocol
To transfer files to and from a server without danger of hackers compromising or stealing data, it is vital to use File Transfer Protocol Secure (FTPS). It encrypts data files and your authentication information.
FTPS uses both a command channel and a data channel, and the user can encrypt both. Bear in mind that it only protects files during transfer. As soon as they reach the server, the data is no longer encrypted. For this reason, encrypting the files before sending them adds another layer of security.
4. Secure Sockets Layer Certificates
Secure your web administration areas and forms with Secure Socket Layer (SSL) that guards information passed between two systems via the internet. SSL can be used both in server-client and in server-server communication.
The program scrambles data so that sensitive information (such as names, IDs, credit card numbers, and other personal information) is not stolen in transit. Websites that have the SSL certificate have HTTPS in the URL, indicating they are secure.
Not only does the certificate encrypt data, but it is also used for user authentication. Therefore, by managing certificates for your servers, it helps establish user authority. Administrators can configure servers to communicate with centralized authority and any other certificate that the authority signs.
5. Use Private Networks and VPNs
Another way to ensure secure communication is to use private and virtual private networks (VPNs), and software such as OpenVPN (see our guide on installing and configuring OpenVPN on CentOS). Unlike open networks which are accessible to the outside world and therefore susceptible to attacks from malicious users, private and virtual private networks restrict access to selected users.
Private networks use a private IP to establish isolated communication channels between servers within the same range. This allows multiple servers under the same account to exchange information and data without exposure to a public space.
When you want to connect to a remote server as if doing it locally through a private network, use a VPN. It enables an entirely secure and private connection and can encompass multiple remote servers. For the servers to communicate under the same VPN, they must share security and configuration data.
Server User Management
6. Monitor Login Attempts
Using intrusion prevention software to monitor login attempts is a way to protect your server against brute force attacks. These automated attacks use a trial-and-error method, attempting every possible combination of letters and numbers to gain access to the system.
Intrusion prevention software oversees all log files and detects if there are suspicious login attempts. If the number of attempts exceeds the set norm, intrusion prevention software blocks the IP address for a certain period or even indefinitely.
7. Manage Users
Every server has a root user who can execute any command. Because of the power it has, the root can be very hazardous to your server if it falls into the wrong hands. It is widespread practice to disable the root login in SSH altogether.
Since the root user has the most power, hackers focus their attention on trying to crack the password of that specific user. If you decide to disable this user entirely, you will put attackers in a significant disadvantage and save your server from potential threats.
To ensure outsiders do not misuse root privileges, you can create a limited user account. This account does not have the same authority as the root but is still able to perform administrative tasks using sudo commands.
Therefore, you can administer most of the tasks as the limited user account and use the root account only when necessary.
Server Password Security
8. Establish Password Requirements
The first thing is to set password requirements and rules that must be followed by all members on the server.
Do not allow empty or default passwords. Enforce minimum password length and complexity. Have a lockout policy. Do not store passwords using reversible encryption. Force session timeout for inactivity and enable two-factor authentication.
9. Set Password Expiration Policy
Setting an expiration date for a password is another routine practice when establishing requirements for users. Depending on the level of security required, a password may last a couple of weeks or a couple of months.
10. Use Passphrases For Server Passwords
There are several reasons why using a passphrase rather than a password can help elevate server security. The main difference between the two is that a passphrase is longer and contains spaces between the words. Therefore, it is often a sentence, but it does not have to be one.
For example, a password passphrase may be: Ilove!ToEatPizzaAt1676MainSt.
The given example is longer than a usual password, and it contains upper and lower case letters, numbers, and unique characters.
Furthermore, it is much easier to remember a passphrase than a string of random letters. Finally, since it consists of 49 characters, it is more difficult to crack.
11. Password Don’ts
If you want to maintain a secure server, there are a few things you want to avoid when it comes to passwords. Firstly, be mindful where you store passwords. Do not write them on pieces of paper and hide them around the office.
It is generally advisable not to use personal information like your birthday, hometown, pet names and other things that can connect you, the user, to the password. These are extremely easy to guess, especially by people who know you personally.
Passwords that only contain simple dictionary words are also easy to crack, especially by dictionary (brute force) attacks. Mindful of the same risk, try to avoid repeating sequences of characters in the same password.
Finally, do not use the same password for multiple accounts. By recycling passwords, you put yourself at significant risk. If a hacker manages to get access to a single account, all other accounts with the same password may be in danger. Try to use a different password for every separate account and keep track of them using a password manager such as KeePass.
Other Best Practices to Secure a Server
12. Update and Upgrade Software Regularly
Regularly updating the software on a server is a crucial step in keeping it safe from hackers. Outdated software has already been explored for its weak points, leaving it open for hackers to take advantage of these and harm your system. If you keep everything up-to-date, you ensure that it is updated to protect itself in the first line of defense.
Automatic updates are one way to guarantee that no updates are forgotten. However, allowing the system to make such changes on its own may be risky. Before updating your production environment, it is good practice to examine how the update performs in a test environment.
Make sure to update the server control panel routinely. You also need to regularly update content management systems, if you use one, as well as any plugins it may have. Each new release includes security patches to fix known security issues.
13. Remove or Turn Off All Unnecessary Services
Increase server security by reducing the so-called attack vector.
This cyber-security term refers to installing and maintaining only the bare minimum requirements needed to keep your services running. Just enable the network ports used by the OS and installed components. The less you have on the system, the better.
A Windows OS server should only have required operating system components. A Linux operating system server should have a minimal installation with only the truly necessary packages installed.
Since most Linux distributions listen for incoming connections on the internet, you want to configure a firewall to allow only specific ports and deny all other unnecessary communication.
Check for dependencies before installing software on your system to ensure you are not adding anything you do not need. Additionally, inspect which dependencies were auto-started on your system and whether you want them there.
14. Hide Server Information
Try to provide as little information about the underlying infrastructure as possible. The less is known about the server, the better.
Also, it is a good idea to hide version numbers of any software you have installed on the server. Often they reveal, by default, the exact release date which can aid hackers when searching for weaknesses. It is usually simple to remove this information by deleting it from the HTTP header of its greeting banner.
15. Use Intrusion Detection Systems
To detect any unauthorized activities, use an intrusion detection system (IDS), such as Sophos, which monitors processes running on your server. You may set it to check day-to-day operations, run periodical automated scans, or decide to run the IDS manually.
16. File Auditing
File auditing is another good way to discover unwanted changes on your system.
It is keeping a record of all the characteristics of your system when it is in a good, “healthy,” state and comparing it to the current state. By comparing the two versions of the same system side to side, you can detect all the inconsistencies and track their origin.
17. Service Auditing
Service auditing explores what services are running on the server, their protocols, and which ports they are communicating through. Being aware of these specifics helps configure attack surfaces in the system.
18. Set Up and Maintain a Firewall
Secure your server by controlling and restricting access to your system.
Using CSF (ConfigServer and Firewall) is essential in tightening up security on your server. It allows only specific vital connections, locking down access to other services.
Set up a firewall during the initial server setup or when you make changes to the services the server offers. By default, a typical server runs different services including public, private and internal services.
- Public services are generally run by web servers that need to allow access to a website. Anyone can access these services, often anonymously, over the internet.
- Private services are used when dealing with a database control panel, for example. In that case, a number of selected people require access to the same point. They have authorized accounts with special privileges inside the server.
- Internal services are ones that should never be exposed to the internet or outside world. They are only accessible from within the server and only accept local connections.
The role of the firewall is to allow, restrict and filter access according to the service the user is authorized for. Configure the firewall to restrict all services except those mandatory for your server.
19. Back Up Your Server
Although the previously mentioned steps are designed to protect your server data, it is crucial to have a backup of the system in case something goes wrong.
Store encrypted backups of your critical data offsite or use a cloud solution.
Whether you have automated backup jobs or do them manually, make sure to make a routine of this precautionary measure. Also, you should test backups, doing comprehensive backup testing. This should include “sanity checks” in which administrators or even end users verify that data recovery is coherent.
20. Create Multi-Server Environments
Isolation is one of the best types of server protection you can have.
Full separation would require having dedicated bare metal servers that do not share any components with other servers. Although this is the easiest to manage and provides the most security, it is also the most expensive.
Having isolated execution environments in a data center allow the so-called Separation of Duties (SoD) and setting server configuration according to the functions the server fulfills.
Separating database servers and web application servers is a standard security practice. Separate execution environments are especially beneficial to larger scale businesses that cannot afford any security breaches.
Independent database servers secure sensitive information and system files from hackers that manage to gain access to administrative accounts. Also, isolation lets system administrators to separately configure the web application security and minimize the attack surface by setting web application firewalls.
21. Create Virtual Isolated Environments
If you cannot afford or do not require full isolation with dedicated server components, you can also choose to isolate execution environments.
Doing so helps you deal with any security problems that may arise, ensuring other data is not compromised. You can choose between containers or VM virtualization which are much easier to set up.
Another option for virtualized environments in a UNIX operating system is creating chroot jails. Chroot is separating a process from the central operating system’s root directory and allowing it to access only files within its directory tree. However, this is not complete isolation and should be practiced only with other security measures.
Note: Two major services offered in the web hosting industry are cloud hosting and dedicated servers. To learn more about the differences between these two, refer to our article Cloud vs Dedicated Server.
Wrapping Up: Securing Your Server
After reading this article and following the security recommendations, you should be more confident in your server security.
Many of the security measures should be implemented during the initial set up of the server, while others should be part of continuous or periodic maintenance. If your server monitoring is not automated, make sure to design and follow scheduled security checks.
To stay up-to-date with best practices on cyber security, we recommend you consider Cyber Security Certifications and follow industry leaders in security on many available podcasts.