In this article, we will share the best server security practices. Since security is a challenging subject for everyone, it is often ignored, and many get caught unprepared when an issue occurs. These best practices can help you lower the risk of being compromised by a malicious actor.
1. Be Alert. Teach Yourself.
The first and foremost thing to enhance your server security is to always be alert about it. It is similar to locking your doors at night or ensuring that the windows of your car are rolled up. These habits show that you are cautious about the possibility of being compromised.
This doesn’t mean that you should always be logged in to your server, monitoring the logs or constantly blocking connections in the firewall. Your life doesn’t only revolve around your WooCommerce store or blogging platform of choice. If your business is your bread and butter, then its security should be a significant part of your day. It is recommended to think broadly about security and set up a good plan in advance to deter attackers. So, ensure that your crucial data is locked down and accessible only to the few important people that you trust.
It’s a fact that we don’t know what we don’t know. Read that again carefully…
This means that if you don’t know what question to ask, you will miss something. No, you don’t need to be a security expert. But yes, you are the one responsible for staying alert and securing your business.
Some of you might be paying for managed services, and so you might think: why should I be alert?
Remember, security is a shared concern. That means both you and MilesWeb have to stay alert. Hence, educate yourself.
2. Physical Security
a. Limit Server Access
Your first step towards server security is to limit physical access to the server. The main question that arises concerns your server’s location: is your server located in a basement, or is it housed in a data center with verified physical and virtual policies and procedures that focus on the physical integrity of the server?
Below are some of the questions that should be asked before housing your server:
- Who can physically access my server? The monitoring team? Yes. Someone from accounting? No, not good. Knowing in advance who can touch the server answers a lot of questions.
- How does your hosting provider handle access control? Keycards or fobs? Biometrics? Or those neat retinal and palm print scanners seen in the movies? Based on your security requirements, these and other solutions may be implemented.
- Lastly, how does your host log and test these systems? Do they have documented policies and procedures that can be reviewed? Do they follow NIST standards? These are only some of the questions to ask when gathering information about the servers’ physical security.
Beyond physical access, you can restrict network access to the server with the iptables firewall, which is available on most Linux servers. With APF (Advanced Policy Firewall) you can easily manage your iptables rules. A more advanced option is CSF (ConfigServer Security & Firewall), which also controls iptables but comes with a more robust feature set. The idea is to block any unused open ports in your server firewall, so that only the ports your server actually requires are reachable by other users. Additionally, you can enable cPHulk’s brute force protection via WHM to automatically block users that repeatedly fail to log in to the running services with invalid credentials.
3. Secure Connections
a. Use a VPN
A VPN, or Virtual Private Network, creates a secure “tunnel” from your computer to a protected network across an untrusted network such as the internet. All traffic is routed through the tunnel. Since a VPN takes you into your business network, it must be considered your first layer of security.
So, always use a VPN.
b. Use SSH
When command-line (terminal) access to the server is required, an SSH (Secure Shell) connection is used. It creates an encrypted pipe for your data to travel through, protecting the confidentiality and integrity of the data while it passes over an unsecured network like the internet. Does it route all of your traffic through this connection, as a VPN does? No. Only the information sent from the terminal on your computer to the server is secured. Alternatively, you can use SSH inside a VPN to add a second layer of protection to your data connection.
c. Use Fail2Ban
Fail2Ban is server software that reviews specific log files and blocks IPs that show signs of malicious behavior. Generally, valid login attempts take only a couple of tries to access the server (and, when SSH keys are used, no more than one). If a server sees multiple unsuccessful logins from the same address within a given time, it indicates an attempt at malicious access.
Fail2Ban then updates the firewall rules to block the suspect IP address for a specified amount of time (although other actions can also be configured). It ships with a default set of filters for services such as Apache and SSH.
You can monitor several protocols with Fail2Ban, including HTTP, SSH, and SMTP. By default, Fail2Ban only monitors SSH, which is a useful restriction for any server, since the SSH daemon is usually configured to run continuously and listen for connections from any remote IP address.
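The detection logic Fail2Ban applies to the SSH log, as an added example that is not Fail2Ban’s own code: failures are counted per source address inside a sliding time window, and an address that reaches the limit is “banned” (here, recorded; Fail2Ban would insert a firewall rule). The log lines, year and addresses (RFC 5737 documentation ranges) are constructed.

```python
"""Fail2Ban-style detection of repeated SSH login failures (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Regex modelled on the shape of sshd "Failed ..." log lines; captures the
# syslog timestamp and the source address.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey) for (?:invalid user )?\S+ "
    r"from (?P<ip>[0-9.]+) port \d+"
)

# Constructed sample log: one noisy address, one legitimate user who
# mistypes a password every half hour, and one successful key login.
SAMPLE_LOG = """\
Jan 10 10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 10:00:03 host sshd[1202]: Failed password for root from 203.0.113.5 port 51235 ssh2
Jan 10 10:00:05 host sshd[1203]: Accepted publickey for deploy from 198.51.100.7 port 40100 ssh2
Jan 10 10:00:06 host sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Jan 10 10:00:08 host sshd[1205]: Failed password for invalid user oracle from 203.0.113.5 port 51237 ssh2
Jan 10 10:00:09 host sshd[1206]: Failed password for invalid user pi from 203.0.113.5 port 51238 ssh2
Jan 10 10:01:00 host sshd[1207]: Failed password for alice from 198.51.100.7 port 40101 ssh2
Jan 10 10:30:00 host sshd[1208]: Failed password for alice from 198.51.100.7 port 40102 ssh2
Jan 10 11:00:00 host sshd[1209]: Failed password for alice from 198.51.100.7 port 40103 ssh2
Jan 10 11:30:00 host sshd[1210]: Failed password for alice from 198.51.100.7 port 40104 ssh2
Jan 10 12:00:00 host sshd[1211]: Failed password for alice from 198.51.100.7 port 40105 ssh2
"""


def parse_ts(stamp: str, year: int = 2019) -> datetime:
    """Syslog timestamps carry no year; the year is an assumption."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def find_bans(log_text: str, maxretry: int = 5, findtime: int = 600) -> dict:
    """Return {ip: time_of_ban} for every address that produced `maxretry`
    failures inside any `findtime`-second window (Fail2Ban's default values)."""
    recent = defaultdict(deque)  # ip -> timestamps of failures still in window
    bans = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are ignored
        ip, ts = m.group("ip"), parse_ts(m.group("ts"))
        if ip in bans:
            continue  # already banned; the firewall would drop it now
        window = recent[ip]
        window.append(ts)
        # Discard failures older than the window relative to this event.
        while window and (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the defaults only 203.0.113.5 is banned; the slow failures from 198.51.100.7 only trigger a ban if findtime is widened to two hours, which is why the window is tuned per jail.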
d. Restrict Root Access
Restrict SSH to a limited subset of users. To start, add the following to the /etc/ssh/sshd_config file:
PermitRootLogin no
Protocol 2
Then add an SSH users group to /etc/ssh/sshd_config.
e. Use SSH Keys
With SSH keys you can turn off password-based SSH login for the root account, so that a root password is never used over the network. This gives you an additional layer of security when connecting to the server. SSH keys are far more secure than just using a password. SSH keys let you create a cryptographically secure key pair: the private key is stored locally on your computer and the matching public key on the server.
SSH key pairs are generated cryptographically; in general, the larger the key, the more secure it is. For your information, the smallest key size is 1024 bits and the maximum is 4096 bits. The number of entropy bits also depends on the algorithm used, e.g. RSA.
f. Alternate SSH Ports
For further security, you can change the port on which SSH listens. Usually, port 22 is used by SSH, but it is recommended to move it to a port in the range 32768 to 61000; IANA suggests using ports 49152 to 65535. That said, relying on security through obscurity is not an effective defense against intrusions on its own, so treat this as a complement to the other measures.
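The SSH hardening steps above (no root login, a restricted login group, keys instead of passwords, a non-default port) as a small audit of an sshd_config, added here and not part of the original article. It assumes the group name `sshusers`; `AllowGroups` is OpenSSH’s directive for limiting logins to a group. The checker does not look for `Protocol 2`, because current OpenSSH releases only speak protocol 2 and report that directive as deprecated.

```python
"""Audit /etc/ssh/sshd_config text against this section's hardening steps."""


def parse_sshd_config(text: str) -> dict:
    """Return {directive_lowercased: value}, ignoring comments and blanks.
    sshd honours the first occurrence of a directive, so the first one wins."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key not in cfg:
            cfg[key] = value
    return cfg


def audit_sshd_config(text: str) -> list:
    """Return human-readable findings; an empty list means every check passed.
    Fallback values are sshd's compiled-in defaults for recent OpenSSH."""
    cfg = parse_sshd_config(text)
    findings = []
    if cfg.get("permitrootlogin", "prohibit-password") != "no":
        findings.append("PermitRootLogin should be 'no'")
    if "allowgroups" not in cfg and "allowusers" not in cfg:
        findings.append("no AllowGroups/AllowUsers: every account may log in")
    if cfg.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication should be 'no' (use SSH keys)")
    if cfg.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication must stay 'yes' for key logins")
    if cfg.get("port", "22") == "22":
        findings.append("Port is the default 22; consider a high port")
    return findings


# Constructed samples: distribution defaults left in place, and the
# configuration this section recommends (sshusers is an assumed group).
WEAK_CONFIG = """\
# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed sample
Port 50022
PermitRootLogin no
AllowGroups sshusers
PasswordAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(text) or "OK")
```

Before locking yourself out, add your own account to the group and confirm a second session with key authentication works; `sshd -t` validates the file syntax.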
g. Use SFTP
When you transfer files to and from the server, use SFTP (SSH File Transfer Protocol). With SFTP, you connect to the server securely, the same way as with SSH. Popular FTP clients such as FileZilla or WinSCP support this connection type.
h. Use SSL Certificates
Make sure that SSL certificates are deployed across all domains and services on the server. That way, even connections that seem less important are encrypted.
i. Secure Email
Email is still one of the primary attack vectors used by malicious actors. Attackers use this medium widely because millions of people communicate by email. Today, almost everyone is aware of the dangers of opening an unknown email, but it is still an issue in many companies. This can be reduced with continuous security training and reinforcement of security policies.
MilesWeb offers SpamExperts to protect your email account from spam.
j. Secure Application Logins
Some typical applications, such as WordPress, email, cPanel, or webmail, are accessed on your server. You can configure the connection method for each service so that no information is transmitted in plain text between your computer and the server.
Insecure Application logins
These default server applications can be reached from any web browser, and they send your credentials in plaintext when accessed through any of these insecure URLs:
- cPanel – http://example.com/cpanel
- cPanel – http://example.com:2082
- WHM – http://example.com:2086
- WHM – http://serverIP#:2086
- Webmail – http://example.com/webmail
Secure Application Logins
The same services can be accessed on your server over HTTPS, which keeps your credentials encrypted in transit. Use these URLs:
- cPanel – https://example.com:2083
- WHM – https://example.com:2087
- Webmail – https://example.com:2096
To force all cPanel applications to use HTTPS by default, log into WHM, go to Tweak Settings >> Redirection, and turn on Always redirect to SSL.
4. Make Use of Strong Passwords
This is the first security measure for most services on your server: always use a strong password for anything that has access to the server. Follow the guidelines below.
a. Use Password Management Software
NIST recommends using a password manager for storing and distributing passwords. With such software you can use stronger, unique passwords every day. Below are some of the tools suggested by reviewers for generating strong passwords:
b. Use A Passphrase Instead of a Password
When selecting a password, it is often better to use an altered phrase, or passphrase, which is easy to remember but hard to guess. For example: T0 3Rr 1$ Hum@N, t0 F0rg1v3 D1v1n3!
As per an expert, the above passphrase would take a computer about 2 sexdecillion years (that is 10^51, a 1 followed by 51 zeros; or on the British long scale 10^96, a 1 followed by 96 zeros) to crack.
c. Expire Passwords After X Time
To review password expiry, use the chage command, which lists and changes the password aging information for a Linux user account. Use chage -l to list the settings for a user and chage -M to set the maximum number of days before the password must be changed again:
[root@host ~]# chage -l user
Last password change                                    : Jan 01, 2019
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7
[root@host ~]# chage -M 90 user
Last password change                                    : Jan 1, 2019
Password expires                                        : March 1, 2019
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 90
Number of days of warning before password expires       : 7
[root@host ~]#
d. Password Policy Requirements
Make sure you follow the latest NIST standards for your password policy.
e. Define what passwords NOT to use
Remember, don’t use words that are commonly found in a dictionary. Also avoid well-known places, people’s names, events or pet names. Never reuse passwords, and never use an adjacent keyboard string of characters.
5. Turn Off All Unwanted Services
a. Audit Services
With service auditing, you discover the services actively running on the server, the protocols they use and the ports they listen on. Keeping these factors in mind helps reduce the attack surface of the system.
Certain services are enabled by default on most servers. They provide various features, but if you don’t use them, you should disable them. To find these services, run the commands below on a RedHat-based system; you will get output similar to this:
Redhat/CentOS Enabled Services
systemctl list-unit-files | grep enabled
[root@host ~]# systemctl list-unit-files | grep enabled
var-lib-snapd-snap-core-7917.mount        enabled
var-lib-snapd-snap-hello\x2dworld-29.mount enabled
var-lib-snapd-snap-snapcraft-3440.mount   enabled
acpid.service                             enabled
auditd.service                            enabled
autovt@.service                           enabled
crond.service                             enabled
dbus-org.fedoraproject.FirewallD1.service enabled
firewalld.service                         enabled
getty@.service                            enabled
irqbalance.service                        enabled
microcode.service                         enabled
NetworkManager-wait-online.service        enabled
postfix.service                           enabled
qemu-guest-agent.service                  enabled
rhel-autorelabel.service                  enabled
rhel-configure.service                    enabled
rhel-dmesg.service                        enabled
rhel-domainname.service                   enabled
rhel-import-state.service                 enabled
rhel-loadmodules.service                  enabled
rhel-readonly.service                     enabled
rsyslog.service                           enabled
sonarpush.service                         enabled
sshd.service                              enabled
systemd-readahead-collect.service         enabled
systemd-readahead-drop.service            enabled
systemd-readahead-replay.service          enabled
tuned.service                             enabled
snapd.socket                              enabled
default.target                            enabled
multi-user.target                         enabled
remote-fs.target                          enabled
runlevel2.target                          enabled
runlevel3.target                          enabled
runlevel4.target                          enabled
[root@host ~]#
Running the command below shows the units that are currently running:
systemctl | grep running
[root@host ~]# systemctl | grep running
session-2969.scope           loaded active running Session 2969 of user root
acpid.service                loaded active running ACPI Event Daemon
auditd.service               loaded active running Security Auditing Service
crond.service                loaded active running Command Scheduler
dbus.service                 loaded active running D-Bus System Message Bus
firewalld.service            loaded active running firewalld - dynamic firewall daemon
getty@tty1.service           loaded active running Getty on tty1
irqbalance.service           loaded active running irqbalance daemon
polkit.service               loaded active running Authorization Manager
postfix.service              loaded active running Postfix Mail Transport Agent
rsyslog.service              loaded active running System Logging Service
serial-getty@ttyS0.service   loaded active running Storm management console on Serial Getty ttyS0
snapd.service                loaded active running Snappy daemon
sonarpush.service            loaded active running MilesWeb Sonarpush Monitoring Agent
sshd.service                 loaded active running OpenSSH server daemon
systemd-journald.service     loaded active running Journal Service
systemd-logind.service       loaded active running Login Service
systemd-udevd.service        loaded active running udev Kernel Device Manager
tuned.service                loaded active running Dynamic System Tuning Daemon
dbus.socket                  loaded active running D-Bus System Message Bus Socket
snapd.socket                 loaded active running Socket activation for snappy daemon
systemd-journald.socket      loaded active running Journal Socket
systemd-udevd-control.socket loaded active running udev Control Socket
systemd-udevd-kernel.socket  loaded active running udev Kernel Socket
[root@host ~]#
To disable a service, use:
systemctl disable bluetooth
Debian/Ubuntu Running Services
The below commands will show you the services active on a Debian/Ubuntu based server:
service --status-all | grep '+'
root@host ~# service --status-all | grep '+'
 [ + ]  apache-htcacheclean
 [ + ]  apache2
 [ + ]  apparmor
 [ + ]  apport
 [ + ]  atd
 [ + ]  binfmt-support
 [ + ]  cron
 [ + ]  dbus
 [ + ]  ebtables
 [ + ]  grub-common
 [ + ]  irqbalance
 [ + ]  iscsid
 [ + ]  lvm2-lvmetad
 [ + ]  lvm2-lvmpolld
 [ + ]  lxcfs
 [ + ]  procps
 [ + ]  rsyslog
 [ + ]  ssh
 [ + ]  udev
 [ + ]  ufw
 [ + ]  unattended-upgrades
root@host ~#
This lists the state of the services that the system manages. The plus (+) and minus (-) indicators show whether each service is running or not.
systemctl | grep running
root@host ~# systemctl | grep running
proc-sys-fs-binfmt_misc.automount loaded active running Arbitrary Executable File Formats File System Automount Point
init.scope                        loaded active running System and Service Manager
session-1726.scope                loaded active running Session 1726 of user root
accounts-daemon.service           loaded active running Accounts Service
apache2.service                   loaded active running The Apache HTTP Server
atd.service                       loaded active running Deferred execution scheduler
cron.service                      loaded active running Regular background program processing daemon
dbus.service                      loaded active running D-Bus System Message Bus
getty@tty1.service                loaded active running Getty on tty1
irqbalance.service                loaded active running irqbalance daemon
lvm2-lvmetad.service              loaded active running LVM2 metadata daemon
lxcfs.service                     loaded active running FUSE filesystem for LXC
networkd-dispatcher.service       loaded active running Dispatcher daemon for systemd-networkd
polkit.service                    loaded active running Authorization Manager
rsyslog.service                   loaded active running System Logging Service
serial-getty@ttyS0.service        loaded active running Storm management console on Serial Getty ttyS0
snapd.service                     loaded active running Snappy daemon
ssh.service                       loaded active running OpenBSD Secure Shell server
systemd-journald.service          loaded active running Journal Service
systemd-logind.service            loaded active running Login Service
systemd-networkd.service          loaded active running Network Service
systemd-resolved.service          loaded active running Network Name Resolution
systemd-timesyncd.service         loaded active running Network Time Synchronization
systemd-udevd.service             loaded active running udev Kernel Device Manager
unattended-upgrades.service       loaded active running Unattended Upgrades Shutdown
user@0.service                    loaded active running User Manager for UID 0
dbus.socket                       loaded active running D-Bus System Message Bus Socket
lvm2-lvmetad.socket               loaded active running LVM2 metadata daemon socket
snapd.socket                      loaded active running Socket activation for snappy daemon
syslog.socket                     loaded active running Syslog Socket
systemd-journald-audit.socket     loaded active running Journal Audit Socket
systemd-journald-dev-log.socket   loaded active running Journal Socket (/dev/log)
systemd-journald.socket           loaded active running Journal Socket
systemd-udevd-control.socket      loaded active running udev Control Socket
systemd-udevd-kernel.socket       loaded active running udev Kernel Socket
root@host ~#
To disable a service, use:
systemctl disable apache2
b. Remove X Windows from the System
Most servers have no need for a GUI for general administration tasks. Some servers use a management panel to perform administrative tasks. Either way, know the number of open paths into the server and enable only the ones you truly need.
yum groupremove "X Window System"
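The decision the service audit above asks you to make (which enabled units does this host actually need?), as an added example that is not part of the original article. It parses the output of `systemctl list-unit-files | grep enabled` (a constructed sample built from unit names in the listing above) and reports enabled services and sockets missing from an allowlist; the allowlist is an assumption to adapt per server role.

```python
"""Compare enabled systemd units against an expected baseline (added example)."""

# Units this server is expected to have enabled (assumed baseline).
BASELINE = {
    "auditd.service", "crond.service", "firewalld.service",
    "irqbalance.service", "NetworkManager-wait-online.service",
    "rsyslog.service", "sshd.service", "tuned.service",
}

# Constructed sample of `systemctl list-unit-files | grep enabled`.
SAMPLE_OUTPUT = """\
acpid.service                          enabled
auditd.service                         enabled
crond.service                          enabled
firewalld.service                      enabled
getty@.service                         enabled
irqbalance.service                     enabled
postfix.service                        enabled
rsyslog.service                        enabled
sshd.service                           enabled
tuned.service                          enabled
snapd.socket                           enabled
multi-user.target                      enabled
"""


def enabled_units(output: str, kinds=("service", "socket")) -> set:
    """Return the enabled units of the given kinds. Targets and template
    units such as getty@.service are skipped: they are not what you disable."""
    suffixes = tuple(f".{k}" for k in kinds)
    units = set()
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[1] != "enabled":
            continue
        name = parts[0]
        if "@." in name or not name.endswith(suffixes):
            continue
        units.add(name)
    return units


def unexpected_units(output: str, baseline=BASELINE) -> list:
    """Units enabled on the host but absent from the baseline, sorted."""
    return sorted(enabled_units(output) - set(baseline))


def disable_commands(output: str, baseline=BASELINE) -> list:
    """Commands to run once you have confirmed each unit is really unneeded."""
    return [f"systemctl disable --now {u}" for u in unexpected_units(output, baseline)]


if __name__ == "__main__":
    for cmd in disable_commands(SAMPLE_OUTPUT):
        print(cmd)
```

Review each flagged unit before disabling it: postfix, for instance, may be needed for local mail from cron even when the server is not a mail server.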
6. Keep Your System Updated
One of the basic security precautions for any operating system, be it on a desktop, laptop or mobile device, is to keep all of your software up to date. Software updates range from critical vulnerability patches to minor bug fixes, and many software vulnerabilities are patched before they become public.
a. Don’t use default yum-updates.
It is important to update your system to keep it secure, but the default yum-updatesd has some glitches. Therefore, set up a cron job to apply updates. You can accomplish this with the following steps:
- Disable the yum-updatesd service with: /sbin/chkconfig yum-updatesd off
- Create the yum.cron file with the following contents:
#!/bin/sh
# Update yum itself first, then everything else. -R spreads the start over
# a random delay of up to N minutes, -e 0 -d 0 silence output, -y answers yes.
/usr/bin/yum -R 120 -e 0 -d 0 -y update yum
/usr/bin/yum -R 10 -e 0 -d 0 -y update
Make this file executable and place it in /etc/cron.daily or /etc/cron.weekly.
b. Hide Server Information
Provide as little information as possible about the underlying infrastructure. The less the server reveals about itself, the better.
Additionally, hiding the version numbers of any software installed on the server is a good idea. By default, the exact version and release are revealed, which can help attackers while searching for weaknesses. You can remove this information by deleting it from the HTTP headers and from the service’s greeting banner.
7. Restrict Website Access
Review your website access logs for unwanted activity and block abusive users from your website if you find any. It is good practice to block bad users at the website level before blocking them in the server’s firewall. If your website runs on WordPress, make sure it is protected against threats such as WordPress brute force attacks with Wordfence or a similar product, so your account also remains secure.
8. Configure a Firewall
A firewall such as iptables can block bad inbound traffic to your server and offers a highly effective security layer. When you are very specific about the traffic you allow to your website, it becomes easier to avoid intrusions and other attempts to gain access from the internet.
One of the best approaches is to allow only the traffic you need and deny everything else. Furthermore, newer Linux distributions ship nftables with its command-line utility nft, whose syntax is simpler than that of iptables.
9. Setup Audits
With file monitoring, you can detect unwanted file changes on the system. This is known as file auditing. Linux uses auditd to track and record several characteristics of system files while the system is in a healthy state, and later compares them with the altered state. When different versions of the same files are compared side by side, any inconsistencies can be detected and the changes tracked.
10. User Management
a. Monitor Login Attempts
A HIDS (Host Intrusion Detection System) monitors which files are being accessed, which applications are being used and what is recorded in the kernel logs.
A NIDS (Network Intrusion Detection System) reviews the data flow between computers on a network, inspecting those connections for suspicious behavior.
A HIDS is the more versatile solution, while a NIDS is mainly used as a LAN-based solution. You can use the HIDS below:
- Wazuh (A fork of OSSEC that offers more reliability and scalability)
- Security Onion
A combination of NIDS and HIDS forms a strong, comprehensive IDS strategy. You can use the NIDS below:
- Sguil
b. Limit User Permissions
To restrict users’ access to critical systems, limit permissions to sets such as 644 or 444 for files and 755 for directories.
c. Perform User Testing
Set a specific date for a security audit and inform the users in advance. State your expectations and hold them accountable for any shortcomings.
d. Ongoing Security Training
Send monthly reminders and train staff every three months, with six-monthly testing across multiple platforms (email, physical and network); identify the failures and start additional training in those areas.
e. Travel Security
Security isn’t just for the front end of your business. It is important to provide security training for employees who travel abroad.
11. Secure the Filesystem
You can take several steps to secure the filesystem on your servers. Mount filesystems with user-writable directories on separate partitions, and don’t forget to use the nodev, nosuid, and noexec options in /etc/fstab.
a. Make sure /boot is read-only
Also note that the /boot directory is mounted read-write by default, even though it is only used for reading and loading the kernel and modules. Set it to read-only in /etc/fstab:
/dev/sda1 /boot ext2 defaults,ro 1 2
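A check for the two fstab hardening steps above (nodev/nosuid/noexec on user-writable filesystems, read-only /boot), added here and not part of the original article. The sample fstab is constructed, and the set of mount points treated as user-writable is an assumption to adapt to your layout.

```python
"""Audit /etc/fstab mount options for this section's hardening (added example)."""

# Mount points where unprivileged users can write files (assumption).
USER_WRITABLE = {"/tmp", "/var/tmp", "/home", "/dev/shm"}
REQUIRED_OPTS = {"nodev", "nosuid", "noexec"}

# Constructed sample /etc/fstab with a mix of hardened and default entries.
SAMPLE_FSTAB = """\
# constructed sample
/dev/sda1  /boot     ext2   defaults                      1 2
/dev/sda2  /         ext4   defaults                      1 1
/dev/sda3  /home     ext4   defaults                      1 2
/dev/sda4  /tmp      ext4   defaults,nodev,nosuid,noexec  1 2
tmpfs      /dev/shm  tmpfs  defaults,nodev,nosuid         0 0
/dev/sdb1  /var/tmp  ext4   defaults,noexec               1 2
"""


def parse_fstab(text: str):
    """Yield (device, mountpoint, fstype, set_of_options) per fstab entry,
    skipping comments, blank lines and entries with too few fields."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue
        yield fields[0], fields[1], fields[2], set(fields[3].split(","))


def audit_fstab(text: str) -> dict:
    """Return {mountpoint: [missing options, sorted]} for entries that fail:
    user-writable mounts lacking nodev/nosuid/noexec, and /boot lacking ro."""
    findings = {}
    for _device, mountpoint, _fstype, opts in parse_fstab(text):
        missing = []
        if mountpoint in USER_WRITABLE:
            missing += sorted(REQUIRED_OPTS - opts)
        if mountpoint == "/boot" and "ro" not in opts:
            missing.append("ro")
        if missing:
            findings[mountpoint] = missing
    return findings


if __name__ == "__main__":
    for mountpoint, missing in audit_fstab(SAMPLE_FSTAB).items():
        print(f"{mountpoint}: add {','.join(missing)}")
```

noexec on /tmp or /home can break package installs and user tooling that execute from those paths, so test the change on a staging host before enforcing it.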
b. Disable booting from removable media.
To do this, change the BIOS settings to disable booting from removable media such as a USB stick.
c. Set a password for the GRUB bootloader.
If someone has physical access to the server, they can easily get into it. You can put a barrier between an attacker and the server by setting a password on the GRUB bootloader. The first step is to back up the current grub.conf file.
root@host ~# cp /etc/grub.conf /etc/grub.conf.bak
The next step is to generate a secure password. Create a file and write the password hash into it with the grub-md5-crypt command; you will be prompted to enter the password twice. Then copy the generated hash from the secure file into the grub.conf file.
root@host ~# touch secure
root@host ~# grub-md5-crypt > secure
After this, paste the password line into grub.conf after the first line (on Redhat), as below. Then type “:wq” in vim to save the file.
splashimage=(hd0,0)/grub/splash.xpm.gz
password --md5 JnK!xdBep53lt1NVk@K6wb!js%!HEI#^
Now reboot the server to check if the changes have been implemented.
d. Ask for the root password prior to entering single-user mode.
If a malicious actor can reach your server console, they can select a particular kernel to boot from the GRUB menu by simply pressing the “e” key, and edit the first boot option so that it boots into single-user mode without asking for a password.
Your system should be configured to prompt for the root password before entering single-user mode, to limit this possible exploitation. You can achieve this by following the instructions above in “Set a password for the GRUB bootloader.”
12. Utilize SELinux
SELinux is a kernel security module that supports access control security policies, including mandatory access control (MAC). Basically, it is used to enforce fine-grained access control requirements. With SELinux you can define how a process or user may operate. Processes are confined to their own domain, so they can only interact with the file types or other processes that their domain is allowed to reach. SELinux runs in one of three possible modes:
- Enforcing – SELinux is active and enforcing the defined policy.
- Permissive – Enforcement is not applied but is logged. It is mainly used for testing.
- Disabled – SELinux is inactive.
13. Use Multi-Server / Isolated Environments
a. Use a Multi-Server Environment
Having an isolated environment is one of the best forms of server security. For full isolation, you need a dedicated bare-metal server that doesn’t share any components with other servers. Although this is the easiest to manage and offers the highest security, it is very expensive. In a data center, isolated execution environments permit Separation of Duties (SoD) and also allow the server configuration to be tailored to the functions the server fulfils.
Separating database servers from web application servers is a standard security step. Separate execution environments benefit large-scale businesses that can’t afford any security breach. On independent database servers, sensitive information and system files remain protected from attackers who manage to gain access to your administrative accounts. Additionally, thanks to the isolation, system administrators can configure web application security separately and reduce the attack surface by deploying web application firewalls.
b. Use Virtual Isolated Environments
If complete isolation with dedicated server components isn’t affordable, or you don’t require it, you can choose to isolate execution environments instead. That way, you can deal with any security issue that arises without compromising the other data. You can choose between containers (built on top of the host OS) or VM virtualization, both of which are easy to set up.
Creating chroot jails is another option for virtualized environments on a UNIX operating system. chroot separates a process from the root directory of the main operating system and lets it access only the files in its own directory tree. However, this is not complete isolation and should only be used together with other security measures.
14. Take Backups
a. Buy a Website Backup Plan
It has been said many times: backups are an essential part of every security protocol. We recommend purchasing a website backup plan for backup retention.
b. Backup Testing
Test your backup systems in advance and clearly document the procedures and process for restoring them.
15. Use LUKS Encryption
To configure LUKS on CentOS, you need the cryptsetup package; it is installed by default in later versions of CentOS. Using the cryptsetup command you can encrypt specific disks or partitions to protect all of the information stored on them.
[root@host ~]# cryptsetup luksFormat /dev/sdc

WARNING!
========
This will overwrite data on /dev/sdc irrevocably.

Are you sure? (Type uppercase yes): YES
Enter LUKS passphrase:
Verify passphrase:
[root@host ~]# cryptsetup -v luksOpen /dev/sdc mysecuredrive
Enter passphrase for /dev/sdc:
Key slot 0 unlocked.
Command successful.
[root@host ~]# mkfs.xfs /dev/mapper/mysecuredrive
[root@host ~]# mkdir -p /mnt/my_secure_drive
[root@host ~]# mount -v /dev/mapper/mysecuredrive /mnt/my_secure_drive/
(***you may get an SELinux warning here***)
mount: /mnt/my_secure_drive does not contain SELinux labels.
       You just mounted an file system that supports labels which does not
       contain labels, onto an SELinux box. It is likely that confined
       applications will generate AVC messages and not be allowed access to
       this file system.  For more details see restorecon(8) and mount(8).
mount: /dev/mapper/mysecuredrive mounted on /mnt/my_secure_drive.
[root@host ~]# restorecon -vvRF /mnt/my_secure_drive/
Relabeled /mnt/my_secure_drive from system_u:object_r:unlabeled_t:s1 to system_u:object_r:mnt_t:s1
[root@host ~]# mount -v -o remount /mnt/my_secure_drive/
mount: /dev/mapper/mysecuredrive mounted on /mnt/my_secure_drive
(***no selinux warnings seen***)
[root@host ~]# cryptsetup luksDump /dev/sdc
LUKS header information
Version:        2
Epoch:          3
Metadata area:  12288 bytes
[……]
Digest: 49 20 4c 6f 76 65 20 77 72 69 74 69 6e 67 20 61 62 6f 75 74 20 6c 69 6e 75 78 22 2f 47 55 b7 8f
That’s all! Don’t forget to work through these top 15 server security practices to secure your server.