Even if you have a secure web application and an insecure web server, or vice versa, it still puts your business at a huge risk.
Securing a web server is as important as securing the website or web application itself.
Although securing a web server can be a daunting task that requires a specialist’s help, you can still learn how to keep your server secured.
We have created a list to help you go through the process of securing your web server.
Take a look at 7 necessary steps you need to do.
1. Disable Server signature
Don’t let an important piece of information about your server and operating system go to the wrong hands. Turn off server signature before someone targets your server.
Hence, one with these details can paralyze your system with focused attacks. For example, if you have this kind of error page, the hacker will know too much about your server:
Not found The requested URL/ gergwerg was not found on this server. Apache/2.4.9. (Debian) Server at 193.365.2.87 port 70
How to disable Apache web server signature?
First, you should create a backup of the configuration file, in case something goes wrong.
Then, disable the server signature on Apache by editing the configuration file:
- On Linux Mint, Ubuntu or Debian you can find config file here
$ sudo vi /etc/apache2/apache2.conf
- On Fedora, Arch Linux, CentOS or RHEL you can find config file here
$ sudo vi /etc/httpd/conf/httpd.conf
Add the following code at end of Apache config file:
ServerSignature Off ServerTokens Prod
Or, turn off Server Signature by editing .htaccess file:
# START - Disable server signature # ServerSignature Off # END - Disable server signature #
How to disable Nginx web server signature?
The path of the configuration file is either the first or the second:
- For Linux
- For FreeBSD
- Or search the file:
find / -name nginx.conf
Find the line that refers to “server_tokens” and change it as written below, and then restart your Nginx and you are good to go.
- For Debian, Ubuntu and Centos 5 or 6:
service nginx restart
- For CentOS 7:
systemctl restart nginx
When you disable the server signature, you can move on to another security measures.
Turn off PHP signature
Turning off PHP signature can also help you slow down potential attackers who can’t wait to find a weakness in your system.
To reduce the amount of available information you can set expose_php to off in your php.ini file.
However, there are other useful tactics to secure PHP signature – configure web servers such as Apache to parse different filetypes through PHP. Then you can use misleading file extensions:
- Hiding PHP as another language
AddType application/x-httpd-php .asp .py .pl
- Obscure it completely by using unknown types for PHP extensions
AddType application/x-httpd-php .bop .foo .133t
- Hide it as HTML code by using HTML types for PHP extensions
AddType application/x-httpd-php .htm .html
Security through obscurity is minor preventative measure with few drawbacks, still, you should rename your PHP files with the above extensions.
2. Standard authentication with SSH
SSH keys are a pair of cryptographic keys that can be used for authentication. Setting up SSH keys allows you to disable password-based authentication. SSH keys have much more bits of data than a password, which means that there are more possible combinations that an attacker would have to run through.
What about user permission?
SSH keys are easy to set up and are recommended for login on both Linux or Unix servers. Besides, when you secure your private key, the server will ask for a proof to confirm that the client has the associated private key.
How can you generate a new SSH key?
If you’re unsure whether you already have an SSH key, check for existing keys.
If you don’t have the key, you can easily generate a new one simply by following these steps:
- Open Terminal.
- Paste the text below.
ssh-keygen -t rsa -b 4096
Here you create a new SSH key, using the provided email as a label.
Generating public/private rsa key pair
When you’re indicating to “Enter a file in which to save the key,” press Enter. This accepts the default file location, and it’s easier if you always use the default.
- Enter a file in which to save the key (/home/you/.ssh/id_rsa): [Press enter]
At the prompt, type a secure passphrase.
- Enter passphrase (empty for no passphrase): [Type a passphrase]
- Enter same passphrase again: [Type passphrase again]
Then add your SSH key to the ssh-agent
- Start the ssh-agent in the terminal window:
eval "$(ssh-agent -s)"
This is the response you will get:
Agent pid 59566
Add your SSH private key to the ssh-agent. If you have created your key with a different name, or if you are adding an existing key that has a different name, replace id_rsa in the command with the name of your private key file. You will get this feedback:
Add the SSH key to your GitHub account.
Do you feel that you need password authentication?
Use Fail2Ban for SSH Login Protection that bans IP addresses from logging into your server after too many failed login attempts.
- With SSH keys you have only one try to log in, and the legitimate logins usually take no more than three tries.
When somebody tries to attempt to a server over this limit, the server indicates malicious access. Fail2Ban monitors SSH only and is a helpful security deterrent for any server. Why? SSH daemon is usually configured to run constantly and listen for connections from any remote IP.
3. Change the default SSH port
Changing the default SSH port will stop many automated attacks. To change it, you need SSH root access to the VPS.
- Open configuration file of the SSH daemon by executing the following command:
- Locate this line: # Port 22
- Change it to any port you desire and remove # at the beginning. Save the changed file with CTRL+X (or COMMAND+X shortcut if you are on MAC).
- Restart SSH daemon to implement the changes using this command:
service sshd restart or systemctl restart ssh
You are now only able to access the server using the port that you have specified in the configuration.
Firewalls are an essential part of any server configuration – they are a piece of software or hardware that controls what services are exposed to the network.
A firewall is a separator or restrictor of network traffic, which can be configured to apply your organization’s data security policy. That means firewalls can stop confidential information from getting into the wrong hand without your permission – passwords, bank details, and other personal information.
They will help you limit access to ports you specify, but you can specify sources as well. As an example, you can limit outbound connections to reduce the possibility of reverse shells.
Setting up the firewall should only take a few minutes and you can do it during your server’s initial setup or when you make changes in what services are offered on your computer.
5. Use HTTPS instead of HTTP
Yes, it’s extremely significant to use HTTPS if you have sensitive information on your site. Online shopping or banking require HTTPS, but you should use it even if your site is only informative.
One of the main reasons for using HTTPS is browser policy. In 2017, the most popular web browsers started warning users when they visit sites that use HTTP. So, if your site includes a contact form, the browser will display a security warning.
HTTPS is better for SEO: Google’s search rankings favor HTTPS over HTTP.
When visitors see the security symbol and HTTPS they will know that you value their privacy, even if you aren’t receiving any personal information from them.
Encrypted websites protect our privacy and are significantly faster. Some technologies designed to make websites faster only work with HTTPS.
How to convert HTTP to HTTPS?
Install a professionally signed security certificate on your web server. Once SSL certificate is installed, HTTPS protocol will be activated and allow secure connections between a web browser and the server.
You will have to pay for SSL, but it’s worth it.
There is also a way to use SSL for free, many web hosting companies now offer signed certificates from Let’s Encrypt, which is renewed automatically every 3 months.
So, choose a type of SSL certificate and make sure that your site and your users are safe.
6. DDoS Protection
DDoS attacks are the most prevalent type of attacks regardless of the industry and everyone should take protective measures. The frequency of distributed denial-of-service (DDoS) attacks has increased more than 2.5 times over the last 3 years. Take this statistic seriously and learn how to respond to the potential attacks before they even happen.
You can also use Cloud services as they give you the easiest way to mitigate attacks of all forms and sizes including those that target the UDP and ICMP protocols, as well as SYN/ACK, DNS amplification, and Layer 7 attacks.
7. Keep Things Up To Date To Enforce Security
Keep both the server operating system and any software up to date – this is necessary for keeping your site secure.
Does your website security have any weaknesses in the software?
Hackers will try to abuse them faster than you know.
If you have a managed hosting company should take care of the updates. You don’t need to worry about this problem.
On the other hand, if you are using a third-party software such as a CMS or a forum, you should make sure you are quick to apply any security patches. Most vendors notify you of available system updates when you log in.
- You can ease your job by using tools like Composer, npm, or RubyGems in order to manage their software dependencies and security vulnerabilities that appear in a package you depend.
You can also use different reporting tools to get automatic notifications if there is a vulnerability notification in one of your components.
It’s better to start late than never with security measures.
Every software on the server has security vulnerabilities which could be a threat for the whole server.
There is no general solution for securing every piece of software. You must keep in mind every potential hole on the server and think about a solution for it.
Vulnerable server security is a serious threat, do not overlook it!
Do you have another suggestion on how to secure server?
P.S. While you are working on protecting your server and website, you might as well use the time to check how your site is performing and what things you should fix and to go through the basics of securing your website if you use WordPress CMS.