Introduction
Malicious actors are always on the lookout for server vulnerabilities. The responsibility of system administrators and security officers is to ensure that the data on the server is safe and secure.
Minimize risks and increase the security of the system you are maintaining by implementing our server security tips and best practices.
What is Server Security?
Server security is a set of measures that protect a server from all types of threats, such as DDoS attacks, brute force attacks, and careless or malicious users. The measures can include installing and maintaining firewalls, enforcing strong passwords and user authentication protocols, installing antivirus software, and conducting regular backups to avoid data loss.
Why is Server Security Important?
Servers play a key role in business-sensitive data processing and storage. Protecting servers from external threats with server security measures is essential for maintaining:
- Integrity - Server security ensures the accuracy and completeness of the data stored on the server by preventing tempering and accidental modification.
- Availability - Security measures help system administrators keep the server and its services available for authorized users at all times.
- Confidentiality - Protection of sensitive data stored on the server prevents unauthorized users from using the data for malicious purposes.
- Reputation - A security breach can result in data loss or service disruption. These incidents can damage a company's reputation and incur financial losses.
- Compliance - Big companies are subject to industry-specific regulations that require their servers to conform to certain security standards. Not meeting these standards often results in regulatory fines.
21 Tips to Secure Your Server
Below is a list of 21 tips to improve the security of your servers. It features sections dedicated to internet connectivity and user management, the areas in which you can do most to improve the overall strength of a system. Furthermore, the list presents other best practices across the entire server security field.
Secure Server Connectivity
1. Establish and Use a Secure Connection
When connecting to a remote server, it is essential to establish a secure channel for communication.
The SSH (Secure Shell) Protocol is the best way to establish a protected connection. Unlike the previously used Telnet, SSH access encrypts all data transmitted in the exchange. To gain remote access using the SSH protocol, you must install the SSH Daemon and an SSH Client to issue commands and manage servers.
By default, SSH uses port 22. Changing the default port number is an easy way to reduce the chances of hackers attacking your server. Therefore, the best practice for SSH is to use a random port number between 1024 and 32,767.
Note: Learn about the differences between Telnet and SSH and when to use them.
2. Use SSH Keys Authentication
Instead of a password, you can authenticate an SSH server using a pair of SSH keys, a better alternative to traditional logins. The keys carry substantially more bits than a password, and current computers cannot easily crack them. For example, the popular RSA 2048-bit encryption is equivalent to a 617-digit password.
The SSH key pair consists of a public key and a private key.
The public key has several copies, one of which remains on the server, while others are shared with users. Anyone with the public key has the ability to encrypt data, while only the user with the corresponding private key can read this data.
The private key must not shared with anyone and must be kept secure. When establishing a connection, the server asks for evidence that the user has the private key before allowing privileged access.
Note: For more SSH-related tips, read SSH security best practices.
3. Secure File Transfer Protocol
Using File Transfer Protocol Secure (FTPS) helps transfer files to and from a server without the danger of malicious actors compromising or stealing data.
FTPS uses command and data channels to encrypt data files and authentication information. However, it is important to bear in mind that FTPS only protects files during transfer. As soon as they reach the server, the data is no longer encrypted. For this reason, encrypting the files before sending them adds another layer of security.
4. Secure Sockets Layer Certificates
Secure your web administration areas and forms with Secure Socket Layer (SSL) that guards information passed between two systems via the internet. SSL can be used both in server-client and server-server communication.
The program scrambles data so sensitive information (such as names, IDs, credit card numbers, and other personal information) is not stolen in transit. Websites with the SSL certificate have HTTPS in the URL, indicating they are secure.
Not only does the certificate encrypt data, but it is also used for user authentication. Therefore, by managing certificates for your servers, SSL helps establish user authority. Administrators can configure servers to communicate with centralized authority and any other certificate that the authority signs.
5. Use Private Networks and VPNs
Another way to ensure secure communication is to use private and virtual private networks (VPNs) and software such as OpenVPN (see our guide on installing and configuring OpenVPN on CentOS). Unlike open networks, which are accessible to the outside world and therefore susceptible to attacks from malicious users, private and virtual private networks restrict access to selected users.
Private networks use a private IP to establish isolated communication channels between servers within the same IP range. This allows multiple servers in the same network to exchange information and data without exposure to a public space.
Use a VPN when you want to connect to a remote server as if doing it locally through a private network. VPNs enable an entirely secure and private connection and can encompass multiple remote servers. For the servers to communicate under the same VPN, they must share security and configuration data.
Server User Management
6. Monitor Login Attempts
Using intrusion prevention software to monitor login attempts is a way to protect your server against brute-force attacks. These automated attacks use a trial-and-error method, attempting every possible combination of letters and numbers to gain access to the system.
Intrusion prevention software oversees all log files and detects if there are suspicious login attempts. When the number of attempts exceeds the set norm, the intrusion prevention software blocks the IP address for a certain period or indefinitely.
Note: Learn about public and private IP addresses in our post Public vs. Private IP Address.
7. Manage Users
Every server has a root user who can execute any command. Because of the access level it has, the root can be hazardous if a server falls into the wrong hands. It is a widespread practice to disable the root login for SSH altogether.
Since the root user has the most power, hackers focus their attention on trying to crack the root password. When you disable this user entirely, you put attackers at a disadvantage and protect the server from potential threats.
To ensure outsiders do not misuse root privileges, create a limited user account. This account does not have the same authority as the root but can perform administrative tasks using sudo commands.
Therefore, you can administer most tasks with a limited user account and use the root account only when necessary.
Server Password Security
8. Establish Password Requirements
The first thing is to set password requirements and rules that all server users must follow. Follow these essential rules:
- Do not allow empty or default passwords.
- Enforce minimum password length and complexity.
- Have a lockout policy.
- Do not store passwords using reversible encryption.
- Force session timeout for inactivity and enable two-factor authentication.
Note: Use phoenixNAP password generator tool to securely generate strong and complex passwords .
9. Set Password Expiration Policy
Setting an expiration date for a password is another routine practice when establishing user requirements. Depending on the level of security required, a password may last a couple of weeks or months.
10. Use Passphrases For Server Passwords
Using a passphrase rather than a password can help elevate server security. The main difference is that a passphrase is longer and contains spaces between the words. Therefore, it is often a sentence, but it does not have to be one.
For example, a password passphrase may be: Ilove!EatingPizzaAt1676MainSt.
The given example is longer than a usual password and contains upper and lower case letters, numbers, and unique characters. Furthermore, it is much easier to remember a passphrase than a string of random letters. Finally, since it consists of 49 characters, it is more difficult to crack.
11. Password Don’ts
If you want to maintain a secure server, there are a few things you want to avoid when it comes to passwords. Be mindful where you store passwords. Do not write them on paper and keep them in the office.
It is advisable not to use personal information like your birthday, hometown, pet names and other things that can connect you to the password. These are extremely easy to guess, especially by people who know you.
Passwords that only contain simple dictionary words are also easy to crack, especially by dictionary (brute force) attacks. Additionally, try to avoid repeating sequences of characters in the same password.
Finally, do not use the same password for multiple accounts. By recycling passwords, you put yourself at significant risk. If a hacker manages to get access to a single account, all other accounts with the same password may be in danger.
Try to use a different password for every account and keep track of them using a password manager such as KeePass.
Note: Check out our article on strong password ideas to get a better understaning on how to create and use passwords that are hard to crack.
Other Best Practices to Secure a Server
12. Update and Upgrade Software Regularly
Regularly updating the software on a server is crucial in keeping it safe from hackers. Outdated software has already been explored for its weak points, leaving it open for hackers to take advantage and harm your system.
Automatic updates are one way to guarantee that you do not skip important updates. However, allowing the system to make automatic changes may be risky. Before updating your production environment, it is a good practice to examine how the update performs in a test environment.
Make sure to update the server control panel routinely. You also need to regularly update your content management system (if you use it), as well as any plugins it may have. Each new release includes security patches to fix known security issues.
13. Remove or Turn Off All Unnecessary Services
Increase server security by reducing the so-called attack vector. This cyber-security term refers to installing and maintaining only the bare minimum requirements needed to keep your services running. Enable only the network ports the server OS and installed components use. The less you have on the system, the better.
A Windows OS server should only have the required operating system components. A Linux operating system server should have a minimal installation with only the essential packages installed.
Since most Linux distributions listen for incoming connections on the internet, configure a firewall to allow only specific ports and deny all other unnecessary communication.
Check for dependencies before installing software on your system to ensure you are not adding anything you do not need. Moreover, inspect which dependencies were auto-started on the system and whether you want them there.
14. Hide Server Information
Aim to provide as little information about the underlying infrastructure as possible. The less is known about your servers, the better.
Also, it is a good idea to hide the version numbers of any software installed on the server. The version indicator often reveals the exact release date which aids hackers when searching for weaknesses.
15. Use Intrusion Detection Systems
To detect unauthorized activities, use an intrusion detection system (IDS), such as Sophos, which monitors processes running on your server. You can set it to check day-to-day operations, run automated periodical scans, or decide to run the IDS manually.
16. File Auditing
File auditing is another efficient way to discover unwanted changes on your system.
This method keeps a record of all the characteristics of a system when it is in a healthy state and compares it to its current state. By comparing the two versions of the same system side to side, you can detect all the inconsistencies and track their origin.
17. Service Auditing
Service auditing explores what services are running on the server, their protocols, and the ports they are communicating through. Being aware of these specifics helps configure valid protection for attack surfaces in the system.
18. Set Up and Maintain a Firewall
Secure your server by controlling and restricting access to your system.
Using CSF (ConfigServer and Firewall) is essential in tightening up security on a server. It allows only specific vital connections and locks down access to other services.
Set up a firewall during the initial server setup or when you make changes to the server's services. By default, a typical server runs multiple public, private and internal services.
- Public services generally run on web servers that need to allow access to a website. Anyone can access these services over the internet.
- Private services are used when dealing with a database control panel, for example. In that case, a number of selected users get access to the same point. They have authorized accounts with special privileges on the server.
- Internal services should never be exposed to the internet or the outside world. They are only accessible from within the server and only accept local connections.
The role of the firewall is to allow, restrict, and filter access according to the service the user is authorized for. Configure the firewall to restrict all services except those mandatory for your server.
19. Back Up Your Server
Although the previously mentioned steps are designed to protect your server data, it is crucial to have a backup of the system in case something goes wrong.
Store encrypted backups of your critical data offsite or use a cloud data backup and restore solution.
Whether you have automated backup jobs or do them manually, ensure to make a routine of this precautionary measure. Furthermore, you should perform comprehensive backup tests. This includes “sanity checks” in which administrators or end users verify that data recovery is coherent.
20. Create Multi-Server Environments
Isolation is one of the best types of server protection you can have.
Total separation requires having dedicated bare metal servers that do not share any resources with other servers. Although this method provides the most security, it is also the most expensive.
Having isolated execution environments in a data center allows the so-called Separation of Duties (SoD) and setting server configuration according to the functions a server fulfills.
Separating database servers and web application servers is a standard security practice. Separate execution environments are especially beneficial to larger-scale businesses that cannot afford any security breaches.
Independent database servers secure sensitive information and system files from hackers that manage to gain access to administrative accounts. Also, isolation lets system administrators separately configure the web application security and minimize the attack surface.
21. Create Virtual Isolated Environments
If you cannot afford or do not require complete isolation with dedicated server components, you can also choose to isolate execution environments.
Doing so helps you deal with security problems while ensuring other data is not compromised. You can choose between containers or VM virtualization which are much easier to set up.
Another option for virtualized environments in a UNIX operating system is creating chroot jails. Chroot separates a process from the central operating system’s root directory and allows it to access only files within its directory tree. However, this is not complete isolation and should be practiced only with other security measures.
Note: Two major services in the web hosting industry are cloud hosting and dedicated servers. To learn more about the differences between these two, refer to our article Cloud vs. Dedicated Server.