Not everyone relies on shared web hosting for the sites they work on. Many developers have turned to dedicated hosting, virtual private servers (VPS), colocation hosting and other methods that give them greater freedom to work and allow for more control over the environments where they host sites for their clients or business. While these hosting environments offer a developer much more flexibility, they do put the responsibility of securing that server in the hands of the developer. This can pose a problem for someone who does not understand the basics of web server security.
As a web developer, no one expects you to be a security expert, especially when it comes to server technologies. However, you do your company, your clients, or yourself a great disservice if you cannot apply some basic server hardening techniques to help thwart attacks that may target your servers. That is what this article aims to help you with. It is important to note that if your server stores data that needs to be kept private and confidential, then you need to turn to a knowledgeable expert to help you with your security needs. If, however, you are not tasked with protecting sensitive information, then please read on.
Why your server may be targeted
Before we get into the basic steps to harden your server, let’s understand why it might be a target. It’s easy to see why an environment that stores financial or personal data might be a target. The bad guys want to steal this kind of stuff. But what about the server that hosts a content-rich site that collects no data whatsoever? Well, those sites and their servers can be quite valuable as well.
To start with, servers can be targeted so that attackers can take over sites and litter them with propaganda. Sometimes, these servers are even used just for practice or to test out different tools and techniques. Servers are also compromised so that they can be used to broadcast spam on the sites they host. Others may be owned and controlled as part of a botnet. Even worse, some are taken over so that they can deliver malware.
Web servers are viewed as assets, and if a server has any value then someone is going to try to compromise it. Let’s look at some ways to prevent that from happening.
Get rid of what you don’t need
When an operating system is installed, there are a number of services that are turned on by default. Most of these services have nothing to do with serving up web pages and are not needed. The services you need, and those you don’t, depend upon the operating system you are using, but things like print server services have no business being enabled on a web server. Disable any that you don’t need. Likewise, any additional programs, software, modules or extensions that may have been installed on your server but aren’t required should be removed as well. While you are at it, make sure to delete any unused or unnecessary user accounts. Orphaned accounts are prime targets for attackers.
One last thing that you can get rid of on your web server is unneeded open ports. Yes, there are some ports that will need to remain open, but if they are not in use make sure that they are closed to prevent a bad guy from exploiting them.
Keep everything updated
Service packs, patches and updates do more than provide software with new features and bug fixes; they may also contain fixes for security vulnerabilities. Now, it isn’t wise to just download the latest update and throw it on to a production server. You should test it out first to make sure that it isn’t going to adversely affect your environment. In addition to your production server, you should have a testing or staging server that you use. Even if it is a virtual server that is an exact replica of your live environment, it gives you a place to test anything before you install it on your production server. This includes patches and updates. If something causes a problem to the point where you cannot update, it is still recommended that you install anything that is a security patch. This may require you to turn to an expert in your operating system or software.
Keep an eye on things
All computer systems keep detailed logs that track access to the server, access to web sites, database communication, etc. If you want to keep your server protected, you need to review these logs for anomalies on a frequent basis. Look for things like failed login attempts, changes to account privileges, newly created accounts and anything else that looks suspicious.
Also, it is a recommended practice to store all logs in a segregated area.
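As an added illustration (not part of the original article), this script scans authentication log text for the three anomalies named above: repeated failed logins, newly created accounts, and accounts added to privileged groups. It assumes Debian-style `/var/log/auth.log` lines as written by OpenSSH, `useradd` and `usermod`; the sample lines, the threshold of three failures and the list of privileged groups are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in Debian-style /var/log/auth.log format.
SAMPLE_LOG = """\
Mar  3 02:11:07 web1 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 50122 ssh2
Mar  3 02:11:09 web1 sshd[4121]: Failed password for root from 203.0.113.7 port 50124 ssh2
Mar  3 02:11:12 web1 sshd[4125]: Failed password for root from 203.0.113.7 port 50130 ssh2
Mar  3 08:30:44 web1 sshd[5002]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
Mar  3 08:31:02 web1 sshd[5040]: Failed password for deploy from 198.51.100.20 port 40031 ssh2
Mar  3 09:02:15 web1 useradd[5310]: new user: name=svc_backup, UID=1003, GID=1003, home=/home/svc_backup, shell=/bin/bash
Mar  3 09:02:40 web1 usermod[5322]: add 'svc_backup' to group 'sudo'
"""

FAILED = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?\S+ from (\S+)")
NEW_USER = re.compile(r"useradd\[\d+\]: new user: name=([^,\s]+)")
GROUP_ADD = re.compile(r"usermod\[\d+\]: add '([^']+)' to group '([^']+)'")
PRIVILEGED_GROUPS = {"sudo", "wheel", "adm"}  # assumption: adjust per distro


def review(log_text, threshold=3):
    """Summarise failed-login sources, new accounts and privilege changes."""
    failures = Counter()
    new_accounts, privilege_changes = [], []
    for line in log_text.splitlines():
        if m := FAILED.search(line):
            failures[m.group(1)] += 1          # count failures per source IP
        elif m := NEW_USER.search(line):
            new_accounts.append(m.group(1))
        elif m := GROUP_ADD.search(line):
            if m.group(2) in PRIVILEGED_GROUPS:
                privilege_changes.append((m.group(1), m.group(2)))
    return {
        # only sources at or above the threshold are worth a closer look
        "repeated_failures": {ip: n for ip, n in failures.items() if n >= threshold},
        "new_accounts": new_accounts,
        "privilege_changes": privilege_changes,
    }


if __name__ == "__main__":
    for finding, detail in review(SAMPLE_LOG).items():
        print(finding, detail)
```

A new account that is added to a privileged group within the same review window, as `svc_backup` is in the sample, is worth checking against your change records.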
Web servers, web sites and web applications have a number of files and folders that should not be accessible by the public. Set the permissions on these files and folders so that you prohibit read access to them, not just write and execute.
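One way to check this on a Unix-like server, shown as an added example that is not part of the original article: walk a site directory and report sensitive files that grant any permission to "other" users, read included, plus any file that is world-writable. The list of sensitive name patterns is hypothetical, and the example assumes the public-facing web server process reaches these files through the "other" permission bits.

```python
import fnmatch
import os
import stat
import tempfile

# Assumption: name patterns for files that should never be publicly readable.
SENSITIVE_PATTERNS = ["*.env", "*.bak", "*.sql", "*.key", "config*.php", ".ht*"]
OTHER_BITS = stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH


def audit_tree(root, patterns=SENSITIVE_PATTERNS):
    """Return sorted (relative_path, octal_mode, reason) findings under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and devices
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            sensitive = any(fnmatch.fnmatch(name, p) for p in patterns)
            if sensitive and mode & OTHER_BITS:
                findings.append((rel, oct(mode), "sensitive file open to others"))
            elif mode & stat.S_IWOTH:
                findings.append((rel, oct(mode), "world-writable"))
    return sorted(findings)


def demo():
    """Build a small constructed tree in a temp directory and audit it."""
    sample = [("index.html", 0o644), (".env", 0o644),
              ("db.sql", 0o600), ("upload.php", 0o666)]
    with tempfile.TemporaryDirectory() as root:
        for name, mode in sample:
            path = os.path.join(root, name)
            with open(path, "w") as fh:
                fh.write("constructed sample\n")
            os.chmod(path, mode)  # set explicitly so umask does not interfere
        return audit_tree(root)


if __name__ == "__main__":
    for rel, mode, reason in demo():
        print(f"{mode}  {rel}: {reason}")
```

In the constructed tree, `.env` at mode 644 is reported because others can still read it, while `db.sql` at mode 600 passes.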
Also, make sure that any error messages that your server, and sites, provide do not reveal information about the server like the operating system, web application or anything else that can be used to plan an attack. The bad guys will often try to force errors as part of their investigation, hoping to gain information that they can use to search for known vulnerabilities to exploit.
Get some tools
There are a number of security solutions built specifically to help protect web servers. Some will scan your website for known vulnerabilities and misconfigurations, and then provide you with a report on what you need to do to fix things. Tools like this are invaluable if you are running your own web server. You can find some free tools and commercially available ones as well.
Knowledge is another tool that you should employ to help keep your web server safeguarded. Read up on the current threat landscape and continue to learn more about server and site security. Start with OWASP, the Open Web Application Security Project. You will find plenty of resources that can help build your security chops.