Secure Your Server: An In-Depth, Actionable Guide 

Whether you’re an online small business or a blog owner, your site’s security is paramount. Hackers don’t just steal data; they also use compromised servers as bases for further cyber attacks such as phishing, spam, and even cryptocurrency mining. 

While no security measure is 100% foolproof, implementing robust server security practices significantly lowers your risk of being hacked.

What Is Server Security?

A secure web server protects all its information and transactions from unauthorized access. In essence, a secured server is a safe server, forming the backbone of your online presence, website security and data integrity.

Why is Server Security so Important?? 

Securing your server is crucial for maintaining your online reputation, attracting new visitors, and retaining existing customers. An unsecured server poses threats to both you and your users:

• Crucial information can be compromised or stolen.
• Search engines penalize sites with security issues.
• Leaving your server vulnerable endangers your entire online operation.

Common Server Security Threats

Understanding the threats you face is the first step in protecting your server. Here are some of the most common security risks:

Denial-of-Service (DoS) or Distributed-Denial-of-Service Attacks (DDoS)

DDoS attacks aim to overload your server resources, bringing all of the server’s functions offline. These attacks can last for days or even longer, and are initiated for various reasons:

• Business competitors seeking to disrupt operations
• Activists attempting to disable access to certain content
• Malicious actors (“trolls”) doing it for amusement

To protect against DDoS attacks:

• Implement robust firewall rules
• Cloud server hosting plans (like those offered by Liquid Web, for example) provide excellent protection from DDoS attacks. 

Code Injection

Also known as remote code execution (RCE), code injection attacks occur when a hacker exploits input validation flaws in scripts or applications to implement and execute malicious code. Applications that directly accept unchecked input are particularly vulnerable.

To secure against code injection:

• Use whitelisting for input validation
• Encode HTML outputs
• Avoid JavaScript code serialization

Cross-Site Scripting (XSS)

XSS is one of the most frequent methods of server attack. These attacks target users to steal their data by manipulating web application scripts. Hackers create malicious scripts that execute every time a web page loads, potentially allowing them to:

• Manipulate the user’s computer and browsing history
• Control the browser
• Use other applications and devices for further malicious activities

Identifying Server Vulnerabilities

Before implementing security measures, it’s crucial to identify potential security vulnerabilities in your server setup. Common weak points include:

• Weak passwords
• Misconfigured firewalls
• Outdated software and operating systems
• Unnecessary open ports
• Lack of encryption for sensitive data
• Insufficient access controls

Regular security audits and vulnerability scans can help identify these issues before they can be exploited.

Key Steps to Make Your Web Server Secure

There are many tools and methods to harden and protect your servers from illegal access and other malicious activities. To secure your server, follow the next steps listed below:

1. Create strong passwords
2. Generate an SSH key pair
3. Keep your server updated
4. Use firewalls
5. Consider using Linux as your web server operating system
6. Limit superuser/root access
7. Utilize VPNs and private networks
8. Use a multi-server environment
9. Employ dedicated servers for maximum security
10. Implement regular backups
11. Monitor server logs
12. Secure the filesystem
13. Disable unnecessary services
14. Implement ongoing security training

Let’s dive into the details of these.

1. Create Strong Passwords

The first step in securing your server is to use strong passwords. Most experts recommend a password of at least 12 characters, including numbers, both uppercase and lowercase letters, and special characters like exclamation points and ampersands. Additionally, do not use the same password for different systems. It is essential to change all of your passwords regularly. 

Because it can be difficult to remember passwords, many experts also recommend utilizing a password manager.

Two-Factor Authentication (2FA) adds an extra layer of security to protect your online identity. Enabling 2FA requires you to input a second authentication in addition to your username and password. Examples include fingerprints, retinal scans, and one-time codes and passwords that change frequently (often every 30 seconds).

2. Use SSH

Using SSH allows you to connect more safely to your server and remain protected from hacking attacks. It is commonly used for remote login to a computer system, allowing users to execute commands, transfer files, and manage systems securely.

SSH key pairs are based on public-key cryptography, where a key pair consists of a public key and a private key. Even a relatively short SSH key is much stronger than most passwords because it relies on cryptographic algorithms that are nearly impossible to crack using brute force.

Also, since the private key never leaves the client machine, it is less exposed to the risk of being intercepted or stolen during transmission. Key-based authentication can be configured to disable password-based logins entirely, which eliminates the risk of password-related attacks like brute-force or dictionary attacks.

3. Keep Your Server Updated

It is essential to check for server updates frequently. Indeed, keeping your server up to date ensures that it has the newest security patches and that any security issues found in the older versions are fixed. If you are not using the latest updates, your server can be compromised in a matter of minutes. 

If you prefer not to think about this maintenance, you can enable automatic updates. That way, your server can keep itself up to date for you.

4. Use Firewalls

Your firewall should always be up and running because it represents an important security layer preventing illegal access. 

It is possible to manually block certain IP addresses or ranges unknown to you or if you consider that the user trying to connect from a specific IP address has malicious intent. You should whitelist only those IP addresses or ranges that need access. 

Attackers can use all of your open ports to gain unauthorized access to your server. Close all of the ports you are not using. If you are already using Linux as your server’s operating system, the netstat command can list all of the open ports and help you close the ones you don’t need.

The firewall rules you set will block unwanted traffic or server manipulation. Most importantly, firewalls represent the perfect protection against DDoS attacks.

5. Consider Using Linux as Your Web Server Operating System

Linux is often considered more important or advantageous for securing servers compared to other operating systems like Windows or macOS. Its importance in securing servers stems from its open-source nature, strong security features, flexibility, and the extensive support community. 

The Linux OS allows administrators to fine-tune the OS to minimize vulnerabilities, apply strict security policies, and keep systems updated with the latest security patches. The combination of these factors makes Linux a preferred choice for running and securing servers, especially in environments where security and reliability are paramount.

6. Limit Superuser/Root Access

Disabling direct root login is a security best practice to protect against brute-force attacks. Instead of logging in as root, create a separate user account with superuser privileges that can perform administrative tasks via sudo.

To disable direct root login, modify the /etc/ssh/sshd_config file:

PermitRootLogin no

Ensure SSH is using the more secure Protocol 2. Protocol 1 is outdated and vulnerable.

Protocol 2

Restrict SSH access to a specific group of users by adding the following directive to the /etc/ssh/sshd_config file. First, ensure you have a user group, such as sshusers, that includes the users you want to allow SSH access.

AllowGroups sshusers

After making changes to the sshd_config file, you’ll need to restart the SSH service to apply the changes:

sudo systemctl restart sshd

7. Utilize VPNs and Private Networks

To secure communication with your server, you should use a virtual private network (VPN). Hackers much more easily compromise open networks, but VPNs restrict access to the selected users, greatly enhancing security. 

8. Use a Multi-Server Environment

Isolating web applications and database servers is a great way to secure your server. Separate database servers keep your sensitive data safe in case of server compromise. To configure the total isolation, you will need a fully dedicated, bare metal server that does not share anything with another server.

9. Employ Dedicated Servers for Maximum Security

Dedicated and bare metal servers provide you with a unique level of security because they are physically isolated from other servers, making them much safer than shared servers. They both protect your data and maintain optimal performance. In addition, you will have physical security and the possibility to customize the configuration to your needs. Liquid Web offers great secure dedicated server hosting plans.

10. Implement Regular Backups

Maintain frequent, secure backups of your server data. Store backups in a separate, secure location to ensure data recovery in case of a breach or hardware failure. Consider using the 3-2-1 rule for backup retention:

• Create three copies of your data (one primary and two backups)
• Store copies on at least two different types of storage media
• Keep one copy offsite (e.g., a remote storage server or cloud storage solution)

11. Monitor Server Logs

Regularly review server logs to detect unusual activities or access attempts. Consider implementing an intrusion detection system (IDS) for real-time monitoring and alerts. Some recommended HIDS (Host Intrusion Detection Systems) include:

• OSSEC
• Wazuh (A fork of OSSEC that offers more reliability and scalability)
• Tripwire

For network monitoring, consider NIDS (Network Intrusion Detection Systems) such as:

• Snort
• Suricata

12. Secure the Filesystem

Take additional steps to secure your server’s filesystem:

• Mount filesystems with user-writable directories on separate partitions
• Use nosuid, nodev, and noexec options in the /etc/fstab file
• Set /boot to read-only mode
• Disable booting from removable media if not required
• Set a GRUB bootloader password to prevent unauthorized access during boot

13. Disable Unnecessary Services

Regularly audit and disable services that are not essential for your server’s operation. Use the following commands to view enabled and running services: For Red Hat/CentOS:

systemctl list-unit-files | grep enabled
systemctl | grep running

For Debian/Ubuntu:

service --status-all | grep '+'

systemctl | grep running

Disable unnecessary services using:

systemctl disable [service_name]

14. Implement Ongoing Security Training

Conduct regular security training for all users with access to the server. This should include:

• Monthly security reminders
• Quarterly in-depth training sessions
• Bi-annual security drills across multiple areas (email, network, and physical security)
• Travel security training for remote workers or employees who travel frequently

Remember to stay informed about the latest security best practices and regularly review and update your security measures to maintain a robust server security strategy that keeps you protected against new and evolving cyber risks.

Consider Securing your server with Liquid Web today!

If you have applied the steps mentioned above, your server will be safer and more resistant to DDoS, code injection, cross-site scripting, and other attacks. Our DDoS protection services are available on VPS servers, dedicated servers, and much more.

Cyber threats are on the rise. Contact one of The Most Helpful Humans In Hosting® and take action today!