Top 10 Web Server Security Best Practices

Posted on January 10, 2023 by Michael Flores Feliz | Updated: August 16, 2023

Category: Featured Articles | Tags: Backups, Common Questions, Encryption, Fail2Ban, Firewall, grub, Passphrase, Password, Password Policy, Permissions, Root, Security, Security Policy, Security Practices, selinux, SSH, SSH Keys, SSH Ports, SSL, VPN

Reading Time: 11 minutes

How Can You Ensure Security on a Server?

It is important to secure your server to prevent data loss or security compromises. Because security is such a challenging subject for many, it often goes unheeded. Many are caught unaware when an issue arises. By following these best practices, you can significantly lower your risk of being compromised by a malicious actor.

Server Security Best Practices

1. Server Management

Proper server management ensures all activity continues to meet organizational standards and maintains peak server operations performance. This includes hiring qualified system administrators and implementing physical and internal security measures.

2. Physical Security

Implementing physical security controls helps prevent unauthorized personnel from physically accessing components such as routers, wiring closets, and servers. Controlled access via physical access control (PAC), such as locks, biometric authentication, and other devices like badges, is essential in any organization.

Traditional doors and locks are the most basic form of a physical access control system, but enterprise-grade physical access control systems go much further. Access controls may be more stringent in certain areas of a building, such as organizations that have public access areas and restricted access areas.

Maintaining the credential database and deleting any deactivated users is a security best practice. Also, adding different kinds of PACs is a good formula for more secure control of physical access to vulnerable or essential departments in a business.

3. Update Software and Operating Systems

Maintaining an updating cycle on software and operating systems (OS) is the single most significant security precaution you can take for your server. Updates range from critical vulnerability patches to minor bug fixes. Many software vulnerabilities are patched when they become public, adding to the urgency with which users should install updates.

Since server systems tend to have a complex relationship with software environments, faults can go unnoticed. Failing to maintain your operating system and any other software on your server up to date will inevitably expose it to common vulnerabilities. Businesses must plan to execute regular updates and patches within a reasonable amount of time to maintain security.

4. Secure Connections

SSH

When command line (terminal) access to the server is needed, utilize a secure shell (SSH) connection. SSH creates a secure pipe for data travel. This connection secures only the information sent through the terminal from the computer to the server.

Something else to consider is the SSH port. The SSH default port is #22. Best practice suggests avoiding this port and using a port range of 32768 to 61000 for extra integrity. This change prevents automated attacks on the connection and primary hacking radars.

SSH Keys

Instead of an SSH password for accessing the server, use an SSH key instead. They disable the SSH feature necessary to access the server as the root user, eliminating the need to use a root password. It provides an additional layer of security when connecting to the server than using a password alone.

Using SSH keys also allows us to create a cryptographically secure keypair that stores unique connection information locally on your computer and the server. Because SSH key pairs generate cryptographically, the larger the key size is, the more secure it is.

A proxy server is an option as an additional security measure since they hide any network users behind the proxy's IP address and host firewalls. This setup makes it more difficult for hackers to target specific devices for access.

Multi-Factor Authentication (MFA)

SSH keys are mainly a single-factor authentication method. A two or multi-factor authentication would require the user to give out different kinds of information (phone number, email, government ID) to access sensitive data.

VPN

A virtual private network (VPN) is a private connection to a local, private network from a remote location. It ensures private data remains secured and maintains the confidentiality and integrity of that information. A VPN grants privacy and protection in online communications and browsing, making the connection between your equipment and the Internet confidential.

Fail2Ban

Fail2ban is a server software that prevents intruders by penalizing or blocking remote connections that attempt brute-force access. It allows you to monitor the impact and frequency of attacks, and updates to firewall rules are issued to block suspect IP addresses for a specified time. Fail2Ban can monitor several protocols, including HTTP, SSH, and SMTP. By default, Fail2Ban only monitors SSH but is a helpful security deterrent for any server.

SSL/TLS

Another effective safeguard is server security certificates, such as Secure Sockets Layer (SSL) and Transport Layer Security (TLS). These security certificates are cryptographic protocols for authentication and encryption, with TLS being a newer version of SSL. TLS fixes some security vulnerabilities in older SSL protocols, and these certificates are required for user authentication.

Server security certificates protect network communications by scrambling sensitive data sent over the internet, such as passwords, usernames, and credit card information, allowing servers to validate entities.

Restricting Root Access

SSH should be restricted to a limited subset of users. To do this, add the following information to the /etc/ssh/sshd_config file.

PermitRootLogin no
Protocol 2

Then, add the SSH users group to the /etc/ssh/sshd_config file.

AllowGroups sshusers

5. Disable Unnecessary Services

Audit Services

Service auditing explores what services are actively running on the server, the protocols they are using, and the ports with which they interact. Being conscious of these factors will help lessen any attack vectors in the system.

Most servers come with certain services enabled by default, allowing you to use multiple features available on the server. If these extra services are not in use, it is best to disable them. Running specific commands on a Red Hat-based system helps you find and disable unnecessary services.

Red Hat/CentOS Enabled Services

To view the enabled services in Red Hat or CentOS, run the following command.

systemctl list-unit-files | grep enabled

This is the output.

[root@host ~]# systemctl list-unit-files | grep enabled
var-lib-snapd-snap-core-7917.mount            enabled 
var-lib-snapd-snap-hello\x2dworld-29.mount    enabled 
var-lib-snapd-snap-snapcraft-3440.mount       enabled 
acpid.service                                 enabled 
auditd.service                                enabled 
autovt@.service                               enabled 
crond.service                                 enabled 
dbus-org.fedoraproject.FirewallD1.service     enabled 
firewalld.service                             enabled 
getty@.service                                enabled 
irqbalance.service                            enabled 
microcode.service                             enabled 
NetworkManager-wait-online.service            enabled 
postfix.service                               enabled 
qemu-guest-agent.service                      enabled 
rhel-autorelabel.service                      enabled 
rhel-configure.service                        enabled 
rhel-dmesg.service                            enabled 
rhel-domainname.service                       enabled 
rhel-import-state.service                     enabled 
rhel-loadmodules.service                      enabled 
rhel-readonly.service                         enabled 
rsyslog.service                               enabled 
sonarpush.service                             enabled 
sshd.service                                  enabled 
systemd-readahead-collect.service             enabled 
systemd-readahead-drop.service                enabled 
systemd-readahead-replay.service              enabled 
tuned.service                                 enabled 
snapd.socket                                  enabled 
default.target                                enabled 
multi-user.target                             enabled 
remote-fs.target                              enabled 
runlevel2.target                              enabled 
runlevel3.target                              enabled 
runlevel4.target                              enabled 
[root@host ~]#

The following command shows the running services.

systemctl | grep running

The output is as follows.

[root@host ~]# systemctl | grep running
session-2969.scope                  loaded active running   Session 2969 of user root
acpid.service                       loaded active running   ACPI Event Daemon
auditd.service                      loaded active running   Security Auditing Service
crond.service                       loaded active running   Command Scheduler
dbus.service                        loaded active running   D-Bus System Message Bus
firewalld.service                   loaded active running   firewalld - dynamic firewall daemon
getty@tty1.service                  loaded active running   Getty on tty1
irqbalance.service                  loaded active running   irqbalance daemon
polkit.service                      loaded active running   Authorization Manager
postfix.service                     loaded active running   Postfix Mail Transport Agent
rsyslog.service                     loaded active running   System Logging Service
serial-getty@ttyS0.service          loaded active running   Storm management console on Serial Getty ttyS0
snapd.service                       loaded active running   Snappy daemon
sonarpush.service                   loaded active running   LiquidWeb Sonarpush Monitoring Agent
sshd.service                        loaded active running   OpenSSH server daemon
systemd-journald.service            loaded active running   Journal Service
systemd-logind.service              loaded active running   Login Service
systemd-udevd.service               loaded active running   udev Kernel Device Manager
tuned.service                       loaded active running   Dynamic System Tuning Daemon
dbus.socket                         loaded active running   D-Bus System Message Bus Socket
snapd.socket                        loaded active running   Socket activation for snappy daemon
systemd-journald.socket             loaded active running   Journal Socket
systemd-udevd-control.socket        loaded active running   udev Control Socket
systemd-udevd-kernel.socket         loaded active running   udev Kernel Socket
[root@host ~]#

To disable a service, such as Bluetooth, use this command.

systemctl disable bluetooth

Debian/Ubuntu Running Services

The following command shows you the running services on a Debian or Ubuntu-based server.

service --status-all |grep '+'

Here is the output.

root@host ~# service --status-all |grep '+'
 [ + ]  apache-htcacheclean
 [ + ]  apache2
 [ + ]  apparmor
 [ + ]  apport
 [ + ]  atd
 [ + ]  binfmt-support
 [ + ]  cron
 [ + ]  dbus
 [ + ]  ebtables
 [ + ]  grub-common
 [ + ]  irqbalance
 [ + ]  iscsid
 [ + ]  lvm2-lvmetad
 [ + ]  lvm2-lvmpolld
 [ + ]  lxcfs
 [ + ]  procps
 [ + ]  rsyslog
 [ + ]  ssh
 [ + ]  udev
 [ + ]  ufw
 [ + ]  unattended-upgrades
root@host ~#

This command lists the state of the services regulated by systemV. The plus (+) and minus (-) symbols indicate whether the service is active.

systemctl | grep running

The following shows the output.

root@host ~# systemctl | grep running
  proc-sys-fs-binfmt_misc.automount        loaded active running   Arbitrary Executable File Formats File System Automount Point
  init.scope                               loaded active running   System and Service Manager
  session-1726.scope                       loaded active running   Session 1726 of user root
  accounts-daemon.service                  loaded active running   Accounts Service
  apache2.service                          loaded active running   The Apache HTTP Server
  atd.service                              loaded active running   Deferred execution scheduler
  cron.service                             loaded active running   Regular background program processing daemon
  dbus.service                             loaded active running   D-Bus System Message Bus
  getty@tty1.service                       loaded active running   Getty on tty1
  irqbalance.service                       loaded active running   irqbalance daemon
  lvm2-lvmetad.service                     loaded active running   LVM2 metadata daemon
  lxcfs.service                            loaded active running   FUSE filesystem for LXC
  networkd-dispatcher.service              loaded active running   Dispatcher daemon for systemd-networkd
  polkit.service                           loaded active running   Authorization Manager
  rsyslog.service                          loaded active running   System Logging Service
  serial-getty@ttyS0.service               loaded active running   Storm management console on Serial Getty ttyS0
  snapd.service                            loaded active running   Snappy daemon
  ssh.service                              loaded active running   OpenBSD Secure Shell server
  systemd-journald.service                 loaded active running   Journal Service
  systemd-logind.service                   loaded active running   Login Service
  systemd-networkd.service                 loaded active running   Network Service
  systemd-resolved.service                 loaded active running   Network Name Resolution
  systemd-timesyncd.service                loaded active running   Network Time Synchronization
  systemd-udevd.service                    loaded active running   udev Kernel Device Manager
  unattended-upgrades.service              loaded active running   Unattended Upgrades Shutdown
  user@0.service                           loaded active running   User Manager for UID 0
  dbus.socket                              loaded active running   D-Bus System Message Bus Socket
  lvm2-lvmetad.socket                      loaded active running   LVM2 metadata daemon socket
  snapd.socket                             loaded active running   Socket activation for snappy daemon
  syslog.socket                            loaded active running   Syslog Socket
  systemd-journald-audit.socket            loaded active running   Journal Audit Socket
  systemd-journald-dev-log.socket          loaded active running   Journal Socket (/dev/log)
  systemd-journald.socket                  loaded active running   Journal Socket
  systemd-udevd-control.socket             loaded active running   udev Control Socket
  systemd-udevd-kernel.socket              loaded active running   udev Kernel Socket
root@host ~#

To disable a service, use the following command.

systemctl disable apache

Remove X Windows From the System.

The X Window System (also called X11, or just X) is a windowing system for bitmap displays, standard on Unix-like OSs. It provides a basic framework for a windowed graphical user interface (GUI) environment. The X Windows system included in CentOS, Red Hat Enterprise Linux (RHEL), and Fedora Linux is called X.org.

Most servers do not require a GUI for general server administration tasks, while others use a management panel. It is helpful to know how many open paths there are to the server and only enable the ones you need. It is good to remove X Windows if it comes installed and your server does not require it.

Use this command to remove the X Windows system.

yum groupremove "X Window System"

6. Keep Backups

Losing critical information can be catastrophic for any business. Luckily, numerous reliable backup solutions are available, including server backup software that can support both physical and virtual servers.

Liquid Web offers multiple options for backups. Some tools allow you to quickly perform and automate backups and recovery rates and easily monitor backup profiles to avoid data loss. When putting together your backup plan, the best practice is using the 3-2-1 rule of backup retention.

The 3-2-1 Rule

Three: Create three copies of your data. These copies should consist of one primary copy and two backups.

Two: Store the copies of your data on at least two different types of storage media. You may store one copy on your local hard drive and another on an external drive, network-attached storage (NAS), or a locally kept storage server.

One: Store one data copy offsite. This option can be a storage server held at another location or a cloud storage solution with a hosting provider.

7. User Management

Monitor Login Attempts

Host intrusion detection systems (HIDS) is a type of application that monitors devices and networks for suspicious activity. It examines accessed files, used applications, and data in the kernel logs.

Network intrusion detection systems (NIDS) is an application that monitors network traffic for suspicious activity. It evaluates the flow of data between devices within a network.

HIDS are used for a more well-rounded solution, and NDIS is used for a local area network (LAN) based solution.

Here is a list of HIDS:

OSSEC
Wazuh (A fork of OSSEC that offers more reliability and scalability)
Tripwire
Samhain
Security Onion

NIDS and HIDS can be used in conjunction to form a solid and comprehensive intrusion detection system strategy. Some recommendations include:

Limit User Permissions

To ensure only the needed users have access to critical systems, limit the permission sets they have to 644 or 444 for files and 755 for folders.

Perform User Testing

Set a specific date to perform a security audit and inform users before it comes. Define your expectations and hold them accountable for any noted deficiencies.

Ongoing Security Training

Send out monthly reminders and do training every three months, with six-month dry runs across multiple areas (email, network, and physical), and track failures to improve and add additional training in those areas.

Travel Security

Security does not just end at the front door of your business. Setting up security parameter training for employees traveling abroad is a wise choice in today's world, even more so now with many companies going fully remote or scheduling remote weeks for some departments.

8. Use SELinux

SELinux is a kernel-based security module that provides a mechanism for supporting access control security policies, including mandatory access controls (MAC). It is primarily used as a means to adjust access control requirements.

With SELinux, you can designate what a process or user can do. It can limit operations to their domain, so actions can only interact from allowed domains with certain file types or other processes.

SELinux can exist in any of these three possible modes:

Enforcing - SELinux actively enforces the defined policy.
Permissive - Mainly used for testing. Enforcement is not applied but is logged.
Disabled - The system is inactive.

9. Awareness and Education

Essential things go unnoticed if you don't know what to look for or the questions to ask. While you don’t need to be a security expert to be protected, you must be aware of the dangers that seek to harm your business.

A common misconception is that a fully managed server offering is all the security you need. However, hosting providers work with you and your team to ensure your environment’s security. The hosting provider ensures that the hardware, network, and facilities are secure, but your data is your responsibility. You and your team must educate yourselves on common security issues and how to keep your websites and applications secure from them.

10. Securing the Filesystem

There are several steps to secure the server filesystem. For starters, always mount filesystems with user-writable directories on separate partitions. Also, use nosuid, nodev, and noexec in the /etc/fstab file using the text editor of your choice.

Here are some additional settings to be aware of:

Set /boot to Read-Only

Ensure that the /boot folder is set to RW mode by default, despite only being used for reading or loading modules and the kernel. Use the following command to accomplish this.

/dev/sda1 /boot ext2 defaults ro 1 2

Also, set /boot to read-only in the /etc/fstab file.

Disable Booting From Removable Media

This setting is optional, depending on your server use. To disable booting from removable media, you will need to modify the bios setting to disable booting from removable media like a USB stick.

Set a GRUB Bootloader Password

If someone has physical access to the server, they can get into it. Another wall between an attacker and server access is setting a password on the GRUB bootloader. You can accomplish this by setting up a password to limit access. First, backup the current grub.conf file.

root@host ~# cp /etc/grub.conf /etc/grub.conf.bak

Next, generate a secure password. Create a file, then create the password using the grub-md5-crypt command. You will then be prompted twice to enter a password. Then, copy the created password from the secure file into the grub.conf file.

root@host ~# touch secure
root@host ~# grub-md5-crypt > secure

After this, copy the password and paste it into the grub.conf file after the first line (in RedHat), as shown below. Then, save and exit the file.

splashimage=(hd0,0)/grub/splash.xpm.gz 
password --md5 JnK!xdBep53lt1NVk@K6wb!js%!HEI#^

You will need to reboot the server for the changes to take effect.

Prompt For Root Password Before Entering Single-User Mode

If a malicious actor has physical access to the server, they can select a specific kernel to boot into from the GRUB menu item by pressing the e key. This action allows someone to edit the first boot option to enable booting into single-user mode without being asked for a password.

Your system should be configured to prompt for the root password before entering single-user mode to limit possible exploitation. Following the instructions outlined in the Set a GRUB Bootloader Password section accomplishes this task.

Final Thoughts

Security is a shared concern. Follow these server security best practices and partner with your hosting provider. All of this gives your server environment the security it needs to flourish.

While this article helps with your end of the security bargain, finding a reliable hosting provider is another challenge. The Most Helpful Humans In Hosting® at Liquid Web offer industry-leading support for your hosting environment. Contact our sales team and get started today if you have not looked at our managed hosting options.

About the Author: Michael Flores Feliz

Michael Flores Feliz is a Linux Technician at Liquid Web and an up-and-coming DevOPs engineer. He is also a big car fanatic. His motto is long live Linux and Linux support.