The Basic Security Guidelines for an Admin to Secure a Web Server
Web based businesses buy a dedicated server for many reasons but the common factor is control. When a business has complete control over the environment its website is hosted in, it can optimize the server to suit its requirements. This quality makes dedicated servers the preferred choice for web based businesses that own a popular website. However, with greater control come greater issues primarily security.
Cyber-attacks are on the rise and unsecured dedicated servers are prime targets. There are several reasons for hackers to gain access to your dedicated servers. In this edition, we go through the basic security guidelines for an admin to secure a web server.
Create a strong password: A no-brainer for an admin because hackers are still able to use brute force password crackers to gain access to a server. Make sure your password is at least 8 characters long, can’t be found in a dictionary and has capital alphabets and special characters.
Don’t install applications you don’t trust: Malware can easily sneak in on a dedicate server and open it up to all sorts of security risks. If you are not sure about the authenticity of an application check for reviews or ask your peers in addition to scanning everything before installing on server.
Hide the version of your software and web server: The server signature and the version of the software can be identified by simple methods like creating a 404 error. Armed with this knowledge, hackers can easily exploit vulnerabilities that may not have been patched. Hiding the server and OS version adds a layer of security.
Sign up for the web server and security mailing list: All web server companies, including open source versions, run a mailing list and send out newsletters with updates and announcements. It is the best way to stay up to date with latest developments and security concerns. For third party views, you can subscribe to unofficial lists that send out security updates.
Upgrade to the latest stable version: Upgrading to the latest version of a web server is not always recommended on a production server unless the upgrade has been tested. At times though, the risks outweigh the cautious approach. Attacks on severs may go up before a known vulnerability is permanently fixed. If an update to a software you are using fixes a critical vulnerability, upgrading may be the best approach.
Disable the modules your website doesn’t need: A server runs all modules in the system by default but your website may not need all of them. Identifying and disabling the modules that you don’t need reduces the overheads on the system, possible risks from vulnerabilities and saves several hours every year.
Log all access details: Admin level access is the only way to exploit a security loophole on a server. Track all access to the server and activity details like IP address, username, time and date. The logs can help in identifying and preventing any unauthorized access.
In the next edition of this series we’ll talk about how to secure your LAMP based servers before we move on to the best practices to secure a Windows server.