Upping Your Server Security

Three top tips for making sure your server is as secure as possible.
A server’s always-on / always-connected nature makes for a tempting target to hackers and other online miscreants.  Whether this happens with a view to launching spam email campaigns, DoS attacks or simply defacing a website, there are unfortunately always those looking for a way into your server.  In this article I’m going to look at some basic things you can do to help secure your server and keep those with bad intentions out.

1. Careful Software Management

Any software on your server that is exposed to the internet can be used as a method to gain access.  Access can come though poor configuration of a service, others through exploitation of a flaw.  To this end it’s important to manage your software to minimise the possible attack vectors open to a potential attacker.
The key things to do are:

• Uninstall any software that you don’t actively use, or if you cannot uninstall it then disable it
• Only install and use software from trusted suppliers
• Always keep software up to date with security patches

Removing unused software has fairly obvious benefits. If there is any software present that can be accessed, removing them lowers the number of vulnerabilities that can be found.  Similarly, keeping software up to date with security patches means that when suppliers find and fix vulnerabilities you are protected from any potential attacks involving them.  Only installing software from trusted suppliers is very important, as getting the software from a third party that may be infected with viruses or may have been modified by hackers to introduce access methods to a computer leaves you wide open to attack.  This goes for both software that you install and also website scripts and modifications.  Something we see a lot of are WordPress themes and mods that come with additional scripts that allow a hacker to easily gain access to the server. These are difficult to spot if you don’t know what you are looking for and rely on the WordPress administrators to simply install them without checking them for exploits.  Similar cases happen with other website software too; WordPress isn’t alone in this respect.

2. Configure Your Server’s Firewall

Most server operating systems come with some form of firewall software.  It is important that this is configured to ensure that remote users can only access elements on your server that you wish them to.  The key thing is to make certain that access to the configuration software on your server is restricted.  On Linux servers this generally means SSH and potentially any control panel software such as cPanel or Virtualmin.  On Windows servers this generally means Windows Remote Desktop and any control panels such as Plesk.  You will want to make use of your firewall to limit access to these services to only IPs that require access.  If your ISP supplies you with a dynamic IP address that may change on a weekly basis, restricting this to the ranges of IPs that your ISP uses is still much better than leaving these services open to the world to access.
This can be a bit complicated for beginners, but there are plenty of tutorials online to help with configuring your firewall.  If it still feels a bit difficult then our managed support teams can aid you in getting this configured to your needs should you require it.

3. Manage Your User Accounts

Generally it is seen as poor security to be logging into your server management tools using the superuser account (root in Linux or Administrator in Windows). Instead separate user accounts should be created for each user accessing the server, and permissions should be assigned to those accounts as required for their roles.  This is because attackers will generally attempt to log in using the superuser account names on a server using brute force attacks to repeatedly guess at a password.  If these accounts are banned from logging in remotely then the attacker would be wasting their time, and in order to attack your server they would also need to successfully guess the username of a valid user as well as their password.  By having limited access for each user, should an attacker successfully gain access to the server they will then be limited in the damage they can do, and with any damage traceable back to a single user can potentially make it easier to find out what was done in an attack.
Remember to request that all your users use secure passwords.  It is often better to allow your users to create their own passwords and enforce a certain amount of complexity rather than enforcing the use of truly random passwords.  Insist on passwords of 10 characters or longer, with a mixture of, numbers, letters (upper and lower case) and symbols, as in general shorter passwords can be brute forced relatively swiftly on modern computers.
Again, our managed support team can help you with managing your user accounts on your server and helping limit access to the superuser accounts should you struggle in doing this yourself.
Making use of these three relatively simple guidelines should help your server stay secure and minimise your exposure to attacks.  This should in turn reduce the amount of time you need to spend responding to issues with your server, and potentially cleaning up any mess caused by an attacker.
Need help or advice about securing your server? Our team are on hand 24/7/365! Contact us here.