Here in this tutorial we are talking about the basics of the steps required when securing Web server. Hacking is regularly performed by automated scripts written to scour the Internet in an attempt to exploit known website security issues in software. Here are 8 basic tips to help keep your server safe secure and online.
- Remove Unnecessary Services
- Remote access (SSH)
- Server Signatures
- PHP Configuration
- Web Application Firewall
- Operating System & Software Updates
Setting up a good firewall is an essential step when securing any modern operating system. Most of the Linux distributions come with a few different firewall tools that you can use to configure firewall. In this guide, we’ll be covering the iptables firewall.
Only install the Software you need
Do you really need all sorts of web services installed? (rcp / exim / postfix server daemons etc). Avoid installing unnecessary software to avoid vulnerabilities in softwares.
Just install what you need, for example apache or nginx, php and database (Example Mysql or MariaDB).
When a Password-based authentication mechanism is active, meaning that your server is still exposed to brute-force attacks, we want to Disable Password Authentication on the Server, where we use ssh access to console.
SSH keys provide an easy, yet extremely secure way of logging into your server. For this reason, this is the method we recommend for all users.
Web Server signatures
Revealing web server signature in server and PHP version info can be a security risk as you are essentially telling attackers the known vulnerabilities of your web server software.
Add the following two lines at the end of the Apache config file to disable web server signatures.
ServerSignature Off ServerTokens Prod
Hide PHP Version
Another potential security threat is PHP version info leak in HTTP response headers. Apache web server includes PHP version info via “X-Powered-By” field in HTTP response headers.
You can disable this by adding php.ini line
expose_php = Off
Disabling Functionality in PHP.ini
There are certain functions in PHP that we don’t want users to use because of the danger they can pose. Even if you know your users aren’t utilizing certain functions it is wise to completely disable them so an attacker can’t use them, like web shell.
Disable functions and Disable Remote File Includes
Web Application Firewall (ModSecurity)
A Web Application Firewall (WAF) protects the Web servers from malicious traffic and blocks attempts to compromise the system.
We introduce a Web Application Firewall article about commercial firewalls and a few free choices. Depending your configuration we recommend using Open Source ModSecurity Firewall and ModSecurity rules.
Always Keep Software and Linux Kernel Up to Date
Applying security patches is an important part of maintaining Linux server. Linux provides all necessary tools to keep your system updated, and also allows easy upgrades between versions. All of the security update should be reviewed and applied as soon as possible. Again, use an RPM package manager such as yum and/or apt-get and/or dpkg to apply all security updates.
Also if you’re using a Content Manager Software (WordPress, Joomla or Drupal etc), keep the software always updated along with their extensions (Themes, Plugin and so on).
Always make backup of critical files, configurations and databases. Why you need backup is not actually a malware infection, it’s operator error – an administrator accidentally deleting or disabling something they shouldn’t. The quickest way to recover is to restore a recent backup or snapshot whole server if possible. Backups also need to be automated, frequent and off-site different location than itself server.