Picture this: you have just completed a brand new installation of a server (Windows Server, Ubuntu, etc.) where you are going to deploy your organization's web portal. You need to ensure this service stays online and protected from bad actors.
You’ve already thought of a really hard-to-guess admin password, so you’re off to a great start. Clients will access the server through the public IP address, so you have decided to port-forward (NAT) ports 80 (HTTP) and 443 (secure HTTPS connections) through to it. You have connected your new server to the World Wide Web and you’re ready to launch.
Now you have to ask yourself: have you done enough? How secure is your new server?
How to start protecting your web server
Your server security checklist
A strong password for admin access to your server is the bare minimum! Follow this security checklist to make sure you have covered the fundamentals.
1) System updates – especially security patches since the last ISO was released
Use the utility that comes with your operating system (OS) of choice to check for updates and security patches. With regular updates, you can avoid unnecessary risks from potential loopholes/backdoors that have already been fixed by the OS vendor.
2) SSH access – disable Root
The “root” user has superior power and can execute any command on your system. If your server has access to the internet and if port 22 is allowed through your firewall, it’s best to disable root access to avoid the risk of a bad actor taking complete control of your server by hijacking or impersonating the root user.
If you have a Linux server, open /etc/ssh/sshd_config, look for PermitRootLogin, and change the value next to it from yes to no.
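Changing the value is not always enough: sshd keeps the first value it reads for a keyword, and a Match block can turn root login back on for some connections. The script below is an added example, not part of the original article; the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit PermitRootLogin in an sshd_config-style file.
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and a Match block can override the global value.
# Include files are not followed by this script.

# Print the global (pre-Match) PermitRootLogin value, or "unset".
global_root_login() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/=/, " ") }
        /^#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# Print each Match block that sets PermitRootLogin to anything but "no".
match_overrides() {
    awk '
        { sub(/^[ \t]+/, ""); sub(/=/, " ") }
        /^#/ || NF == 0 { next }
        tolower($1) == "match" { block = $0; next }
        block != "" && tolower($1) == "permitrootlogin" && $2 != "no" {
            print block " -> " $2
        }
    ' "$1"
}

# PASS only when the global value is "no" and no Match block overrides it.
audit_root_login() {
    value=$(global_root_login "$1")
    overrides=$(match_overrides "$1")
    if [ "$value" = "no" ] && [ -z "$overrides" ]; then
        echo "PASS"
    else
        echo "FAIL global=$value overrides=${overrides:-none}"
    fi
}

# Constructed sample: the edit was made on the later line, so it has no effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin yes
#PermitRootLogin prohibit-password
PermitRootLogin no
EOF
audit_root_login "$sample"   # the first uncommented line wins
rm -f "$sample"
```

On a live host, `sshd -T` prints the effective configuration, including any Include files this script does not follow.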
3) Physical server security
It’s no use protecting your server from illegal remote access if local physical access is unsecured – someone could walk right up to it and access the physical console.
To address this, access the server BIOS and disable booting from external devices (such as DVDs / CDs / USB thumb drives). Set the BIOS and grub boot loader passwords to protect these settings.
Lock the server hardware in an IDC (Internet Data Center) or similar secure room/cabinet, and require that all persons pass security checks before they are allowed to access your server.
4) Lockdown – bind to localhost
Every server process available to the network must be defended from potential threats. You can reduce your exposure to unnecessary risk by binding processes to localhost when they do not require network access; for example, a local instance of MySQL on your web server.
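To check which processes are actually reachable from the network, you can filter the listening-socket table for anything not bound to loopback. The script below is an added example, not part of the original article; the function name, the allowed-port list and the sample `ss -ltn` output are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: list TCP listeners reachable from the network on ports
# that are not meant to be public. Input is `ss -ltn` output on stdin.

# $1 = comma-separated ports that are allowed to listen on all interfaces.
exposed_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "LISTEN" { next }                 # also skips the header line
        {
            port = $4; sub(/.*:/, "", port)      # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)  # text before the last colon
            if (addr ~ /^127\./ || addr == "[::1]") next   # loopback only
            if (!(port in ok)) print addr ":" port
        }
    '
}

# Constructed sample: a web server whose local MySQL listens on every interface.
sample_ss=$(cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      151          0.0.0.0:3306      0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53        0.0.0.0:*
LISTEN 0      128             [::]:22           [::]:*
EOF
)

# Only 80 and 443 are meant to be public in this scenario.
printf '%s\n' "$sample_ss" | exposed_listeners "80,443"
```

On a live host, run `ss -ltn | exposed_listeners "80,443"`. For the MySQL case above, setting `bind-address = 127.0.0.1` in the MySQL server configuration moves the 3306 listener to loopback.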
5) Keep it clean – remove old stuff
All computer systems tend to accumulate junk over time. Bad actors can target and exploit old, unused data – especially if it is not kept as secure as more relevant, up-to-date data. You can minimize your risk by removing unused data that is sitting on your server while serving no purpose. Also, don’t forget to clean old home directories and remove old users.
What to do when they come for you
Advanced security against determined threats
If you’ve followed the steps above, you have gone a long way towards “hardening” your server installation against potential threats and minimizing your exposure to risk. But now what about those bad actors? They’ve noticed that your portal is attracting a lot of users and they see an opportunity to exploit this traffic. So they go for the easiest trick in the book: SQL injection.
You followed all the best practices so your web server is secure, right? Not necessarily. Depending on how well the code was written for your web portal, there’s still a chance that they can access your main admin account and take complete control of your server.
They could also try cross-site scripting. With this technique, they could change what is displayed on your website and could even capture credit card information or other sensitive personal data from your users. This would massively compromise your organization and your customers.
What more can you do, on top of the security fundamentals we’ve already learned, to secure your web server against those bad actors who are determined to exploit any weakness in your online operation?
Reverse proxies and ADCs
Welcome to the world of a reverse proxy. Reverse proxies are designed to sit between your server and the outside world, and provide another layer of security. An example of a product that can act as a reverse proxy is an Application Delivery Controller (ADC), like Snapt Aria or Snapt Nova.
The ADC faces the World Wide Web and passes traffic securely to and from your backend server. Your server is never in direct connection with potential bad actors.
Snapt’s ADCs include a Web Application Firewall (WAF), which protects your servers from SQL injection, cross-site scripting, DDoS attacks and other threats. It will automatically block known bad IPs and botnets. You can also set up the WAF to block specific IP addresses, IP address ranges or entire countries, if you don’t want them to have access to your services.
How to ensure you stay online and protected
Getting ahead of potential problems
What else can you do to ensure your services stay online and protected? Availability, performance and observability are the final components in providing total security for your deployment.
An ADC like Snapt Aria or Snapt Nova provides Load Balancing functionality to balance traffic loads and computation loads between multiple web servers – and even between multiple geographic locations with global server load balancing (GSLB) – ensuring that you stay online and responsive even when loads increase, or when you grow your backend pool of servers, or when you expand your infrastructure into new territories.
An ADC should also include a Web Accelerator, which performs a range of tasks like SSL termination and content optimization, to reduce client-server response times and take some of the computational load off your web servers. This makes it less likely that your servers will ever get overloaded, a problem which can lead to slowdown and possible downtime.
Finally, look for an ADC solution that provides in-depth reporting and analysis on your web servers’ operation. Who doesn’t like pretty graphs, right? Especially when Snapt’s proactive reporting can alert you to potential threats and failures before they fully materialize, enabling you to get the drop on these issues before they become a problem.
Start protecting yourself with Snapt
Snapt Aria is a full-featured, high-performance software ADC. It’s ideal for companies that need traditional ADCs with flexible licensing and capacity, whatever their clouds, platforms, locations and budgets. It is available to try free with a 14-day trial.
Snapt Nova offers full-stack software ADCs served dynamically from Nova's centralized, scalable, multi-location controller. It is perfect for DevOps, Developers and Infrastructure IT at companies embracing digital transformation and migrating workloads from legacy load balancers to a more modern app delivery fabric. The Community Edition is available to use free, with upgradeable licenses available on-demand.