Most website or blog owners use web servers to host their sites. The server runs 24 hours a day, stopping only for maintenance, so that it can serve visitors to the site. Some people use Windows for their web servers and others use Linux; it depends on the needs of the owner or their programmer. For Linux, I recommend an OS (operating system) such as CentOS, Debian or Ubuntu. These operating systems are widely used, and you can find many tutorials for them. I wrote a tutorial on installing a web server on Linux for high traffic at a low price in the previous article.
Securing the Web Server is necessary
Some people are not concerned with the security of their own web server, and that is very dangerous for them in the future. If a bad guy can access your web server, the losses can include leaked user data, leaked source code, deleted data (if you don’t have a backup) and a large loss of money, and you may even end up in court.
That’s because many people think that securing their servers or businesses from cyber attacks costs a lot of money, especially if you hire security experts. But if you really don’t want to spend a lot of money on your server security, there are several alternative ways to secure the server. Below are some tips for your server security.
1. Use a Strong Password
If you still use a password like “abc123” or “123456”, it’s time for you to stop using technology and wear clothes that say “Where is My Privacy?”. Don’t worry so much that the government is spying on you. Even babies can guess who their mother and father are.
Use a strong password that mixes symbols, numbers and uppercase letters. The minimum recommended password length is 12 characters, and more than 16 is recommended for account logins. For databases like MySQL or MongoDB, use 32-character passwords.
Remember that you must use a different password for each login: SSH, database, email, the administrator login on your website, and others. If you use the same password for everything and a bad guy can access your source code and see your database configuration (with its plaintext password), they can also access SSH and your e-mail, right?
2. Change SSH Port
If you check the SSH access log on your server, you will see a lot of failed login records from people trying to access your server via SSH. This also happened to me exactly a few hours after I made a new server!
That’s because you use the SSH default port. Bad guys out there have programs that automatically scan port 22 (the SSH default port) and try the passwords on their lists to log into your server. What if they get lucky because your password is on their list, and they can log in to your server? Now it’s time to change the SSH port.
When I use Operating Systems like CentOS, Debian and Ubuntu, the file location to change the SSH port is here:
Use Vim, Nano or another file editor to edit the file. Look for the word “port” in the file. You will see the SSH port that you are using now. Change it to a port of your choosing.
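An added example (not part of the original article) of checking the SSH log for the failed logins described above: it counts failures per source IP and flags any login that was accepted from an IP which had already failed repeatedly. The log lines are constructed in the usual OpenSSH syslog format, and the threshold of 3 is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in the usual OpenSSH syslog format (not from a real server).
SAMPLE_AUTH_LOG = """\
Mar  3 04:12:01 web1 sshd[2211]: Failed password for root from 203.0.113.7 port 51122 ssh2
Mar  3 04:12:03 web1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51124 ssh2
Mar  3 04:12:05 web1 sshd[2211]: Failed password for invalid user test from 203.0.113.7 port 51130 ssh2
Mar  3 04:12:09 web1 sshd[2215]: Accepted password for root from 203.0.113.7 port 51140 ssh2
Mar  3 04:20:11 web1 sshd[2302]: Failed password for deploy from 198.51.100.20 port 40022 ssh2
Mar  3 04:20:30 web1 sshd[2302]: Accepted publickey for deploy from 198.51.100.20 port 40030 ssh2
"""

# Matches both failed and accepted authentication events written by sshd.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def summarize(log_text, threshold=3):  # threshold is an assumed value
    """Return (noisy, suspicious).

    noisy: {ip: failure_count} for IPs with at least `threshold` failures.
    suspicious: (ip, user) for logins accepted from an IP that had already
    reached the threshold, i.e. a guess that may have succeeded.
    """
    failures = Counter()
    suspicious = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        ip = m["ip"]
        if m["result"] == "Failed":
            failures[ip] += 1
        elif failures[ip] >= threshold:
            suspicious.append((ip, m["user"]))
    noisy = {ip: n for ip, n in failures.items() if n >= threshold}
    return noisy, suspicious

if __name__ == "__main__":
    noisy, suspicious = summarize(SAMPLE_AUTH_LOG)
    for ip, n in noisy.items():
        print(f"{ip}: {n} failed logins")
    for ip, user in suspicious:
        print(f"CHECK: {user} logged in from {ip} after repeated failures")
```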
3. Unnecessary Ports
With so many techniques and exploits available today, leaving unnecessary ports open gives bad guys more opportunities to attack your web server. If they fail to find vulnerabilities on your site, they will try to attack the open ports on your server’s IP address, such as SSH, database, backup, RMI, Zabbix, and many more.
Seeing the open ports from the attacker’s point of view is very easy. You can download a tool like Nmap and run a scan against the IP address of your web server. I prefer to use Nmap: it gives a deeper analysis of the server I have than just checking with netstat on the server.
After installing Nmap, run a command like this (Example): nmap -p 1-65535 -T4 -A REPLACE_WITH_YOUR_PUBLIC_IP_SERVER
Replace the placeholder with your server’s public IP and wait for the scan to finish. Analyze which ports the users of your site use most often. If your server only serves sites that you create and users only visit your site, the only ports your users need are HTTP (80) and HTTPS (443). Close ports such as SSH or databases, and whitelist the IP addresses that are entitled to use them.
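An added example (not part of the original article) of turning the scan result into a list of ports to close or restrict. It assumes the scan above was also saved with Nmap’s greppable output option (-oG), which the article’s command does not include; the scan text is constructed and uses a documentation IP address.

```python
import re

# Constructed sample of `nmap -oG` (greppable) output for one host.
SAMPLE_SCAN = (
    "Host: 203.0.113.10 ()\tStatus: Up\n"
    "Host: 203.0.113.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4 (protocol 2.0)/, "
    "80/open/tcp//http//nginx/, 443/open/tcp//ssl|http//nginx/, "
    "3306/open/tcp//mysql//MySQL 5.7.30/, 8080/filtered/tcp//http-proxy///\t"
    "Ignored State: closed (65530)\n"
)

# Ports visitors need, per the text: HTTP and HTTPS only.
PUBLIC_PORTS = {80, 443}

# One entry is port/state/protocol/owner/service/rpcinfo/version/.
# Anchoring on the ", " separator avoids matching inside a version string.
PORT_ENTRY = re.compile(r"(?:^|, )(\d+)/open/(tcp|udp)/[^/]*/([^/]*)/")

def unexpected_open_ports(gnmap_text, allowed=PUBLIC_PORTS):
    """Return (host, port, protocol, service) for every open port that is
    reachable from where the scan ran but is not in the public allowlist."""
    findings = []
    for line in gnmap_text.splitlines():
        if not line.startswith("Host: ") or "\tPorts: " not in line:
            continue  # comment lines and "Status:" lines carry no port data
        host = line.split()[1]
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for m in PORT_ENTRY.finditer(ports_field):
            port = int(m.group(1))
            if port not in allowed:
                findings.append((host, port, m.group(2), m.group(3)))
    return findings

if __name__ == "__main__":
    for host, port, proto, service in unexpected_open_ports(SAMPLE_SCAN):
        print(f"{host}: {port}/{proto} ({service}) is open to the scanner: "
              "close it or restrict it to whitelisted IPs")
```

Run the scan from outside your own network, so the result shows what the public can reach and not what your whitelisted IP can reach.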
4. Use Cloudflare
Besides making the site quite a bit faster, Cloudflare really helps me secure the server. You can hide the IP address of your server using Cloudflare. Their DNS propagation is very fast. They sometimes block users who are trying to find vulnerabilities in your site (e.g. SQL injection). Another feature they provide is DDoS protection. They provide these features for free, unless you want other features.
There are settings in your Cloudflare dashboard to automatically reduce the size of HTML, CSS and JS files. This is very helpful for making your website faster and safer. There are many other features that you can explore on the free plan. It’s a good idea to explore them now for your website.
5. Analyze Traffic Logs
Another important thing you have to do is analyze traffic logs. This is very important for security. It is recommended to analyze the traffic history before deleting it. For example, if the bad guys attack your site using the classic SQL injection technique and they are successful, you can see in your server log how they found the vulnerabilities and attacked you from the start.
Doing that is very helpful for you or your developer in fixing existing vulnerabilities. Analyzing traffic logs is one of the first steps to take if you suspect that someone who does not have access rights is already on your server.
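An added example (not part of the original article) of the log review described above: it decodes the query string of each request, keeps the ones that look like SQL injection attempts, and groups them by client IP in log order so you can follow an attempt from the first probe onward. The access-log lines are constructed in the common "combined" format, and the patterns are a small heuristic set chosen for this example, not a complete detector.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines in the "combined" format (documentation IPs).
SAMPLE_ACCESS_LOG = """\
198.51.100.20 - - [03/Mar/2025:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Mar/2025:10:05:10 +0000] "GET /item.php?id=1%27 HTTP/1.1" 500 312 "-" "curl/8.0"
203.0.113.7 - - [03/Mar/2025:10:05:44 +0000] "GET /item.php?id=1+UNION+SELECT+1,2,3 HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.20 - - [03/Mar/2025:10:06:00 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Heuristics applied to the decoded query string (assumed for this example).
SQLI_HINTS = [re.compile(p, re.I) for p in (
    r"\bunion\b.+\bselect\b",    # UNION ... SELECT inside a parameter
    r"['\"]\s*(?:or|and)\b",     # quote followed by a boolean operator
    r"['\"]\s*(?:&|$)",          # value ending in a stray quote (error probe)
    r"\binformation_schema\b",   # schema enumeration
)]

def sqli_timeline(log_text):
    """Return {ip: [(timestamp, path, decoded_query, status), ...]} in log order."""
    timeline = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        decoded = unquote_plus(query)  # undo %27 and '+' before matching
        if any(p.search(decoded) for p in SQLI_HINTS):
            entry = (m["ts"], path, decoded, int(m["status"]))
            timeline.setdefault(m["ip"], []).append(entry)
    return timeline

if __name__ == "__main__":
    for ip, events in sqli_timeline(SAMPLE_ACCESS_LOG).items():
        print(ip)
        for ts, path, query, status in events:
            print(f"  {ts}  {status}  {path}?{query}")
```

In the sample, the 500 response to the stray quote followed by a 200 on the same script is the sequence to hand to your developer: it names the script and the parameter that need fixing.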
6. Update Regularly
Another way the bad guy attacks you is through an old version of software that has been found vulnerable and whose vulnerability has been published. Finding vulnerabilities on your website and securing its code is not enough to secure your web server. If they find no vulnerabilities on your website, they will start looking for vulnerabilities in the software that your server uses, like Nginx or Apache, MySQL or MariaDB, Exim or Postfix, and others.
Let’s take a look at an example: a vulnerability in Exim version 4.90 (CVE-2018-6789). A bad guy can use that vulnerability to gain access to your server. What’s the point of fixing bugs in your website code/app every day if the software on your website is a very old version?
There are many other ways to secure a server if you really intend to secure it. But it all depends on you. Taking easy steps for security is very important to increase user trust in your business. I will update this article if I find a new way for web server security.