This server security checklist provides a comprehensive overview of all aspects of website and server security. You’ll find details of all the potential threats, as well as the techniques and technology you can employ to reduce or eliminate them.
We’ll compare complementary and alternative server security techniques, and provide specific instructions for securing applications, networks and websites on Windows and Linux servers. You’ll also find links to more detailed resources and service providers for each of the areas we explore. Read on for a more secure hosting environment.
Security threats
With such a large number of possible hardware, software and scripting combinations on the web, it’s no surprise that the variety of security threats evolves as fast as the technology they seek to compromise.
The CVE (Common Vulnerabilities & Exposures) database alone includes over 59,000 known information security threats, and a search for apache brings up a list of 558 known vulnerabilities.
While the techniques used to access data and alter code vary greatly, a security breach usually has one of these aims:
Database access and the theft or corruption of personal or sensitive data
Altering website code in order to change what users see
Intercepting personal and sensitive data
Denial of Service (DoS) attacks that render services unavailable
Server security checklist
If you’re asking yourself “how secure is my server?” here’s everything you need to consider. If you are an iWeb customer and you want further information on securing your iWeb server, feel free to get in touch.
Hosting plan
The most basic first. If you are using shared hosting, it is relatively easy for others sharing your server to read and write from your files. That means it’s possible for someone to change your code or to retrieve the security credentials for your database.
It should be pointed out that there are usually security measures in place to prevent this from happening. But a determined hacker, poor programming or lack of security would put you at more risk than if you use a VPS or dedicated server.
A dedicated server also gives you more control over the more advanced security measures detailed below. With shared hosting it’s not possible to have your own hardware firewall, a backup server or a secure network.
Beyond the type of hosting you choose, the net effect of the technology, network and security measures put in place by your hosting provider will affect how well you are protected from more complex attacks.
Your hosting plan is also the basis for your personal security measures
On this basis you should be satisfied that your hosting provider has the experience, expertise and infrastructure in place to provide a solid basis for securing your server.
Updates and patches
Many of us use out-of-the-box software, applications and content management systems (CMS) to run websites, applications or interfaces on our servers.
One major benefit of this approach is that many of the core security measures are addressed by the developers of these services, whether they are commercial products (e.g. Microsoft) or trusted open-source applications (e.g. WordPress, MySQL, Joomla). As the technology we use and the methods used by hackers both evolve, developers provide updates to address newly discovered security issues.
So it’s important to keep your software up-to-date, balancing this need with the cost of managing the updates and their effect on compatibility with other applications and plugins.
Encryption & SSL certificates
If you use the https protocol, for example on pages containing secure forms, you will need an SSL certificate for your website in order for the https protocol to function and for any data to be encrypted.
If you do not have a valid SSL certificate the data will not be secure, and the user will see a warning in their browser that the authenticated connection could not be established and the form is not in fact secure.
Passwords & authentication
Make sure that authentication is required wherever possible, and check from time to time that this is still the case. It is a good idea to change the passwords for your server, FTP and CMS regularly, especially if you are in an organization where personnel change frequently. Choose passwords that mix upper-case and lower-case letters with numbers.
This may sound obvious, but regularity and diligence count. In their 2013 Information Security Survey, PricewaterhouseCoopers found that 37% of information security attacks originated from internal employees while 28% came from ex-employees and partners.
Firewalls
Firewalls use filters to block or allow traffic between networks, depending on the filter configuration.
For you and your organization this could mean:
Restricting access to your internal network to your employees only
You can set a firewall to filter by IP address and prevent people from accessing your private network from the public web.
Restricting access to your server administration
You can set a firewall to filter by IP address and restrict access to your server (in addition to authenticating access with a username and password).
Protecting your website against common attacks
Advanced firewalls protect against a wide range of common security breaches by recognizing their signature and by preventing/modifying certain types of activity to protect against known threats like Cross Site Scripting (XSS), SQL injection and Cookie tampering and manipulation to name a few.
There are two types of firewall: hardware and software. Hardware firewalls sit between your networks and the internet and can be more easily and thoroughly configured. If you have a dedicated server, private network or virtual private network (VPN) you may find that a hardware firewall is a more effective and easier to manage solution than a software firewall, which needs to be installed on every computer in the network and managed at the local level.
There are several ways to manage your firewall configuration:
Configure the firewall yourself
Have your System Administrator configure the firewall
Use a hosting provider that provides managed firewall (or security) services
Buy an out-of-the-box solution
Anti-virus and anti-spyware
A firewall will not necessarily protect you from viruses, malware or spyware. So it is a good idea to install, update and run specific anti-virus programmes to check for and remove these problems before they can cause any damage.
These programmes are widely available and are usually included in hosting providers’ premium security management packages. Here is a list of small business anti-virus reviews on Top Ten Reviews.
Change access ports
A simple and useful security measure is to change the default ports of your services, so that attackers scanning for the standard ports do not immediately find the connections you are using. This is particularly relevant if you are using RDP and SSH to allow remote access to your server. If these services are not available on the typical ports, it becomes that much more difficult for an attacker to locate them and access your server.
Intrusion detection and prevention
In addition to firewalls and antivirus protection, you can also choose between a wide variety of more advanced intrusion prevention and intrusion detection systems.
Intrusion detection systems look for suspicious activity and alert you that there may be a virus on your server or somebody attempting malicious activity. Intrusion detection and prevention systems compare server activity to an updated database containing the signatures of malicious activity or viruses. If it finds a match, you are alerted and you can investigate further.
You can read some detailed information about intrusion prevention and detection systems on webopedia.
Secure programming
Many threats to websites can be reduced at the coding level through secure programming practices. It’s all a case of using a platform, framework and programmer that you trust and who can address each of these items:
Authentication
Input Validation and Input Filtering
SQL Security
Cross Site Request Forgery (CSRF) Protection
Session Management Security
Cross Site Scripting (XSS) Protection
This is a big topic, but some of the notable threats that can be reduced or eliminated by secure programming (or facilitated by negligence) include the theft of session cookies (allowing access to user accounts) and code injection, resulting in malicious changes and commands to your website or database.
For detailed, practical information on each of the items listed above see Mozilla’s resource on Secure Coding Guidelines.
Backup
As well as preventing attacks you also need to be prepared for the worst. In the event of an attack that alters your website or database, you may need to roll back to an earlier version or restore lost data, so you need to consider backing up your data and website files.
Creating a backup essentially consists of saving copies of your files. There are a range of ways to do this, ranging from manually saving the files to a computer, server or cloud storage to having your hosting provider manage backups.
If you manually backup your data, it is important to be organized and maintain regular backups. You should also consider that regular backups involve moving large amounts of data and will eat into your bandwidth allowance.
There are also services that can help you organize your backups, store the data and manage the backups in such a way that only files that have been changed since the last backup are included, saving you time and bandwidth.
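The changed-files-only approach described above, as an added Python example that is not iWeb's code or that of any listed service: it keeps a manifest of content hashes from the previous run and copies only the files whose hash differs; the small site tree it backs up is constructed in a temporary directory.

```python
import hashlib
import json
import os
import shutil
import tempfile

def file_digest(path: str) -> str:
    # SHA-256 of the file content; any edit produces a different digest.
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def incremental_backup(src: str, dest: str, manifest: str) -> list:
    # Copy only files whose digest differs from the one recorded by the last
    # run; the manifest is a JSON map of relative path -> digest.
    try:
        with open(manifest) as f:
            previous = json.load(f)
    except FileNotFoundError:
        previous = {}
    current, copied = {}, []
    for root, _dirs, files in os.walk(src):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, src)
            current[rel] = file_digest(full)
            if previous.get(rel) != current[rel]:
                target = os.path.join(dest, rel)
                os.makedirs(os.path.dirname(target), exist_ok=True)
                shutil.copy2(full, target)  # copy2 keeps the timestamps
                copied.append(rel)
    with open(manifest, "w") as f:
        json.dump(current, f)
    return sorted(copied)

def _write(path: str, text: str) -> None:
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)

def demo() -> list:
    # Constructed site tree: run the backup three times (initial, unchanged,
    # after editing one file) and return the copied files from each run.
    base = tempfile.mkdtemp()
    src, dest = os.path.join(base, "site"), os.path.join(base, "backup")
    manifest = os.path.join(base, "manifest.json")
    _write(os.path.join(src, "index.html"), "<h1>Welcome</h1>")
    _write(os.path.join(src, "css", "style.css"), "body { margin: 0 }")
    first = incremental_backup(src, dest, manifest)
    second = incremental_backup(src, dest, manifest)
    _write(os.path.join(src, "index.html"), "<h1>Edited</h1>")
    third = incremental_backup(src, dest, manifest)
    return [first, second, third]
```

Files deleted from the site drop out of the manifest but stay in the backup directory; a real backup tool also records removals and keeps more than one generation so that a compromised file can be restored from before the change.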
This useful article on Webdesign Tuts+ has some more detailed information on backing up websites and links to some of these services.
The most hands-off approach is to have your hosting provider manage your backups and data synchronization.
The amount of data you have on your servers will determine whether you can use a web-based backup service or need a dedicated backup server. iWeb provides managed backup and data protection using R1 Soft web-based data protection services for up to 500GB of data storage, beyond which a dedicated backup server is needed to store the larger volume of data.
The user’s eye view
As well as ensuring your own data, code and forms are secure, you should also think about how users of your services or website consider their digital interactions with you.
Certification
If your SSL certification is incorrectly set up, expired or simply absent and someone loads a secure page on your website, their browser will alert them and perhaps even advise them against trusting the website. Make sure you or your managed hosting provider are managing your SSL certificates, and that the user journeys are tested regularly.
Phishing
Phishing is the use of direct marketing, mainly email, to impersonate a company or service provider that is known and trusted by the recipient, with the aim of tricking them into providing some personal details. Most phishing scams impersonate financial services providers’ websites and entice the user to click through and give up information like username, password and account number.
People tend to be well educated in phishing due to the sheer volume of these scams. If you intend to send somebody to a landing page with a form, consider how they will view this request and whether it might be better to create a separate landing page that links to the form.
Session timeout
Session timeouts are an important security measure against Cookie tampering and theft. They are also incredibly annoying for users.
While online banking services will have short session timeout windows due to the nature of the risks and consequences of someone compromising an account, think about whether your website needs session timeouts and if there are other ways that you can hedge against this kind of hacking.
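Session timeouts as described above, as an added Python example that is not part of the original article: a server-side session store with both an idle timeout and an absolute lifetime, so that a stolen cookie stops working at whichever limit comes first. The timeout values are assumed, and the clock is injectable so expiry can be exercised without waiting.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    created: float
    last_seen: float


class SessionStore:
    # Server-side session table keyed by the random cookie value. Two limits
    # apply: an idle timeout (no request for idle_seconds) and an absolute
    # lifetime (max_seconds after login, however active the user is).
    # The defaults are assumed values; tune them to the risk of the site.
    def __init__(self, idle_seconds=900, max_seconds=8 * 3600, clock=time.time):
        self.idle_seconds = idle_seconds
        self.max_seconds = max_seconds
        self.clock = clock  # injectable so the expiry logic can be tested
        self._sessions = {}

    def create(self, user: str) -> str:
        # 32 random bytes: a cookie value that cannot be guessed or counted up.
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[token] = Session(user, now, now)
        return token

    def lookup(self, token: str):
        # Returns the user for a live session, or None. A stolen cookie is
        # only useful until one of the two limits is reached.
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if (now - session.last_seen > self.idle_seconds
                or now - session.created > self.max_seconds):
            del self._sessions[token]
            return None
        session.last_seen = now  # activity extends the idle window only
        return session.user

    def destroy(self, token: str) -> None:
        # Explicit logout: drop the server-side record so the cookie is dead
        # even if the browser still holds it.
        self._sessions.pop(token, None)
```

The absolute lifetime is what bounds the damage for a user who stays active on a compromised cookie; the idle timeout is the one users notice, so it is the value to relax when balancing annoyance against risk.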
Further reading
You can find more server security how-to guides, as well as a wider range of server management tutorials, on the new iWeb Knowledge Base.
Here are some related articles from around the web that you may find useful depending on your organization.
Secure Coding Guidelines from Mozilla
Data security tips for small businesses on smallbusinesscomputing.com
Guide to backing up your website on Web Design Tuts+
PWC Information Security Survey
Protecting your cookies and other tips on Coding Horror by Jeff Atwood
A Cisco white paper on protecting against DDoS attacks
Apache server security tips on the Apache website
Small business anti-virus reviews on Top Ten Reviews