Securing Web Server seems to be a difficult task for most of the web administrators but i can make it easy for you, In today digital age everything is at risk of cyber attack and your web servers are the most intimating target for Bad guys(Blackhat Hackers).
So you want to stop them from bringing harm to your network-
Follow the following steps to ensure that your web server have what you deploy on it not what bad guys want
Install a firewall and/or login failure tracker
You should always run a firewall allowing traffic only on ports that you use, i.e. HTTP, SMTP, IMAP/POP3. It is also good to run a daemon that keeps track of failed login attempts, and blocks these IP addresses at the firewall. ConfigServer Security & Firewall is an excellent piece of software that does both, and is free for personal use-
http://configserver.com/cp/csf.html
MySQL
You should disable the local in file function, which will help to prevent against unauthorised reading from local files. This matters especially when new SQL Injection vulnerabilities in PHP applications are found. Add the following line to your /etc/my.cnf file under the [mysqld] section, and restart MySQL-
local-infile = 0
PHP
Enable only the PHP modules that your sites require
Disable risky PHP functions in php.ini, via a line such as “disable_functions=show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, ini_set”
Use a PHP security module such as suhosin or mod_security
SSH
Disable SSH logins as root user
Allow only publickey logins for root or all SSH users (no password authentication)
Change the port on which SSH runs on by editing /etc/ssh/sshd_config and restarting the SSH service. This will thrwart automated dictionary attacks on the standard port 22
Only allow SSH protocol 2, 1 is outdated and insecure
http://wiki.centos.org/HowTos/Network/SecuringSSH
http://centoshelp.org/security/securing-sshd/
Apache
Use Apache 2.2 or later
older versions of Apache are very vulnerable to serveral vulnerabilities so upgrade it.
Run PHP as suPHP. This setting makes PHP run as the user that is using it. This makes abuse easier to track, and prevents a malicious script from affecting other user’s accounts
Set Server Signature to “Product Only”. This way the server will not divulge the specific version of Apache it is running in error message or HTTP headers (WHM –> Apache Configuration)
Only use Apache modules that your website or users need
Passwords
Do not use simply passwords, such as words you can find in a dictionary, or passwords less than 8 characters long. Try to include a mix of upper and lower case letters, as well as numbers in your password. Do not use the same password you use for your primary e-mail account as other services
Make a password rotation schedule, such as every two weeks, monthly, etc, and stick to it
Set the minimum password strength option in WHM to a value of at least 50 to keep users from setting easily crackable passwords
WHM/cPanel
Disable “Compiler Access” in “Security Center”
Enable “Shell Fork Bomb Protection” in “Security Center”
Set “Password Strength” in “Security Center” to a value of at least 50
PHP Software
Always follow the security recommendations for hardening your installation when installing any PHP software
ALWAYS check at least once a week to make sure you are running the latest version of any mainstream PHP software. Outdated versions tend to have security vulnerabilities that WILL get exploited eventually, resulting in lost data, defaced websites, SPAM being sent from accounts, service suspension, and malware warnings in browsers when people visit your site (which are a pain to get rid of)
Set file permissions securely
All directories should be 755 or 750.
All files should be 644 or 640. Exception: configuration files (wp-config.php, configuration.php, config.php) should be 600 or stricter to prevent other users on the server from reading it.
No directories should ever be given 777, even upload directories
The above are the #1 reasons customer’s websites get hacked
Supplemental Information:http://codex.wordpress.org/Updating_WordPress
http://codex.wordpress.org/Hardening_WordPress
http://docs.joomla.org/Upgrade_Instructions
http://docs.joomla.org/Security
Antivirus/Malware Scan
There are numerous software packages available to scan and monitor your server and accounts for malicious content
ClamAV
AVG for Linux
RKHunter
ChkRootKit
Backups, backups, backups
Make backups, and make them often. Your web host is not repsonsible for backing up your information unless it is specifically included in your plan, or you pay for the service
There are backup features standard in cPanel servers. You can make the download and store it on your home computer or workstation
Make a backup right now, while we’re on the subject
Seriously, do it
SPAM Prevention
If you have a contact form, make sure it isn’t easily exploited by bots. Use a captcha if possibleSet an hourly e-mail limit per account in WHM/Tweak Settings. 500 should be more than sufficient for most accounts
Use strong passwords for e-mail accounts
Check your mail statistics once in awhile to see who is sending the most mail, and at what volume
>>Unnecessary Services
Some Linux installations include services which are rarely if EVER used in web hosting environments, and just add another layer of possible security holes
These include cups, xfs, bluetooth, nfs, rpcidmapd, etc.
Stop and disable these if you do not need them.
these extra services not only increase load on your server in serveral case it has been found that unnecessary services and opened port result in huge security breach in network.
No comments:
Post a Comment