Sunday, 19 April 2015

How to Secure Web Servers


Securing a web server seems like a difficult task to most web administrators, but I can make it easy for you. In today's digital age everything is at risk of cyber attack, and your web servers are the most inviting target for the bad guys (black-hat hackers).

So you want to stop them from bringing harm to your network.
Follow the steps below to ensure that your web server runs what you deployed on it, not what the bad guys want.

Install a firewall and/or login failure tracker


You should always run a firewall that allows traffic only on the ports you actually use, e.g. HTTP, SMTP, IMAP/POP3. It is also good to run a daemon that keeps track of failed login attempts and blocks the offending IP addresses at the firewall. ConfigServer Security & Firewall is an excellent piece of software that does both, and is free for personal use:

http://configserver.com/cp/csf.html



MySQL


You should disable the local-infile option (the LOAD DATA LOCAL INFILE function), which helps prevent unauthorised reading of local files. This matters especially when new SQL injection vulnerabilities in PHP applications are found. Add the following line to your /etc/my.cnf file under the [mysqld] section, and restart MySQL:

local-infile = 0



PHP



Enable only the PHP modules that your sites require
Disable risky PHP functions in php.ini, via a line such as "disable_functions=show_source, system, shell_exec, passthru, exec, phpinfo, popen, proc_open, ini_set"
Use a PHP security module such as Suhosin or mod_security

SSH

Disable SSH logins as the root user
Allow only public-key logins for root, or for all SSH users (no password authentication)
Change the port on which SSH runs by editing /etc/ssh/sshd_config and restarting the SSH service. This will thwart automated dictionary attacks on the standard port 22
Only allow SSH protocol 2; protocol 1 is outdated and insecure
http://wiki.centos.org/HowTos/Network/SecuringSSH
http://centoshelp.org/security/securing-sshd/
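To check that an sshd_config really applies the points above before you restart the service, here is an added example in POSIX shell (not from the original post): it reads each directive the way sshd does, first uncommented match wins, and reports what still needs changing. The sample config at the bottom is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config file against the
# SSH recommendations above. sshd uses the first uncommented occurrence of a directive.

# sshd_get FILE DIRECTIVE: print the effective value of DIRECTIVE (names are case-insensitive).
sshd_get() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# sshd_audit FILE: print one FAIL line per deviation; return 0 only if all checks pass.
sshd_audit() {
    cfg="$1"; rc=0
    root=$(sshd_get "$cfg" PermitRootLogin)
    case "$root" in
        no|prohibit-password|without-password) ;;   # root disabled, or key-only
        *) echo "FAIL: PermitRootLogin is '${root:-unset}'; set it explicitly to no"; rc=1 ;;
    esac
    pw=$(sshd_get "$cfg" PasswordAuthentication)
    [ "$pw" = "no" ] || { echo "FAIL: PasswordAuthentication is '${pw:-unset}'; set it to no"; rc=1; }
    pk=$(sshd_get "$cfg" PubkeyAuthentication)
    [ "${pk:-yes}" = "yes" ] || { echo "FAIL: PubkeyAuthentication is disabled; nobody could log in"; rc=1; }
    port=$(sshd_get "$cfg" Port)
    [ "${port:-22}" != "22" ] || { echo "FAIL: SSH listens on port 22; move it to a non-standard port"; rc=1; }
    proto=$(sshd_get "$cfg" Protocol)
    [ "${proto:-2}" = "2" ] || { echo "FAIL: Protocol is '$proto'; allow only protocol 2"; rc=1; }
    return "$rc"
}

# Constructed sample config (not a real server's) that fails three of the checks.
SAMPLE_CFG=$(mktemp)
cat > "$SAMPLE_CFG" <<'EOF'
Port 22
Protocol 2,1
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication no
EOF
sshd_audit "$SAMPLE_CFG" || echo "sshd_config needs attention before restarting the SSH service"
```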


Apache


Use Apache 2.2 or later; older versions of Apache have several known vulnerabilities, so upgrade.
Run PHP as suPHP. This makes PHP run as the user who owns the site, which makes abuse easier to track and prevents a malicious script from affecting other users' accounts.
Set Server Signature to "Product Only". This way the server will not divulge the specific version of Apache it is running in error messages or HTTP headers (WHM -> Apache Configuration).
Only use Apache modules that your website or users need.

Passwords

Do not use simple passwords, such as words you can find in a dictionary, or passwords shorter than 8 characters. Include a mix of upper and lower case letters as well as numbers. Do not use the same password for your primary e-mail account as for other services.
Make a password rotation schedule, such as every two weeks or monthly, and stick to it.
Set the minimum password strength option in WHM to a value of at least 50 to keep users from setting easily crackable passwords.

WHM/cPanel

Disable “Compiler Access” in “Security Center”
Enable “Shell Fork Bomb Protection” in “Security Center”
Set “Password Strength” in “Security Center” to a value of at least 50


PHP Software


Always follow the security recommendations for hardening your installation when installing any PHP software.
ALWAYS check at least once a week to make sure you are running the latest version of any mainstream PHP software. Outdated versions tend to have security vulnerabilities that WILL get exploited eventually, resulting in lost data, defaced websites, SPAM being sent from accounts, service suspension, and malware warnings in browsers when people visit your site (which are a pain to get rid of).
Set file permissions securely:
All directories should be 755 or 750.
All files should be 644 or 640. Exception: configuration files (wp-config.php, configuration.php, config.php) should be 600 or stricter to prevent other users on the server from reading them.
No directory should ever be given 777, not even upload directories.
The above are the #1 reasons customers' websites get hacked.
Supplemental information:
http://codex.wordpress.org/Updating_WordPress
http://codex.wordpress.org/Hardening_WordPress

http://docs.joomla.org/Upgrade_Instructions

http://docs.joomla.org/Security
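An added example (not from the original post) that audits a site tree against the permission rules above. It assumes GNU find (for -printf); the configuration file names are the three the post lists, and the sample tree it builds is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: list every path under a web root whose
# permissions break the rules above. Assumes GNU find (for -printf).
# perm_audit DIR: print "KIND MODE PATH" per offender; return 0 only if nothing was found.
perm_audit() {
    root="$1"
    out=$( {
        # Directories must be 755 or 750 (this catches any 777, upload dirs included).
        find "$root" -type d ! -perm 755 ! -perm 750 -printf 'DIR  %m %p\n'
        # Configuration files must be 600 or stricter (400 is also acceptable).
        find "$root" -type f \( -name wp-config.php -o -name configuration.php -o -name config.php \) \
            ! -perm 600 ! -perm 400 -printf 'CONF %m %p\n'
        # All other regular files must be 644 or 640.
        find "$root" -type f ! \( -name wp-config.php -o -name configuration.php -o -name config.php \) \
            ! -perm 644 ! -perm 640 -printf 'FILE %m %p\n'
    } | sort )
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample site (not a real one) with two deliberate mistakes.
SITE=$(mktemp -d)
mkdir -p "$SITE/uploads" "$SITE/includes"
: > "$SITE/index.php"; : > "$SITE/wp-config.php"; : > "$SITE/includes/lib.php"
chmod 755 "$SITE" "$SITE/includes"
chmod 777 "$SITE/uploads"                         # wrong: world-writable upload directory
chmod 644 "$SITE/index.php" "$SITE/includes/lib.php"
chmod 644 "$SITE/wp-config.php"                   # wrong: readable by every user on the server
perm_audit "$SITE" || echo "fix the paths listed above (chmod 750 dirs, 640 files, 600 configs)"
```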



Antivirus/Malware Scan



There are numerous software packages available to scan and monitor your server and accounts for malicious content
ClamAV
AVG for Linux
RKHunter
ChkRootKit


Backups, backups, backups



Make backups, and make them often. Your web host is not responsible for backing up your information unless it is specifically included in your plan, or you pay for the service
There are backup features standard on cPanel servers. You can download the backup and store it on your home computer or workstation
Make a backup right now, while we’re on the subject
Seriously, do it

SPAM Prevention

If you have a contact form, make sure it isn’t easily exploited by bots. Use a captcha if possible
Set an hourly e-mail limit per account in WHM/Tweak Settings. 500 should be more than sufficient for most accounts
Use strong passwords for e-mail accounts
Check your mail statistics once in a while to see who is sending the most mail, and at what volume


Unnecessary Services


Some Linux installations include services that are rarely, if ever, used in web hosting environments and just add another layer of possible security holes.
These include cups, xfs, bluetooth, nfs, rpcidmapd, etc.
Stop and disable these if you do not need them.
These extra services not only increase the load on your server; in several cases unnecessary services and open ports have been found to result in a major security breach of the network.
