How can you secure the server that hosts your business’s data?
That’s one of the top questions companies big and small have struggled to answer since cybersecurity became a hot topic.
In today’s security environment, anybody is a potential target for an attack and, unfortunately for most, the next malware infection is right around the corner.
Whether caused by a bad password, lack of antivirus or firewall, or open ports, the high volume of cyberattacks, often targeted at specific industries and companies, forces companies to show initiative.
It’s become imperative to come up with a comprehensive security strategy to safeguard proprietary data and prevent web server security compromise. The secret to any strong security strategy is understanding the main risks and vulnerabilities that could compromise its integrity.
The three most prevalent risks in security in 2020 are DoS attacks, Code Injection, and Cross-Site Scripting.”
But just what are these three security risks?
Three Malicious Risks to Stay Secure From in 2020
Denial-of-Service (DoS) or Distributed-Denial-of-Service Attacks (DDoS)
In a DoS or DDoS attack, offenders will overflow your server with junk data or falsified requests. The server is then forced to try to authenticate. This type of attack taxes server resources, making the websites inaccessible.
These attacks can bring down a network without having to gain internal access. Worse, there is no way to prevent these attacks from occurring and no way to anticipate whether you’ll be a target.
If customers don’t have access to your business, then you could lose money and major points on brand reputation.
Code injection is when a vulnerability is exploited by an attacker and your site or application is changed for their own purposes. This usually leads to clients using your site or application and becoming compromised themselves.
Cross-site scripting, also known as XSS, is a web application vulnerability that allows hackers to send misleading or malicious requests to your browser.
Between the various types of attack your business could face, a layered defense is critical to protect all assets that can be accessed through your web server.
8 Key Steps to Make Your Web Server Secure
1. Use Encrypted Information Transfer
Avoid insecure communication protocols such as telnet or plain FTP. Instead, use secure protocols such as sFTP or FTPs, SSH, and HTTPS. If using SSH, one tip is to change the SSH port to something other than the default port 22, which will help secure against brute force attacks scanning for vulnerable servers across the Internet. It’s not a guaranteed fix against those attacks, but can greatly reduce the chances of suffering from a brute force attack.
A web server or firewall that supports any of these protocols will ensure all information going back and forth is encrypted for protection from third-party interference, which is absolutely critical if your website involves online transactions. Secure communication protocols are vital for web servers that operate with payment information for online transactions.
A website that is PCI Compliant promises customers that your business has taken all the necessary steps to protect their data when shopping online. The Payment Card Industry’s Data Security Standards (PCI-DSS) require businesses to protect customer data through requirements for both their hosting infrastructure and server configuration. We offer a PCI scanning service that can verify your server meets all the PCI-DSS requirements, so you can reassure your customers their data is safe.
Also, have an SSL certificate installed on your website to ensure all transactions between you and customers are secure. SSL certificates are the standard for online security, encrypting online transactions to prevent data exposure to hackers. Liquid Web’s SSL certificates even come paired with Netcraft’s phishing detection to provide real-time alerts that warn site owners when their websites become compromised, ensuring even more protection for your customers’ sensitive data.
2. Adopt Complex Passwords and Multi-Factor Authentication Across the Entire Organization
No matter how many times security experts explain the importance of a strong password, weak passwords such as “admin123,” “123456” or an easy-to-crack dictionary word are still way too common.
Strong passwords are basic and effective, and just as important as using secure communication protocols. Organizations should use different, unique passwords and never reuse the same password for multiple accounts.
Helping your employees learn and implement password security best practices will go a long way to securing your infrastructure.
Make sure you update them at least every 90 days and never share them with anyone. No matter how strong they are, though, the only-password approach is becoming less dependable. A new layer of security is to introduce a multi-factor authentication strategy which leverages something as ubiquitous as a text message to further secure data resources.
3. Consider Linux as an Operating System for Your Web Server
Getting started with a new operating platform introduces a steep learning curve, which is why most companies, depending on their size and resources, need either an inside specialist or external help to continue running Windows.
While Windows remains a massively popular operating system, Apache powers a majority of the worlds web servers. As an open source Operating System, this allows any and all users to review its base code and provide updates and fixes for potential security flaws.
Switching to one of the several flavors of Linux (Ubuntu, Debian, Red Hat) could potentially open additional avenues for your web server needs.
4. Consider Layers of Security for Both Hardware and Software
Wherever possible, use a VPN and a firewall on all web applications and endpoints, including your server. This goes doubly if your organization is sharing the environment or space with another company.
A virtual private network (VPN) is a tunneled private network of remote sites or users utilizing a public network, like the Internet, to connect to each other. A VPN uses encryption to secure your computer’s connection to the Internet, and guarantees that all of the data you’re sending and receiving over the VPN is secured from any potential prying third parties. A VPN can be extremely useful for a growing business to increase productivity without sacrificing security.
A firewall acts as the first line of defense for your server, protecting your data by filtering traffic according to a customizable set of rules. With the firewall in place, a barrier is created between your server and the rest of the Internet. Any traffic that attempts to connect to your server is analyzed, and if it is deemed malicious, that traffic is blocked.
Another important consideration for uptime protection is DDoS Attack Protection. Our DDoS Attack Protection system works to differentiate between legitimate and malicious traffic by monitoring a selected network of IP addresses and analyzing traffic that attempts to reach the server. In addition, our Support team works with our customers during attacks and regularly tweaks the system to ensure it is working effectively.
Also, if you have not done so already, immediately install an antivirus solution to get advanced protection against malware, ransomware, or unauthorized remote access, and run routine security scans.
You may additionally want to consider protection against brute force attacks. Brute Force Detection (BFD) is a service on your server that watches various log files for brute force attacks, which is an attack attempted via rapid logins using a dictionary file. Specifically, BFD looks for several failed login attempts in a short period of time from the same IP address. If detected, the guilty IP address will be blocked in the server’s firewall.
Hardening a server could take hours, but a server protection package like the one available to Liquid Web customers will optimize your security settings in no time.
Add additional security services and modifications to your server with ServerSecurePLUS™, an exclusive Liquid Web product. ServerSecurePLUS™ greatly enhances the security, reliability, compatibility of your server through daily CXS scans and a number of server hardening initiatives including email protection, service hardening, brute force detection, and secured access via SSH, FTP and RDP. Saving you hours of installation time or the hassle of hiring a system administrator, ServerSecurePLUS™ guarantees that your server’s important data will be protected.
5. Maintain Scheduled Updates and Backups
Keep updated, real-time backups of all data, databases, and applications. And test the process! There’s nothing worse than finding out your backups have been failing until after you need them. Additionally, while having local backups is great for quick restores of simple data, keeping an offsite backup is the best way to ensure data recovery in the event of a catastrophic system failure.
Also, always check for web application updates to prevent software vulnerabilities. Security and software updates are not to be taken lightly and should be run as soon as they are available, especially if known to be critical, such as OS or control panel updates. Nearly 60% of organizations that suffered a data breach in the past two years cite as the culprit a known vulnerability for which they had not yet patched.
If your website utilizes a content management system (CMS), then one of the most important things you can do to keep your server secure is to regularly and responsibly update the CMS and any plugins you may have. However, it is important to keep in mind that it might not be necessary to upgrade every time you discover a new update for your CMS. Pay attention to how your plugins may be affected, and discuss how the latest update might protect your data with your IT Support.
6. Restrict Access to Servers and Directories
By restricting access to the servers and directories to only those who need it, you are controlling risk and limiting potential damages. Taking extra measures to prevent mismanagement or third-party unauthorized access on a physical level also means fewer potential issues.
Liquid Web data centers restrict physical access to staff members to prevent any negligence that could cause outages or affect your business. In the same way, permissions to change and delete files and directories should be set so that only administrators with appropriate clearance have more than read access.
7. Control Root Level Access on Your Server
Consider disabling the root user login in the SSH server entirely. The root user gives full, unfettered access to your server to anyone wielding it. It’s massively powerful and should be used only when absolutely necessary.
One of the common methods that brute force attacks use when attempting to gain access to your system is to focus specifically on root passwords. Creating a new user and using an alternative login that you can switch to root when needed will both protect your server and allow you to still have access to root-level functions.
On a Liquid Web dedicated server, you have full root level access and are the only one who has full control over what happens on your server, so you can choose who gets that access and who doesn’t.
8. Choose Dedicated Servers for Top Protection
Even if you have a modest budget, dedicated servers deliver a specific level of protection for your data. Not only do they protect your sensitive information and ensure high server performance, but they also come with two top perks: they deliver both physical security, and can be customized according to your configuration needs.
Liquid Web’s Dedicated Servers can easily be equipped with locked security cages, and include options for hardware firewalls as well as the standard bundled offerings, which provide services such as backups and protection against Distributed Denial-of-Service attacks.