Security is hot topic on the internet right now and it’s only getting hotter. In recent years, attacks ranging from simple “script kiddies” to complex, state-sponsored organizations (here’s a detailed report on one of them) have only increased. The only way to keep a server or environment completely safe from internet-based attacks is to uncable it, and put it in the back of a closet. Sadly, studies have shown that websites hosted on servers sitting in the back of a closet without an internet connection tend to be ranked lower by Google.
Thankfully, there’s a continuum of security between naked-to-the-world and stuck in a closet. While nothing can make a server’s security absolute, there are a number of things that can be done to make it harder to compromise. Here are five simple steps you can take to get you started:
1. Do not use defaults
Out of the box, most software and hardware contain a default security posture, such as a default username and password or a list of running services. For an attacker, a system still using defaults is a wonderful find. This applies to applications such as Apache as well as the server itself. While it’s becoming less common, one can still find wireless access points configured with the default username and password (which a simple Google search will find for you).
It’s important to note that there are different levels of compromise for a server or system. If an attacker manages to penetrate a server is such a way as to be able to only modify, say, website content, the server would be said to be compromised at the application level. Were the server compromised such that the attacker has full access, the server is said to be ”root-level” compromised.
The danger is that default accounts tend to have elevated privileges or access, virtually guaranteeing a root-level compromise. Besides being more beneficial to the attacker, root compromises are much messier to clean up and can require a full reinstallation to mitigate.
2. Use non-standard ports
Every service on the internet (SSH, DNS, HTTP, etc) is assigned a default port to use. If the internet were a road (remember when it was called the “information superhighway?”) then a port would be a lane on that road. HTTP ‘cars’ would use a lane numbered 80, SSH ‘cars’ would use a lane numbered 22, and so on. These port numbers are well known, and they have to be for the internet to work as it does. One way of keeping things more secure is to run administrative services on a non-standard port. SSH for example could be run on port 1022 instead of 22. While a human would eventually figure it out, most of the attacks run today are automated scripts that only try defaults.
3. Use a firewall
Part of a good security posture is defense in depth. If I just have one server, all of my security has to be implemented on the server itself. This creates additional management work and requires server resources such as CPU and memory. A software firewall such as iptables (Linux) or the Windows firewalls (Windows) is good, but a hardware firewall is better. Hardware systems are purpose-built devices better equipped to handle security needs. A hardware firewall also grants the ability to use VPNs which provide additional security.
4. Only use the ports and services you need
This dovetails with the previous item. Once a firewall is in place, lock down access as much as possible. If you know you’ll only be SSHing to your server from your office IP address, then consider locking down SSH to only that IP. Does FTP need to be open to everyone on the internet? Probably not, so restrict it as much as possible.
5. Keep your servers patched
Just because a server was up to date two years ago when it went online doesn’t mean it’s still up to date today. Security vulnerabilities are always being identified and patches are released. Believe it or not, there are still servers on the internet vulnerable to security holes that were identified five or more years ago. Keeping your servers patched doesn’t guarantee they’re hack-proof, but why make it easy for attackers?
Taking chances with your security isn’t worth it, especially since recovering from a security breach costs an average of $3,000 per day and could take you at least 30 days to completely mitigate its effects. Sure, your company could afford these mishaps, but why spend hard-earned dollars on something you can prevent?
If you’re interested in bolstering your security, having a disaster recovery plan is one effective way to protect your business. After all, when it comes to security, awareness and prevention are key. So please let us know how we can help. Our experts are available via chat to help you find an optimal, secure hosting solution for your environment.
Tags: online security