Due to their function, web servers are different from many other devices in a typical network environment. They are not only exposed to the internet by design, but they are likely serving web traffic to complete strangers. Additionally, in many situations web servers are likely serving dynamic applications such as WordPress websites or acting as proxies to other internal applications. It’s no surprise, then, that web servers present themselves as attractive targets for attackers.
Hardening a system refers to the process of improving a system’s defenses so that it is more difficult for a malicious hacker to compromise that system and gain a foothold in a network.
The process of hardening a web server will of course depend on the type of web server you are using (e.g. Apache HTTP Server, Nginx, Microsoft IIS…), however, there are a number of fundamentals and best practices to improve your web server security that you need to keep in mind no matter what web server you are using.
This article is a guide to web server hardening. In this document, we’ll look at a number of technology-neutral best practices that you can use to improve your web server security. For WordPress hardening, refer to our WordPress security and hardening guide.
1. Keep your web server up to date
Keeping software up to date might not seem like a big deal, but applying security patches on time is arguably one of the most important defenses you can implement. In addition to performance and stability improvements, web server and operating system updates often contain fixes for security vulnerabilities.
At first glance, this may seem trivial, however, any information security professional will tell you that patching is more complicated than it seems, not because installing the latest version of most software is particularly difficult, but because patching is always considered something that can be postponed.
The best approach to ensuring that your web server software is constantly updated is to find a system or routine that works for you or the person responsible for updating your web server and operating system. Most of the time, this boils down to a periodic reminder (e.g. setting up a repeating calendar event) that you will take time for.
2. Remove unnecessary software and modules
Although it might not always seem like it, web servers are complex pieces of software. Some web servers, such as Apache HTTP Server, come with a series of “modules” (similar to what plugins are for WordPress) that you can enable or disable depending on your use case. Malicious attackers are known to exploit features and vulnerabilities in a web server module to gather more information about your web server. While this may not be the only reason for a successful attack, the purpose of hardening web servers is to take a defense-in-depth approach and make it difficult for malicious actors to gain even the smallest foothold. .
A practical example of this is modules like Apache HTTP Server’s mod_status. This module is designed to get an overview of server activity and performance (current hosts, number of requests being processed, number of idle workers, and CPU usage) via the /server-status URL. Such a feature can provide an attacker with a pretty good indication of your web server’s performance – a very useful tool in the event of a Denial of Service (DoS) attack.
Likewise, other unused software running on your web server may pose an unnecessary risk. For example:
- Are you using an FTP server, such as vsftpd which you don’t need?
- Is there a mail transfer agent such as Sendmail or Postfix that you no longer need? If you use a third-party service to improve WordPress email deliverability, you won’t need such a service.
These apps/services and many more on the server are all components that have their own security quirks, vulnerabilities, and patching requirements.
In summary, run less software whenever possible. If you are not using a module or service, you should consider disabling or removing it. Of course, don’t just disable modules or applications without extensive testing in a development or pre-production environment (sometimes it might not be entirely clear that a web server module or application is in use).
3. Strengthen access control
Controlling access to your web server is essential to getting it right. After all, you want to minimize the risk of access to your web server falling into the wrong hands. Here are a number of best practices to follow to maintain proper access control.
- Do not use the root user. If you need to perform administrative tasks, use sudo instead;
- Use strong system (and WordPress) passwords;
- Use SSH keys in favor of the password when using SSH;
- Consider restricting SSH/RDP access from specific IP addresses;
- Enable two-factor authentication (2FA) on all cloud provider accounts;
- Make sure that each person accessing the web server has their own user—don’t share user accounts between users;
- Explicitly limit shell/SSH/Remote Desktop access to people who need it.
4. Configuring File Integrity Monitoring (FIM)
File Integrity Monitoring (FIM) helps system administrators identify file changes on a web server. Although some files change quite frequently as part of normal web server operations, files such as a WordPress installation should never change unless an administrator makes changes (for example, by updating the wp-config.php) or updating WordPress itself.
While there are a host of options you can choose to use when it comes to file integrity monitoring, it’s a good idea to stick with something that’s specific to the application you’re running, which is simple to set up and use and does not require much tuning. Otherwise, you’ll drown in meaningless notifications and before you know it, alert fatigue will set in, erasing your efforts to be with. In short, more alerts and features do not mean better when it comes to FIM, rather look for a solution that provides the most value with the least overhead.
5. Use a DDoS and WAF mitigation service
Instead of exposing your web server directly to the internet, you should consider using a service such as Cloudflare, Fastly, Akamai, or similar to protect against a wide range of attacks, including distributed denial of service attacks. (DDoS). A denial of service (DoS) attack is a type of attack in which an attacker aims to overwhelm a website with requests and thereby prevent your web server from responding to requests from legitimate users.
In addition to denial of service mitigation, these cloud services typically also offer web application firewall (WAF) features that are capable of stopping many common web application attacks such as SQL injection base (SQLi) and the simple Cross-site Script (XSS). Although WAFs are not a solution to web application vulnerabilities, they do provide some protection against exploitation, especially with WAF rules optimized for WordPress websites.
What are the next steps?
While this article covers some common web server hardening techniques, nothing in security is a silver bullet. Thus, no method of defending a system is infallible, especially against a determined adversary. Hence, why you need to secure every component that makes up your WordPress website. You cannot secure your web server and ignore WordPress security or your own computer.
However, constant patching and following good security and hygiene practices can dramatically increase the effort an attacker must expend to successfully complete an attack, which most of the time means frustrating the attacker, forcing them to move towards an easier target.
The post A guide to hardening your web server appeared first on WP White Security.
*** This is a syndicated blog from WP White Security’s Security Bloggers Network written by Mark Grima. Read the original post at: https://www.wpwhitesecurity.com/web-server-hardening/