Welcome to our “Ask the Solutions Architect” series. In these posts, we will be asking the SA those questions you may encounter in your web hosting routines. In this post, we discuss system security and steps you can take to immediately deter an attack.
Today we ask: What can I do to improve my system security?
Nobody wants to face the dread of a compromised system. Luckily, there are steps that you can take to immediately secure your server. Within just a few hours you can dramatically improve your system confidence.
Compromised servers can lead to hosting spam, botnets, and compromised data. This is especially alarming if you happen to store sensitive data like payment information or personal data. A small amount of planning can work wonders towards preventing system disasters. This article acts as a best practice guide for systems administrators. These crucial steps can be hand deployed or implemented with automated deployment. To make sure you have done everything you can to secure your data, follow our recommendations below.
Security Tip #1: Change your passwords.
As trivial as passwords might seem, changing your password every 30 or 60 days can deter malicious cybercrime better than almost any other method. Remember to use complex passwords that are eight or more characters, using a combination of character types. Randomly generated passwords are automatically issued with each 100TB server. Generated passwords are great if you have a method for remembering strings of characters and numbers.
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Security Tip #2: Change public ports.
While changing your ports doesn’t mean that you will have more security per se, it will camouflage your server to a certain extent. This method of security is referred to as ‘security by obscurity’. While this method is widely debated as an actual means of security, changing your ports only takes a moment, so it is always worth doing. Many brute force applications and botnets avoid scanning and instead attack all ports for a certain number of servers. To do so, they typically target the most common ports first.
For example, Secure Shell (SSH) runs on port 22/tcp by default. Botnets will target 22/tcp first when scaling an attack. You can quickly change the default port to avoid these types of hit-and-run attacks, where large ranges of IPs are targeted for services running on the most common ports.
If you are running Linux, you can change your port by modifying your SSH configuration files and restarting your SSH daemon (sshd). Follow the commands below as root or administrative user:
~# sed -i '/^#\?Port /cPort 1111' /etc/ssh/sshd_config
~# /etc/init.d/sshd restart
Security Tip #3: Employ a firewall.
Linux systems have the option to use a powerful firewall called ‘iptables’. Administrators employ iptables to perform packet/connection inspection to monitor, filter, and allow traffic. By configuring iptables you can avoid brute force attacks and other types of malicious connections. To learn more about iptables configuration and basic usage we recommend looking at the Linux Firewall Introduction.
While this tip may be easier said than done, there are a few quick checks you can perform to try to mitigate public interference on your server. Ensure that any services available on the public network are secured according to the application’s best practices. Examples of securing public services include:
- Disabling root logins over SSH
- Setting up SSL certificates for your web server
- Updating all applications when available
- Using key-based authentication for SSH
- Deploying ModSecurity for Apache
- Configuring Nginx blocks to prevent unauthorized IPs
- Requiring authentication for Wowza streaming
The list above is not exhaustive, and it may take some time to secure all vulnerable areas. However, making sure that your systems are secure will not only put your mind at ease but will also ensure that your data is properly secured.
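As an added example (not part of the original article or any 100TB tooling), the script below audits an sshd_config for the SSH items from the tips above: the changed port, disabled root logins and key-based authentication. The function names and the sample configuration are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: audits sshd_config for the SSH items in Tips #2 and #4.
# Assumptions: only the global section is read (scanning stops at the first
# Match block), Include files are not followed, and unset keywords fall back
# to upstream OpenSSH defaults.

# global_values FILE KEYWORD -> every global value of KEYWORD, lowercased
global_values() {
    awk -v k="$2" '
        tolower($1) == "match"    { exit }              # conditional section starts
        tolower($1) == tolower(k) { print tolower($2) } # keywords are case-insensitive
    ' "$1"
}

# audit_sshd_config FILE -> one finding per line; returns 1 if any were found
audit_sshd_config() {
    local file="$1" ports root pass status=0
    ports=$(global_values "$file" Port)
    # For these two keywords sshd uses the first value it reads.
    root=$(global_values "$file" PermitRootLogin | head -n 1)
    pass=$(global_values "$file" PasswordAuthentication | head -n 1)

    # Port may repeat and sshd listens on each one; no Port line means 22.
    if printf '%s\n' "${ports:-22}" | grep -qx 22; then
        echo "PORT: sshd still listens on 22/tcp"; status=1
    fi
    # Upstream default is prohibit-password: root can still log in with a key.
    if [ "${root:-prohibit-password}" != "no" ]; then
        echo "ROOT: PermitRootLogin is '${root:-prohibit-password}', expected 'no'"; status=1
    fi
    # Upstream default is yes, so a missing line leaves password logins on.
    if [ "${pass:-yes}" != "no" ]; then
        echo "PASSWORD: password logins enabled, key-based auth not enforced"; status=1
    fi
    return "$status"
}

# Constructed sample: the commented "#Port 22" is ignored, PermitRootLogin is
# repeated (the first value wins) and PasswordAuthentication is only set in Match.
sample=$(mktemp)
cat >"$sample" <<'EOF'
#Port 22
Port 1111
PermitRootLogin yes
permitrootlogin no
Match User backup
    PasswordAuthentication no
EOF
audit_sshd_config "$sample" || true
```

On a live host, `sshd -T` prints the effective configuration, including Include files, and its output can be checked for the same three settings.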
Security Tip #5: Employ off-site static backups.
Sometimes, additional security measures alone are not enough. A complete security detail also includes what happens when everything goes wrong. We recommend that any critical data stored is also backed up off-site with additional protection such as encryption and read-only archives. A data backup will not prevent security vulnerabilities, but it will help you recover should your system become compromised.
As always, remember that our expert support team is available 24 hours a day to answer any security questions you may have. Your journey to a well-protected infrastructure includes a variety of protective measures and a web host with the tools and services you need to be successful.