11 Server Security Tips To Secure Your Server

Provido

Katılımcı Üye
21 Eki 2015
477
1
Hackers are always on the lookout for server vulnerabilities. It is your responsibility to ensure your data is safe and secure.

Minimize risks and be confident your data is safe on secure servers by implementing our server security tips and best practices.


how-to-secure-your-server.png



Secure Server Connectivity

1. Establish and Use a Secure Connection


When connecting to a remote server, it is essential to establish a secure channel for communication.

Using the SSH (Secure Shell) Protocol is the best way to establish a protected connection. Unlike the previously used Telnet, SSH access encrypts all data transmitted in the exchange.

You need to install the SSH Daemon and to have an SSH Client with which you issue commands and manage servers to gain remote access using the SSH protocol.

By default, SSH uses port 22. Everyone, including hackers, knows this. Most people do not configure this seemingly insignificant detail. However, changing the port number is an easy way to reduce the chances of hackers attacking your server. Therefore, the best practice for SSH is to use port numbers between 1024 and 32,767.


2. Use SSH Keys Authentication


Instead of a password, you can authenticate an SSH server using a pair of SSH keys, a better alternative to traditional logins. The keys carry many more bits than a password and are not easily cracked by most modern computers. The popular RSA 2048-bit encryption is equivalent to a 617-digit password.

The key pair consists of a public key and a private key.

The public key has several copies, one of which remains on the server, while others are shared with users. Anyone that has the public key has the power to encrypt data, while only the user with the corresponding private key can read this data. The private key is not shared with anyone and must be kept secure. When establishing a connection, the server asks for evidence that the user has the private key, before allowing privileged access.


3. Secure File Transfer Protocol


To transfer files to and from a server without danger of hackers compromising or stealing data, it is vital to use File Transfer Protocol Secure (FTPS). It encrypts data files and your authentication information.

FTPS uses both a command channel and a data channel, and the user can encrypt both. Bear in mind that it only protects files during transfer. As soon as they reach the server, the data is no longer encrypted. For this reason, encrypting the files before sending them adds another layer of security.


4. Secure Sockets Layer Certificates


Secure your web administration areas and forms with Secure Socket Layer (SSL) that guards information passed between two systems via the internet. SSL can be used both in server-client and in server-server communication.

The program scrambles data so that sensitive information (such as names, IDs, credit card numbers, and other personal information) is not stolen in transit. Websites that have the SSL certificate have HTTPS in the URL, indicating they are secure.

Not only does the certificate encrypt data, but it is also used for user authentication. Therefore, by managing certificates for your servers, it helps establish user authority. Administrators can configure servers to communicate with centralized authority and any other certificate that the authority signs.


5. Use Private Networks and VPNs


Another way to ensure secure communication is to use private and virtual private networks (VPNs), and software such as OpenVPN (see our guide on installing and configuring OpenVPN on CentOS). Unlike open networks which are accessible to the outside world and therefore susceptible to attacks from malicious users, private and virtual private networks restrict access to selected users.

Private networks use a private IP to establish isolated communication channels between servers within the same range. This allows multiple servers under the same account to exchange information and data without exposure to a public space.

When you want to connect to a remote server as if doing it locally through a private network, use a VPN. It enables an entirely secure and private connection and can encompass multiple remote servers. For the servers to communicate under the same VPN, they must share security and configuration data.


Server User Management

6. Monitor Login Attempts


Using intrusion prevention software to monitor login attempts is a way to protect your server against brute force attacks. These automated attacks use a trial-and-error method, attempting every possible combination of letters and numbers to gain access to the system.

Monitoring and managing users ensures better server security.
Intrusion prevention software oversees all log files and detects if there are suspicious login attempts. If the number of attempts exceeds the set norm, intrusion prevention software blocks the IP address for a certain period or even indefinitely.


7. Manage Users


Every server has a root user who can execute any command. Because of the power it has, the root can be very hazardous to your server if it falls into the wrong hands. It is widespread practice to disable the root login in SSH altogether.

Since the root user has the most power, hackers focus their attention on trying to crack the password of that specific user. If you decide to disable this user entirely, you will put attackers in a significant disadvantage and save your server from potential threats.

To ensure outsiders do not misuse root privileges, you can create a limited user account. This account does not have the same authority as the root but is still able to perform administrative tasks using sudo commands.

Therefore, you can administer most of the tasks as the limited user account and use the root account only when necessary.


Server Password Security

8. Establish Password Requirements


The first thing is to set password requirements and rules that must be followed by all members on the server.

Do not allow empty or default passwords. Enforce minimum password length and complexity. Have a lockout policy. Do not store passwords using reversible encryption. Force session timeout for inactivity and enable two-factor authentication.


9. Set Password Expiration Policy


Setting an expiration date for a password is another routine practice when establishing requirements for users. Depending on the level of security required, a password may last a couple of weeks or a couple of months.


10. Use Passphrases For Server Passwords


There are several reasons why using a passphrase rather than a password can help elevate server security. The main difference between the two is that a passphrase is longer and contains spaces between the words. Therefore, it is often a sentence, but it does not have to be one.

For example, a password passphrase may be: Ilove!ToEatPizzaAt1676MainSt.

The given example is longer than a usual password, and it contains upper and lower case letters, numbers, and unique characters.

Furthermore, it is much easier to remember a passphrase than a string of random letters. Finally, since it consists of 49 characters, it is more difficult to crack.


11. Password Don’ts


If you want to maintain a secure server, there are a few things you want to avoıd when it comes to passwords. Firstly, be mindful where you store passwords. Do not write them on pieces of paper and hide them around the office.

It is generally advisable not to use personal information like your birthday, hometown, pet names and other things that can connect you, the user, to the password. These are extremely easy to guess, especially by people who know you personally.

Passwords that only contain simple dictionary words are also easy to crack, especially by dictionary (brute force) attacks. Mindful of the same risk, try to avoıd repeating sequences of characters in the same password.

Finally, do not use the same password for multiple accounts. By recycling passwords, you put yourself at significant risk. If a hacker manages to get access to a single account, all other accounts with the same password may be in danger. Try to use a different password for every separate account and keep track of them using a password manager such as KeePass.



Excerpted​
 
Üst

Turkhackteam.org internet sitesi 5651 sayılı kanun’un 2. maddesinin 1. fıkrasının m) bendi ile aynı kanunun 5. maddesi kapsamında "Yer Sağlayıcı" konumundadır. İçerikler ön onay olmaksızın tamamen kullanıcılar tarafından oluşturulmaktadır. Turkhackteam.org; Yer sağlayıcı olarak, kullanıcılar tarafından oluşturulan içeriği ya da hukuka aykırı paylaşımı kontrol etmekle ya da araştırmakla yükümlü değildir. Türkhackteam saldırı timleri Türk sitelerine hiçbir zararlı faaliyette bulunmaz. Türkhackteam üyelerinin yaptığı bireysel hack faaliyetlerinden Türkhackteam sorumlu değildir. Sitelerinize Türkhackteam ismi kullanılarak hack faaliyetinde bulunulursa, site-sunucu erişim loglarından bu faaliyeti gerçekleştiren ip adresini tespit edip diğer kanıtlarla birlikte savcılığa suç duyurusunda bulununuz.