Getting your own server online is very exciting! You are now free to deliver any software or applications to your users by installing and configuring them on your server.
However, as soon as your server goes online, thousands and thousands of bots start to attack it using different methods, attempting to hijack or infect it in order to launch malicious attacks against other users.
Hence, it is very important that you secure your server the moment you get it. Here are the ways to secure your server:
1. Install only required OS components
Be it Linux or Windows, by default the installer will prompt you to install the full version of the OS. Always go for a minimal custom install (if it’s a dedicated server, ask the hosting provider to do it on your behalf).
Non-required components should be left out.
This minimizes the attack surface and reduces the number of patches and updates required for maintenance.
2. Keep the ‘Admin/Root’ account secure
The default superuser account on Windows Server is ‘Administrator’ and on Linux it is ‘root’; most brute-force attacks are aimed at these accounts.
For Windows, a lockout policy can be applied to other users, but the admin account can never be disabled or locked out. We highly recommend renaming Administrator to another username to keep it safe.
For Linux, add another account with root privileges and restrict what the root account can do.
3. Always use a secure user policy as a guideline
Don’t allow empty passwords.
Enforce minimum password length and complexity.
Use a lockout policy (Windows).
Don’t store passwords using reversible encryption.
Force session timeout for inactivity.
4. Employ the Principle of “Least Privilege”
If you have multiple users using the same server, do the following:
Avoid potential security issues due to mishandling of access rights.
Provide the minimum rights each user needs to carry out his/her duties (especially on the OS partition).
Set up Group Policy or use a Role-Based Access Control (RBAC) component to specify access restrictions according to your own requirements.
5. Always disable unnecessary network ports and services
Only enable the network ports used by the OS and installed components.
Disable/close the remaining ports.
Run a port scan of the system to confirm that all non-functional ports are properly protected.
Disable all unused network services (Bluetooth, Wi-Fi, etc.) to prevent unauthorized access.
6. Enable Firewall and Antivirus
On either Linux or Windows, enable the software firewall (built into the OS) to filter out untrusted network traffic. Admittedly, the firewall can be difficult to master at first. But never disable the firewall! The inconvenience of setting it up properly is worth the effort.
If you have extra funds, go with a hardware firewall! Hardware firewalls come with intrusion detection and policy features and can mitigate some attacks very well.
7. Secure Remote Access
Hackers often gain entry using Remote Access. To prevent unauthorized access, change the default Remote Access port from 3389 (Windows) and 22 (Linux) to one in the 10000-65535 range.
If you have a firewall enabled, always try to lock down remote access and allow it only from the IPs you connect from! Another good way to protect your data is to use a VPN and allow remote access only via the VPN.
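On a Linux host, the SSH-related points from sections 2, 3 and 7 (root login, empty passwords, the remote access port) can be checked mechanically. The following Python audit of the global section of an OpenSSH sshd_config is an added example, not part of the original article; the sample config and the names DEFAULTS, parse_global and audit are constructed here, and the defaults assume upstream OpenSSH.

```python
import re

# Upstream OpenSSH defaults for absent keywords (assumption: distro keeps them).
DEFAULTS = {"port": ["22"], "permitrootlogin": ["prohibit-password"],
            "permitemptypasswords": ["no"]}

# Constructed sample config, not taken from a real host.
SAMPLE_CONFIG = """\
# constructed sample
Port 22
Port 22022
PermitRootLogin yes
permitrootlogin no
PermitEmptyPasswords=no
Match User backup
    PermitEmptyPasswords yes
"""

def parse_global(text):
    """Return {keyword: [values]} for the lines before the first Match block."""
    settings = {}
    for raw in text.splitlines():
        m = re.match(r"([A-Za-z0-9]+)(?:\s*=\s*|\s+)(.*)$", raw.strip())
        if not m:                      # blank line, comment or bare keyword
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":             # per-Match overrides are not evaluated
            break
        if key == "port":              # Port may repeat; sshd listens on all
            settings.setdefault(key, []).append(value)
        else:                          # other keywords: first value wins
            settings.setdefault(key, [value])
    return settings

def audit(text):
    """Return (keyword, value, finding) tuples for the three checks."""
    cfg = {**DEFAULTS, **parse_global(text)}
    findings = []
    for port in cfg["port"]:
        if not (port.isdigit() and 10000 <= int(port) <= 65535):
            findings.append(("port", port, "outside the 10000-65535 range"))
    if cfg["permitrootlogin"][0].lower() == "yes":
        findings.append(("permitrootlogin", "yes", "root login unrestricted"))
    if cfg["permitemptypasswords"][0].lower() == "yes":
        findings.append(("permitemptypasswords", "yes", "empty passwords accepted"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=": ")
```

Settings inside Match blocks are deliberately skipped, so a clean result covers only the global section of the file.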
8. Always keep your OS updated!
Be it Windows or Linux, always keep the OS updated. This is one of the simplest ways to help keep your server secure. Patches are very important because they fix loopholes and exploitable flaws that the OS might have.