TECH TALK

Securing Linux Web Servers: Best Practices and Techniques

Join Chithra, DevOps at Acro, on a journey to fortify your Linux web servers easily and efficiently. Uncover straightforward, effective methods to bolster your security, ranging from SSH enhancements to SSL fortifications. Gain insights into transforming your server into a secure and resilient digital fortress.

---

As web servers play a pivotal role in delivering online content, ensuring their security is of utmost importance. This article explores best practices and techniques to secure Linux-based web servers, covering various aspects from server setup to ongoing maintenance.

1. Configuration

a. Minimal installation

• Start with a minimal server installation to reduce potential vulnerabilities.
• Only install the necessary components to minimize attack surfaces.

b. Server access (SSH)

• Use public key authentication only; disable password authentication
• When possible or practical, restrict access to necessary IP addresses only (Use Firewalls)
• Disable root login via SSH
• Remove the default user

2. Web Server Configuration

• Disable unnecessary modules and features.
• Set up HTTP basic authentication for dev environments, preventing crawlers from accessing your site.
• Implement security headers in your web server configuration to enhance browser security. Headers like Content Security Policy (CSP), Strict-Transport-Security (HSTS), and X-Content-Type-Options can provide additional layers of protection.
• Disable Server Signatures (For Apache) / Server Token (For Nginx) to prevent the server name, server version number and other information such as recent error messages, module information and other directory information from displaying upon request or when a 404 error page is presented.
• Limit HTTP Methods to restrict unnecessary HTTP request methods of the web server to only accept configured methods.

3. SSL/TLS Implementation

a. Let's encrypt

• Implement SSL/TLS certificates using Let's Encrypt for encrypted communication.
• Regularly update and renew certificates to maintain security.

4. Web Application Firewalls (WAF)

• WAFs can help mitigate the impact of DDoS attacks by filtering and managing traffic to ensure the availability of web services.
• Implementing a WAF as part of a comprehensive security strategy can significantly enhance the overall security posture of web applications and protect them from a wide range of cyber threats.

5. Directory and File Permissions

a. Restrictive permissions

• Set strict permissions for web directories and files. Proper permissions ensure the integrity of your web applications by preventing unauthorized modifications to critical files. In the event of a security breach, strict permissions limit the scope of the damage. Attackers with limited access are less likely to compromise the entire system or gain control over sensitive data.
• Limit access to sensitive configuration files. Configuration files often contain sensitive information, such as database credentials or API keys. Strict permissions ensure that only authorized users or processes can access and modify these files.

6. Regular Backups

a. Automated backups

• Set up automated backup systems to regularly back up web server data.
• Backups should be kept separately from the web server location. If backups are stored on the same server as the website or web application, they are susceptible to the same risks and vulnerabilities. For example, if the server experiences hardware failure, a cyberattack, or accidental data deletion, both the live data and the backups could be compromised simultaneously.
• Test and verify the integrity of backups.

7. Monitoring and Intrusion Detection

a. Log analysis

• For self-contained, single server systems, use tools like fail2ban to automatically block repeated malicious login attempts.
• As for much larger distributed systems,
  • Set up intrusion detection systems for real-time threat detection(Eg: Lacework, Dynatrace).
  • Implement log analysis tools such as Logwatch to monitor server logs for suspicious activities. ELK(Elastic Logstash Kibana) Stack can also be used to provide centralized log collection, processing, and analysis.

b. Log shipping

• Log shipping involves transmitting log data from one location to a centralized one for analysis and storage. Storing logs externally ensures they don't compete for storage with critical system files. It also enhances security by preventing attackers from hiding their tracks on a compromised server, as log evidence is stored separately.
• Popular log shipping solutions include syslog-ng, rsyslog, Fluentd, and Filebeat.

c. Uptime monitoring

• Setting up uptime monitoring for servers or services which will notify you if any of your them goes down.

8. Password Management

• Use strong and unique passwords.
• There should absolutely be no sharing of passwords. Each individual should have their own set of credentials.
• Enforce strong password policies within your organization. This may include MFA (2-factor authentication). minimum length requirements, complexity rules, and expiration policies.
• Do not share passwords via chat or as plain text.

9. Regular Updates and Patching

a. System and software updates

• Stay vigilant about system and software updates.
• Regularly patch vulnerabilities to stay ahead of potential threats.
• Make use of unattended upgrades to automate updates.

10. User Education and Documentation

• Educate users and administrators about security best practices, such as recognizing phishing attempts, the importance of strong authentication, and reporting any suspicious activities promptly.
• Maintain up-to-date documentation for your security configurations, processes, and incident response plans. This documentation is crucial for both current and future administrators.

Securing Linux web servers is an ongoing process that requires a combination of preventive measures and proactive monitoring. By implementing these best practices and techniques, you can fortify your web servers against common threats and ensure a robust and secure online presence. Strengthen the security of your Linux web servers today to provide a safe and reliable experience for your users.

Have a question? Reach out to our devOps team for a chat.

Fill in the form below, and one of our subject matter experts will be happy to give you a call.