How Do You Secure a Dedicated Server?
How Do You Secure a Dedicated Server?
Courtesy/News Source: greengeeks.com
It seems like there’s a new horror story about the breach of an unsecured server every week. It’s vitally important that you secure your dedicated server and take steps to avoid exposing sensitive data. Protect yourself against hackers using your server for criminal purposes or infecting you with malware or ransomware.
What Are Dedicated Servers?
A webserver not shared between multiple users is a dedicated server. Shared hosting or Virtual Private Servers (VPS) split server resources between multiple users and sites.
All the resources of a dedicated server are dedicated (hence the name) to one user. A dedicated server can host multiple websites, but they’re all controlled by a single user or company.
There are several different kinds of dedicated server hosting, but they break down into two categories, managed and unmanaged. When you use a managed dedicated server, the hosting company takes care of maintenance and updates, and usually server security.
With an unmanaged dedicated server, the user is responsible for maintenance and security. You’re basically given an empty server and it’s up to you how it’s used.
Dedicated servers use a lot of energy, so if resource use is a concern, check out GreenGeeks dedicated servers. The carbon footprint is offset 300% by renewable energy. No other dedicated server provider can make that claim.
How to Secure a Dedicated Server
Before we get to tips, know that there are a lot of ways to gain access to a dedicated server. Depending on which services you run on the server, you have to be concerned with not only root server access, but also the security of your firewall, web server, web applications, database server, email server, DNS, and FTP.
Every service running on the machine has its own security concerns. A weakness in one service puts them all at risk.
If you can’t dedicate time and resources to security, consider a form of secure server hosting or a managed server. A managed dedicated server is almost always more expensive than an unmanaged one. But you’re paying for the expertise of professionals who deal with security issues every day.
This article is a high-level overview with some universal tips, not a comprehensive guide. We’re talking about Linux and other unix-based systems. But some of the things we’ll talk about (default port numbers, etc.) apply to Windows servers as well.
Number One Dedicated Server Security Tip: Stay Up to Date
Almost every service or software package that you install on a dedicated server will be updated at some point. Some more often than others. It’s easy to skip or overlook updates. But it’s a good practice to schedule some time periodically to check for updates. Then you can determine whether you need to install them.
You probably won’t find it necessary to install every update issued for every service, but you want to avoid getting too far behind or relying on outdated services. The older any given version of a service gets, the more susceptible it is to exploits.
Every operating system creates a root user that has administrative access to, well, everything. Obviously, you should change the root credentials to a secure password or passphrase. And, it’s best to avoid using the root user for your everyday server access.
Instead, create a user with restricted permissions and log in as that user. When you need root access to do something on the server, you can gain it using the “su root” command, and entering the root password.
If you make a practice of logging in using a restricted user, you can then block the root user from logging in via SSH. That will defeat any attempt by hackers to brute force a root login.
It’s also best to limit the number of users who have access to the server and to force periodic password changes. No one likes to change their passwords, but the longer a password is used, the greater the chances of it being compromised.
Finally, if you do allow multiple users access to the server, make sure they are logging in via trusted networks whenever possible.
Your server security is only as strong as its weakest link. And if a user logs in from a coffee shop over an unsecured wifi connection, their credentials are at risk of exposure.
The best way to secure a dedicated server is to make sure the server users are employing sound security practices.
Hackers Look for Services Running on Standard Ports
By default, most services run or “listen” on standard ports. For example, if I’m going to try to gain SSH access to your server, I’m going to focus my attention on port 22, the standard SSH port.
Changing the port numbers for every service that you can, or at least the services that can do the most damage (like SSH) helps increase security. It doesn’t make it impossible to find the services, but it hides them from bots that only scan certain ranges.
If You Don’t Use It, Remove It
If you’ve ever looked at the processes running on your home computer, you’ve no doubt come across a lot of programs or services that you had no idea was up and running.
A web server also launches many common services by default. What’s necessary depends on your needs, of course. But if you don’t use services that log a user onto the server, like FTP, disable them.
Also, remember to uninstall any programs or services that you test or try and then decide not to use. It’s easy to forget about things like that, which is why the periodic update check that I mentioned earlier is important.
That’s a good practice to extend to your websites themselves, where you’re also likely to be installing programs just to test them or check them out.
There’s nothing worse than a three-year-old version of WordPress or Joomla sitting around unattended. They’re magnets for exploitation. If you aren’t using something, delete it!
Backup Your Data
A lot of dedicated server users back up their entire servers, operating system and all. Those kinds of backups serve a purpose. But if someone compromises the OS, it’s like the backup is as well. For that reason, a re-install of the OS and services may be preferable.
But your data is a different story. Back it up as often as you can. And your backups should not live on your dedicated server. Always back up to a separate location or cloud-based storage.
The Best Server Security Tips Are Just the Tip of the Iceberg
If the beginning of this article reads as if I’m advising against doing your own server security, it’s because security isn’t something that I take lightly. I base that on painful personal experience as well as seeing too many other well-meaning people have their servers owned because they overlooked an open port on an obscure or unused service.
Of course, you can secure a dedicated server. It just takes attention to detail and a good maintenance plan. Most hackers are not fools, and they’re almost always more devious than we are. So it’s best not to leave any stone unturned.
To demonstrate just how devious they can be, I’ll leave you with this cautionary tale. Many years ago, a server for a business I was part of was compromised. Our server security was on point, but hackers got in through an extremely complicated and convoluted path. It began with the BlueTooth on the server admin’s phone!
Keep things like that in mind, and remain vigilant and you can keep the bad guys at bay.