Web server security is the protection of information assets that can be accessed from a Web server. It is important for any organization that has a physical or virtual Web server connected to the Internet. It requires a layered defence and is especially important for organizations with customer-facing websites. Server security comes down to the confidentiality, integrity and availability of the appropriate information, together with authentication. A leaky server can cause serious harm to an organisation, so security is the most complex topic that the modern world is concerned about. A security breach costs the organisation money as well as goodwill. Databases store confidential and sensitive information. Hence, it is the most important task of an organisation to safeguard crucial information from being stolen and misused.
Common Server Security issues faced
The most deadly mistakes that can make a server less secure are as follows:
- Weak Passwords
- Open Network Ports
- Old Software Version
- Poor Physical Security
- Insecure CGIs
- Stale and Unnecessary Accounts
Server Vulnerabilities, Threats, and Environments
To secure a server, it is essential to first define the threats that must be mitigated. Knowledge of potential threats is important to understanding the reasons behind the various baseline technical security practices presented in this document. Many threats against data and resources are possible because of mistakes, either bugs in operating system and server software that create exploitable vulnerabilities, or errors made by end users and administrators. Threats may involve intentional actors (e.g., an attacker who wants to access information on a server) or unintentional actors (e.g., an administrator who forgets to disable the user accounts of a former employee). Threats can be local, such as a disgruntled employee, or remote, such as an attacker in another geographical area. Organizations should conduct risk assessments to identify the specific threats against their servers and determine the effectiveness of existing security controls in counteracting the threats; they then should perform risk mitigation to decide what additional measures (if any) should be implemented. Performing risk assessments and mitigation helps organizations better understand their security posture and decide how their servers should be secured. An important element of planning the appropriate security controls for a server is understanding the threats associated with the environment in which the server is deployed. The recommendations in this publication are based on the assumption that the servers are in typical enterprise environments and thus face the threats and have the security needs usually associated with such environments.
Security measures to protect the Servers
Listed below are a few measures to maintain security on servers:
- SSH Keys
SSH keys are a pair of cryptographic keys that can be used to authenticate to an SSH server as an alternative to password-based logins. A private and public key pair is created prior to authentication. The private key is kept secret and secure by the user, while the public key can be shared with anyone. Setting up SSH key authentication allows you to disable password-based authentication. SSH keys generally have many more bits of data than a password, meaning that there are significantly more possible combinations that an attacker would have to run through. Many SSH key algorithms are considered uncrackable by modern computing hardware simply because they would require too much time to run through possible matches.
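Disabling password logins only takes effect if the server's configuration really says so. The check below is an added example, not part of the original article: it reads `sshd_config` text the way OpenSSH does (keywords are case-insensitive and the first value for a keyword wins) and reports settings that still allow password-style logins. The sample file is constructed, and `Match` blocks and `Include` files are deliberately ignored.

```python
# OpenSSH defaults that apply when a keyword is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
}
# Deprecated spelling that OpenSSH still accepts for the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# Constructed sample file, not taken from a real host.
SAMPLE = """\
# sshd_config (constructed)
PubkeyAuthentication yes
passwordauthentication no
PasswordAuthentication yes
PermitRootLogin yes
"""

def effective_settings(text):
    """Global settings as sshd reads them: the first value per keyword wins."""
    seen = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":  # simplification: conditional blocks are not evaluated
            break
        if len(parts) > 1:
            seen.setdefault(key, parts[1].lower())
    return {**DEFAULTS, **seen}

def findings(text):
    """Return a list of settings that weaken key-only authentication."""
    cfg = effective_settings(text)
    out = []
    if cfg["pubkeyauthentication"] != "yes":
        out.append("public key authentication is disabled")
    if cfg["passwordauthentication"] != "no":
        out.append("password logins are still accepted")
    if cfg["kbdinteractiveauthentication"] != "no":
        out.append("keyboard-interactive is enabled and may still prompt for a password")
    if cfg["permitrootlogin"] == "yes":
        out.append("root may log in directly over SSH")
    return out
```

On the sample, the second `PasswordAuthentication yes` line has no effect because the earlier `no` was read first; an empty file is reported as accepting passwords because that is the default.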
- Firewalls
A firewall is a piece of software (or hardware) that controls what services are exposed to the network. This means blocking or restricting access to every port except for those that should be publicly available.
On a typical server, a number of services may be running by default. These can be categorized into the following groups:
- Public services that can be accessed by anyone on the internet, often anonymously. A good example of this is a web server that might allow access to your site.
- Private services that should only be accessed by a select group of authorized accounts or from certain locations. An example of this may be a database control panel.
- Internal services that should be accessible only from within the server itself, without exposing the service to the outside world. For example, this may be a database that only accepts local connections.
A properly configured firewall will restrict access to everything except the specific services you need to remain open. Exposing only a few pieces of software reduces the attack surface of your server, limiting the components that are vulnerable to exploitation.
- VPNs and Private Networking
Private networks are networks that are only available to certain servers or users. For instance, private networking is available in some regions as a data-center-wide network. A VPN, or virtual private network, is a way to create secure connections between remote computers and present the connection as if it were a local private network. This provides a way to configure your services as if they were on a private network and connect remote servers over secure connections. Using a VPN is, effectively, a way to map out a private network that only your servers can see. Communication will be fully private and secure. Other applications can be configured to pass their traffic over the virtual interface that the VPN software exposes. This way, only services that are meant to be consumable by clients on the public internet need to be exposed on the public network.
- Public Key Infrastructure and SSL/TLS
Public key infrastructure, or PKI, refers to a system that is designed to create, manage, and validate certificates for identifying individuals and encrypting communication. SSL or TLS certificates can be used to authenticate different entities to one another. After authentication, they can also be used to establish encrypted communication. Establishing a certificate authority and managing certificates for your servers allows each entity within your infrastructure to validate the other members' identities and encrypt their traffic. This can prevent man-in-the-middle attacks where an attacker imitates a server in your infrastructure to intercept traffic. Each server can be configured to trust a centralized certificate authority. Afterwards, any certificate that the authority signs can be implicitly trusted. If the applications and protocols you are using to communicate support TLS/SSL encryption, this is a way of encrypting your system without the overhead of a VPN tunnel (which also often uses SSL internally).
- Service Auditing
A big portion of security is analyzing your systems, understanding the available attack surfaces, and locking down the components as best as you can. Service auditing is a process of discovering what services are running on the servers in your infrastructure. Often, the default operating system is configured to run certain services at boot. Installing additional software can sometimes pull in dependencies that are also auto-started. Servers start many processes for internal purposes and to handle external clients. Each of these represents an expanded attack surface for malicious users. The more services that you have running, the greater chance there is of a vulnerability existing in your accessible software. Once you have a good idea of what network services are running on your machine, you can begin to analyze these services.
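One way to turn the audit into a repeatable check is to compare what is listening against the exposure each service is meant to have, using the public / private / internal categories from the firewall section. This is an added example, not part of the original article; the port policy and the sample listener table (laid out like `ss -H -tlnp` output) are constructed assumptions.

```python
import ipaddress

# Hypothetical policy: the exposure each port is meant to have.
INTENDED = {80: "public", 443: "public", 22: "private", 8443: "private", 3306: "internal"}
REACH = {"internal": 0, "private": 1, "public": 2}

# Constructed sample in the layout of `ss -H -tlnp` (not real output).
SAMPLE = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:80 0.0.0.0:* users:(("nginx",pid=901,fd=6))
LISTEN 0 151 127.0.0.1:3306 0.0.0.0:* users:(("mysqld",pid=950,fd=21))
LISTEN 0 4096 10.0.0.5:8443 0.0.0.0:* users:(("admin-panel",pid=1002,fd=4))
LISTEN 0 511 [::]:6379 [::]:* users:(("redis-server",pid=990,fd=7))
"""

def bind_scope(addr):
    """Map a listen address to the widest audience that can reach it."""
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
    if addr == "*":
        return "public"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "internal"
    if ip.is_unspecified:  # 0.0.0.0 or :: means every interface
        return "public"
    return "private" if ip.is_private else "public"

def audit(ss_output, intended=INTENDED):
    """Return (port, process, scope, reason) for listeners that break policy."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)
        scope = bind_scope(addr)
        proc = fields[5].split('"')[1] if len(fields) > 5 and '"' in fields[5] else "?"
        want = intended.get(int(port))
        if want is None:
            findings.append((int(port), proc, scope, "unlisted service"))
        elif REACH[scope] > REACH[want]:
            findings.append((int(port), proc, scope, f"meant to be {want}"))
    return findings
```

A finding such as SSH bound to every interface while meant to be private is not necessarily a fault, but it means a firewall rule, not the bind address, is the only thing restricting it.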
- Isolated Execution Environments
Isolating execution environments refers to any method in which individual components are run within their own dedicated space. This can mean separating out your discrete application components to their own servers or may refer to configuring your services to operate in chroot environments or containers. The level of isolation depends heavily on your application’s requirements and the realities of your infrastructure. Isolating your processes into individual execution environments increases your ability to isolate any security problems that may arise. Similar to how bulkheads and compartments can help contain hull breaches in ships, separating your individual components can limit the access that an intruder has to other pieces of your infrastructure.
- Install all security patches on time
Although having fully patched software does not necessarily mean your server is fully secure, it is still very important to update your operating system and any other software running on it with the latest security patches. To this day, hacking incidents still occur because attackers exploit unpatched servers and software.
- User accounts
Unused default user accounts created during an operating system install should be disabled. There is also a long list of software that creates user accounts on the operating system when installed. Such accounts should also be checked properly and their permissions changed as required. The built-in administrator account should be renamed and is not to be used; the same applies to the root user on a Linux/Unix installation. Every administrator accessing the web server should have his own user account, with the correct privileges needed. It is also a good security practice not to share each other’s user accounts.
- Remove all unused modules and application extensions
A default Apache installation has a number of pre-defined modules enabled, which in a typical web server scenario are not used, unless they are specifically needed. Turn off such modules to prevent targeted attacks against such modules.
The same applies to Microsoft’s web server, Internet Information Services. By default, IIS is configured to serve a large number of application types, e.g. ASP, ASP.NET and more. The list of application extensions should only contain the extensions the website or web application will be using. Every application extension should also be restricted to use specific HTTP verbs only, where possible.
- Use security tools provided with web server software
Microsoft released a number of tools to help administrators secure IIS web server installations, such as URLScan. There is also a module called mod_security for Apache. Although configuring such tools is a tedious process and can be time consuming, especially with custom web applications, they do add an extra bit of security and peace of mind.
- Stay informed
Nowadays, information and tips on the software and operating system being used can be found freely on the internet. It is very important to stay informed and learn about new attacks and tools, by reading security related magazines and subscribing to newsletters, forums or any other type of community.
- Use Scanners
Scanners are handy tools that help you automate and ease the process of securing a web server and web applications.