More Best Practices to Secure Your Web Server

In the first part of this article, we discussed how to secure the WHM/cPanel login and SSH. Now let’s see how to secure other services: FTP, the Apache HTTP server and the outgoing e-mail (SMTP) server.

FTP

Use FTPS

FTP (File Transfer Protocol) is a standard network protocol used to transfer files from one host to another over a TCP-based network. It does not encrypt anything, so credentials and data travel in the clear, and it is strongly recommended to avoid it. Use FTPS (File Transfer Protocol Secure) instead: it wraps the connection in SSL/TLS, encrypting the username and password as well as the data. The protocol is selected in the FTP client (e.g. FileZilla), where it should be set to “Require explicit FTP over TLS”. On the server side, configure the FTP server to deny insecure connections: go to FTP Server Configuration in WHM and set TLS Encryption Support to “Required (Command/Data)”.

Use Pure-FTPD

WHM offers a choice of two FTP server daemons: ProFTPD and Pure-FTPd. Use Pure-FTPd, as it is faster and more memory-efficient, and it can be protected from brute-force attacks by enabling cPHulk or Fail2ban.

Change default port

The default FTP port is 21, which is where attackers would first look for a vulnerability. It is good practice to move the service to a non-standard port. Pick a port that is not used by any other service (consult the list of TCP and UDP system ports). Then open /etc/pure-ftpd.conf and find the following line:

 # Bind                      127.0.0.1,21 

Change 21 to the port number you have chosen. The leading # marks the line as a comment, so remove it for the setting to take effect, and note that the value before the comma is the address Pure-FTPd listens on: 127.0.0.1 accepts only local connections, so use the server’s public address (or 0.0.0.0 for all IPv4 interfaces) if clients connect over the network. Save the file, allow the new port through your firewall and restart the FTP server.

Apache

Use HTTPS

When using HTTPS, all communication between your server and the user is encrypted, which prevents eavesdropping. This requires an SSL/TLS certificate for your domain, which also lets clients verify that they are really talking to your server.

Jail Apache users

Apache should be configured so that a user cannot see other users’ processes or files. This can be done by enabling “Jail Apache” in Tweak Settings in WHM and setting users’ shell access to a jailed shell, or by using third-party software such as CageFS.

Enable symlink protection

One of the common Apache weaknesses is the symlink race condition. If both the SymLinksIfOwnerMatch and FollowSymLinks options are enabled, a malicious user can serve files from anywhere on the server that strict OS-level permissions do not protect, regardless of the intended file ownership. cPanel’s documentation on symlink race condition protection lists the possible solutions along with their upsides and downsides.

Hide Apache version on error pages

By default, Apache error pages (and the Server response header) include the Apache version, the OS name and even information about the modules installed on your server. Hide this information for security purposes:

 # vim /etc/httpd/conf/httpd.conf 

Find the following lines and change them to look like this:

 ServerSignature Off
 ServerTokens Prod 

Save the file and restart Apache.

Disable directory listing

Another default Apache option is to list the contents of a directory when there is no index file. To disable this, open httpd.conf:

 # vim /etc/httpd/conf/httpd.conf 

Add the following line (inside the <Directory> block for the directories concerned, or at the top level to apply it server-wide):

     Options -Indexes 

Save the file and restart Apache.

Use mod_security

ModSecurity is an Apache module that works as a web application firewall: it inspects requests and responses against a rule set, and can block brute-force attacks. It only enforces the rules you load into it, so install a rule set as well. It can be installed via yum by running the following command:

 # yum install mod_security 

Use mod_evasive

mod_evasive is an Apache module that protects the server against DoS and DDoS attacks. It detects an attack in three ways:

  • A client requests the same page more than a few times per second.
  • A client makes more than 50 concurrent requests to the same child process per second.
  • A client keeps making requests while it is temporarily blacklisted.

mod_evasive can also be installed via the yum package manager.

Disable Server side includes and CGI

Server Side Includes (SSI) and CGI scripts can be extremely dangerous if not carefully reviewed, since they execute code on the server. It is a good idea to disable them completely and only enable them where needed, on a case-by-case basis. Open httpd.conf and add the following line:

 Options -Includes -ExecCGI 

Note that this line belongs inside the <Directory> block for the directory in which SSI and CGI should be blocked.

DDoS attack protection

Although the best tools against the DoS and DDoS attacks would be network-level tools (such as software or hardware firewalls and other OS configurations), there are a number of Apache configuration settings that can help mitigate problems (according to Apache security tips):

  • The RequestReadTimeout directive allows you to limit the time a client may take to send the request.
  • The TimeOut directive should be lowered on sites that are subject to DoS attacks. Setting it as low as a few seconds may be appropriate. As TimeOut is currently used for several different operations, setting it to a low value causes problems with long-running CGI scripts.
  • The KeepAliveTimeout directive may also be lowered on sites that are subject to DoS attacks. Some sites even turn keepalives off completely via KeepAlive, which of course has other performance drawbacks.
  • The values of various timeout-related directives provided by other modules should be checked.
  • The directives LimitRequestBody, LimitRequestFields, LimitRequestFieldSize, LimitRequestLine, and LimitXMLRequestBody should be carefully configured to limit resource consumption triggered by client input.
  • On operating systems that support it, make sure that you use the AcceptFilter directive to offload part of the request processing to the operating system. This is active by default in Apache httpd, but may require reconfiguration of your kernel.
  • Tune the MaxRequestWorkers directive to allow the server to handle the maximum number of simultaneous connections without running out of resources.
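As an added example (not code from the original article), the following Python script checks an httpd.conf for the settings covered in the Apache sections above: ServerTokens and ServerSignature, the Options flags behind directory listing, SSI, CGI and symlink following, and the Timeout, KeepAliveTimeout and RequestReadTimeout directives from the DDoS list. The numeric thresholds, the constructed BEFORE/AFTER configs and the flat parsing that ignores <Directory> nesting are this example's assumptions.

```python
import re

# Thresholds are this example's assumptions; the article only says "a few seconds".
MAX_TIMEOUT, MAX_KEEPALIVE_TIMEOUT = 30, 5

def directive(conf, name):
    """Value of the first occurrence of a directive (case-insensitive), or None."""
    m = re.search(rf"^\s*{name}\s+(.+?)\s*$", conf, re.M | re.I)
    return m.group(1) if m else None

def effective_options(conf):
    """Options in effect after the last Options line, per Apache's rule: a line of only
    +Flag/-Flag tokens adjusts the set, any other line replaces it. <Directory> nesting
    is ignored here to keep the example short, so treat the result as a first pass."""
    opts = {"FollowSymLinks"}  # Apache's compiled-in default
    for m in re.finditer(r"^\s*Options\s+(.+?)\s*$", conf, re.M | re.I):
        toks = m.group(1).split()
        if all(t[0] in "+-" for t in toks):
            for t in toks:
                (opts.add if t[0] == "+" else opts.discard)(t[1:])
        else:
            opts = set(toks)
    return opts

def audit_httpd_conf(conf):
    """Return findings for the hardening items discussed in this article."""
    found = []
    if (directive(conf, "ServerTokens") or "Full").lower() != "prod":
        found.append("ServerTokens: version, OS and module list are exposed")
    if (directive(conf, "ServerSignature") or "Off").lower() != "off":
        found.append("ServerSignature: error pages print the server version")
    opts = effective_options(conf)
    for flag, why in (("Indexes", "directory listing"), ("Includes", "server-side includes"),
                      ("ExecCGI", "CGI execution"), ("FollowSymLinks", "following any symlink")):
        if flag in opts:
            found.append(f"Options {flag}: {why} is enabled")
    for name, default, limit in (("Timeout", 60, MAX_TIMEOUT),
                                 ("KeepAliveTimeout", 5, MAX_KEEPALIVE_TIMEOUT)):
        value = int(directive(conf, name) or default)  # Apache defaults: 60 s and 5 s
        if value > limit:
            found.append(f"{name} is {value}s: lower it so stalled clients free workers sooner")
    if directive(conf, "RequestReadTimeout") is None:
        found.append("RequestReadTimeout not set: slow clients can hold workers open")
    return found

# Constructed sample configs: a stock-looking httpd.conf and the same file after hardening.
BEFORE = "ServerTokens OS\nServerSignature On\nTimeout 300\nOptions Indexes FollowSymLinks\n"
AFTER = ("ServerTokens Prod\nServerSignature Off\nTimeout 20\nKeepAliveTimeout 5\n"
         "RequestReadTimeout header=20-40,MinRate=500 body=20,MinRate=500\n"
         "Options -Indexes -Includes -ExecCGI -FollowSymLinks +SymLinksIfOwnerMatch\n")
```

Running `audit_httpd_conf(BEFORE)` lists six findings, while `audit_httpd_conf(AFTER)` returns an empty list.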

SMTP Server

Require SSL connection

Forcing clients to connect over SSL/TLS significantly improves e-mail security by preventing eavesdropping on usernames and passwords. This can be configured through WHM in the Exim Configuration Manager, where “Allow weak SSL/TLS ciphers” should also be turned off.

Prevent dictionary attacks

Dictionary attacks are a type of brute-force attack in which the malicious user tries to guess a valid username and password by testing combinations taken from a pre-made word list. SMTP servers are a common target for this kind of attack, so they need protection. In WHM’s Exim Configuration Manager, turn “Dictionary attack protection” on. This blocks or rate-limits hosts with more than 4 failed login attempts.
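As an added example (not code from the original article or from cPanel), the following Python script applies the same idea on the detection side: it reads Exim “authenticator failed” log lines and flags source hosts that exceed the 4-failure threshold mentioned above within a sliding time window. The one-hour window, the constructed sample log lines and the IPv4-only address pattern are this example's assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Shape of Exim's "authenticator failed" line in exim_mainlog: date, time, authenticator name,
# the client in parentheses, its IP in brackets, then the 535 reply with the login tried.
AUTH_FAIL = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ authenticator failed for "
    r"\(.*?\) \[(?P<ip>[\d.]+)\].*?\(set_id=(?P<user>[^)]*)\)")
MAX_FAILURES = 4             # WHM's dictionary-attack protection acts above this many failures
WINDOW = timedelta(hours=1)  # assumption for this example; WHM's own window is not stated here

def parse_failures(lines):
    """Yield (timestamp, source IP, login attempted) for every failed authentication."""
    for line in lines:
        m = AUTH_FAIL.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["user"]

def flag_dictionary_attacks(lines, max_failures=MAX_FAILURES, window=WINDOW):
    """Return {ip: sorted logins tried} for hosts with more than max_failures failures
    inside any sliding window; slow, spread-out guessing below that rate is not flagged."""
    per_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        per_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > window:   # drop events older than the window
                start += 1
            if end - start + 1 > max_failures:
                flagged[ip] = sorted({u for _, u in events})
                break
    return flagged

# Constructed sample log lines in Exim's format (not a real capture).
SAMPLE_LOG = """\
2023-10-01 08:00:01 dovecot_login authenticator failed for (User) [198.51.100.7]:51234: 535 Incorrect authentication data (set_id=admin@example.com)
2023-10-01 08:00:03 dovecot_login authenticator failed for (User) [198.51.100.7]:51240: 535 Incorrect authentication data (set_id=info@example.com)
2023-10-01 08:00:05 dovecot_login authenticator failed for (User) [198.51.100.7]:51247: 535 Incorrect authentication data (set_id=sales@example.com)
2023-10-01 08:00:07 dovecot_login authenticator failed for (User) [198.51.100.7]:51255: 535 Incorrect authentication data (set_id=test@example.com)
2023-10-01 08:00:09 dovecot_login authenticator failed for (User) [198.51.100.7]:51261: 535 Incorrect authentication data (set_id=admin@example.com)
2023-10-01 08:15:40 dovecot_login authenticator failed for (User) [203.0.113.9]:40210: 535 Incorrect authentication data (set_id=bob@example.com)
2023-10-01 08:16:02 1qn9Xa-0001Ab-2C Completed
"""
```

`flag_dictionary_attacks(SAMPLE_LOG.splitlines())` flags only 198.51.100.7, together with the four distinct mailbox names it tried.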

Limit hourly number of e-mails per domain

This is a popular technique for limiting outgoing spam. It can be configured in Tweak Settings in WHM and represents the maximum number of e-mails that each domain can send in an hour. On shared hosting accounts, the limit is usually 200 per hour.

Use DNSBL

A DNS-based Blackhole List (DNSBL), also called a Real-time Blackhole List (RBL), is a published blacklist of IP addresses known for sending spam. The most popular DNSBL providers are SpamCop and Spamhaus, and both can be turned on directly through WHM.

New threats emerge all the time, but if you follow these best practices, your web servers should be secure, at least for now.

devx-admin