Secure your Web Server - Best Practices To Follow

Configure Operating system

Remove unwanted services

Less is always better. Running only the necessary services and packages reduces the load on the operating system and, more importantly, fewer running services mean fewer security holes.

Have only few user accounts

Create only the user accounts you need and set their passwords to meet your secure password guidelines. Once the required accounts exist, do not create any more.

Avoid common User names

Most attackers start by probing for common user accounts on a server. Names such as ‘henry’, ‘sam’, ‘root’, ‘admin’ and ‘bob’ are far more exposed to brute-force attacks.

Force Password change

Enforce periodic password changes for every user account by setting a password expiry policy.

Disable the root account

It is not a good idea to allow remote login to the root user. If an attacker brute-forces the root password, they gain complete control of the system!

Enable Firewall

Run your website or service behind a firewall. Linux ships with a default firewall, which is sufficient to protect any website. Open only the necessary ports and drop everything else.

Enable LogWatch

LogWatch is a customizable, pluggable log monitoring system for Linux. It can be configured to send daily reports to your email address. Use it to keep track of invalid login attempts from unauthorized IPs and blacklist them.
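
The kind of summary LogWatch produces for sshd can be reproduced in a few lines, which is useful when you want to feed the result straight into a blacklist. The following script is an added example, not part of the original checklist and not LogWatch's own code: it counts "Failed password" lines per source IP and per targeted username and lists the IPs that cross a threshold. The log lines, IP addresses and usernames are constructed for the example; the `trusted` set is a hypothetical allow-list for addresses you never want to block.

```python
import re
from collections import Counter

# Constructed sample lines in the style of an OpenSSH auth log (/var/log/secure);
# the hostnames, IPs and usernames are made up for this example.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:12 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51234 ssh2
Mar  3 10:01:15 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.45 port 51236 ssh2
Mar  3 10:01:19 web1 sshd[2103]: Failed password for root from 203.0.113.45 port 51240 ssh2
Mar  3 10:01:22 web1 sshd[2105]: Failed password for invalid user bob from 203.0.113.45 port 51244 ssh2
Mar  3 10:02:03 web1 sshd[2110]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar  3 10:05:41 web1 sshd[2120]: Failed password for deploy from 198.51.100.7 port 40030 ssh2
Mar  3 10:07:00 web1 sshd[2130]: Failed password for invalid user sam from 198.51.100.200 port 33001 ssh2
Mar  3 10:07:01 web1 sshd[2130]: Failed password for invalid user henry from 198.51.100.200 port 33002 ssh2
"""

# Matches both "Failed password for root from X" and "Failed password for invalid user bob from X".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_failures(log_text):
    """Return (per_ip, per_user) Counters of failed password attempts."""
    per_ip, per_user = Counter(), Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_ip[m.group("ip")] += 1
            per_user[m.group("user")] += 1
    return per_ip, per_user


def blacklist_candidates(log_text, threshold=3, trusted=()):
    """IPs with at least `threshold` failures, excluding trusted addresses (e.g. your own office)."""
    per_ip, _ = parse_failures(log_text)
    return sorted(ip for ip, n in per_ip.items() if n >= threshold and ip not in trusted)


def report(log_text, threshold=3, trusted=()):
    """Build a LogWatch-style text summary of the failures and the blacklist candidates."""
    per_ip, per_user = parse_failures(log_text)
    lines = ["Failed logins per source IP:"]
    for ip, n in per_ip.most_common():
        lines.append(f"  {ip:<16} {n}")
    lines.append("Most-targeted usernames:")
    for user, n in per_user.most_common(5):
        lines.append(f"  {user:<10} {n}")
    lines.append("Blacklist candidates: " + ", ".join(blacklist_candidates(log_text, threshold, trusted)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_AUTH_LOG, threshold=3, trusted={"198.51.100.7"}))
```

The per-username counter is what tells you whether the common account names from the earlier item are being probed; on a real host you would read the log file instead of the embedded sample and hand the candidate list to your firewall.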

Disable ICMP Packets

Though ping is a useful utility for monitoring network connectivity, ICMP traffic can also be used to bog down your network.

Update Kernel regularly

I know, this is not the easiest thing to do, but it is very important to run the latest kernel version. A kernel with known bugs can let an attacker into your system, and there are plenty of tools that gain root access by exploiting kernel bugs.

Run Yum Update regularly

Like the kernel, every package installed on your system may have bugs that allow an attacker to gain access. Update all packages regularly by running yum update.

Using Windows server? Install Anti-Virus

If you are running Windows-based servers, install an anti-virus program and keep its signatures up to date.

Allow SSH from only trusted hosts and specific user accounts

An attacker who obtains a root login can do far more damage than one who obtains a normal user login, so restrict SSH to trusted hosts and to the specific accounts that need it.
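
The three OS items about passwords and SSH (password expiry, no remote root login, SSH only from trusted hosts and accounts) can be checked from the configuration files. Below is an added example, not code from the original checklist: it parses an OpenSSH `sshd_config` for `PermitRootLogin` and `AllowUsers`/`AllowGroups` (real OpenSSH directives; `AllowUsers user@host` is how sshd restricts an account to a source address) and a shadow-utils `login.defs` for `PASS_MAX_DAYS`. The sample configuration texts, hostnames and addresses are constructed for the example, and the 90-day limit is an assumed policy value.

```python
# Constructed sshd_config as it might look before hardening (not taken from any real host).
SAMPLE_SSHD_CONFIG_WEAK = """\
# sshd_config
Port 22
#PermitRootLogin yes
PasswordAuthentication yes
"""

# Constructed hardened sshd_config: root login refused, only two accounts allowed, each
# pinned to a trusted source address or network.
SAMPLE_SSHD_CONFIG_HARDENED = """\
Port 22
PermitRootLogin no
# Only these accounts may log in, and only from the named trusted addresses
AllowUsers deploy@198.51.100.7 ops@203.0.113.0/24
MaxAuthTries 3
"""

# Constructed /etc/login.defs fragments for the password expiry check.
SAMPLE_LOGIN_DEFS_WEAK = "PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\n"
SAMPLE_LOGIN_DEFS_OK = "PASS_MAX_DAYS\t90\nPASS_MIN_DAYS\t1\nPASS_WARN_AGE\t7\n"


def parse_directives(text):
    """Map directive name (lower-cased) -> value for a keyword/value config, ignoring comments.
    sshd applies the first occurrence of a keyword, so the first one wins here too."""
    found = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        found.setdefault(key, value)
    return found


def audit_sshd(text):
    """Return a list of findings about root login and host/user restrictions."""
    d = parse_directives(text)
    findings = []
    # The compiled-in default for PermitRootLogin is not 'no', so require it explicitly.
    if d.get("permitrootlogin", "").lower() != "no":
        findings.append("PermitRootLogin is not set to 'no': remote root login may be allowed")
    if "allowusers" not in d and "allowgroups" not in d:
        findings.append("No AllowUsers/AllowGroups: every account with a shell can try to log in")
    else:
        for entry in d.get("allowusers", "").split():
            if "@" not in entry:
                findings.append(f"AllowUsers entry '{entry}' is not restricted to a source host")
    return findings


def audit_password_expiry(login_defs_text, max_days=90):
    """Flag a PASS_MAX_DAYS above the policy limit (99999 means passwords effectively never expire)."""
    d = parse_directives(login_defs_text)
    findings = []
    try:
        days = int(d.get("pass_max_days", "99999"))
    except ValueError:
        days = 99999
    if days > max_days:
        findings.append(f"PASS_MAX_DAYS is {days}: passwords do not expire in practice (want <= {max_days})")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_SSHD_CONFIG_WEAK), ("hardened", SAMPLE_SSHD_CONFIG_HARDENED)):
        print(label, audit_sshd(cfg) or "OK")
    print("login.defs", audit_password_expiry(SAMPLE_LOGIN_DEFS_WEAK) or "OK")
```

Note that `login.defs` only governs accounts created after the change; existing accounts keep their own expiry fields, which is why a check of the real system would also read `chage -l` for each user.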

Web Server Configurations

Install Web Server package in a CHROOT cage

The chroot utility jails a daemon in a restricted directory tree. It is normally used to insulate services from one another, so that a security issue in one package doesn’t compromise the whole server.

Disable Directory Listing

Directory listing is enabled by default in Apache; it is always a good idea to disable it.

Disable Web Server version reporting

Disable reporting of the web server type and version. Configure the web server so that its signature does not appear on error pages such as Forbidden or Page Not Found.

Run Web Server as no-login user

Always run the httpd daemon as a no-login user, that is, a user account with the least possible privileges.

Disable Unwanted DSO modules

By default, Apache loads plenty of Dynamic Shared Object (DSO) modules from httpd.conf. Disable all the modules you do not need.

Set correct permission to Conf and Bin directory

Remember to set proper permissions on the Apache configuration and bin directories. Only authorized users should be able to read the conf files; to achieve that, put the authorized users in a group and grant the permission to that group.

Choose modules/scripts carefully

As we saw earlier, removing unwanted modules is a good idea. Equally, consider the security implications before adding any module, plugin or script.

Secure Web Server Administration Pages

Apache Tomcat ships with an administration page where you can deploy applications. Such pages should only be served after a two-step authentication process; an .htaccess authorization layer will do. You should also protect Content Management System login pages.

Hide PHPMyAdmin from Public

Do you really need clients such as PHPMyAdmin? If so, secure them properly.

Create Separate Log files for Virtual Hosts

Create separate log files for each Apache Virtual Host hosted on a single physical server. Have you done this?

Employ Web Authentication and Encryption technologies when needed

Employ web authentication and encryption technologies such as SSL/TLS based on the nature of the data the web server handles, for example private, confidential or sensitive data.

Disable Open Proxy on Apache

Apache’s mod_proxy module implements a proxy/gateway for your web server. Though it is useful for “ProxyPass” to pages hosted on private servers, you should disable “ProxyRequests”, which would otherwise let anyone use your server as an open forward proxy.

Disable libwww-perl on Apache

libwww-perl (LWP) is a WWW client/server library for Perl, and it is used by many attack scripts, spammers and bots against websites.
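
The Apache items above (directory listing, version reporting, the httpd user, unwanted DSO modules, open proxy and the libwww-perl User-Agent) all reduce to a handful of httpd.conf settings, so a single audit script can check them together. The following is an added example and not code from the original checklist or from the Apache project. The two configuration fragments are constructed: the first carries the weak settings, the second the hardened ones (`ServerTokens Prod`, `ServerSignature Off`, `ProxyRequests Off`, `Options -Indexes`, and a `SetEnvIfNoCase`/`Require not env` pair that rejects a libwww-perl User-Agent, all standard Apache 2.4 directives). The list of modules treated as unwanted is an assumption for the example; adjust it to what your site actually needs. The libwww-perl check only looks for the string in the configuration, which is a simplification.

```python
import re

# Constructed httpd.conf fragment showing the weak settings this checklist warns about.
SAMPLE_HTTPD_CONF_WEAK = """\
ServerTokens Full
ServerSignature On
User apache
Group apache
LoadModule proxy_module modules/mod_proxy.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
ProxyRequests On
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
</Directory>
"""

# Constructed hardened counterpart of the fragment above.
SAMPLE_HTTPD_CONF_HARDENED = """\
ServerTokens Prod
ServerSignature Off
User apache
Group apache
LoadModule proxy_module modules/mod_proxy.so
ProxyRequests Off
# Reject libwww-perl clients: tag the request, then deny tagged requests below
SetEnvIfNoCase User-Agent "libwww-perl" block_lwp
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
    <RequireAll>
        Require all granted
        Require not env block_lwp
    </RequireAll>
</Directory>
"""

# Assumed list of modules a plain static/PHP site does not need (example policy, not Apache's).
UNWANTED_MODULES = {"status_module", "info_module", "autoindex_module", "userdir_module", "cgi_module"}


def _directive(text, name):
    """First value of a top-level directive (case-insensitive), or None if absent."""
    m = re.search(rf"^\s*{name}\s+(.+?)\s*$", text, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None


def audit_httpd_conf(text):
    """Return a list of findings for the checklist's Apache items."""
    findings = []
    # ServerTokens defaults to Full, so an absent directive counts as leaking the version.
    if (_directive(text, "ServerTokens") or "Full").lower() != "prod":
        findings.append("ServerTokens should be Prod to hide the Apache version")
    if (_directive(text, "ServerSignature") or "Off").lower() != "off":
        findings.append("ServerSignature should be Off to keep the version off error pages")
    if _directive(text, "User") in (None, "root"):
        findings.append("httpd User should be a dedicated no-login account, not root/unset")
    if (_directive(text, "ProxyRequests") or "Off").lower() == "on":
        findings.append("ProxyRequests On turns the server into an open forward proxy")
    for m in re.finditer(r"^\s*Options\s+(.+?)\s*$", text, re.IGNORECASE | re.MULTILINE):
        tokens = m.group(1).split()
        if any(t.lower() in ("indexes", "+indexes", "all") for t in tokens):
            findings.append(f"Directory listing enabled by 'Options {m.group(1)}'")
    for m in re.finditer(r"^\s*LoadModule\s+(\S+)", text, re.IGNORECASE | re.MULTILINE):
        if m.group(1) in UNWANTED_MODULES:
            findings.append(f"Unneeded DSO module loaded: {m.group(1)}")
    if not re.search(r"libwww-perl", text, re.IGNORECASE):
        findings.append("No rule blocking the libwww-perl User-Agent")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", SAMPLE_HTTPD_CONF_WEAK), ("hardened", SAMPLE_HTTPD_CONF_HARDENED)):
        print(f"{label}:")
        for finding in audit_httpd_conf(cfg) or ["OK"]:
            print("  -", finding)
```

Run it against the text of your own httpd.conf (plus any included files, which this example does not follow) and fix each finding; `apachectl -M` will confirm which DSO modules are still loaded afterwards.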

Have minimum possible executable code

Keep as little executable code on your web server as possible. Remove all sample files, scripts, manuals and executable code from the web server’s public html directory.

WordPress Security

Using CMS? Keep it up-to-date

If you are using a Content Management System (CMS) such as WordPress, Joomla or Drupal, make sure you always run the latest version.

Secure CMS Login Pages

It’s recommended to secure the CMS login pages with two-step authentication, which can be achieved using .htaccess.

Disable default CMS user accounts

What’s the username of your WordPress administrator account? I hope it is not admin or any other common username. Attackers keep huge lists of common usernames and passwords, which they use for brute-force attacks on WordPress blogs.

Use Best Security Plugin for WordPress

Secure your website with a popular security plugin. Such plugins assess your WordPress installation and list the elements you should consider securing.

Lock accounts after Invalid login attempts

Lock user accounts after a set number of invalid login attempts. This stops an attacker who tries many wrong passwords before finding the correct one, which is how brute-force and dictionary attacks work.

Have only minimum possible accounts

Using the User Lock plugin, you can disable unused accounts, ensuring that WordPress has only the minimum possible number of accounts.

Disable WordPress version information

Right-click on a WordPress article page and choose View Source. Looking carefully at the HTML, you will notice that a few JavaScript and stylesheet URLs carry query string arguments. These query strings usually denote the version of WordPress or of the plugin you are using, which gives an attacker a hint. Removing the query string also helps with SEO.

Add WordPress Security Keys

WordPress security keys, introduced in WordPress 2.6, are randomly generated values that encrypt the information stored in the user’s cookie. Setting them is very important for your site’s security.

Remove unwanted WordPress tags

By default, WordPress adds plenty of meta and link tags that your website may not need. Keep your HTML output as clean as possible.
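
The three WordPress items above (version query strings, security keys, unwanted tags) are all visible in the page source or in wp-config.php, so they can be checked and generated with a short script. The following is an added example, not code from the original checklist or from WordPress: it finds `?ver=` query strings and the `generator` meta tag in an HTML page, strips the query strings the way a remove-query-strings filter would, flags the `EditURI`, `wlwmanifest` and `https://api.w.org/` link tags that WordPress emits by default, and generates fresh values for the eight wp-config.php keys using Python's CSPRNG (`secrets`). The HTML fragment, domain and version numbers in it are constructed for the example.

```python
import re
import secrets

# Constructed HTML fragment in the shape WordPress emits by default; the domain and
# the version numbers are made up for this example.
SAMPLE_WP_HTML = """\
<head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="https://example.com/wp-content/themes/twentytwentyone/style.css?ver=1.9" />
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="https://example.com/wp-content/plugins/some-plugin/app.js?ver=2.0.3"></script>
<link rel="https://api.w.org/" href="https://example.com/wp-json/" />
<link rel="EditURI" type="application/rsd+xml" href="https://example.com/xmlrpc.php?rsd" />
</head>
"""

VER_RE = re.compile(r'(?:src|href)="([^"?]+)\?ver=([^"&]+)"')
GENERATOR_RE = re.compile(r'<meta name="generator" content="([^"]+)"')
# Link tags WordPress adds by default that a plain blog usually does not need.
NOISY_LINK_RELS = ("EditURI", "wlwmanifest", "https://api.w.org/")


def find_version_leaks(html):
    """List (asset_url, version) pairs exposed through ?ver= query strings."""
    return VER_RE.findall(html)


def find_generator(html):
    """Content of the generator meta tag (e.g. 'WordPress 6.4.2'), or None."""
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def find_noisy_link_tags(html):
    """Which of the default WordPress link tags are present in the page head."""
    return [rel for rel in NOISY_LINK_RELS if f'rel="{rel}"' in html]


def strip_version_query(html):
    """Remove ?ver=... from script/style URLs, as a remove-query-strings filter would."""
    return re.sub(r'\?ver=[^"&]+', "", html)


WP_KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
                "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")


def generate_wp_keys(length=64):
    """Return wp-config.php define() lines with fresh random values for all eight keys.
    The alphabet deliberately contains no quote or backslash so the PHP literal stays valid."""
    alphabet = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
                "!@#$%^&*()-_=+[]{}<>?,.:;")
    lines = []
    for name in WP_KEY_NAMES:
        value = "".join(secrets.choice(alphabet) for _ in range(length))
        lines.append(f"define('{name}', '{value}');")
    return lines


if __name__ == "__main__":
    print("generator:", find_generator(SAMPLE_WP_HTML))
    for url, ver in find_version_leaks(SAMPLE_WP_HTML):
        print(f"version leak: {url} -> {ver}")
    print("default link tags present:", find_noisy_link_tags(SAMPLE_WP_HTML))
    print("\n".join(generate_wp_keys()))
```

Paste the generated define() lines into wp-config.php in place of the existing ones; changing the keys invalidates every current login cookie, so do it during a quiet period.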

Remove WordPress Logo in Admin page

By default, the wp-admin page displays the WordPress logo. It’s recommended to replace it with your own website logo. This may not make a big difference, but it makes a small one for sure.

Database Security

Upgrade Database

Keep your database up to date with the latest bug fixes, patches and releases. However, before updating the database, make sure your code is compatible with the new version.

Run database server as least privileged user

It’s always a good idea to run a service as a no-login user; however, certain database servers need a user account with login permission. In such cases, run the database server as a user with the least privileges.

Do you really need Web based clients?

If you choose to use PHPMyAdmin or a PostgreSQL web client, make sure you really need it. If you do use one, make sure it is not publicly accessible.

Remove unused database accounts

Perform regular audits to ensure that only the necessary database accounts exist. Remove all unwanted or unused user accounts.

Allow connections only from trusted domains

Whitelist the hosts or domains that are allowed to connect to the database and GRANT only the necessary privileges to those hosts.

Application Security

Consider security implications while choosing Technologies

Consider all the security implications when choosing technologies. Client-side technologies such as applets, VBScript, JavaScript and Flash each have their own strengths, weaknesses and associated risks. Similarly, server-side technologies such as JSP, PHP, ASP and Servlets come with their own strengths and weaknesses. Choose a technology for implementation only after careful consideration.

Do not launch code with SUID

If the applications are deployed on UNIX-based machines, the code should not run as SUID. SETUID programs are dangerous if they are not written with proper care.

Inputs received by application should be scanned

If an application receives input data from users, that data should be validated to reject malicious input.

Avoid Information Leakage

Avoid leaking information via comments, explicit application or system error messages, and exceptions.

Remove unwanted codes

As seen earlier, less is better. Remove unwanted code snippets and files that are not related to the application.

Beware of spamming, while creating online forms

Some applications contain online forms that forward links or documents from the website by e-mail. Such mail should not be allowed to go to arbitrary external e-mail addresses, as the form can otherwise be abused to spam external users.

Beware of SQL Injections, Cross-site scripting attacks

Consider security implications while writing code so as to prevent SQL injection and cross-site scripting flaws.
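
The two flaws named here, and the input validation item above, come down to three habits: never build SQL from strings, escape data when it is written into HTML, and allow-list input at the boundary. The following is an added example, not code from the original checklist: it shows a concatenated query beside its parameterised form against a constructed in-memory SQLite table, an unescaped HTML template beside one that uses `html.escape`, and an allow-list validator for usernames. The table contents, the username pattern and the two malicious inputs are constructed for the example.

```python
import html
import re
import sqlite3


def make_db():
    """In-memory SQLite database with a constructed users table (sample data, not real users)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return conn


def find_user_vulnerable(conn, username):
    """Builds the query by concatenation, so the user's input is parsed as SQL."""
    query = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Parameterised query: the value travels separately from the SQL text and is never parsed as SQL."""
    return conn.execute("SELECT username, email FROM users WHERE username = ?", (username,)).fetchall()


def render_greeting_vulnerable(name):
    """Writes the value straight into markup, so tags in it become part of the page."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    """Escapes on output so the browser treats the value as text, never as markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


# Assumed allow-list for usernames at the input boundary (example policy).
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def validate_username(name):
    """Reject anything outside the allow-list before it reaches the database or the page."""
    return USERNAME_RE.fullmatch(name) is not None


# Constructed inputs of the kind the checklist warns about.
MALICIOUS_USERNAME = "x' OR '1'='1"
MALICIOUS_NAME = "<script>alert(1)</script>"


if __name__ == "__main__":
    conn = make_db()
    print("concatenated query returns", len(find_user_vulnerable(conn, MALICIOUS_USERNAME)), "rows")
    print("parameterised query returns", len(find_user_safe(conn, MALICIOUS_USERNAME)), "rows")
    print(render_greeting_vulnerable(MALICIOUS_NAME))
    print(render_greeting_safe(MALICIOUS_NAME))
    print("validate:", validate_username("alice"), validate_username(MALICIOUS_USERNAME))
```

Validation and parameterisation are complementary: the allow-list keeps junk out of the application, while the parameterised query and output escaping protect you even when a value legitimately contains quotes or angle brackets.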

Backup all data periodically!

I need not explain this; the title says it all. Apart from periodic backups, you should also take a backup before updating any software or package.

Subscribe to security related announcements

You should also subscribe to the appropriate mailing lists and/or websites for security-related announcements and updates. For instance, if you are using WordPress, subscribe to the WordPress mailing lists to keep track of bug fixes and patches.