Really Simple Guide to Web Server Security
Web Server Security is a Never Ending Beast to TackleWe’ve covered some of the finer details about web servers in our Really Simple Guide to Web Servers although we didn’t go into too much detail about the security side of web servers. This is because it is an enormous topic to cover so we thought it would be best to cover in a separate guide.
Daily Realities of Server Security
Most businesses are quite blasé when it comes to website and web server security with thoughts often being along the lines of…. Its ok, it’ll never happen to us. The reality of the situation couldn’t be further from the truth. You needn’t look any further than a daily newspaper to likely read about one of the latest data or security breaches on websites. And this is only the tip of the iceberg for what is actually reported. The reality of this is that there are even more business websites hacked into and taken offline through a variety of means on a daily basis than you could ever imagine.
At the time of writing, we’re experiencing such an enormous increase in this problem that not only are we talking to more and more businesses about these exact threats but we are also experiencing a rise in businesses coming to us with problems to solve after they have been attacked or hacked. It is a never ending battle dealing with website and server security, one which is hugely important to dedicate time and money to so that you can be confident your website will be online well over 99% of the time. You have to accept the fact as a business owner that your website will never be online 100% of the time. Even websites as large as Google, the BBC and Twitter have fallen over due to a variety of reasons.
For many business owners, their websites and web server often gets caught in the firing line of a sophisticated cyberattack robot which is often fully automated or being run by someone just trying to prove they can bring down a website. It is absolutely essential that you are taking as many measures as possible to minimise the risks involved by controlling the factors that you can.
Web Server Security Threats
So let’s take a look at some of the more common web server security threats we see before we jump into how to protect against these.
Social Engineering Attacks
Social engineering attacks are when you are an actual target. This is when a cybercriminal is actively trying to get into your systems by understanding you as a person. This could be by trying to understand your behaviours, habits and what you are most likely to fall for.
As a prime example, hearing a story from a large cyber security organisation recently, they sent out over 500 USB pen drives to Chief Financial Officers with details of an invitation to an exclusive party contained on the device. Generally speaking, it’s the CEO who gets the invites so all of the CFOs were no doubt excited to receive the invitation and all too eager to plug the pen drive into their computer. Lo and behold, as soon as they plug this USB pen drive into the computer, the cybercriminal then has access to all of the files, data and information that is accessible on the system by this user. The scariest part of this story is that out of these 500 businesses who were targeted as part of a publicity stunt, over 350 businesses fell for this trick. You would have thought larger businesses would have known better but this really is not the case. Be vigilant.
Unpatched Software Attacks
A common problem we see that is a little more specific to websites and web server technologies is when attacks happen as a direct result of software being left unpatched. All too often businesses will leave their unpatched software running on their website and web server only to find a week or two later when they were planning to get around to doing the upgrade that they find their website or web server has been hacked into.
You cannot wait to patch your software on your website or web server. This is absolutely essential that you are keeping up to date and only using trusted technologies, 3rd party plugins and code that you are confident is safe, secure and is patched regularly.
Sloppy Development Attacks
Sloppy software and website development can cause a lot of problems. It is absolutely essential that you are working with a company who understands how technology choices and development methods work hand in hand with security.
You needn’t look any further than the short story we recently wrote about whereby sloppy website development lead to anyone being able to register as an administrator on the website without authorisation.
Phishing Attacks
Phishing attacks are designed to trick you into giving out your username and password for websites. You will no doubt have seen suspicious emails come from your bank or PayPal asking you to login to verify who you are. These attacks are designed to make you believe that this request came from one of your trusted partners so that you will act upon the information by logging into their system. When you click the link in the email, while the website you visit may indeed look like your favourite website, you will actually be sending your username and password directly to the hackers.
We’ve been seeing these types of attacks increase recently with phishing emails targeting business owners and specific website domain names. Phishing attacks are not limited by industry, the same techniques are often used to gain access to your web servers and websites by tricking you into believing you have received a valid email from a service you use.
Distributed Denial of Service (DDoS) Attacks
Denial of Service attacks are when a specific website or web server is attacked in the simplest way possible, by keep requesting a page again and again and again. This could be the homepage or another page on your website. The smarter Denial of Service attacks we see are when the attack is specifically targeting a page on your website that uses a lot of server resources such as the WordPress Cron which requires a lot more resources to run than the homepage does.
As you will have read in our Really Simple Guide to Web Servers, your web server is limited by resources including CPU and Ram. Denial of Service attacks are designed to flood your web server with requests to serve your website which simply cannot be handled, causing your web server to become unresponsive and ultimately crashing. Denial of Service attacks are reasonably straight forward to deal with as you can set up automated systems to block certain IP addresses which are causing problems which we’ll cover a little later. The problem lies with Distributed Denial of Service attacks which are extremely difficult to deal with if you are receiving small number of requests from a large number of IP addresses which automated systems cannot separate from a genuine spike in traffic to your website. Take a look at the illustration about how a DDoS attack works.
Brute Force Attacks
Brute Force attacks are designed to guess your usernames and passwords for the systems you are using. It is relatively straight forward to see what technology your website and web server is running in the background when you know where to look and how to identify this information. So this can then be built into an automated system to attack a website or web server.
It is all too common that people still use easy to guess usernames and often easier to guess passwords that they really shouldn’t be doing. Brute Force attacks are essentially a more structured approach to the Infinite Monkey Theorem which will run through a list of common passwords first then start working their way through the dictionary before moving onto more complex passwords to test to see if they work. Eventually for weak passwords the attack will breach your poor security and the cybercriminal will have access to your data.
Rent a Hacker
The majority of the security threats outlined above are automated with scripts created by people with a bit of knowledge about how to do these types of things. The more worrying threat are around services whereby you can actually rent a hacker and employ someone for a fixed fee to hack into a website or webserver for you. You will no doubt likely be the company being attacked rather than the company employing such an individual we would hope, so it’s important to protect yourself as much as possible.
Methods of Protection
The above cybersecurity threats are just the tip of the iceberg, they really are. Understanding what is actually happening in the background is the first step to becoming aware of the threats that are happening on a daily basis which you will no doubt be blissfully unaware of until there is a problem that needs to be fixed.
So let’s look at some of the methods of protecting your website and web server from these types of attacks. This is by no means a definitive list of items that need to be implemented, more of a guide to get you on the right track.
The below methods of protection are looking at how the internet traffic actually arrives at your website in the different orders. The sooner you can block an attack in the process the more effective your solutions are and most importantly the safer you are. This being said you can never 100% protect yourself at only a single level which is why it is essential to build in security throughout the entire technology stack.
When a person or attacker wants to access your website they have to go through various technology steps before they actually receive the information from your web server in the form of the web page they requested;
- Request example.com
- Which routes to a specific IP address such as 123.456.789.123
- Which routes through the hardware infrastructure of a data centre of some sort and into your web server
- Which then routes through your web server into the specific application running, likely your Web Server technology such as Apache or Nginx
- Which then routes through to your website software such as WordPress or Magento
- Which then may do other things such as third party calls to other technology and services
- And potentially more…
So let’s look at what you can do to protect yourself at the different levels. It is vital that you have the right levels of protection in place at every level to block as many attacks as possible.
Hardware & Configuration Level
This is the first port of call when someone is attacking your website which is why it is important to have the right level of protection in place at the hardware level. At the hardware level there are many configurations you can implement based on the size of business you are along with the amount of risk you are willing to take by not having these things in place which is generally down to the amount of money you are willing to invest. Protecting your web server at the hardware level doesn’t come cheap.
Hardware Firewall
First of all you absolutely must have a hardware firewall in place. This hardware firewall sits in front of your web server meaning that only valid looking traffic will be allowed to reach your web server and request content. This can be extremely valuable as this means that any basic level attacks can be thwarted by the hardware firewall.
Changing Default Ports
Think of a Port on your web server as a Shortcut on your personal computer. Just as a shortcut when accessed sends you to your favourite application such as Microsoft Word, in the same way when someone accesses Port 80 on your web server for example, this will send the user to the Web Server software that is running on your hardware. Likewise port 21 will send users to FTP and port 22 will generally send users to your Secure Shell. Depending on the configuration of your web server, you will have a set of ports which are open which are needed to allow people to access your web server so they can view things like your website and other services you may be running.
Some of these ports you cannot go and change. For example, if you change your web server to not use port 80 to view your website, then quite simply, no-one would be able to view your website. Port 80 is the default that is used with web browsers and is what they expect. On the other hand, it is possible and most importantly it is recommended to change other ports on your web server to avoid automated robots trying to break into your web server using these default ports. For example, instead of having your Secure Shell (SSH) being on port 22, change this to something else. This is an important service that is running since when someone accesses your web server via SSH, you are basically screwed. It is too late and the hackers have won, they have access to all of your data on the server and have probably already either deleted everything or changed the files to suit their needs.
By changing the default ports on your web server and closing down any ports that you don’t need, you are securing your web server at the hardware level to protect yourself that little bit more.
Decoupling Your Digital Services
We have already talked in-depth about the importance of decoupling your digital services, so we aren’t going to repeat ourselves here. In summary though, it is absolutely essential that you decouple your digital services which includes; DNS, Hosting, Registrar, Emails, Backups and more. The reason why this is so important is that if someone does manage to hack into your web server, then this means at least they don’t have access to absolutely everything. If you have all of your eggs in one basket and the handle breaks on that basket then you have a lot of cleaning up to do.
Cloud Based Firewall
Beyond the hardware firewall, there are also cloud based hardware firewalls which start to get very interesting. Anyone who has run a popular website for any length of time or anyone who has managed a web server will be all too familiar with the realities of Distributed Denial of Service attacks (DDoS). This is when your website is flooded with requests from hundreds, thousands or even tens of thousands of computers around the world. What happens here is that your web server becomes overloaded and ultimately crashes, meaning your website is offline.
For many smaller businesses who don’t use their website that often you might not even know when this happens as your web hosting company would (or should!) probably have fixed the problem already. For businesses whose website is become an essential part of their business you will start to notice this even more and generally it will happen at a critical time you are using the website which becomes a little frustrating.
When you are at this stage, you need to start to understand more about how web servers work then once you have understood this and made sure you have the right hardware in place, you’ll need to have the right server monitoring technology in place too. Then once you have this in place you can understand what you need to do next. It is this insight which will allow you to make decisions based on what cloud based firewall you actually need in place.
A cloud based firewall is a system that sits between your web server and your website visitors. It is designed to block automated robots trying to bring down your website by requesting a lot of pages simultaneously. There are varying levels of cloud based firewalls starting with services such as Sucri for smaller businesses and WordPress websites, all the way up to enterprise level solutions including Akamai and CloudFlare.
Server Level
The next step in the process is server level security. By this point, there is a higher chance that the traffic is genuine. That being said, this isn’t always the case so it is important to implement server level security to block traffic that looks suspicious.
ConfigServer Security & Firewall
On cPanel based web servers there is an open source technology which can be enabled and configured called ConfigServer Security & Firewall. This comes bundled with technologies including mod_security and LFD. These individual technologies are a little in-depth for this resource, so for simplicity, these are additional pieces of technology which will identify and automatically block suspicious traffic to your web server.
CPHulk
Another tool that is designed to add an extra level of security to your web server is CPHulk. This tool is designed to identify and block brute force attacks to cPanel by detecting failed login attempts. This helps to keep your cPanel interface secure so that it is harder for attackers to simply guess your password.
Fail2Ban
For web servers that aren’t running a control panel interface, another tool which is often used is Fail2Ban. This is a command line tool which is configured to automatically identify and block suspicious traffic hitting your web server. Essentially doing a similar thing to the above tools.
Software Level
The next step in the journey is at the software level. By this point, you would have thought that all of the attacks would have been detected. Unfortunately this is not the case which is why it is essential to include software level security measures.
All in One WordPress Security & Firewall
For WordPress specifically, the leading plugin is All in One WordPress Security & Firewall which has the option to enormously improve the default security aspects of WordPress. WordPress is already an extremely secure platform, although as it powers 23% of websites on the internet, it is also an enormous target for hackers. For this reason, it is essential to boost the security of WordPress websites using plugins such as this.
Website Development Standards & Best Practice Training Level
The challenge with security is that a large amount of security issues are introduced by people and there is no software in the world that can prevent human errors. What this means is that security related training is essential to avoid preventable errors being introduced to your software projects and website.
OWASP Top 10 is the Open Web Application Security Project which provides guidelines for the top 10 methods to prevent attacks related to software and poor coding. By training all your staff and web developers on this topic, you can then introduce additional systems and checks within your web development process to prevent these types of coding errors being introduced to your software.
Summary
The summary of web server security that it is difficult and requires time, effort and investment to get right. Do not be misled into believing that your business will never be a target for attackers and do not underestimate the amount of time, dedication and expertise required to tighten your web server security.
The unfortunate reality is that no matter how many levels of security you have in place, if someone is determined enough to hack into your web server, they probably can do eventually. It is important to have the right level of protection in place for your business.
If you have any concerns about your web server and website security, get in touch to talk to us about your requirements.