Server security is often given high priority only once it is too late. Yet a server can be protected against unauthorized access with comparatively simple means. In this entry we introduce a few measures that substantially raise the baseline security of your server.
Passwords
First, make sure you only use passwords that follow certain rules, so that they are hard to guess. A password should be at least 16 characters long, contain no dictionary words or repeated sequences (e.g. "asdfasdf"), and mix upper- and lower-case letters, digits and special characters. A password should also serve only one purpose and never be reused for several systems. These rules are easy to follow with a password generator and a password manager.
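As an added example (not code from the original article), the following bash script enforces the rules above and generates passwords that satisfy them. The word denylist is a deliberately tiny constructed stand-in for a real dictionary or breached-password list, and the script assumes bash 4 or newer and a readable /dev/urandom.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article: a checker for the
# password rules above plus a generator that only returns passwords the
# checker accepts. Assumptions: bash 4+, /dev/urandom available.

MIN_LEN=16
# Constructed, deliberately tiny word denylist standing in for a real
# dictionary / breached-password list, which a production check should use.
DENYLIST='password admin welcome qwerty letmein'

# has_repeat STR -> 0 if STR contains a run of 2+ characters immediately
# repeated ("asdfasdf", "abab"), 1 otherwise.
has_repeat() {
    local s="$1" n=${#1} l i
    for (( l = 2; 2 * l <= n; l++ )); do
        for (( i = 0; i + 2 * l <= n; i++ )); do
            if [ "${s:i:l}" = "${s:i+l:l}" ]; then return 0; fi
        done
    done
    return 1
}

# check_password PW -> 0 if PW satisfies the rules, 1 (with the reason on
# stdout) otherwise.
check_password() {
    local pw="$1" lower w
    if [ "${#pw}" -lt "$MIN_LEN" ]; then echo "shorter than $MIN_LEN characters"; return 1; fi
    [[ $pw =~ [a-z] ]]        || { echo "no lower-case letter"; return 1; }
    [[ $pw =~ [A-Z] ]]        || { echo "no upper-case letter"; return 1; }
    [[ $pw =~ [0-9] ]]        || { echo "no digit"; return 1; }
    [[ $pw =~ [^A-Za-z0-9] ]] || { echo "no special character"; return 1; }
    if has_repeat "$pw"; then echo "repeated sequence"; return 1; fi
    lower=${pw,,}
    for w in $DENYLIST; do
        case "$lower" in *"$w"*) echo "contains the word '$w'"; return 1 ;; esac
    done
    return 0
}

# gen_password [LEN] -> print LEN (default 20) random characters drawn from
# all four classes, retried until check_password accepts the result.
gen_password() {
    local len="${1:-20}" pw
    while :; do
        pw=$(LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=' < /dev/urandom | head -c "$len")
        if check_password "$pw" > /dev/null; then printf '%s\n' "$pw"; return 0; fi
    done
}

# Demo: one rejected and one accepted password, then a freshly generated one.
for candidate in 'asdfasdfasdfasdf' 'Tr0ub4dor&3-correct-H'; do
    if reason=$(check_password "$candidate"); then
        echo "ok:   $candidate"
    else
        echo "weak: $candidate ($reason)"
    fi
done
echo "generated: $(gen_password 24)"
```

The repeat check compares every substring with the substring that immediately follows it, so it catches "asdfasdf" and "Xy9!Xy9!" but not the isolated double letter in "correct", which the rules do not forbid.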
Updates and services
One of the most common ways attackers get into a server is by exploiting security holes in services or the operating system. Regular updates are therefore essential for a secure server, and security updates should be installed as soon as they are available.
Your servers should only run the services you actually need. Check the installed software on each server and remove unknown or unnecessary services. It is also important that every service runs under its own dedicated user with restricted rights, never as root.
Remote access restriction
You should keep access to your servers via SSH or RDP as limited as possible.
With SSH, direct login as root should be prohibited; log in as a user without special permissions instead. To administer the server, this user can use sudo to be granted elevated rights temporarily, one command at a time. It is also recommended to forbid password logins and to allow only public-key authentication. For this, every client that is to be allowed to connect has a key pair: a private key, which must be kept safe and never leaves the client, and a public key, which is stored on the server in the user's authorized_keys file. On login the server sends the client a challenge, the client signs it with its private key, and the server verifies the signature against the stored public key; no password crosses the network, and the public key on the server cannot be used to impersonate the client. Before disabling password logins, confirm from a second session that the key-based login works, otherwise you may lock yourself out.
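The procedure described above, as an added example (not the article's own code): an unprivileged admin account, a key pair whose public half is installed on the server, and an sshd drop-in that then turns off root and password logins. The account name "deploy", the host name "server.example", the Debian/Ubuntu-style sudo group and adduser, and OpenSSH 8.2 or newer with the default "Include /etc/ssh/sshd_config.d/*.conf" are this example's assumptions.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article: key-only SSH access for an
# unprivileged admin account that gets root rights only through sudo.
# Assumptions (this example's choices): OpenSSH 8.2+ with the default
# "Include /etc/ssh/sshd_config.d/*.conf", a Debian/Ubuntu-style "sudo" group
# and adduser, the account name "deploy" and the host name "server.example".

ADMIN_USER="${ADMIN_USER:-deploy}"
SERVER="${SERVER:-server.example}"

# sshd_hardening_conf -> print the drop-in that forbids root and password logins.
sshd_hardening_conf() {
    cat <<'EOF'
# 50-hardening.conf: no root over SSH, public keys only
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
AuthenticationMethods publickey
MaxAuthTries 3
LoginGraceTime 30
EOF
}

# install_sshd_dropin DIR -> write the drop-in into DIR (normally
# /etc/ssh/sshd_config.d), creating DIR if needed.
install_sshd_dropin() {
    local dir="$1"
    mkdir -p "$dir"
    sshd_hardening_conf > "$dir/50-hardening.conf"
    chmod 0644 "$dir/50-hardening.conf"
}

# config_says FILE KEY VALUE -> 0 if FILE contains the directive "KEY VALUE"
# (directive names are case-insensitive in sshd_config), else 1.
config_says() {
    awk -v k="$2" -v v="$3" \
        'tolower($1) == tolower(k) && $2 == v { found = 1 } END { exit !found }' "$1"
}

# Step 1, on the server as root: create the unprivileged admin account.
create_admin_user() {
    adduser --gecos "" "$ADMIN_USER"   # ordinary user, no special rights
    usermod -aG sudo "$ADMIN_USER"     # may run single commands as root via sudo
}

# Step 2, on the workstation: generate a key pair and install the PUBLIC half
# into ~/.ssh/authorized_keys of the admin user. ssh-copy-id still logs in with
# the password here, so this must happen before step 3.
client_keys() {
    ssh-keygen -t ed25519 -a 100 -f ~/.ssh/id_ed25519 -C "admin workstation"
    ssh-copy-id -i ~/.ssh/id_ed25519.pub "$ADMIN_USER@$SERVER"
    ssh -i ~/.ssh/id_ed25519 "$ADMIN_USER@$SERVER" id   # must work before step 3
}

# Step 3, on the server as root, from a session you keep open: disable password
# and root logins, check the syntax, then reload. Test the key login from a
# second terminal before closing this session.
harden_sshd() {
    install_sshd_dropin /etc/ssh/sshd_config.d
    sshd -t                                   # syntax check; non-zero means do not reload
    sshd -T | grep -Ei '^(permitrootlogin|passwordauthentication|authenticationmethods) '
    systemctl reload ssh                      # the unit is "sshd" on RHEL-family systems
}

# Stand-alone: show the drop-in this script would install.
sshd_hardening_conf
```

`sshd -T` prints the effective configuration after all Include files are merged, which is the value that matters if an earlier file in sshd_config.d or the main sshd_config sets the same directive; sshd uses the first occurrence of a directive, so the drop-in's number must sort before any conflicting file.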
With RDP, accept only connections that use Network Level Authentication (NLA), which authenticates the client before a session is established, so that unauthenticated clients never reach the login screen.
Where possible, two-factor authentication is also recommended: in addition to the actual credentials, a one-time code is required that is generated by or sent to a registered device, often a smartphone.
Protection against brute force
The fail2ban service can detect and block brute-force attacks, i.e. attacks that try to gain access by rapidly trying many credential combinations, for individual services. It watches a service's log for failed login attempts and, once a source address exceeds a threshold within a time window, bans that address with a temporary firewall rule. This is particularly recommended for SSH, but it works for any service that records failed login attempts in a log.
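To show what fail2ban's sshd filter actually does, here is an added example (not from the original article) that reproduces the counting step in awk over a constructed auth.log sample, followed by the jail.local that enables the same check against the real log. The log lines, host name and IP addresses are made up (documentation address ranges), and the log format is the syslog-style one used by sshd on Debian/Ubuntu.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article: fail2ban's sshd check
# reproduced over a constructed log sample, plus a jail.local for the real log.
# Assumptions: syslog-style sshd lines; the sample below is made up.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  4 10:12:01 srv sshd[2310]: Invalid user admin from 203.0.113.7 port 51244
Mar  4 10:12:01 srv sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 51244 ssh2
Mar  4 10:12:05 srv sshd[2312]: Failed password for root from 203.0.113.7 port 51250 ssh2
Mar  4 10:12:08 srv sshd[2315]: Failed password for root from 203.0.113.7 port 51260 ssh2
Mar  4 10:12:10 srv sshd[2318]: Failed password for deploy from 203.0.113.7 port 51270 ssh2
Mar  4 10:13:00 srv sshd[2320]: Accepted publickey for deploy from 198.51.100.5 port 40022 ssh2
Mar  4 10:13:30 srv sshd[2322]: Failed password for deploy from 198.51.100.5 port 40030 ssh2
EOF

# offenders LOGFILE MAXRETRY -> print, sorted, every source IP with at least
# MAXRETRY failed-login lines in LOGFILE. The whole file stands in for
# fail2ban's findtime window; a successful login does not reset the count.
offenders() {
    awk -v max="$2" '
        /sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip }
    ' "$1" | sort
}

# jail_local -> print an /etc/fail2ban/jail.local that enables the sshd jail:
# ban for 1 hour after 5 failures within 10 minutes, never ban localhost.
jail_local() {
    cat <<'EOF'
[DEFAULT]
bantime  = 1h
findtime = 10m
maxretry = 5
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
port    = ssh
EOF
}

echo "addresses that would be banned with maxretry=3:"
offenders "$SAMPLE_LOG" 3
```

With maxretry=3 only 203.0.113.7 is reported; 198.51.100.5 has a single failure, and its earlier successful key login is not counted. Install the jail with `jail_local > /etc/fail2ban/jail.local`, restart fail2ban and check `fail2ban-client status sshd`; on hosts that log only to journald, add `backend = systemd` to the [DEFAULT] section.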
Firewall
Finally, use a firewall to restrict incoming and outgoing connections. A host-based software firewall such as iptables or the Windows firewall is sufficient for this. As a rule, allow only the incoming connections that are actually required and block everything else by default.
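The default-deny rule set above, written out as an added example (not the article's own code) in iptables-restore format for an IPv4 host firewall. It assumes the conntrack and recent match modules and, for persistence, the /etc/iptables/rules.v4 path used by iptables-persistent; the port list is the caller's choice.

```bash
#!/usr/bin/env bash
# Added example, not code from the original article: a default-deny inbound
# ruleset in iptables-restore format for an IPv4 host firewall.
# Assumptions (this example's choices): iptables with the conntrack and recent
# match modules, and the iptables-persistent path /etc/iptables/rules.v4.

# ruleset PORT... -> print a ruleset that drops everything inbound except
# loopback, replies to our own connections, ICMP and new TCP connections to
# the listed ports; outbound stays open. Port 22 additionally gets a per-source
# rate limit on new connections (6 per minute), which slows brute force before
# fail2ban reacts.
ruleset() {
    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    printf -- '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf -- '-A INPUT -m conntrack --ctstate INVALID -j DROP\n'
    printf -- '-A INPUT -p icmp -j ACCEPT\n'
    local p
    for p in "$@"; do
        if [ "$p" = 22 ]; then
            printf -- '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --set --name SSH\n'
            printf -- '-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -m recent --update --seconds 60 --hitcount 6 --name SSH -j DROP\n'
        fi
        printf -- '-A INPUT -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' "$p"
    done
    printf 'COMMIT\n'
}

# apply_ruleset PORT... -> run as root: parse-check, load atomically, persist.
apply_ruleset() {
    local f=/etc/iptables/rules.v4
    mkdir -p /etc/iptables
    ruleset "$@" > "$f"
    iptables-restore --test < "$f" && iptables-restore < "$f"
}

# Stand-alone: print the ruleset for SSH, HTTP and HTTPS.
ruleset 22 80 443
```

Because iptables-restore replaces the whole table at once, there is no window with a half-applied policy. Two caveats a practitioner should keep in mind: IPv6 needs its own ruleset loaded with ip6tables-restore (and must not drop the ICMPv6 messages neighbour discovery relies on), and applying a default-deny policy over SSH should be done from the console or with a scheduled fallback that flushes the rules, since one missing ACCEPT locks you out.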
With these simple steps you can protect your server and your data from misuse and unauthorized access. Further steps depend on how the server is used and can include, for example, hardening the configuration of individual services or detecting intrusions.