Server Hardening: The Ultimate Guide
The ultimate guide to server hardening: best practices, common mistakes to avoid. Secure your servers and protect sensitive information from cyberattacks with server hardening techniques.
In today's age of information and technology, server security has become more critical than ever before. These machines serve as the backbone of all our online operations, storing and handling sensitive information in immense quantities. Unfortunately, cybercriminals are always looking for new ways to exploit servers, steal data, and launch attacks. As such, it's crucial to protect servers from these threats and minimize the damage that occurs as a result of them. In this post, we will discuss server-hardening techniques, best practices, and common mistakes to avoid. Since I want this article to be as comprehensive as possible, it is quite long. Feel free to use the Table of Contents to the left to navigate.
What is Server Hardening and Why is it Important?
Server hardening is the process of securing a server and its applications to protect against cyberattacks such as malware. This is done by removing vulnerabilities or methods (a.k.a. attack vectors) that a hacker might use to access the server. The sum of these attack vectors is called an attack surface. When hardening a server, our goal is to minimize the attack surface.
Your servers must stay secure to protect users' information, minimize downtime, and reduce the costs of dealing with data breaches. Many industries (such as banking) have regulatory standards for security, which are required by law, and server hardening helps to meet those standards.
Common Server Hardening Techniques
Control User Access
While it might seem simple, restricting access to only authorized users is the most critical aspect of hardening a server, which is why I included it first. Users that access your server should be trusted, trained, and well-informed about good security practices. The most common way to control user access is to assign each user a unique account with only the required privileges they need to complete the task at hand. This concept is called the principle of least privilege (also applies to programs, processes, etc.), and is the fundamental building block is information security. Don't forget to regularly review and update user permissions to ensure that access is granted only on a need-to-know basis.
Implement Strong Authentication Methods
Strong Passwords
You should encourage users to use long, complex passwords that include a mix of uppercase and lowercase letters, numbers, and special characters. You should also consider enforcing a strong password for applications where security is of high importance.
Multifactor Authentication
Another step you can take is to implement multifactor authentication. Server admins tend to skip this step because they think it's too complicated to set up or only applicable for enterprise settings, but this is far from the truth. How you set up MFA will depend on your OS but typically consists of installing a package and changing one or two configuration files. According to Alex Weinert, Group Program Manager for Identity Security and Protection at Microsoft, "Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA."
Go Passwordless
Passwords are arguably inferior to other authentication methods like key-based authentication. Of course, this is only a problem because humans are generally bad at using passwords effectively. According to research by iProov, a security company that sells commercial biometric authentication services, people share, reuse and write down their passwords, which is a HUGE security risk.
The alternative to passwords is key-based authentication which provides several advantages like being more convenient for users, preventing brute-force attacks, and is even a form of multi-factor authentication. You can learn how to enable key-based authentication for SSH by following this guide by Digital Ocean.
Preventing Brute-Force Attacks
By default, SSH will allow an attacker to try as many passwords as they want, albeit with some time delay. The default SSH settings allow an attacker to issue 10 connections in parallel, with each connection allowing 4 connection attempts before being reset. This means an attacker can try over 10K passwords in an hour. This is obviously not great for security. One way to mitigate this problem is to use tools like fail2ban, which will automatically ban or jail hosts that have too many failed authentication attempts.
Disable Unused and Obsolete Features
The SSH protocol was first introduced in 1995 and has gone through several changes since then. However, some not-so-secure features like X11 forwarding are still enabled by default on most SSH configurations. If you are not familiar with X11, it's a windowing system first introduced in 1984 but still commonly used in some Unix systems. Because of its age, it has many severe vulnerabilities that cannot be fixed without causing catastrophic changes to its API.; vulnerabilities that are so severe that they allow privilege escalation with a simple script. Simply put, a "secure" shell with X11 forwarding enabled is just a shell.
Another thing to consider is to disable SSH for certain users. Again, this is the principle of least privilege. If a user does not need or use SSH, then SSH access should be disabled for them.
Use a secure, up-to-date operating system
A secure and up-to-date operating system is often the most overlooked aspect of server hardening. Your operating system is the foundation of all your applications and services so it's essential to do your research and choose a secure and reliable option. Generally, you want to avoid rolling-release operating systems like Arch Linux and choose a point-release OS like Debian instead. You should also avoid outdated versions and choose an LTS version if possible. Some good OS options include Red Hat Enterprise Linux, Debian/Ubuntu, Fedora Server, and FreeBSD. Regardless of which OS you choose, it's important to install updates and security patches regularly.
Advanced Server Hardening Techniques
Use a Virtual Private Network (VPN)
No, probably not the VPN you're thinking about. When most people hear the words "VPN" they think of consumer VPNs, which don't actually give you access to a private network. Instead, they function more like a middleman between your computer and the service you are accessing. While consumer VPNs can be helpful in some scenarios, they're almost useless for server hardening. Instead, we want to use a "true" VPN that allows us to access the private network.
Instead of having servers exposed on the internet, we can place them inside a private network (our intranet). That is, the servers cannot be accessed from outside the intranet. To facilitate communication between the servers and clients, we can use a VPN gateway which has access to both our intranet and the internet. Typically, the VPN gateway only allows authorized users (like yourself or an employee) to access the network with a key. Popular choices for a VPN gateway include Wireguard (fastest), OpenVPN, and Tailscale (easiest to use).
Use Intrusion Detection Systems (IDS)
An IDS is a security tool that monitors a system for suspicious activity and alerts system administrators when threats are detected. An IDS typically operates at the network level (NIDS) or the host level (HIDS), each with its own advantages and disadvantages. At a minimum, you should have either a NIDS or a HIDS, but it's better to have both. Some popular HIDS include OSSEC, Tripwire, and Wazuh. And some popular NIDS include Snort, Suricata, and Zeek. The above IDSes also work as Intrusion Prevention Systems, which can take action instantly without needing to wait for a system admin.
Avoid Supply-Chain Attacks
A supply-chain attack is one where the attackers target a third party that has access to your server (a.k.a your supply chain). A recent supply-chain attack happened in March 2021, where more than 20,000 US organizations were compromised through a back door that was installed via flaws in Microsoft Exchange Server. Supply-chain attacks can usually be prevented by choosing only reputable vendors with strict security compliance. You can also choose to use a third-party (ironic, I know) monitoring service like Snyk to identify and mitigate supply-chain risk. Following the other guidelines mentioned in this article is also a good way to minimize the damage when a supply-chain attack does occur.
Understand your Operating System
Understanding the ins and outs of your operating system is essential for effective server hardening. This means going beyond surface-level knowledge of your OS and delving into the details of how it works, what security features are available, and how to configure them properly. Some areas to focus on include understanding the default settings and services that come with the OS, knowing how to secure the file system and permissions, and configuring network settings securely. To effectively harden a server, you should know exactly what your operating system does when a file is opened or when you type google.com in the search bar and hit enter. If this seems like too much for you, read the next section.
Hire a Security Expert
Okay, if you're just using this guide to keep hackers out of your Minecraft server, you can probably skip this step. But if, for example, you are the proud owner of a medium- to large-scale business, then you should seriously consider hiring a security expert. The information security field is a lot more complex than it seems. While guides on the internet may help you prevent immediate security risks, they do not protect you against more advanced attacks. A security expert would have the knowledge and experience to make advanced attacks much more difficult. For example, most guides for setting up key-based SSH authentication tell you to use the default RSA encryption; but a security expert will have the foresight that RSA will be cracked with quantum computing in the near future making your encryption practically useless.
Common Mistakes to Avoid
When hardening a server, it's important to avoid certain common mistakes that can leave your server vulnerable to cyber threats. Here are some of the most common mistakes to avoid:
Not Keeping Backups
Regular backups of your server data can also be crucial in case of human error, such as accidental deletion or corruption of data. It is important to not only create backups but also to test them regularly to ensure that they are functioning correctly and that you can restore your data quickly and efficiently in case of an emergency. In addition, it is recommended to keep multiple copies of backups, including at least one off-site or cloud-based backup, to protect against physical disasters such as fires or floods that may damage your physical storage devices. By having a comprehensive backup strategy in place, you can minimize the impact of any potential data loss and maintain business continuity in the event of a disaster.
Relying on Default Security Settings
Customizing security settings for your server is crucial for proper hardening and protection against potential cyber threats. While default settings may offer some baseline protection, they may not be sufficient. To determine your server's specific security needs, conduct a thorough analysis of its purpose, data handling, and access requirements. Once these needs are identified, tailor your security measures accordingly. This may include configuring firewalls, intrusion detection systems, access controls, and other measures. It's important to regularly review and update these settings to stay ahead of evolving security threats. By customizing your security settings, you can significantly reduce the vulnerability of your server to cyber-attacks and safeguard your sensitive data.
Not Testing Your Security Measures
Maintaining the security of your server requires regular testing to stay ahead of evolving cyber threats. Merely setting up security measures is not enough, as attackers frequently discover new vulnerabilities and adapt their methods. Regular testing helps to identify potential weaknesses in your security measures and allows you to address them proactively. It also ensures that your security measures are functioning correctly and that you are aware of any changes that could impact your security posture. Testing should be a regular part of your server security maintenance routine to help identify and address vulnerabilities, reduce risk, and safeguard against cyber-attacks.
Not Staying Informed About Security Threats
To protect against potential cyber threats, staying up-to-date with the latest security news and trends is essential. Cybercriminals are continuously looking for new ways to breach security measures, making it crucial to remain informed. This involves regularly reviewing security bulletins and patches from your software and hardware vendors, subscribing to security newsletters and alerts, and attending industry conferences and training sessions. It's also important to stay aware of current events and how they may impact your organization's security posture. For instance, if a new ransomware attack is making headlines, it may be necessary to review your incident response plan and ensure your backups are up-to-date. By keeping yourself informed and prepared, you can stay ahead of the game and protect against potential cyber threats.
Final Thoughts
Server security is not an issue that should be taken lightly. It is a fundamental requirement for any organization that handles sensitive data or provides critical services online. By following the server-hardening techniques, best practices, and avoiding common mistakes discussed in this post, you can significantly reduce the risk of a cyber attack and ensure the integrity, availability, and confidentiality of your server data. Remember, securing your server is an ongoing process, and it's essential to stay vigilant against emerging threats and vulnerabilities. By keeping up to date with the latest security trends and regularly testing your security measures, you can keep your server safe and secure in today's rapidly evolving digital landscape.