Basic Web Server Security

Introduction

Linux and *BSD web server security does not have to be hard. In fact, some basic technical understand combined with common sense will get you quite far.

Keeping Things Up-To-Date

Thousands of developers are constantly improving open-source software for you by fixing bugs and security issues. Please don't ignore their effort by not applying the patches they provide. Software maintainer provide you with security advisories, please check them on a daily basis. If you haven't updated software on your server between Heartbleed and Shellshock you know you have to improve your patch management. Waiting longer between updates will also increase the chances of things going wrong. If multiple parties work on the server don't forget to define who is responsible for keeping the system up to date.

Uptime

Huge uptimes are nothing to be proud of. There are multiple projects working on replacing the kernel on a running system but most systems today have to reboot to apply kernel updates. Not having a box rebooted for three years also means you have ignored every kernel security improvement your operating system was offering you in the meantime.

SSH

SSH is the most important tool for accessing servers. It's great for so many things it really pays of to learn about every single option it's predominant implementation OpenSSH is offering. Here we will just focus on the most impoortant option as far as security is concerned: Disabling password authentication and forcing the usage of puiblic key authentication instead.

If you are not familiar with the OpenSSH public key infrastructure search for a tutorial online. After placing your public key on the server make sure the following options are set in your sshd config, usually /etc/ssh/sshd_config:

ChallengeResponseAuthentication no
PasswordAuthentication no
PubkeyAuthentication yes

Restarting the SSH daemon activates the changes.

Don't Trust Your LAN

Just because a service is not directly accessible from the Internet does not justify weak authentication mechanismns. Terms written in leetspeak that can be guessed with ease are a bad idea in private networks too.

Virtualization can Help

Security researchers often point out that virtualization is not an security feature at all. That might be right but in practice it can help to protect your server. Even if one of your services got infected by malware techniques like the FreeBSD Jails can help you to contain the problem and limit the consequences.

Keep it Simple

Complexity is your enemy: The lower the complexity of the system and its components is, the easier it is to keep things secure. Additionally we know that some services are just not as reliable as others (e.g. always favour SFTP over FTP). Install a minimal version of your operating system and start only the services you need to get your job done. Aavoid installing software like FTP daemons, a web interface for server or database administration or an X-window system.

If you are using Apache httpd disallow the usage of .htaccess files by setting AllowOverride None. Altering the Apache server config via .htaccess is a constant source for confusion.

Don't forget to avoid complexity with the software you are running on your web server too. Most software is extendable with plugins these days. While the base software gets fixed quickly in case of security bugs, many third party plugins are maintained poorly.

Reduce Verbosity

Many services are quite verbose by default, try not to give away too much information for free. Set ServerSignature Off and ServerTokens Prod in Apache httpd or use the equivalent options for your web daemon. If you are using PHP turn off expose_php. On a production system turn off every unnecessary logging.

Controversial Tools

Altough they could make sense in some rare cases in general it's better to avoid the following methods and tools:

  • disabling ICMP responses (ping)
  • using non-standard ports
  • Fail2ban and similar tools
  • port knocking
  • web application firewalls
  • virus scanners

It's much more useful to think about how to reduce the existing attack surface without the introduction of new tools.