Even though decent providers of dedicated servers do check the servers before deployment and after that, you can get in on the act, too, and check these security points in details. It will give you peace of mind – all in all, what can be better than knowing that data is secure, and website users enjoy its steady work.
Basic security measures
Methods to boost dedicated server security and reduce the risk of attacks include the following:
- Replace the port of your SSH (Secure Shell) Listen Port of the server by something different than 22. This will prevent brute-force attacks by preventing guess of passwords and usernames on the server already.
- Prefer only TLS (Transport Layer Security) protected interfaces for administering your dedicated web hosting. TLS encrypts the traffic going between the server and your computer. This way, hackers will stand no chance to compromise login information and perform an attack. Please note that although cPanel, WHM, Webmail, SMTP, and IMAP/POP3 all offer TLS-protected access on cPanel, they are not used by default – you need to activate them.
- Manage your dedicated server only through trusted networks and computers.
- Make sure that the systems for administering the server are free from malware, because it allows hackers getting information from server’s admin interface, even if data is encrypted over the network.
- Keep tabs on the latest patches and releases for all active scripts. Take an eye out on developers whose scripts you’re using: add their websites to your RSS feed and use bug fix patches and other tweaked releases. That also applies to your cPanel.
Managed Dedicated Server Security Audit
Even if you use a managed dedicated server, you should perform some routine tasks to maintain optimal security. All in all, you’re still responsible for data stored on your server, and keeping it safe should be your primary interest.
- Check kernel version. Dedicated servers with Linux and Windows core system programs are available now. Inxyhost technicians will check the kernel version to ensure your dedicated server isn’t vulnerable. If any threats and vulnerabilities are discovered, our team will contact you to discuss options for problem solving and arrange a reboot.
2: Check PHP settings and disable some of them, since they aren’t required on servers:
- “allow_url_fopen” With this settings, PHP starts treating URLs as files, which poses risk to some PHP applications that incorrectly process “include” and “fopen” statements. “allow_url_fopen” isn’t required in most applications, so you should disable it, especially on applications with PHP4.
- “allow_url_include”. The vast majority of PHP applications don’t need “allow_url_include” to be enabled, so desctivate it. Once you disable this function, you can enable “allow_url_fopen”, if needed.
- “register_globals”. With this setting, PHP variables can be set at runtime through a URL. When it’s enabled, hackers can change arbitrary PHP variables and perform SQL inhection, arbitrary code execution, or use vulnerable PHP applications for some other purposes. This is why normally “register_globals” should be disabled.
Together with these functions you can also disable some other PHP variables in order to reduce the risk of PHP-based malware being used against you. Pay attention to the following functions:
dl, exec, shell_exec, system, passthru, popen, pclose, proc_open, proc_nice, proc_terminate, proc_get_status, proc_close, pfsockopen, leak, apache_child_terminate, posix_kill, posix_mkfifo, posix_setpgid, posix_setsid, posix_setuid
3: Check Apache mod_security ruleset. Apache mod_security is a software firewall that checks incoming HTTP requests for known exploits. As a rule, providers have their own rulesets for known exploits and always ensure that the latest rulesets are installed on a dedicated server before it’s implemented. If you want to make sure you have the latest ruleset, contact your provider and ask to update the ruleset on a daily basis.
4: Check CSF/LFD configuration. This is a firewall suite that prevents and detects brute force attacks, tracks processes and protects against SYN flood. It has many other security features, as well. Providers install and configure CSF/LFD by default on Linux servers – ask if you have it.
5: Check system binaries. Many companies offering managed dedicated servers provide full web server security checking on the binary package versions, including Apache, udev, and BIND to make sure that they’re up-to-date and there are no vulnerabilities.
6: Configuration partition mounting options. Ask if your provider can alter configurations on partitions to reduce the risk of filesystem-based attacks and diminish I/O overhead.
7: Disable services you don’t usually need.
8: Leverage initial security-focused configurations, such as MySQL, Exim, Cpanel, FTP, SSH, PHP.
9: Install RKHunter: this program checks your server for rootkits and modified system binaries. Your provider can install RKhunter and add its state database.
Point 10: Install BusyBox from Unix tools. It’s highle convenient and useful for Linux servers.
comments