May 6, 2011

How to Enhance the Security of Your Web Server – A SPN Exclusive Article

Running an online business like an ecommerce web site can be pretty hard at times, especially when you’re the only person working on it (which is not so uncommon these days) and you have to take care of everything, including customer support, sales, and the maintenance of your server.

Of course, there are a lot of various automation tools that can really help you and increase your productivity by taking your hands off the most mundane tasks, but not everything can be automated. Customer satisfaction is very important, and there’s nothing worse than having their security and privacy compromised.

Hackers and other shady people are always on the lookout for weaknesses and security holes that would allow them to gain access to important information like SSN and credit card numbers, which they can later use for their own profit or to damage a person’s reputation (most often the credit score is affected).

Even if they don’t find a way to break into your site’s database or server, they can still harm you by leaving software and ports broken or by overloading your server’s resources and bandwidth using Denial of Service or other similar attacks. That’s why you must implement at least a couple of security measures that will stand between you and the offenders. Here are the most important ones:

Firewalls. Even though most servers have software firewalls installed and enabled by default, most of the time they’re not configured properly (or at all, for that matter). That’s why one of the first things you need to do when receiving a new server is configure the firewall for your specific purposes and make sure it is not vulnerable to any external threats.

The best way to go about it is to lock down all the ports which you know are not used by anyone except you and allow external access only from a few trusted IPs. This is the single most important step you can take. For example, every single day, there are hundreds of bots scanning for open ports and trying to break in using common passwords and usernames, and limiting all ports to only a few external IPs will completely eliminate that threat.

Your MySQL, SSH, VNC and sometimes FTP ports need not be accessible by everyone. You can and should limit access to them only from your own IP addresses. This way, only you will be able to access them, and anyone else will get an “access denied” error, which will most probably make them mark your server as secure and move on.
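One way to check that rule on a Linux server, as an added example that is not part of the original article: the Python script below scans `iptables-save` output for INPUT rules that accept FTP, SSH, MySQL or VNC traffic from any source. The sample ruleset, the 203.0.113.10 address and the use of default port numbers are assumptions made for the illustration.

```python
import ipaddress
import shlex

# Default ports of the services the article says should not be open to everyone.
ADMIN_PORTS = {21: "FTP", 22: "SSH", 3306: "MySQL", 5900: "VNC"}

# Constructed sample in iptables-save format (documentation IP range).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -m multiport --dports 21,5900:5910 -j ACCEPT
COMMIT
"""

def expand_ports(spec):
    """Expand a port spec such as '21,5900:5910' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def option(tokens, *names):
    """Return the value following the first of `names` found, or None."""
    for name in names:
        if name in tokens:
            return tokens[tokens.index(name) + 1]
    return None

def audit(ruleset, admin_ports=ADMIN_PORTS):
    """Return (service, port, rule) for INPUT ACCEPT rules open to any source.

    Simplification: rule order, negation and user-defined chains are ignored.
    """
    findings = []
    for line in ruleset.splitlines():
        tokens = shlex.split(line)
        if tokens[:2] != ["-A", "INPUT"] or option(tokens, "-j") != "ACCEPT":
            continue
        source = option(tokens, "-s", "--source") or "0.0.0.0/0"
        if ipaddress.ip_network(source, strict=False).prefixlen != 0:
            continue  # rule is limited to a specific address or subnet
        spec = option(tokens, "--dport", "--dports")
        for port in sorted(expand_ports(spec) & set(admin_ports)) if spec else []:
            findings.append((admin_ports[port], port, line))
    return findings
```

On the constructed sample, `audit(SAMPLE_RULES)` reports the MySQL, FTP and VNC rules and leaves the SSH rule alone, because that one is limited to a single source address.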

You can also find or create your own list of bad IPs (of spammers and hackers, for example) and fully block their access manually. This is a good way of dealing with immediate threats, but it’s hard to do in the long run, as there are countless infected computers that attack others without the user’s permission.

Another thing you should consider installing or ordering is an external firewall. These are better suited for high loads (they do not tax your server’s CPU or RAM) and are even less vulnerable (software can be exploited and modified, hardware can’t). But you need to make sure that it will not limit your bandwidth (if you have a 1Gbit connection, a 100Mbit hardware firewall will slow it down considerably). Most of the time, a good, up-to-date software firewall should be enough.

DDoS Protection. DDoS attacks are very nasty things that can easily overload your server, cut off access to real users and make you lose money as well as spend more for bandwidth. Fortunately, they’re pretty easy to stop using a properly configured web server. There are a lot of instructions out there on how to configure Apache and other servers to cut or completely remove the chance of a DDoS attack, and you should implement them as soon as possible. It only involves changing the number of concurrent half-open connections and the timeouts.

In addition, you could benefit from a separate DoS detection utility that can detect (obviously) and stop DDoS attacks in a matter of seconds from their start. The most advanced ones can also cut off access from attacking IPs for a limited or unlimited amount of time, effectively blocking any DDoS attack attempt in the future.

Data Encryption. If you are dealing with sensitive information (both yours and your users’), you absolutely must use encryption protocols for those purposes. You must use SSL encryption with a real, valid certificate for all outgoing and incoming connections and keep the user data stored in encrypted and password-protected databases that can’t be accessed by anyone on the outside.

Implementing the above security measures will reduce the chances of your sites being attacked and exploited by 90%. The rest consists of being careful and installing the latest stable updates for all the software on your server. Stay safe!

Steve Cheng is a web publisher who writes about anything relating to website management and how to make money online.