A system administrator (or sysadmin) is perhaps one of the most stressful careers available to an aspiring computer science and information technology student. Sysadmins are typically responsible for network and computer systems, including but not limited to server security. A sysadmin’s job, therefore, is stressful because at any time an organization’s servers may fall victim to cyber attacks.
In May 2021, a cyber criminal group attacked Colonial Pipeline with ransomware. The attack prompted a shutdown of the pipeline, halting the flow of gasoline and jet fuel along the East Coast of the United States. At the time of writing, details were still emerging; several news agencies reported that Colonial Pipeline paid a $5 million ransom to the criminal group behind the attack.
One thing is clear: the team of sysadmins managing Colonial Pipeline’s server(s) is on red alert and scrambling to understand what went wrong. This ransomware attack should be a wake-up call for all of us. With increasing frequency, cyber attacks expose server security weaknesses that put our daily lives at risk. Whether the topic is Linux web server security best practices or anything beyond, it is crucial to take a holistic approach to web server security.
One way of looking at web server security best practices comes from the three-legged-stool analogy: people, software/hardware, and policy. All three legs must work together, and if one fails, the stool no longer functions. Let’s begin with a basic description for each leg.
Viewing best practices for web server security as this three-legged stool lets us list individual tips related to each leg of the stool.
Educate yourself. Any employee who has contact with the business/organization’s server should have current knowledge of the vulnerabilities that could affect their workflows. At the very least, this includes the sysadmin and all IT staff. The U.S. Department of Homeland Security sponsors a database of known Common Vulnerabilities and Exposures (CVEs). If a CVE applies to software in the company’s infrastructure, it has been, and still can be, a threat to server security.
Password security. Strengthening password security involves two steps. The first is password strength. Strong passwords are generally long (between 12 and 18 characters) and contain a mixture of lowercase and uppercase letters, numbers, and symbols. Passwords should be rotated regularly, so that password crackers have little time to work. The second part of password security is multi-factor authentication. The most common form is two-factor; however, many organizations use three-factor authentication. Another password security safeguard is tiered access: only let people with the proper credentials access the server’s administration and configuration. For example, giving root access to the mailroom is risky.
Software updates and patches. Each time a new CVE comes to light, OS developers quickly create a patch that prevents cyber criminals from using the CVE to infiltrate the server. Staying current with these updates is part of the sysadmin’s best-practices foundation. This applies to any server and is a core part of Linux and Apache web server security best practices. One way to keep up is a service such as Imunify360’s live patching, which applies software patches automatically without rebooting the server. Server OSs are continually updated, so the sysadmin must also know about OS end-of-life plans.
Hardware obsolescence. Regrettably, computer hardware does not last as long as we would like, so you should know the physical state of your server’s hardware. It is important to retire systems that are at or near their end of life. Consult your hardware vendor for details regarding your systems’ viability.
Network monitoring. A typical server used by a business/organization has network components that let electronic information move throughout the business/organization. Unfortunately, cyber criminals are adept at abusing these components to break into a network. One thing you can do is use network monitoring software that alerts sysadmins when the network is being tampered with.
Backups, backups, backups. Backups are a classic mainstay of security protocols. Your business/organization should maintain three copies of your data: the primary copy and two backup copies. Put the two backup copies on two different media types (hard drive, tape drive, etc.), and store one of those backup copies offsite, away from the server.
Limit Internet access. It is best not to connect a server directly to the internet. Instead, use a combination of firewalls and virtual private networks (VPNs) to obtain the internet access you do need. For example, you need an internet connection for software patches, and for access to the cloud if your business/organization has a hybrid server.
Email encryption. Email scams are one of the most widely used ways of gaining criminal access to a server. Because email is unavoidable in modern business, you need a way of encrypting email messages, particularly emails sent between employees where confidential data might be involved. Gmail and other email services have some built-in encryption, but end-to-end email encryption is not enabled by default. One option is public-key cryptography: the sender encrypts the message with the recipient’s public key, and only the recipient’s private key can decrypt it.
Businesses use policies to impose rules uniformly across the business/organization. Policy development is generally complex and time-consuming, most notably because policies set the tone for organizational behavior and culture. Every business function, IT included, has its own specific policies. Two central IT-related policies complete our list of 10 server security tips.
Password use. Password use is part of the “people” leg of the server security stool. However, how employees use their passwords greatly influences server security, and a robust, detailed policy about password use minimizes human error. Examples of such errors include staying logged in to an unattended workstation and choosing an easily remembered but weak password. Remember, good policy minimizes human error, particularly when following the policy is part of the business’s organizational culture. Part of that policy should be the strict use of password managers.
Digital information and personal devices. Your business/organization should have policies about bringing personal devices to work and bringing business devices home after work. In other words, the policy should ensure that devices don’t cross-contaminate each other. What happens when you bring your work laptop home and it gets stolen? Strict policies that control how digital information moves into and out of the business/organization minimize the opportunities cyber criminals have to exploit human error. In case devices are stolen or lost, make sure you have remote management for corporate devices; such a service lets you lock a device or even erase its data before it falls into the wrong hands.
Our 10 tips for server security are not exhaustive, and there are probably at least 10 more. This list, however, presents server security holistically, meaning one leg of the stool influences the other two. At Imunify360, we look at server security in much the same way. Check Imunify360 Linux malware scanner and Linux server antivirus for more information. Or simply try Imunify360 for 14 days and see the results in just one week.