
Discover the Top 15 Server Security Practices

March 14, 2020

In this article, we present the best server security practices of all time. Since security is a challenging subject for everyone, it is often ignored, and many get caught unaware when an issue occurs. These best practices can surely help you lower the risk of being compromised by a malicious actor.

1. Be Alert. Teach Yourself.

The first and foremost thing to enhance your server security is to always be alert about your security. It is similar to locking doors at night or ensuring that windows of your cars are rolled up. These practices indicate that you are cautious against the possibility of being compromised.

This doesn’t mean that you should always be logged in to your server monitoring the logs or constantly blocking connections in the firewall. Your life doesn’t revolve only around your WooCommerce store or blogging platform of choice. But if your business is your bread and butter, security should be a significant part of your day. It is recommended to think broadly about security and set up a good plan in advance to deter attackers. So, ensure that your crucial data is locked down and accessible only to the few important people you trust.

It’s a fact that we don’t know, what we don’t know. Read it carefully again…

This means if you don’t know what question to ask, you will miss something. No, you don’t need to be a security expert. But yes you are the one responsible to be alert and secure your business.

Some of you might be paying for managed services and so might think: why should I be alert?

Remember security is a shared concern. That means both you and MilesWeb have to stay alert. Hence, educate yourself.

2. Physical Security

a. Limit Server Access

You can restrict access to the server with the iptables firewall, which is available on most Linux servers. APF (Advanced Policy Firewall) makes it easy to manage your iptables rules, and CSF (ConfigServer Security & Firewall) is a more advanced option that also drives iptables but comes with a more robust feature set. The idea is to block every unused open port in the server firewall, so that only the ports your server actually needs are reachable by other hosts. Additionally, you can enable cPHulk’s brute-force protection through WHM to automatically block users who repeatedly fail to log in to the running services with invalid credentials.

Your first step towards server security is to limit physical access to the server. The main question that arises is where your server is located: is it sitting in a basement, or is it secured in a data center with verified physical and virtual policies and procedures that focus on the physical integrity of the server?

Below are some of the questions that should be asked prior to housing your server:

  1. Who can physically access my server? The monitoring team? Yes. Someone from accounting? No, not good. Knowing in advance who can touch the server answers a lot of questions.
  2. How does your hosting provider handle access control? Keycards or fobs? Biometrics? Or those neat retinal and palm-print scanners seen in the movies? Depending on your security requirements, these and other solutions may be implemented.
  3. Lastly, check how your host logs and tests these systems. Do they have defined policies and procedures that can be reviewed? Do they follow NIST standards? These are only some of the questions to ask when gathering information about the servers’ physical security.

3. Secure Connections

a. VPN

A VPN or Virtual Private Network creates a secure “tunnel” or pipe from your computer to a secured network across an unsecured network such as the internet. All traffic is securely routed through the tunnel. Since a VPN takes you into your business network, it must be considered your first layer of security.

So, always use a VPN.

b. SSH

When access to the server via a command line (terminal) is required, an SSH (Secure Shell) connection is used. This connection creates a secure pipe for your data to travel through, protecting its integrity while it passes over an unsecured network like the internet. Does it route all your traffic through this connection like a VPN? No. Only the information sent from the terminal on your computer to the server is secured. Alternatively, you can use SSH inside a VPN to add a second layer of protection to your data connection.

c. Fail2Ban

Fail2Ban is server software that reviews specific log files and blocks IPs that show signs of malicious behavior. Generally, valid login attempts take only a couple of tries to access the server (and when SSH keys are used, no more than one). If a host makes multiple unsuccessful logins within a given time, that indicates a malicious access attempt.

Fail2Ban then updates the firewall rules to block the suspect IP addresses for a specified amount of time (although other actions can also be taken). It comes with a default set of filters for services such as apache and ssh.

You can monitor several protocols using Fail2Ban, including HTTP, SSH, and SMTP. By default, Fail2Ban only monitors SSH, which is a helpful security restriction for any server since the SSH daemon is usually configured to run continuously and listen for connections from any remote IP address.
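The decision Fail2Ban’s sshd filter makes, reduced to a shell function as an added example (this is not code from the article or from Fail2Ban): it scans auth-log lines for failed SSH logins and reports each source IP that reached the retry limit. The log lines, IP addresses and the limit are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article. Counts "Failed password"
# events per source IP in sshd log lines and reports the IPs that reached
# MAXRETRY failures, which is what Fail2Ban's sshd jail bans on. The
# findtime window is left out for brevity: every line is counted.
MAXRETRY=3

# Constructed /var/log/secure style sample (documentation IP ranges, not
# real traffic). 192.0.2.10 fails four times; 198.51.100.7 fails once.
SAMPLE_LOG='Mar 14 10:01:12 host sshd[2101]: Failed password for root from 192.0.2.10 port 51234 ssh2
Mar 14 10:01:15 host sshd[2101]: Failed password for root from 192.0.2.10 port 51234 ssh2
Mar 14 10:01:19 host sshd[2103]: Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2
Mar 14 10:01:25 host sshd[2105]: Failed password for invalid user test from 192.0.2.10 port 51244 ssh2
Mar 14 10:02:02 host sshd[2110]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar 14 10:03:41 host sshd[2115]: Failed password for deploy from 198.51.100.7 port 40030 ssh2
Mar 14 10:03:50 host sshd[2115]: Accepted password for deploy from 198.51.100.7 port 40030 ssh2'

# Read log text on stdin; print "IP count" for every IP whose failed
# attempts reached MAXRETRY. Output is sorted so results are stable.
offenders() {
    awk -v max="$MAXRETRY" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # the IP is the field right after "from", wherever "from" sits
            for (i = 1; i <= NF; i++)
                if ($i == "from") { fails[$(i + 1)]++; break }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= max) print ip, fails[ip]
        }' | LC_ALL=C sort
}

# Wrapper that runs the detection over the constructed sample.
sample_offenders() {
    printf '%s\n' "$SAMPLE_LOG" | offenders
}

sample_offenders
```

On a real host the same function can read the live log (`offenders < /var/log/secure`); the banning step itself is left to Fail2Ban or the firewall.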

d. Restrict Root Access

Restrict SSH to a limited subset of users. This can be done by adding the following lines to the /etc/ssh/sshd_config file:

  PermitRootLogin no
  Protocol 2

Then allow only the members of an SSH users group, again in /etc/ssh/sshd_config:

  AllowGroups sshusers

e. SSH Keys

Using SSH keys, you can turn off password-based SSH login, so the root password is never used to access the server. This gives you an additional layer of security when connecting to the server. SSH keys are far more secure than a password alone. Additionally, SSH keys let users create a cryptographically secure key pair, which stores unique connection information locally on your computer and on the server.

SSH key pairs are generated cryptographically; in general, the larger the key, the more secure it is. For your information, the smallest key size is 1024 bits and the maximum is 4096 bits. The number of bits of entropy also depends on the algorithm used, e.g. RSA.

f. Alternate SSH Ports

For further security, you can change the port on which SSH listens. Usually SSH uses port 22, but it is recommended to use a port in the range 32768 to 61000. That said, relying on security through obscurity is not an effective means of fighting off intrusions. IANA suggests using ports 49152 to 65535.
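A read-only audit of an sshd_config for the settings covered in d, e and f above, added here as an example (it is not code from the article): it reports PermitRootLogin, AllowGroups, key-only login via the PasswordAuthentication directive, and the listening port. The two config files it checks are constructed, and the port 50022 and group name are sample values.

```shell
#!/bin/sh
# Added example, not from the original article. Reads an sshd_config and
# prints OK/FAIL/WARN for the hardening settings discussed above.
# Protocol 2 is not checked: the OpenSSH server dropped SSH-1 support in
# 7.4, so the directive is harmless there but does nothing.

# Effective value of one directive. sshd uses the FIRST occurrence of a
# keyword (later ones are ignored) and keywords are case-insensitive, so
# the lookup mirrors that; commented-out lines never match. Match blocks
# are not handled. Prints nothing when the directive is absent, i.e. the
# compiled-in default applies.
sshd_get() {   # sshd_get FILE DIRECTIVE
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# One OK/FAIL/WARN line per check; returns the number of FAIL lines.
audit_sshd_config() {   # audit_sshd_config FILE
    fails=0
    v=$(sshd_get "$1" PermitRootLogin)
    if [ "$v" = "no" ]; then
        echo "OK   PermitRootLogin no"
    else
        echo "FAIL PermitRootLogin is '${v:-unset}' (want no)"; fails=$((fails + 1))
    fi
    v=$(sshd_get "$1" AllowGroups)
    if [ -n "$v" ]; then
        echo "OK   AllowGroups limits SSH to group '$v'"
    else
        echo "FAIL AllowGroups unset: every account may log in over SSH"; fails=$((fails + 1))
    fi
    v=$(sshd_get "$1" PasswordAuthentication)
    if [ "$v" = "no" ]; then
        echo "OK   PasswordAuthentication no (keys only)"
    else
        echo "FAIL PasswordAuthentication is '${v:-unset, default yes}' (want no)"; fails=$((fails + 1))
    fi
    v=$(sshd_get "$1" Port)
    if [ -n "$v" ] && [ "$v" != "22" ]; then
        echo "OK   Port $v (non-default; cuts log noise, not a security control)"
    else
        echo "WARN Port ${v:-22}: default port, acceptable with keys and a firewall"
    fi
    return "$fails"
}

# Number of FAIL lines on stdout, for scripts that want a single figure.
sshd_failures() {   # sshd_failures FILE
    audit_sshd_config "$1" | grep -c '^FAIL' || true
}

# Constructed configs: a stock-looking file where everything is still
# commented out (so defaults apply), and a hardened one.
WEAK=$(mktemp) && HARD=$(mktemp)
trap 'rm -f "$WEAK" "$HARD"' EXIT
cat >"$WEAK" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
EOF
cat >"$HARD" <<'EOF'
Port 50022
Protocol 2
PermitRootLogin no
PasswordAuthentication no
AllowGroups sshusers
EOF

echo "== hardened =="; audit_sshd_config "$HARD" || echo "-> $? setting(s) to fix"
echo "== stock ==";    audit_sshd_config "$WEAK" || echo "-> $? setting(s) to fix"
```

Run it against the live file with `audit_sshd_config /etc/ssh/sshd_config`; it never writes to the file.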

g. SFTP

When you transfer files to and from the server, you should use SFTP (file transfer over SSH). With SFTP you connect to the server securely, in the same way as with SSH. Several FTP clients such as FileZilla or WinSCP have excellent support for this connection type.

h. SSL

Ensure that SSL certificates are deployed across all domains and services on the server. In this way, even connections that seem less important are secured.

i. EMail

Email is still one of the primary attack vectors used by malicious actors. Attackers use this medium widely because millions of people use email for conversation. Today almost everyone is aware of the dangers of opening an unknown email, but it is still an issue in many companies. This can be limited with continuous security training and reinforcement of security policies.

MilesWeb offers SpamExperts to secure your email account from spam mails.

j. Secure Application Logins

You access several typical applications on your server, such as WordPress, email, cPanel, or webmail. The connection method for each service can be configured for secure connections so that no information is transmitted in plain text between your computer and the server.

Insecure Application logins

These default server applications can be reached from any web browser, and your credentials are passed in plaintext when you use any of these insecure URLs:

  • cPanel – http://serverIP#:2082
  • WHM – http://serverIP#:2086
  • Webmail –

Secure Application Logins

To keep your credentials encrypted in transit, access the same services over https using these URLs:

  • cPanel –
  • WHM –
  • Webmail –

Just log into WHM and then go to Tweak Settings >> Redirection and turn on Always redirect to SSL to force all cPanel applications for using https by default.

4. Make Use of Strong Passwords

This is the first security measure for most services on your server. Always use a strong password for anything that has access to the server. Follow the guidelines below to secure your server.

a. Use Password Management Software

NIST recommends using a password manager for storing and distributing passwords. With such software you can use stronger and more secure passwords every day. Below are some of the password managers that reviewers suggest for generating strong passwords:

  • Lastpass
  • Dashlane
  • 1Password
  • KeePassXC
  • Keeper
  • Bitwarden

b. Use A Passphrase Instead of a Password

When selecting a password, it is often better to use an altered phrase, or passphrase, which is easy to remember but hard to guess. Consider this example: T0 3Rr 1$ Hum@Nt0 F0rg1v3 D1v1n3!

As per an expert, the above passphrase would take a computer about 2 SEXDECILLION YEARS (that is 10^51, a 1 followed by 51 zeros; or, in Great Britain, 10^96, a 1 followed by 96 zeros) to crack.

c. Expire Passwords After X Time

To check when a password expires, use the chage command, which lists and changes the password-aging information for a Linux user account. chage -l lists the information for a user, and chage -M sets the number of days before the password must be changed again:

  [root@host ~]# chage -l user
  Last password change                               : Jan 01, 2019
  Password expires                                   : never
  Password inactive                                  : never
  Account expires                                    : never
  Minimum number of days between password change     : 0
  Maximum number of days between password change     : 90
  Number of days of warning before password expires  : 7
  [root@host ~]# chage -M 90 user
  Last password change                               : Jan 1, 2019
  Password expires                                   : March 1, 2019
  Password inactive                                  : never
  Account expires                                    : never
  Minimum number of days between password change     : 0
  Maximum number of days between password change     : 90
  Number of days of warning before password expires  : 7
  [root@host ~]#
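chage reads and writes the aging fields of /etc/shadow; as an added example (not from the article), the function below checks those fields for every account at once, so you can spot the users whose maximum password age is unset or exceeds the policy. The shadow lines are constructed and the hashes are placeholders, not real credentials.

```shell
#!/bin/sh
# Added example, not from the original article. Parses /etc/shadow-format
# lines: field 1 is the user, field 2 the hash, field 5 the maximum
# password age in days (the value "chage -M" sets; empty = never expires).

# Constructed sample; "$6$constructed$PLACEHOLDERHASH" is not a real hash.
SAMPLE_SHADOW='root:$6$constructed$PLACEHOLDERHASH:18262:0:90:7:::
deploy:$6$constructed$PLACEHOLDERHASH:18262:0::7:::
backup:$6$constructed$PLACEHOLDERHASH:18000:0:365:7:::
daemon:*:18262:0:99999:7:::
svc:!$6$constructed$PLACEHOLDERHASH:18262:0::7:::'

# Read shadow text on stdin; print "user max_days" for every unlocked
# account whose maximum password age is unset or larger than LIMIT.
aging_violations() {   # aging_violations LIMIT
    awk -F: -v limit="$1" '
        # locked ("!...") and password-less ("*") accounts cannot log in
        # with a password, so their aging fields do not matter
        $2 == "*" || $2 ~ /^!/ { next }
        $5 == ""               { print $1, "never"; next }
        $5 + 0 > limit         { print $1, $5 }'
}

# Wrapper over the constructed sample with the 90-day limit used above.
sample_violations() {
    printf '%s\n' "$SAMPLE_SHADOW" | aging_violations 90
}

sample_violations
```

On a real host run `aging_violations 90 < /etc/shadow` as root; each user it lists is a candidate for `chage -M 90`.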

d. Password Policy Requirements

Make sure you follow the latest NIST standards for your password policy.

e. Define what passwords NOT to use

Remember not to use words that are commonly found in the dictionary. Also avoid well-known places, people’s names, events or pet names. Never reuse passwords, and don’t use strings of adjacent keyboard characters.

5. Turn Off All Unwanted Services

a. Audit Services

Service auditing lets you explore the services actively running on the server, the protocols they use and the ports they listen on. Keeping these factors in mind helps reduce the attack vectors into the system.

Certain services are enabled by default on most servers. They let you use several features available on the server, but if you don’t need these extra features, you should disable them. To find these services, run the following commands on a RedHat-based system; you get output like the following:

Redhat/CentOS Enabled Services

  [root@host ~]# systemctl list-unit-files | grep enabled
  var-lib-snapd-snap-core-7917.mount           enabled
  var-lib-snapd-snap-hellox2dworld-29.mount    enabled
  var-lib-snapd-snap-snapcraft-3440.mount      enabled
  acpid.service                                enabled
  auditd.service                               enabled
  autovt@.service                              enabled
  crond.service                                enabled
  dbus-org.fedoraproject.FirewallD1.service    enabled
  firewalld.service                            enabled
  getty@.service                               enabled
  irqbalance.service                           enabled
  microcode.service                            enabled
  NetworkManager-wait-online.service           enabled
  postfix.service                              enabled
  qemu-guest-agent.service                     enabled
  rhel-autorelabel.service                     enabled
  rhel-configure.service                       enabled
  rhel-dmesg.service                           enabled
  rhel-domainname.service                      enabled
  rhel-import-state.service                    enabled
  rhel-loadmodules.service                     enabled
  rhel-readonly.service                        enabled
  rsyslog.service                              enabled
  sonarpush.service                            enabled
  sshd.service                                 enabled
  systemd-readahead-collect.service            enabled
  systemd-readahead-drop.service               enabled
  systemd-readahead-replay.service             enabled
  tuned.service                                enabled
  snapd.socket                                 enabled
  [root@host ~]#

and the following command lists the services that are currently running:

  [root@host ~]# systemctl | grep running
  session-2969.scope               loaded active running Session 2969 of user root
  acpid.service                    loaded active running ACPI Event Daemon
  auditd.service                   loaded active running Security Auditing Service
  crond.service                    loaded active running Command Scheduler
  dbus.service                     loaded active running D-Bus System Message Bus
  firewalld.service                loaded active running firewalld - dynamic firewall daemon
  getty@tty1.service               loaded active running Getty on tty1
  irqbalance.service               loaded active running irqbalance daemon
  polkit.service                   loaded active running Authorization Manager
  postfix.service                  loaded active running Postfix Mail Transport Agent
  rsyslog.service                  loaded active running System Logging Service
  serial-getty@ttyS0.service       loaded active running Storm management console on Serial Getty ttyS0
  snapd.service                    loaded active running Snappy daemon
  sonarpush.service                loaded active running MilesWeb Sonarpush Monitoring Agent
  sshd.service                     loaded active running OpenSSH server daemon
  systemd-journald.service         loaded active running Journal Service
  systemd-logind.service           loaded active running Login Service
  systemd-udevd.service            loaded active running udev Kernel Device Manager
  tuned.service                    loaded active running Dynamic System Tuning Daemon
  dbus.socket                      loaded active running D-Bus System Message Bus Socket
  snapd.socket                     loaded active running Socket activation for snappy daemon
  systemd-journald.socket          loaded active running Journal Socket
  systemd-udevd-control.socket     loaded active running udev Control Socket
  systemd-udevd-kernel.socket      loaded active running udev Kernel Socket
  [root@host ~]#

To disable a service, use:

  systemctl disable bluetooth

Debian/Ubuntu Running Services

The below commands will show you the services active on a Debian/Ubuntu based server:

  root@host ~# service --status-all | grep '+'
   [ + ]  apache-htcacheclean
   [ + ]  apache2
   [ + ]  apparmor
   [ + ]  apport
   [ + ]  atd
   [ + ]  binfmt-support
   [ + ]  cron
   [ + ]  dbus
   [ + ]  ebtables
   [ + ]  grub-common
   [ + ]  irqbalance
   [ + ]  iscsid
   [ + ]  lvm2-lvmetad
   [ + ]  lvm2-lvmpolld
   [ + ]  lxcfs
   [ + ]  procps
   [ + ]  rsyslog
   [ + ]  ssh
   [ + ]  udev
   [ + ]  ufw
   [ + ]  unattended-upgrades
  root@host ~#

service --status-all lists the state of the services the system manages. The plus (+) and minus (-) markers show whether each service is running or not.

  root@host ~# systemctl | grep running
  proc-sys-fs-binfmt_misc.automount        loaded active running Arbitrary Executable File Formats File System Automount Point
  init.scope                               loaded active running System and Service Manager
  session-1726.scope                       loaded active running Session 1726 of user root
  accounts-daemon.service                  loaded active running Accounts Service
  apache2.service                          loaded active running The Apache HTTP Server
  atd.service                              loaded active running Deferred execution scheduler
  cron.service                             loaded active running Regular background program processing daemon
  dbus.service                             loaded active running D-Bus System Message Bus
  getty@tty1.service                       loaded active running Getty on tty1
  irqbalance.service                       loaded active running irqbalance daemon
  lvm2-lvmetad.service                     loaded active running LVM2 metadata daemon
  lxcfs.service                            loaded active running FUSE filesystem for LXC
  networkd-dispatcher.service              loaded active running Dispatcher daemon for systemd-networkd
  polkit.service                           loaded active running Authorization Manager
  rsyslog.service                          loaded active running System Logging Service
  serial-getty@ttyS0.service               loaded active running Storm management console on Serial Getty ttyS0
  snapd.service                            loaded active running Snappy daemon
  ssh.service                              loaded active running OpenBSD Secure Shell server
  systemd-journald.service                 loaded active running Journal Service
  systemd-logind.service                   loaded active running Login Service
  systemd-networkd.service                 loaded active running Network Service
  systemd-resolved.service                 loaded active running Network Name Resolution
  systemd-timesyncd.service                loaded active running Network Time Synchronization
  systemd-udevd.service                    loaded active running udev Kernel Device Manager
  unattended-upgrades.service              loaded active running Unattended Upgrades Shutdown
  user@0.service                           loaded active running User Manager for UID 0
  dbus.socket                              loaded active running D-Bus System Message Bus Socket
  lvm2-lvmetad.socket                      loaded active running LVM2 metadata daemon socket
  snapd.socket                             loaded active running Socket activation for snappy daemon
  syslog.socket                            loaded active running Syslog Socket
  systemd-journald-audit.socket            loaded active running Journal Audit Socket
  systemd-journald-dev-log.socket          loaded active running Journal Socket (/dev/log)
  systemd-journald.socket                  loaded active running Journal Socket
  systemd-udevd-control.socket             loaded active running udev Control Socket
  systemd-udevd-kernel.socket              loaded active running udev Kernel Socket
  root@host ~#

To disable a service, use:

  systemctl disable apache2

Remove X Windows from the system.

There is no need for a GUI on most servers for general administration tasks. Some servers may use a management panel to perform administrative tasks. Either way, know how many paths into the server are open and enable only the ones you really need.

  yum groupremove "X Window System"
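To make the service audit above repeatable, the following added example (not code from the article) compares the enabled units that systemctl list-unit-files reports against an allowlist of the services the server is meant to run and prints everything else, which is the list to review with systemctl disable. The unit listing and the baseline are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article. Filters the output of
# "systemctl list-unit-files" down to enabled units that are not in a
# baseline. On a real host pipe the live output in:
#   systemctl list-unit-files | unexpected_units "$BASELINE"

# Constructed excerpt in the "UNIT FILE   STATE" layout systemctl prints.
SAMPLE_UNITS='UNIT FILE           STATE
auditd.service      enabled
crond.service       enabled
firewalld.service   enabled
postfix.service     enabled
rsyslog.service     enabled
sshd.service        enabled
bluetooth.service   enabled
cups.service        enabled
snapd.socket        enabled
getty@.service      enabled
rhel-dmesg.service  disabled

11 unit files listed.'

# Allowlist, one unit per line; template units (getty@.service) as printed.
BASELINE='auditd.service
crond.service
firewalld.service
rsyslog.service
sshd.service
getty@.service'

# Read systemctl output on stdin; print enabled units not in the baseline.
# Comparing field 2 exactly also drops "enabled-runtime", the header line
# and the "N unit files listed." footer, which a plain grep would not.
unexpected_units() {   # unexpected_units BASELINE_TEXT
    awk -v base="$1" '
        BEGIN { n = split(base, b, "\n"); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        $2 == "enabled" && !($1 in ok) { print $1 }' | LC_ALL=C sort
}

# Wrapper over the constructed sample.
sample_unexpected() {
    printf '%s\n' "$SAMPLE_UNITS" | unexpected_units "$BASELINE"
}

sample_unexpected
```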

6. Keep Your System Updated

One of the basic security precautions for any operating system, whether on a desktop, laptop or mobile, is to keep all of your software up to date. Software updates range from critical vulnerability patches to minor bug fixes, and many software vulnerabilities are patched before they become public.

a. Don’t use default yum-updates.

It is important to update your system to keep it secure, but the default versions of yum-updatesd contain some glitches. Therefore, set up a cron job to apply updates. You can accomplish this via the following steps:

  1. Disable the yum-updatesd service: /sbin/chkconfig yum-updatesd off
  2. Create the yum.cron file with the following content:

  #!/bin/sh
  /usr/bin/yum -R 120 -e 0 -d 0 -y update yum
  /usr/bin/yum -R 10 -e 0 -d 0 -y update

Make this file executable and place it in /etc/cron.daily or /etc/cron.weekly.

b. Hide Server Information

Reveal as little as possible about the underlying infrastructure. The less the server displays about itself, the better.

Additionally, hiding the version numbers of any software installed on the server is a good idea. By default the exact version is revealed, which can help attackers when searching for weaknesses. You can remove this information simply by deleting it from the HTTP header or the service’s greeting banner.

7. Restrict Website Access

It is important to review website access logs for unwanted activity and to block abusive users from your website if you find any. It is good practice to block bad users at the website level before blocking them in the server’s firewall. If your website is built on WordPress, make sure it is protected from things such as WordPress brute-force attacks with WordFence or a similar product, so that your account also remains secure.

8. Configure a Firewall

A firewall such as iptables can be used to block bad inbound traffic to your server, which provides a highly effective security layer. When you are highly specific about the traffic you allow to your website, it becomes easier to avoid intrusions and other attempts to gain access from the internet.

One of the best approaches is to allow only the traffic you need and deny everything else. Furthermore, the successor to iptables, nftables, comes with a new command-line utility called nft, whose syntax is simpler than that of iptables.

9. Setup Audits

With file monitoring, you can detect unwanted file changes on the system. This is known as auditing. Linux uses auditd to track and record several characteristics of the system files while in a healthy state and then compare them to a later, altered state. When different versions of the same files are contrasted side by side, it is possible to detect any inconsistencies and track the changes.

10. User Management

a. Monitor Login Attempts

HIDS (host intrusion detection systems) help you find the files that are being accessed, the applications that are being used and the data present in the kernel logs.

NIDS (network intrusion detection systems) review the data flow between computers within a network. Those connections are specifically inspected for suspicious behavior.

HIDS provide the more versatile solution, while NIDS are mainly used for a LAN-based solution. You can use the following HIDS:

  • Wazuh (A fork of OSSEC that offers more reliability and scalability)
  • Tripwire
  • Samhain
  • Security Onion

A combination of NIDS and HIDS can form a strong, comprehensive IDS strategy. You can use the following NIDS:

  • Snort
  • Suricata
  • Zeek
  • OpenWIPS-ng
  • Sguil

b. Limit User Permissions

To restrict users’ access to critical systems, limit the permission sets, for example to 644 or 444 for files and 755 for folders.

c. Perform User Testing

Set a specific date for performing a security audit and inform the users about it in advance. State your expectations and hold them responsible for any shortcomings.

d. Ongoing Security Training

Send monthly reminders, train staff every three months, and test every six months across multiple channels (email, physical and network); use the failures to identify weak areas and schedule additional training there.

e. Travel Security

Security isn’t just for the front end of your business. It is important to provide security training for employees who travel abroad.

11. Secure the Filesystem

You can take several steps to secure the filesystem on the servers. Mount filesystems that contain user-writable directories on separate partitions, and be sure to use the nodev, nosuid, and noexec options in the /etc/fstab file.

a. Make sure /boot is read-only

Note that /boot is mounted read-write by default, even though it is only ever read from (to load the kernel and modules). Make sure it is set to read-only in /etc/fstab:

  /dev/sda1 /boot ext2 defaults,ro 1 2
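An added example (not code from the article) that checks an /etc/fstab for the mount hardening described in this section: each user-writable tree must have its own entry (a separate filesystem) carrying nodev, nosuid and, where appropriate, noexec, and /boot must be mounted ro. The fstab content and the device UUIDs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original article. Reads an fstab and prints
# one line per rule it violates; prints nothing for a compliant file.

# Mount point and the options it must carry. noexec is not demanded for
# /home because it breaks users who run scripts from their home directory.
WANT='/tmp nodev,nosuid,noexec
/var/tmp nodev,nosuid,noexec
/dev/shm nodev,nosuid,noexec
/home nodev,nosuid
/boot ro'

# Print "<mountpoint> lacks <option>" for a present entry missing an
# option, or "MISSING <mountpoint>" when the tree is not its own filesystem.
fstab_findings() {   # fstab_findings FILE
    awk -v want="$WANT" '
        BEGIN {
            n = split(want, lines, "\n")
            for (i = 1; i <= n; i++) { split(lines[i], f, " "); need[f[1]] = f[2] }
        }
        /^[ \t]*(#|$)/ { next }          # comments and blank lines
        ($2 in need) {                   # $2 = mount point, $4 = options
            seen[$2] = 1
            m = split(need[$2], opts, ",")
            for (i = 1; i <= m; i++)
                if (("," $4 ",") !~ ("," opts[i] ",")) print $2, "lacks", opts[i]
        }
        END { for (mp in need) if (!(mp in seen)) print "MISSING", mp }' "$1" | LC_ALL=C sort
}

# Constructed fstab: /tmp is separate but lacks noexec, /var/tmp is not a
# separate filesystem at all, everything else is as recommended.
FSTAB=$(mktemp)
trap 'rm -f "$FSTAB"' EXIT
cat >"$FSTAB" <<'EOF'
# constructed sample, not a real system
UUID=PLACEHOLDER-ROOT  /         xfs    defaults                       0 1
UUID=PLACEHOLDER-BOOT  /boot     ext2   defaults,ro                    1 2
UUID=PLACEHOLDER-TMP   /tmp      xfs    defaults,nodev,nosuid          0 2
UUID=PLACEHOLDER-HOME  /home     xfs    defaults,nodev,nosuid          0 2
tmpfs                  /dev/shm  tmpfs  defaults,nodev,nosuid,noexec   0 0
EOF

fstab_findings "$FSTAB"
```

Run `fstab_findings /etc/fstab` on a real host; it only reads the file.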

b. Disable booting from removable media.

To do this, change the BIOS setting to disable booting from removable media such as a USB stick.

c. Set a password for the GRUB bootloader.

If someone has physical access to the server, they can easily get into it. You can put a wall between the attacker and server access by setting a password on the GRUB bootloader. The first step is to back up the current grub.conf file:

  root@host ~# cp /etc/grub.conf /etc/grub.conf.bak

The next step is to generate a secure password. Create a file and write the password hash into it with the grub-md5-crypt command; it prompts you to enter the password twice. Then copy the generated hash from the secure file into the grub.conf file.

  root@host ~# touch secure
  root@host ~# grub-md5-crypt > secure

After this, copy the hash and paste it into the grub.conf file after the first line (on Red Hat), as below. Then type “:wq” in vim to save the file.

  splashimage=(hd0,0)/grub/splash.xpm.gz
  password --md5 JnK!xdBep53lt1NVk@K6wb!js%!HEI#^

Now reboot the server to check if the changes have been implemented.

d. Ask for the root password prior to entering single-user mode.

If a malicious actor can reach your server’s console, he can select a particular kernel to boot from the GRUB menu simply by pressing the “e” key. This lets him edit the first boot option so that the system boots into single-user mode without asking for a password.

It is important for your system to be configured such that it prompts for the root password prior to entering single-user mode to restrict possible exploitation. You can get this done by following the instructions above in “Set a password for the GRUB bootloader.”

12. Utilize SELinux

SELinux, a kernel-based security module, provides a mechanism for supporting access control security policies, including mandatory access control (MAC). In essence, it is used to fine-tune access control requirements: with SELinux you can define how a process or user is allowed to operate. Operations can be confined to their own domain, so that actions may only interact with certain file types or other processes from the domains that are allowed. SELinux runs in one of three possible modes:

  • Enforcing – SELinux is active and enforcing the defined policy.
  • Permissive – The policy is not enforced, but violations are logged. It is mainly used for testing.
  • Disabled – SELinux is turned off.

13. Use Multi-Server / Isolated Environments

a. Use a Multi-Server Environment

Having an isolated environment is one of the best forms of server security. Full isolation requires a dedicated bare-metal server that shares no components with other servers. Although this is the easiest to manage and offers the highest security, it is very expensive. In a data center, isolated execution environments permit separation of duties (SoD) and also allow the server configuration to be set according to the functions the server fulfils.

Separating database servers from web application servers is a standard security step. Separate execution environments benefit large businesses that can’t afford any security breach. On an independent database server, sensitive information and system files stay protected from attackers who manage to access your administrative accounts. Additionally, thanks to the isolation, system administrators can configure web application security separately and reduce the attack surface by deploying web application firewalls.

b. Use Virtual Isolated Environments

If complete isolation with dedicated server components isn’t affordable or necessary, you can choose to isolate execution environments instead. That way you can deal with any security issue that arises without compromising the other data. You can choose between containers (built on top of the host OS) and VM virtualization, both of which are easy to set up.

Creating chroot jails is another option for virtualized environments on a UNIX operating system. Chroot separates a process from the root directory of the main operating system and lets it access only the files in its own directory tree. However, this is not complete isolation and should only be used together with other security measures.

14. Take Backups

a. Buy a Website Backup Plan

As has been said many times, backups are an essential part of every security protocol. We recommend purchasing a website backup plan for backup retention.

b. Backup Testing

Make sure you test your backup systems in advance and clearly document the procedures and process for restoring them.

15. Use LUKS Encryption

To configure LUKS on CentOS you need the cryptsetup package, which is installed by default in later versions of CentOS. With the cryptsetup command you can encrypt specific disks or partitions to protect all of the information stored on them:

  [root@host ~]# cryptsetup luksFormat /dev/sdc

  WARNING!
  ========
  This will overwrite data on /dev/sdc irrevocably.

  Are you sure? (Type uppercase yes): YES
  Enter LUKS passphrase:
  Verify passphrase:

  [root@host ~]# cryptsetup -v luksOpen /dev/sdc mysecuredrive
  Enter passphrase for /dev/sdc:
  Key slot 0 unlocked.
  Command successful.

  [root@host ~]# mkfs.xfs /dev/mapper/mysecuredrive
  [root@host ~]# mkdir -p /mnt/my_secure_drive
  [root@host ~]# mount -v /dev/mapper/mysecuredrive /mnt/my_secure_drive/

  (***you may get an SELinux warning here***)

  mount: /mnt/my_secure_drive does not contain SELinux labels.
  You just mounted an file system that supports labels which does not
  contain labels, onto an SELinux box. It is likely that confined
  applications will generate AVC messages and not be allowed access to
  this file system. For more details see restorecon(8) and mount(8).
  mount: /dev/mapper/mysecuredrive mounted on /mnt/my_secure_drive.

  [root@host ~]# restorecon -vvRF /mnt/my_secure_drive/
  Relabeled /mnt/my_secure_drive from system_u:object_r:unlabeled_t:s1 to system_u:object_r:mnt_t:s1

  [root@host ~]# mount -v -o remount /mnt/my_secure_drive/
  mount: /dev/mapper/mysecuredrive mounted on /mnt/my_secure_drive

  (***no selinux warnings seen***)

  [root@host ~]# cryptsetup luksDump /dev/sdc
  LUKS header information
  Version:        2
  Epoch:          3
  Metadata area:  12288 bytes
  [……]
  Digest: 49 20 4c 6f 76 65 20 77 72 69 74 69 6e 67 20 61
          62 6f 75 74 20 6c 69 6e 75 78 22 2f 47 55 b7 8f
