Securing a web server is an essential step, when deploying a website or a web application. Securing a web server will keep bad actors from breaking your website or web application.
In this post we will show you 8 tips to ease up process of securing your web server.
1. Update your web server software
Updating your web server software is a neccesity, when it comes to web server security. Older versions of web server software may contain vulnerabilities.
These web servers have dedicated security vulnerability listings:
2. Enable HTTPS
HTTPS protects communication between client and server, so that eavesdroppers don't see your data, and tampering is harder.
You need a TLS certificate to enable HTTPS. There are many paid TLS certificate providers. Fortunately, you can obtain such a certificate for free from Let's Encrypt using Certbot tool.
Enabling HTTPS also allows for speeding up your website with HTTP/2 and HTTP/3 protocols.
Example: SVR.JS
If you're using SVR.JS, you can modify its configuration file (for example in /etc/svrjs-config.json file) like this:
{
...other configuration properties...,
"secure": true,
"cert": "/path/to/certificate.crt",
"key": "/path/to/private.key"
}
For additional security, you can enable OCSP stapling by setting enableOCSPStapling property in SVR.JS configuration file to true. SVR.JS automatically redirects clients accessing unencrypted website to HTTPS by default.
After these changes, restart the server with sudo systemctl restart svrjs or sudo /etc/init.d/svrjs restart.
Example: Apache httpd
If you're using Apache httpd, you can change the website configuration (configuration file in /etc/apache2/sites-enabled/ directory) to:
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</virtualhost>
<VirtualHost *:443>
#...anything that was in the *:80 virtual host...
SSLEngine on
SSLCertificateFile /path/to/certificate.crt
SSLCertificateKeyFile /path/to/private.key
</VirtualHost>
This configuration also ensures, that client accessing unencrypted website is redirected to HTTPS.
For additional security, you can enable OCSP stapling by adding these directives to *:443 virtual host:
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
You may need to enable mod_ssl for HTTPS and mod_rewrite for redirects:
a2enmod ssl
a2enmod rewrite
After these changes, restart the server with sudo systemctl restart apache2 or sudo /etc/init.d/apache2 restart.
3. Add security headers
Adding security headers like Content Security Policy (CSP), Strict-Transport-Security (HSTS), and X-Frame-Options protect against various types of attacks, like cross-site scripting, clickjacking or downgrade attacks.
You can view documentation for Content Security Policy for more information.
Example: SVR.JS
If you're using SVR.JS, you can modify its configuration file (for example in /etc/svrjs-config.json file) like this:
{
"customHeaders": {
...headers here...,
"X-Example-Header": "example-value"
}
}
After these changes, restart the server with sudo systemctl restart svrjs or sudo /etc/init.d/svrjs restart.
Example: Apache httpd
If you're using Apache httpd, you can add these directives to your virtual host in website configuration file (configuration file in /etc/apache2/sites-enabled/ directory):
#Syntax: Header set <header_name> <header_value>
Header set X-Example-Header example-value
You may need to enable mod_headers in order for custom header functionality to work:
a2enmod headers
After these changes, restart the server with sudo systemctl restart apache2 or sudo /etc/init.d/apache2 restart.
4. Use WAF (Web Application Firewall)
Deploying a WAF (Web Application Firewall) allows you to monitor, filter, and block malicious traffic to your web server. WAFs offer an additional layer of defense against common web-based attacks.
You can use cloud-based WAF, like Sucuri WAF or Cloudflare WAF, or install WAF locally. If you're using SVR.JS web server, you can use easy-waf integration mod (you may need to install easy-waf npm package via npm install -g easy-waf command). If you're using Apache httpd or NGINX, you can use ModSecurity.
5. Employ rate limiting
Implementing rate limiting helps you mitigate the risk of brute force attacks, DDoS (Distributed Denial of Service) attacks, and other malicious activities. Limiting the number of requests a client can make within a certain timeframe helps protect server resources and maintain availability.
Example: iptables with persistence
If you're using GNU/Linux, you can use iptables with persistence. If you're using Debian-based system, you can install it using sudo apt install iptables iptables-persistent command.
These rules help in preventing denial of service attacks. You can enable them using these commands:
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 20/min --limit-burst 30 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j DROP
sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 20/min --limit-burst 30 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j DROP
You can save the iptables rules like this:
sudo bash -c 'iptables-save > /etc/iptables/rules.v4'
6. Conduct regular security audits
Performing regular security audits helps you in identifing vulnerabilities and weaknesses in your web server configuration. Security audits help you stay proactive in addressing security risks before they are exploited by attackers.
You can perform security audits in GNU/Linux systems using the Lynis tool.
7. Watch out for software vulnerabilities
Stay vigilant for software vulnerabilities in your web server environment. Regularly monitor security advisories and apply patches promptly to address any known vulnerabilities.
We have written about cross-site scripting (XSS), SQL injection, path traversal, cross-site request forgery (CSRF) and ReDoS vulnerabilities. You can read these posts, if you're building web applications.
8. Disable unneeded server extensions
Reducing the attack surface of your web server by disabling unnecessary server extensions and modules minimizes potential entry points for attackers and simplifies server management.
For example, if PHP is enabled when it's not needed, an attacker could exploit a vulnerability in the server or in a server-side script to upload a backdoor written in PHP.
Conclusion
Securing your web server is a crucial aspect of deploying a reliable and safe website or web application. By following the eight tips outlined in this post, you can significantly enhance your web server's security posture. Updating your web server software ensures you have the latest protections against known vulnerabilities. Enabling HTTPS encrypts data in transit, safeguarding it from eavesdroppers and tampering. Adding security headers, using a Web Application Firewall (WAF), and employing rate limiting further defend against a range of attacks. Regular security audits and staying alert for software vulnerabilities help you remain proactive in mitigating potential risks. Finally, disabling unnecessary server extensions reduces the attack surface, making it harder for attackers to exploit your server. By implementing these strategies, you can better protect your web server, maintain the integrity of your applications, and provide a secure experience for your users.