The only way to secure a server from the horrors of the internet is to never hook it up to the internet.
The moment you plug any server into a data centre or network, it will immediately start getting attacked by bots trying to access it and take it over. It’s just the nature of the way things are on the internet. Most of these attacks are harmless if you’ve taken proper precautions. But no computer is 100% secure.
So, here is a rundown of basic security tips to keep your dedicated server secure against the internet, other than shutting it off. Also, even though I run my own dedicated server, I am a security amateur – this is based on my own experience and should not constitute legal advice in any way. You should always consult an IT pro. Until you do, here are a few things you can do in the meantime.
(Note – many of these principles also apply to VPS/Cloud servers as well)
Have a Firewall
The first thing you should install, if it wasn’t installed for you by your host, is a firewall. This will keep most bots and hackers out of your server. I know for my own server, Blacknight operates a massive firewall within the datacentre that keeps my server safe. You can choose this option when you order your server, or you can choose to rely on your own software firewall. There are several options available.
Give as few people as possible access to your server's backend/admin interface (and file upload access), and give even fewer people root/shell access. But even basic users on a server can cause harm. A single insecure email account can ruin your server's reputation or hog resources if it's taken over by a SPAMMER. Seriously, keep as many users as possible away from your production/consumer-facing server. If you need a server for internal intranet stuff, it should be separate from your external-facing production server.
Don't just set up your server and forget about it. Actively monitor it. See who's trying to log in. See what resources are being used (and possibly abused). Kill processes that are harming performance. Many hosting control panels have monitoring built in, but a lot of monitoring is ad hoc. Just log in every day and keep an eye on things. If you notice your websites are sluggish or outbound email volume is up, you'll know something isn't right. Also, use a tool like UptimeRobot to monitor your server's uptime.
Two Factor Authentication for everything
TFA is the future. Well, it's hardly new, but it should be everywhere. Where it's available, you should enable two-factor authentication. This keeps your software and server secure by requiring a second form of authentication in addition to a password. To log in to my server, for example, I have my regular username and password. Then I have it set up with Google Authenticator, which generates a unique code. Someone would have to physically have my phone (and the passcode to it) to get the code. There's simply no way to log in to the server without it.
Use generated, difficult passwords (but store them)
Do not use passwords made of easy-to-guess words, phrases, or numbers (like your birthday or anniversary). Generate your passwords randomly: use a password generator, and use a password manager to keep track of them. Never write them down. Never share them. Never forget the master password.
You Need Brute Force Protection
I had an incident last year where my server was flooded with traffic from a bot trying to brute-force its way into my WordPress-based websites. It caused my server to screech to a halt and overloaded everything. I had to install brute-force detection and monitoring software in WordPress that prevents someone from repeatedly trying to log in. There are free tools that do this, but there are also paid services like WordPress that can do this for you. You should also install brute-force protection at the server level, so that you lock out people trying to access your server admin. cPanel has cPHulk, which locks out those who try to log in too many times (and blocks them for a set period of time). You can also block by country and create whitelists. Plesk has a similar program called fail2ban.
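The "see who's trying to log in" monitoring above and the lockout logic of tools like cPHulk and fail2ban come down to the same check: count failed logins per source address inside a time window and report the ones over a threshold, skipping a whitelist. The script below is an added example, not the post's or any control panel's code; the log lines are constructed in the OpenSSH/syslog format, and the threshold (4 failures) and window (10 minutes) are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd/syslog-style lines (sample data, not from a real server).
SAMPLE_LOG = """\
Mar 12 10:00:01 srv sshd[2101]: Failed password for root from 203.0.113.7 port 41022 ssh2
Mar 12 10:00:03 srv sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 41023 ssh2
Mar 12 10:00:05 srv sshd[2103]: Failed password for root from 203.0.113.7 port 41024 ssh2
Mar 12 10:00:09 srv sshd[2104]: Failed password for root from 203.0.113.7 port 41025 ssh2
Mar 12 10:01:20 srv sshd[2110]: Accepted publickey for alice from 198.51.100.5 port 50002 ssh2
Mar 12 10:05:00 srv sshd[2120]: Failed password for root from 192.0.2.9 port 60001 ssh2
Mar 12 10:25:00 srv sshd[2121]: Failed password for root from 192.0.2.9 port 60002 ssh2
Mar 12 10:45:00 srv sshd[2122]: Failed password for root from 192.0.2.9 port 60003 ssh2
Mar 12 11:05:00 srv sshd[2123]: Failed password for root from 192.0.2.9 port 60004 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_failures(log_text, year=2024):
    """Yield (timestamp, ip, user) for every failed-password line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:  # syslog lines carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]

def find_offenders(log_text, max_failures=4, window_minutes=10, whitelist=()):
    """Return {ip: count} for IPs with >= max_failures failed logins inside
    any window_minutes span. Whitelisted IPs are never reported."""
    by_ip = defaultdict(list)
    for ts, ip, _user in parse_failures(log_text):
        if ip not in whitelist:
            by_ip[ip].append(ts)
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            # advance the window start until the span fits in window_minutes
            while (ts - times[start]).total_seconds() > window_minutes * 60:
                start += 1
            if end - start + 1 >= max_failures:
                offenders[ip] = end - start + 1
                break
    return offenders
```

With the defaults only 203.0.113.7 is reported; 192.0.2.9 makes the same number of attempts spread 20 minutes apart and slips under a 10-minute window, which is why a daily look at the totals still matters alongside automatic lockouts.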
Monitor email for spamming (enable TFA or complicated passwords)
If you're running a mail server, people are going to try to use it to send SPAM. You should monitor outgoing mail on your server and keep an eye on what's going out. You should also limit who you give email access to and make sure you require them to have complicated passwords. I had an email account on my server compromised because the password was easy, and a spammer started using my server to send SPAM. I caught it within minutes, thanks to all the warnings and monitoring I have on my server, but it was enough to ding the sending reputation of my server. Both Plesk and cPanel have tools built in for monitoring the email your server is sending (and they will automatically alert you if something unusual is happening).
Keep software you use up to date
Use SFTP or FTPS for transferring files
FTP – file transfer protocol – is fundamentally insecure. SFTP uses an SSL to secure the connection between you and your server, and it’s much more secure. Don’t use FTP, and don’t hand out FTP usernames/passwords to just anyone. There’s also FTPS (which uses TLS), and it’s becoming more popular.
There are forces on the internet trying to steal your bandwidth. As it's a limited resource that you're paying for, you don't want anyone doing that. Hotlinking is a common abuse, where another website links directly to an image you're hosting and displays it on their own site. You can disable this in cPanel/Plesk, and I would do so. I also have a snarky image that replaces every hot-linked image (it says this person is stealing).
Disable unnecessary network ports and services
Another good rule of thumb: only keep software running constantly if you actually need it. If you're not using it actively, shut it off. Close TCP/IP ports that you're not using. This limits what anything trying to connect to your server can reach (and makes unexpected connections easier to detect).
Get an SSL, obviously
This is the bare minimum you should have for any domain you're hosting and actively using. An SSL certificate is not magic pixie dust; simply having one does not automatically make your server secure. But it does make connections to and from your server secure. You have to have one. If you don't, most modern browsers will not open your websites (without some effort).
Backups backups backups
You must have a backup strategy. Follow the rule of three: one local backup, one external backup, and one backup not connected to the internet. And update them regularly. If you don't have a secure backup of your content and data (and your users' data), that's just another form of insecurity. One hack that takes down the server could end your business. If a ransomware attacker takes over and you don't have a backup, you might have to pay the ransom (which is something you should never do). So, back up your stuff. And keep those backups updated. Automate. Keeping an offline backup is harder to automate, but do it at least once a month.
Of course, Blacknight can help you with all of this if you have a managed dedicated server with us. to audit your server and practices, and we’ll help you keep your server secure from the bad forces on the internet.
Do you have any more tips for keeping a dedicated server secure? Please let us know in the comments.