This repository has been archived on 2024-09-12. You can view files and clone it, but cannot push or open issues or pull requests.
svrjs-blog/source/_posts/8-Tips-for-Securing-your-Web-Server.md

152 lines
8.8 KiB
Markdown

---
title: 8 Tips for Securing your Web Server
date: 2024-05-18 21:44:32
tags:
- cybersecurity
- web
- webserver
- webmaster
- http
category: Tips
thumbnail: /images/covers/8-Tips-for-Securing-your-Web-Server.png
---
Securing a web server is an essential step, when deploying a website or a web application. Securing a web server will keep bad actors from breaking your website or web application.
In this post we will show you 8 tips to ease up process of securing your web server.
## 1. Update your web server software
Updating your web server software is a neccesity, when it comes to web server security. Older versions of web server software may contain vulnerabilities.
These web servers have dedicated security vulnerability listings:
* [Apache httpd (2.4.x)](https://httpd.apache.org/security/vulnerabilities_24.html)
* [NGINX](https://nginx.org/en/security_advisories.html)
* [SVR.JS](https://svrjs.org/vulnerabilities)
## 2. Enable HTTPS
HTTPS protects communication between client and server, so that eavesdroppers don't see your data, and tampering is harder.
You need a TLS certificate to enable HTTPS. There are many paid TLS certificate providers. Fortunately, you can obtain such a certificate for free from Let's Encrypt using [Certbot tool](https://certbot.eff.org/).
Enabling HTTPS also allows for speeding up your website with HTTP/2 and HTTP/3 protocols.
### Example: SVR.JS
If you're using SVR.JS, you can modify its configuration file (for example in `/etc/svrjs-config.json` file) like this:
```json
{
...other configuration properties...,
"secure": true,
"cert": "/path/to/certificate.crt",
"key": "/path/to/private.key"
}
```
For additional security, you can enable OCSP stapling by setting `enableOCSPStapling` property in SVR.JS configuration file to `true`. SVR.JS automatically redirects clients accessing unencrypted website to HTTPS by default.
After these changes, restart the server with `sudo systemctl restart svrjs` or `sudo /etc/init.d/svrjs restart`.
### Example: Apache httpd
If you're using Apache httpd, you can change the website configuration (configuration file in `/etc/apache2/sites-enabled/` directory) to:
```apache
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</virtualhost>
<VirtualHost *:443>
#...anything that was in the *:80 virtual host...
SSLEngine on
SSLCertificateFile /path/to/certificate.crt
SSLCertificateKeyFile /path/to/private.key
</VirtualHost>
```
This configuration also ensures, that client accessing unencrypted website is redirected to HTTPS.
For additional security, you can enable OCSP stapling by adding these directives to `*:443` virtual host:
```apache
SSLUseStapling On
SSLStaplingCache "shmcb:logs/ssl_stapling(32768)"
```
You may need to enable `mod_ssl` for HTTPS and `mod_rewrite` for redirects:
```bash
a2enmod ssl
a2enmod rewrite
```
After these changes, restart the server with `sudo systemctl restart apache2` or `sudo /etc/init.d/apache2 restart`.
## 3. Add security headers
Adding security headers like Content Security Policy (CSP), Strict-Transport-Security (HSTS), and X-Frame-Options protect against various types of attacks, like [cross-site scripting](https://blog.svrjs.org/2024/05/07/What-is-cross-site-scripting-How-to-prevent-it/), clickjacking or downgrade attacks.
You can view [documentation for Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) for more information.
### Example: SVR.JS
If you're using SVR.JS, you can modify its configuration file (for example in `/etc/svrjs-config.json` file) like this:
```json
{
"customHeaders": {
...headers here...,
"X-Example-Header": "example-value"
}
}
```
After these changes, restart the server with `sudo systemctl restart svrjs` or `sudo /etc/init.d/svrjs restart`.
### Example: Apache httpd
If you're using Apache httpd, you can add these directives to your virtual host in website configuration file (configuration file in `/etc/apache2/sites-enabled/` directory):
```apache
#Syntax: Header set <header_name> <header_value>
Header set X-Example-Header example-value
```
You may need to enable `mod_headers` in order for custom header functionality to work:
```bash
a2enmod headers
```
After these changes, restart the server with `sudo systemctl restart apache2` or `sudo /etc/init.d/apache2 restart`.
## 4. Use WAF (Web Application Firewall)
Deploying a WAF (Web Application Firewall) allows you to monitor, filter, and block malicious traffic to your web server. WAFs offer an additional layer of defense against common web-based attacks.
You can use cloud-based WAF, like [Sucuri WAF](https://sucuri.net/website-firewall/) or [Cloudflare WAF](https://www.cloudflare.com/application-services/products/waf/), or install WAF locally. If you're using SVR.JS web server, you can use [easy-waf integration mod](https://svrjs.org/mods) (you may need to install `easy-waf` npm package via `npm install -g easy-waf` command). If you're using Apache httpd or NGINX, you can use [ModSecurity](https://owasp.org/www-project-modsecurity/).
## 5. Employ rate limiting
Implementing rate limiting helps you mitigate the risk of brute force attacks, DDoS (Distributed Denial of Service) attacks, and other malicious activities. Limiting the number of requests a client can make within a certain timeframe helps protect server resources and maintain availability.
### Example: iptables with persistence
If you're using GNU/Linux, you can use `iptables` with persistence. If you're using Debian-based system, you can install it using `sudo apt install iptables iptables-persistent` command.
These rules help in preventing denial of service attacks. You can enable them using these commands:
```bash
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -m limit --limit 20/min --limit-burst 30 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j DROP
sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -m limit --limit 20/min --limit-burst 30 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j DROP
```
You can save the `iptables` rules like this:
```bash
sudo bash -c 'iptables-save > /etc/iptables/rules.v4'
```
## 6. Conduct regular security audits
Performing regular security audits helps you in identifing vulnerabilities and weaknesses in your web server configuration. Security audits help you stay proactive in addressing security risks before they are exploited by attackers.
You can perform security audits in GNU/Linux systems using the [Lynis tool](https://cisofy.com/lynis/).
## 7. Watch out for software vulnerabilities
Stay vigilant for software vulnerabilities in your web server environment. Regularly monitor security advisories and apply patches promptly to address any known vulnerabilities.
We have written about [cross-site scripting (XSS)](https://blog.svrjs.org/2024/05/07/What-is-cross-site-scripting-How-to-prevent-it/), [SQL injection](https://blog.svrjs.org/2023/12/02/What-is-SQL-injection-How-to-prevent-it/), [path traversal](https://blog.svrjs.org/2024/04/06/What-are-path-traversal-attacks-How-to-prevent-them/), [cross-site request forgery (CSRF)](https://blog.svrjs.org/2024/05/14/What-is-cross-site-request-forgery-How-to-prevent-it/) and [ReDoS vulnerabilities](https://blog.svrjs.org/2024/04/17/What-is-ReDoS-How-to-prevent-it/). You can read these posts, if you're building web applications.
## 8. Disable unneeded server extensions
Reducing the attack surface of your web server by disabling unnecessary server extensions and modules minimizes potential entry points for attackers and simplifies server management.
For example, if PHP is enabled when it's not needed, an attacker could exploit a vulnerability in the server or in a server-side script to upload a backdoor written in PHP.
## Conclusion
Securing your web server is a crucial aspect of deploying a reliable and safe website or web application. By following the eight tips outlined in this post, you can significantly enhance your web server's security posture. Updating your web server software ensures you have the latest protections against known vulnerabilities. Enabling HTTPS encrypts data in transit, safeguarding it from eavesdroppers and tampering. Adding security headers, using a Web Application Firewall (WAF), and employing rate limiting further defend against a range of attacks. Regular security audits and staying alert for software vulnerabilities help you remain proactive in mitigating potential risks. Finally, disabling unnecessary server extensions reduces the attack surface, making it harder for attackers to exploit your server. By implementing these strategies, you can better protect your web server, maintain the integrity of your applications, and provide a secure experience for your users.