
How to Harden Your Web Server Against Hacking
by xenite 17 Sep 2013

There is no way to completely prevent hackers from getting into your server accounts, but there are ways to make it harder for them. Here are a few tips to consider.

Because there are so many different Web host management tools, I cannot explain how this is done on every server or in every account. If you don't see these options when you log in to your server account, you may have to search the Web for their equivalent names. In some cases your hosting provider manages these features.

If you can see the server logs that track login attempts, you'll know which services are being targeted and which IP addresses the attacks come from. Common targets include FTP, TELNET, and EMAIL services. Attackers use "brute force dictionary attacks" -- trying user name + password combinations in rapid succession -- to find a way in.
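As an added illustration (not code from the original article), the Python below does the log reading described above: it tallies failed logins per source IP and service from a few constructed auth-log lines in the sshd and PAM/vsftpd wording, then lists the addresses that look like dictionary attacks. The sample lines, the vsftpd service name and the threshold of three failures are assumptions.

```python
import re
from collections import Counter

# Constructed auth-log style lines for illustration (not real traffic); the
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 ranges are reserved for documentation.
SAMPLE_LOG = """\
Sep 17 03:14:01 host sshd[2210]: Failed password for root from 203.0.113.7 port 51234 ssh2
Sep 17 03:14:03 host sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Sep 17 03:14:05 host sshd[2212]: Failed password for invalid user test from 203.0.113.7 port 51244 ssh2
Sep 17 03:14:06 host sshd[2213]: Failed password for invalid user oracle from 203.0.113.7 port 51250 ssh2
Sep 17 03:15:10 host vsftpd[2300]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=ftp rhost=198.51.100.22 user=ftp
Sep 17 03:15:12 host vsftpd[2301]: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=anonymous rhost=198.51.100.22 user=anonymous
Sep 17 03:16:00 host sshd[2400]: Accepted publickey for deploy from 192.0.2.10 port 40000 ssh2
Sep 17 03:16:30 host sshd[2401]: Failed password for deploy from 192.0.2.10 port 40002 ssh2
"""

# One failed-login line: the service name, then either sshd's "Failed password for ... from IP"
# or the PAM "authentication failure; ... rhost=IP" wording that FTP daemons log.
FAILURE_RE = re.compile(
    r"(?P<service>sshd|vsftpd)\[\d+\]: .*?"
    r"(?:Failed password for .*? from |authentication failure;.*? rhost=)"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def failed_logins(log_text):
    """Count failed login attempts, keyed by (source IP, service)."""
    counts = Counter()
    for line in log_text.splitlines():
        match = FAILURE_RE.search(line)
        if match:
            counts[(match.group("ip"), match.group("service"))] += 1
    return counts


def brute_force_sources(log_text, threshold=3):
    """Source IPs with at least `threshold` failures in total, busiest first.

    A single typo from a legitimate user stays below the threshold; a dictionary
    attack trying many user name + password combinations does not.
    """
    per_ip = Counter()
    for (ip, _service), n in failed_logins(log_text).items():
        per_ip[ip] += n
    return [ip for ip, n in per_ip.most_common() if n >= threshold]


if __name__ == "__main__":
    for (ip, service), n in sorted(failed_logins(SAMPLE_LOG).items()):
        print(f"{ip:16} {service:8} {n} failed attempts")
    print("candidates for the block list:", brute_force_sources(SAMPLE_LOG))
```

On a real server you would feed it the contents of your auth log instead of SAMPLE_LOG and review the candidates by hand before adding any address to a block list.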

Your passwords should always be at least 11 characters long. You don't need to use special characters that are hard to type and remember ( # $ % & * ! ). Passwords that rely on these characters rather than length are just as easy to crack as "1234567".

TCP Wrappers
Start by installing and activating TCP Wrappers. In effect, this service allows you to restrict access to your server-level functions to only a small number of IP addresses.

You should always block ALL IP addresses and then only allow those you know can be trusted.

Your Web hosting provider's support IP address should be whitelisted here, as well as any IP addresses you use yourself (from home or from work).

You can always update the list if you move or travel. If your home IP address changes each time you log on to the Internet, keep track of the addresses you are assigned (whatismyipaddress.com will show your current one) so that you can document them. Keep in mind you may be sharing IP addresses with other people in your neighborhood.

TCP Wrappers prevent people from logging in to your server even if they have the password to sysadmin accounts.

FTP and Telnet Services
Unless you are constantly using these services, just turn them off until you need them. They will be restarted every time your server is rebooted, so get into the habit of checking whether they are active.

You can modify the bootup scripts so that they do NOT start these services, but if you are not familiar with editing bootup scripts you should leave them alone.

Hackers use software to probe your FTP and Telnet services, looking for accounts they can log into. If the services are down they cannot probe them.

Email Services
You don't want to be an open relay server. You'll have to find out which email service you're using and research how to block spammers from exploiting it as an open relay. This takes some homework.

Firewall
A firewall is a program that filters all the inbound "packets" sent to your server. It is a different tool from TCP Wrappers. You use the firewall to tell your server to REJECT or DROP any packets coming from bad IP addresses. System administrators are divided on whether it is better to REJECT or DROP.

You have to restart the firewall or "APPLY CONFIGURATION" after you add new IP addresses to it. You do NOT want to reload the default configuration, as that erases all the IP addresses you have entered.

If you cannot configure your firewall then on a UNIX/LINUX server you can set up an .htaccess file to perform a similar function. There are tools for Microsoft's IIS platform that block IP addresses but I don't know what they are called or how they are managed.

The syntax for an Apache .htaccess file is simple (A.B.C.D is the address to block, and the number after the slash is the bit-mask):

deny from A.B.C.D/bit-mask

deny from A.B.C.D

IP Address Formatting
If you scan the Web for tips on how to block IP addresses, you'll occasionally come across forum discussions and blog posts that tell you to just block "165.27.9.0/24" or something like that. Rarely do these tips explain why you would do such a thing.

IP addresses are assigned in blocks to major providers who in turn sub-lease these blocks to other providers. There are some Web tools (like IPDB.AT) that will show you all the IP addresses assigned to a hosting provider. People sometimes block all the IP addresses coming from a hosting provider.

There are no fully reliable FREE tools that show you all the IP addresses assigned to a country, but you can see which country a B-level block is assigned to. The four parts of an IPv4 address are designated A.B.C.D, and each part can have a numeric value from 0 to 255. A B-level block looks like 1.1.0.0/16.

The number after the slash (which I called a "bit-mask" in the previous section) tells computers that the first X bits of the 32-bit string representing a full IP address are the part that matters; everything after those bits is ignored, so every address that shares those first X bits is treated the same.

So the A-part of the IP address uses 8 bits of data, the B-part uses 8 bits of data, the C-part uses 8 bits, and the D-part uses 8 bits.

If you want to tell your firewall to REJECT all traffic coming from 1.1.0.0 through 1.1.255.255 then you would just add a REJECT rule specifying 1.1.0.0/16.

In your VBulletin ADMINCP you don't have to use this format. You can just add 1.1 to the blocked IP addresses, but in a server-level tool you have to use the full format.

A simple way to block by country is to look up the location of a B-block's first IP address (A.B.0.0). If it is, say, China, you can block A.B.0.0/16, which prevents about 65,000 IP addresses from accessing your server.

You may find that a range of B-level blocks has been assigned to the same country, but don't assume they are all being used to attack your server. If you receive legitimate traffic from that country you will have to be very judicious about what you block.
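The following Python functions, added here and not part of the original article, carry out the bit-mask arithmetic described in this section using the page's A.B.C.D notation: they compute the first and last address of a block such as 1.1.0.0/16, test whether an address falls inside it (which is what a REJECT rule for that block decides), and expand the ADMINCP shorthand (1.1) into the full form a server-level tool needs. The function names are my own.

```python
def ip_to_int(ip):
    """Pack the four parts A.B.C.D into one 32-bit number: A is the top 8 bits, D the bottom 8."""
    parts = [int(p) for p in ip.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError(f"not an IPv4 address: {ip}")
    a, b, c, d = parts
    return (a << 24) | (b << 16) | (c << 8) | d


def int_to_ip(n):
    """Inverse of ip_to_int: unpack a 32-bit number back into A.B.C.D."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_cidr(cidr):
    """Split A.B.C.D/bits into (network, mask); the mask has the first `bits` bits set."""
    address, bits = cidr.split("/")
    bits = int(bits)
    if not 0 <= bits <= 32:
        raise ValueError(f"bit-mask must be between 0 and 32: {cidr}")
    # /16 gives 0xFFFF0000: the A and B parts are fixed, C and D are ignored.
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    # Clearing the ignored bits turns 165.27.9.77/24 into the block 165.27.9.0/24.
    return ip_to_int(address) & mask, mask


def cidr_range(cidr):
    """Return (first address, last address, number of addresses) covered by a block."""
    network, mask = parse_cidr(cidr)
    last = network | (~mask & 0xFFFFFFFF)
    return int_to_ip(network), int_to_ip(last), last - network + 1


def in_cidr(ip, cidr):
    """True if `ip` shares the fixed leading bits of `cidr`, i.e. a rule for that block matches it."""
    network, mask = parse_cidr(cidr)
    return (ip_to_int(ip) & mask) == network


def shorthand_to_cidr(prefix):
    """Expand the ADMINCP shorthand ('1.1', '165.27.9') into the full form a server tool needs."""
    parts = prefix.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"expected 1 to 4 parts: {prefix}")
    padded = parts + ["0"] * (4 - len(parts))
    return f"{'.'.join(padded)}/{8 * len(parts)}"
```

For example, cidr_range("1.1.0.0/16") returns ("1.1.0.0", "1.1.255.255", 65536), which is the "1.1.0.0 through 1.1.255.255" range the text describes.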

Just Because They Cannot Get In Does Not Mean They Won't Try
A lot of hackers use robots/software to attack servers. They don't know whether they can get in until the software finds a hole, so they are not paying attention to being blocked; the attempts simply continue.

Blocking Server Access May Not Protect Your Applications
If you are running WordPress or VBulletin, those applications can be hacked even if you use TCP Wrappers to prevent people from logging in to your server account. A hacked blog or forum accesses your database using the server user account assigned to the application, not the application user account the hacker created.

So if you do get hacked while taking the measures described above, find out where the hacker came from (the IP address) and add it to your block list.

WordPress users can look for plugins like "STOP SPAMMER REGISTRATIONS" and "LIMIT LOGIN ATTEMPTS" and install those to protect their blogs from excessive attempts to exploit them.

I know there are similar plugins for VBulletin.

Prudence Helps But There Are No Guarantees
Taking precautions against hacking is a good idea. If you don't know enough about all this technical stuff to understand everything I am saying, you should really take the time to learn as much of it as possible.

If you're going to run a forum on the Web you're inviting everyone to drop by. Unfortunately some of those people come by for the wrong reasons.

I hope people find this helpful.
