You have a web server or a website and you want it to be secure from the bad guys. One thing we know about bad guys is that they are ALWAYS looking for the easiest route to perform their bad deeds. They are looking for the low-hanging fruit to pluck.
This blog post is about how NOT to be the low-hanging fruit.
Rule #1: Keep your software up to date
You can file this one under “everybody knows this but few actually do it.” These days every reputable software vendor thinks about security, and updates and patches are regularly released for operating systems, control panels like Plesk, and even website content management systems (CMS) like WordPress, Drupal, and DNN. Yes, keeping up with all of that can be a chore, since different vendors release updates on different schedules.
So … pick one day per month and check for updates. If updates are available, back up your systems and then install them. Better yet, choose software that keeps track of its own versions and updates. For example, our Plesk control panel keeps track of its own security updates and can help you run updates to your CMSs, making the process even easier.
Still think it is hard to manage updates? Then consider high value-add services like patchman.co. Patchman will work seamlessly with your control panel behind the scenes to keep the CMS side of things up to date. This is perfect whether you are a web designer managing a handful of small sites or a large company hosting tens of thousands of installations … it just works.
But there is no question about it … well-maintained software is the best and most important first line of defense.
Rule #2: A Firewall – get one, there is no excuse
There are still tens of millions of websites that are not sitting behind a firewall. Black-hat types LOVE to find these websites. And there is really no excuse these days since adding a firewall has never been easier.
If you are working for a large enterprise organization and have a string of Barracuda or SonicWall hardware guarding the gates, then good for you, we wish we had your IT budget. But as great as all that hardware is, most websites do not host data that threatens national security, and that hardware can be hard to manage. Software-based firewalls can be more than enough, and they are easy to set up and manage via a web interface. And you probably have access to one right now via your base operating system or, better still, inside your new control panel.
What’s that … your control panel doesn’t have firewall control functionality? Get one that does, you will thank us later.
Rule #3: Bad Firewall Settings Are Your Own Darn (De)fault
Great … you installed the firewall, but that’s not enough.
You wouldn’t use the bank’s default password on your savings account, so why would you use the default settings on your firewall? Let me give you an example.
Secure Shell (SSH) revolutionized web server security. It is really great, but not perfect. By default, most systems run SSH on port 22. The problem is that all the bad guys know that the default is port 22. Simply changing this one configuration item to a non-default port (anything above 1024) keeps malicious scans from finding it easily.
A few simple configuration tweaks like this go a LONG way toward keeping those bad guys from knocking at your website’s door. If you are using your control panel to manage your firewall, search its documentation for recommended firewall security settings and implement those to start. You won’t be sorry you did.
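As an added example (not code from the original post or from Plesk), here is a small POSIX shell script that applies the Rule #3 change on a copy of sshd_config: it refuses ports outside the 1025-65535 range, rewrites the Port directive (including the commented stock default “#Port 22”), and prints the firewall rules that must accompany the move. The sample port 2222, the temporary file path and the ufw firewall syntax are assumptions for the demo, not a standard.

```shell
#!/bin/sh
# Added example, not code from the original post or from Plesk.
# Moves sshd off the default port 22 (Rule #3) on a COPY of sshd_config and
# prints the matching firewall rules. Assumptions: the ufw command syntax,
# the sample port 2222 and the temp-file path are demo choices, not a standard.

# A port is acceptable when it is numeric, above 1024 and at most 65535.
valid_ssh_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;          # empty or not purely numeric
    esac
    [ "$1" -gt 1024 ] && [ "$1" -le 65535 ]
}

# Rewrite the Port directive in the sshd_config file $1 to port $2.
# Handles the commented stock default "#Port 22" as well as an explicit "Port 22";
# appends a Port line when the file has none. Keeps a .bak copy of the original.
set_ssh_port() {
    cfg="$1"; port="$2"
    valid_ssh_port "$port" || { echo "refusing port '$port': use 1025-65535" >&2; return 1; }
    if grep -qE '^#?Port[[:space:]]+[0-9]+' "$cfg"; then
        sed -i.bak -E "s/^#?Port[[:space:]]+[0-9]+/Port $port/" "$cfg"
    else
        cp "$cfg" "$cfg.bak"
        printf 'Port %s\n' "$port" >> "$cfg"
    fi
}

# Print the port sshd would listen on for config $1 (22 when nothing is set,
# which is sshd's built-in default).
ssh_port_in() {
    p=$(sed -nE 's/^Port[[:space:]]+([0-9]+).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${p:-22}"
}

# Firewall rules that must go with the change (ufw syntax assumed).
# Order matters: allow the new port first, then deny 22, and keep your
# current session open until a second login on the new port succeeds.
firewall_rules_for() {
    printf 'ufw allow %s/tcp\nufw deny 22/tcp\n' "$1"
}

# Demo on a constructed sample so nothing on the live host is touched.
demo_cfg=$(mktemp)
printf '# constructed sample sshd_config\n#Port 22\n#AddressFamily any\n' > "$demo_cfg"
set_ssh_port "$demo_cfg" 2222
echo "sshd would now listen on port $(ssh_port_in "$demo_cfg")"
firewall_rules_for "$(ssh_port_in "$demo_cfg")"
rm -f "$demo_cfg" "$demo_cfg.bak"
```

Two practical notes: open the new port in the firewall and confirm a second login works before closing port 22 or ending your current session, or a typo locks you out; and moving the port only cuts scan noise, so it complements rather than replaces keeping sshd patched under Rule #1.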
Rule #4: Yes, You Do Need a CDN
If you think that you will never be the target of a Distributed Denial of Service Attack (DDoS), you’re wrong. I have personally seen dozens of these attacks—often on small innocuous sites that have done nothing wrong. And when an attack occurs, it can impact everyone in the datacenter—not just the target site.
So let’s say that your server or site is just sitting there, minding its own business. Two server racks down the hall, however, there is a server housing the election website of some political candidate that the internet vigilantes just don’t like. This is exactly how your site can become the collateral damage of someone else’s political agenda.
In the old days, Content Delivery Networks (CDNs) were invented to bring content closer to the end user. This made pages load faster and more reliably and kept spikes in global traffic from overwhelming a server. It was a really good idea and it worked. But having a CDN does something else too. By serving a site from several locations and directing each visitor to the best one, a CDN keeps a DDoS attack from bringing the site down by spreading the attack traffic back out across the web.
The market leader in this space right now is CloudFlare. You can set up a basic CDN for free and add more features later if you want to. Their system can be set up online in minutes.
Rule #5: What a difference a single letter makes – FTP vs. FTPS
As you know, FTP stands for “File Transfer Protocol” and it is the most common method to upload and download large files to and from websites. This includes everything from pushing up bulk content, images, and code blocks to your server or when your customers download content that you have provided.
FTPS stands for “File Transfer Protocol Secure” and is simply a much more secure way to transfer and manage files. Even though the term SFTP is used generically for all types of secure file transfers, technically FTPS only applies to Linux environments. Windows more often uses “FTP over SSL” or “FTP over TLS.” But the term FTPS is used so often that several commercial products now market file servers as “FTPS for Windows.”
Any way you slice it, making sure that the bad guys don’t hijack your file server to upload bad stuff is what you want to do.
This should be fairly easy to configure in your control panel. If you are using Plesk, you can find instructions in the Plesk Administrator’s Guide.
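As an added example (not code from the original post, from Plesk, or from any FTP server project), here is a POSIX shell script that audits a vsftpd-style configuration for Rule #5 and says whether the server still accepts plaintext FTP or enforces FTPS (FTP over TLS) for both logins and data. It assumes vsftpd’s directive names and defaults (ssl_enable defaults to NO; force_local_logins_ssl and force_local_data_ssl default to YES); other FTP daemons spell these differently. The three sample configurations it checks are constructed for the demo, with a placeholder certificate path.

```shell
#!/bin/sh
# Added example, not code from the original post or from Plesk.
# Audits a vsftpd-style configuration for Rule #5: does the server still
# accept plaintext FTP, or is FTPS (FTP over TLS) enforced for logins and data?
# Assumptions: vsftpd directive names and defaults (ssl_enable defaults to NO,
# force_local_logins_ssl and force_local_data_ssl default to YES); other FTP
# daemons spell these differently. The sample configs below are constructed.

# Print the value of key=value directive $2 from config $1, or default $3 when
# the key is absent. Comment lines are ignored; the last occurrence wins.
conf_get() {
    cfg="$1"; key="$2"; default="$3"
    v=$(sed -nE "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*([^[:space:]#]+).*/\1/p" "$cfg" | tail -n 1)
    printf '%s\n' "${v:-$default}"
}

# Return 0 when TLS is mandatory for both logins and data transfers,
# 1 otherwise, printing the first weakness found.
ftp_requires_tls() {
    cfg="$1"
    if [ "$(conf_get "$cfg" ssl_enable NO)" != YES ]; then
        echo "WEAK: ssl_enable is not YES, so this is plain FTP and passwords cross the network in the clear"
        return 1
    fi
    if [ "$(conf_get "$cfg" force_local_logins_ssl YES)" != YES ]; then
        echo "WEAK: force_local_logins_ssl=NO makes TLS optional, so clients can still log in unencrypted"
        return 1
    fi
    if [ "$(conf_get "$cfg" force_local_data_ssl YES)" != YES ]; then
        echo "WEAK: force_local_data_ssl=NO lets file contents travel unencrypted"
        return 1
    fi
    echo "OK: FTPS is enforced for logins and data"
    return 0
}

# Constructed sample configs: the typical plain-FTP default, a half-way setup
# where TLS is offered but optional, and the hardened version.
plain=$(mktemp); optional=$(mktemp); hardened=$(mktemp)
printf 'listen=YES\nlocal_enable=YES\nwrite_enable=YES\n' > "$plain"
printf 'listen=YES\nlocal_enable=YES\nssl_enable=YES\nforce_local_logins_ssl=NO\nforce_local_data_ssl=NO\n' > "$optional"
printf 'listen=YES\nlocal_enable=YES\nssl_enable=YES\nforce_local_logins_ssl=YES\nforce_local_data_ssl=YES\nrsa_cert_file=/path/to/your/cert.pem  # placeholder path\n' > "$hardened"

for f in "$plain" "$optional" "$hardened"; do
    ftp_requires_tls "$f" || true
done
rm -f "$plain" "$optional" "$hardened"
```

The middle case is the one that usually slips through a control panel checkbox: TLS is enabled, so the server advertises FTPS, but because nothing forces it, a client that never asks for TLS still logs in with a cleartext password. Run the checker against the real config file after you change the setting, not just before.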
You Are Off to a Great Start
Security takes consistent diligence, but it is worth it. We always recommend that you stay aware of all of the latest security updates and advancements and review all of your security options. This applies to everyone, but if you are using Plesk, you can find additional security configurations and options in the “Securing Plesk” section of your Administrator’s Guide.