Web System Hardening in 3 Easy Steps
To harden a computer system means to make it more difficult for a malicious hacker to attack. In formal terms, system hardening means reducing the attack surface. The attack surface is the combination of all the points where an attacker may strike.

Many computer systems by default have an exceptionally large attack surface. This is because a lot of software is installed with too many permissions and with as many functions enabled as possible. System hardening, therefore, is essentially about trimming down those options.

We will look at three hardening process steps that you can take.
Step 1. Operating System Hardening
The base level of system hardening is taking care of operating system security. A hardened operating system lets you avoid a lot of security threats.

To harden the operating system of your server:
· Uninstall all unnecessary software. Each program may contain a vulnerability that allows an attacker to escalate an attack. This includes even unnecessary compilers and interpreters, because they give an attacker who already has a foothold the tools to build and run reverse shells.
· Remove all unnecessary user accounts, and make sure that the accounts used to run services do not have excessive privileges. For example, the account that runs your web server may not need shell access at all, and it should have the minimum privileges the service requires.
· To avoid unauthorized access, require strong passwords as part of access control (but do not require regular password changes; such practices were found to be less secure), or use key-based authentication.
· Turn on detailed logging if you can afford the resources. The more detail you have in your logs, the easier it will be to analyze them after an attack.
· Enable automatic OS patching, or at least enable patch notifications. Security patches are of critical importance, and installing them automatically is more secure than relying on someone to do it by hand.
Note that the general tips above apply to all operating systems: Linux/UNIX, Microsoft Windows, macOS, and any others. However, some measures are specific to a particular system. For example, on Windows you may additionally want to focus on group policies.
Step 2. Network Hardening
Network hardening spans beyond the server and often includes additional network devices. However, at the level of the server that you are managing, there is already a lot that you can do to improve network security.

To harden the network connections on your server:
· Shut down and uninstall all services that are not used on this server, for example FTP, telnet, POP/SMTP, and similar. This eliminates the open network ports that belong to them.
· Enforce strong firewall rules. If this is a dedicated web server, make sure that the only incoming connections allowed are web connections and, potentially, administrative connections (e.g. SSH).
· If you can afford the resources, monitor outgoing connections for potential reverse shells.
A lot of network hardening is already done when you harden the OS. However, if you are not the only person with access to the server, it is a good idea to safeguard against someone else opening unsafe network connections.
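Two of the check-ups from Step 1 (service accounts with a login shell, compilers and interpreters left on PATH) and one from Step 2 (listening ports outside an allowlist) written as small shell helpers. This is an added example, not a script from the original article; the passwd lines, the ss output and the list of toolchain names are constructed samples and assumptions, so feed the helpers real output (getent passwd, ss -Hltn) on your own server.

```shell
#!/bin/sh
# Read-only hardening check-up helpers for Steps 1 and 2. Each helper reads
# command output on stdin, so it works on real data (getent passwd, ss -Hltn)
# or on the constructed samples below; none of them changes the system.

# Step 1: accounts that keep an interactive login shell. Service accounts
# (the web server's user, for instance) should be on nologin or false.
login_shell_accounts() {
    awk -F: '$1 != "root" && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }'
}

# Step 1: compilers and interpreters on PATH that a dedicated web server
# usually does not need (the list of names is an assumption; extend it).
present_toolchains() {
    for tool in gcc cc g++ make perl python3 ruby; do
        command -v "$tool" >/dev/null 2>&1 && echo "$tool"
    done
    return 0
}

# Step 2: listening sockets whose port is not in the allowlist passed as
# arguments. Input: "ss -Hltn" lines; the 4th field is the local address.
unexpected_listeners() {
    allowed=" $* "
    awk '{ print $4 }' | while IFS= read -r addr; do
        port=${addr##*:}
        case "$allowed" in
            *" $port "*) ;;
            *) echo "$addr" ;;
        esac
    done
}

# Constructed sample data standing in for a real server.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/bash
sshd:x:100:65534::/run/sshd:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/sh'

SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:443 *:*
LISTEN 0 100 127.0.0.1:25 0.0.0.0:*
LISTEN 0 5 0.0.0.0:21 0.0.0.0:*'

echo "== accounts with a login shell (service users belong on nologin) =="
printf '%s\n' "$SAMPLE_PASSWD" | login_shell_accounts
echo "== listeners outside the allowlist 22 443 =="
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners 22 443
```

On the sample data the first helper flags www-data and deploy, and the second flags the local-only mail listener on port 25 and the FTP listener on port 21, which is exactly the kind of service Step 2 says to remove.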
Step 3. Continuous Hardening
The most important thing to realize about hardening is that it is a never-ending process. You should perform regular system hardening check-ups to make sure that your security configuration is up to date, that all the security measures are still in place, and that there are no new threats to your information security. Such new threats may come from other users of the server, from the developers of web applications, or simply from vulnerabilities found in existing software.

Luckily, part of the process can be automated. For example, you may use patch management software to make sure that your key software is always up to date. You may also run scheduled scans with a web vulnerability scanner to make sure that new and updated web applications do not introduce security threats.

The best way to do it is to maintain a hardening checklist, which you create during your first hardening exercise and then modify as you discover new ways to make your system less prone to attacks.