Do you want to make your webserver more secure? Look carefully at your web server security to prevent your server from being abused by attackers!
Security breaches on web servers can be a serious threat to people and companies. If you run a web server on the internet, you are always a target. But don't worry, there are some very effective ways to harden it. Let me show you 6 simple steps to make your web server more secure.
1. Always keep your applications up to date
By far the most important, and also the easiest, thing is to always keep all your applications up to date! New vulnerabilities are found in applications every single day, so it is crucial to install the necessary security updates before attackers can abuse them. Keep in mind that even if a web server like Apache or Nginx is a solid piece of software, that does not protect you from vulnerabilities in other packages or libraries.
Also think of any pre-built web applications on your web server; you will need to check those as well. With your distribution's package manager you can easily update all installed software packages. Most distributions, like Ubuntu, also offer automatic installation of security updates.
And don't forget to update container packages such as Docker images as well!
2. Containerize your webserver and applications
There are a lot of good reasons to use containers to isolate applications. Deployment becomes much easier, and it also makes your web server a bit more secure. Isolating your web server from related systems mitigates the risk of privilege escalation. In case of a security breach, the attacker could probably break into a single container, but it is much harder to break out of the isolated container and infect the whole system. This also applies to other applications such as databases.
Best practice is to create a separate container for every application or service you need. You can even break it down further following the microservice principle. I recommend using Docker and docker-compose for this. It is a solid option to make your web server a bit more secure.
3. Use AppArmor security profiles
Don't forget that containers are not as isolated from the host system as virtual machines! They use separate namespaces in the kernel, but they are actually running on the same operating system kernel. To increase the security of isolated containers or applications even more, you can also use AppArmor security profiles. They can restrict application capabilities like network access, file permissions, etc.
The goal is to protect the host system and containers from one another. In case of a security breach, it is much harder to use vulnerabilities to attack the host system or other containers.
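As an added example for steps 2 and 3 (not from the original article), here is a custom AppArmor profile for a containerized nginx, loaded on the host and attached with `--security-opt`. It assumes the official nginx image (binary at `/usr/sbin/nginx`, web root under `/usr/share/nginx/html`); the profile name `nginx-container` and the file path are my own choices.

```apparmor
# Assumed layout: official nginx image; profile saved on the host as
# /etc/apparmor.d/containers/nginx-container (path is an assumption).
# Load it:    sudo apparmor_parser -r -W /etc/apparmor.d/containers/nginx-container
# Use it:     docker run -d --security-opt apparmor=nginx-container -p 443:443 nginx
# Verify:     sudo aa-status   (profile must be listed in enforce mode)
#include <tunables/global>

profile nginx-container flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  # Serving HTTP(S) only needs TCP over IPv4/IPv6.
  network inet tcp,
  network inet6 tcp,
  # No raw or packet sockets: no sniffing or spoofing from inside the container.
  deny network raw,
  deny network packet,

  # Start from "all files allowed", then carve out what nginx must never touch.
  file,
  umount,

  # Binaries stay read-only, so a compromised worker cannot drop tooling.
  deny /bin/** wl,
  deny /sbin/** wl,
  deny /usr/bin/** wl,
  deny /usr/sbin/** wl,
  # The static web root is immutable from inside the container.
  deny /usr/share/nginx/html/** wl,
  # Credential files are off limits even to the root-started master process.
  deny /etc/shadow rwklx,
  deny /etc/gshadow rwklx,

  # Minimal capability set the image needs to bind port 443 as root
  # and then drop to the nginx user.
  capability chown,
  capability dac_override,
  capability setuid,
  capability setgid,
  capability net_bind_service,

  # No kernel tampering or process tracing via /proc and /sys.
  deny @{PROC}/* w,
  deny @{PROC}/sys/** w,
  deny @{PROC}/sysrq-trigger rwklx,
  deny @{PROC}/kcore rwklx,
  deny /sys/** w,
  deny mount,
  deny ptrace,
}
```

Check the effect by running `docker exec` into the container and attempting a write under `/usr/sbin`; the kernel refuses it and the denial is logged by AppArmor (visible with `dmesg` or `journalctl -k` on the host), which also makes a useful detection signal.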
4. Use only HTTPS
HTTPS is currently the most used protocol on the internet, according to w3techs' reports. It should be the standard on every website anyway. If your web server still accepts plain HTTP, make sure you always redirect to HTTPS on your website.
You should also take a closer look at your applications, APIs and asynchronous requests. Don't forget that without proper encryption everyone in between can read the network traffic.
Attackers also look at the traffic from an information-gathering perspective: they want to observe weaknesses in network protocols and communication. Without HTTPS this is much simpler and could reveal further security vulnerabilities.
5. Use a reverse proxy to protect your web server
A reverse proxy or a WAF (Web Application Firewall) like ModSecurity adds another layer of security to protect your web server or application. You can also containerize it and put it in front of your web server or application. It will protect you from malicious attack patterns such as XSS and other exploit attempts.
6. Use good DDoS protection
DDoS is often underestimated because it is a relatively simple attack method. But keep in mind that it is, in fact, one of the most efficient attack methods! Especially when downtime can cost you a lot of money, you will need good DDoS protection. Any online business can be affected by such an attack.
Modern DDoS attacks also use complex AI-driven multi-vector techniques. This can be very painful without any protection. To withstand these sophisticated attacks you will need modern AI-based DDoS protection that is able to detect them.
To protect your web server from DDoS attacks you will need to use a DDoS protection provider. Here is my personal recommendation: