Sunday, 13 September 2015

79 Web Server Security Tips

Here are 79 tips to help you improve your web server security. I start with passwords, as you would be surprised at the number of cases we handle that boil down to bad passwords. Web application security can also be improved with some simple steps, and it is time everyone stopped using insecure communication protocols. Check out the list and send in your tips to get up to 100.

Password Security

  1. Use passwords with at least 8 characters.
  2. Use complex passwords that include numbers, symbols, and punctuation.
  3. Use a variety of passwords for different accounts or roles.
  4. Test passwords in a secure password tool.
  5. Do not use dictionary words as passwords, e.g. myblackdog.
  6. Do not repeat sequences of characters, e.g. 3333, abcdabcd.
  7. Do not use personal information in passwords, e.g. your birthdate.
  8. Do not store passwords on laptops, smartphones or tablets that can be lost.
  9. Use a password manager to securely keep track of your passwords (See our post on LastPass).
  10. Set up two-factor authentication when available.
  11. Use a secure password generator.

Secure Communications

  1. Use Secure FTP instead of plain FTP.
  2. Use SSH instead of telnet.
  3. Use secure email connections (POP3S/IMAPS/SMTPS).
  4. Secure all web administration areas with SSL (HTTPS).
  5. Secure your web forms with SSL (HTTPS).
  6. Use VPN when available.
  7. Use firewalls on all endpoints, including servers and desktops.
  8. Use residential/office firewall/IPS systems.
  9. Encrypt highly sensitive emails.
  10. Do not use public computers to access sensitive information.

Web Application Security

  1. Sign up for notices about web application updates.
  2. Update your web applications promptly.
  3. Scan web applications using remote security tools such as Nessus.
  4. Use a web application firewall.
  5. Test file upload fields to ensure code cannot be uploaded.
  6. Have custom code reviewed for security issues.
  7. Use coding frameworks with good security history.
  8. Do not rely solely on obscure directory/file names for security.
  9. Secure web application admin areas with IP based restrictions.
  10. Sanitize user input.
  11. Put sensitive files outside of document root or restrict access.
  12. Avoid using shell commands within scripts.
  13. Don’t trust the HTTP Referer header as it is easily forged.
  14. Use POST instead of GET to submit data so sensitive information is not in the URL.
  15. Validate data server-side, not client-side.
  16. Do not rely on relative file and path names. Always set base directories.
  17. Specify permissions when creating files.
  18. Limit file upload, creation activities to specific directories.
  19. Create safe error messages by not disclosing sensitive information in errors.
  20. Be careful of what data you trust from a cookie; it can be manipulated.
  21. Encrypt configuration files that contain sensitive logins.
  22. Guard against application-level DoS attacks by limiting field input length.
  23. Disable URL fopen if possible.
  24. Enable safe mode, include directory and open_basedir restrictions if possible.
  25. Disable dangerous PHP functions if possible.
  26. Be careful of naming files *.bak, *.txt or *.inc within the web document root.
  27. Be careful using version management tools on your doc root.
  28. Set default reply-to addresses for web applications and monitor the mailbox for bounces.
  29. Use version control systems.
  30. Use bug tracking and change log systems.
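As an added example (not code from the original post), this Python upload handler puts tips 5, 16, 17, 18 and 22 together: it validates the client-supplied filename, never reuses it, anchors every write under one base directory outside the document root, sets the file mode explicitly, and caps the size. The root path `/srv/app/uploads`, the allowed extensions and the size limits are assumptions chosen for the example; the filenames exercised in `demo()` are constructed.

```python
import os
import secrets
import tempfile
from pathlib import Path

# Assumptions for this example: uploads live under UPLOAD_ROOT, which sits
# outside the web document root, and only these extensions are accepted.
UPLOAD_ROOT = Path("/srv/app/uploads")   # hypothetical base directory
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf"}
MAX_NAME_LEN = 64
MAX_BYTES = 5 * 1024 * 1024


class UploadRejected(ValueError):
    """Raised for any upload the policy does not accept."""


def safe_upload_path(client_filename, root=UPLOAD_ROOT):
    """Map an untrusted filename to a path strictly inside root, or raise UploadRejected."""
    # Tip 22: bound the length of user-controlled input before doing anything else.
    if not client_filename or len(client_filename) > MAX_NAME_LEN:
        raise UploadRejected("missing or over-long filename")
    # Keep only the last path component; clients may send full or traversal paths.
    base = os.path.basename(client_filename.replace("\\", "/"))
    _stem, ext = os.path.splitext(base)
    # Tip 5: allow-list the extension; anything executable by the server is refused.
    if ext.lower() not in ALLOWED_EXTENSIONS:
        raise UploadRejected("extension not allowed")
    # Never reuse the client's name: a random name prevents overwrites and
    # double-extension tricks such as logo.php.png becoming a handler match.
    safe_name = secrets.token_hex(16) + ext.lower()
    target = (root / safe_name).resolve()
    # Tip 16/18: confirm the resolved path still sits under the base directory.
    if root.resolve() not in target.parents:
        raise UploadRejected("path escapes upload directory")
    return target


def save_upload(client_filename, data, root=UPLOAD_ROOT):
    """Write data to a freshly named file under root; returns the stored path."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    target = safe_upload_path(client_filename, root)
    # Tip 17: O_EXCL fails rather than overwrites; 0o640 gives no execute bit.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o640)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    return target


def demo():
    """Exercise the handler on constructed filenames in a throw-away directory."""
    root = Path(tempfile.mkdtemp())
    outcomes = []
    for name in ["report.pdf", "../../etc/passwd", "shell.php", "logo.php.png", "a" * 70 + ".png"]:
        try:
            stored = save_upload(name, b"constructed file body", root)
            outcomes.append("%s: stored as %s" % (name, stored.name))
        except UploadRejected as err:
            outcomes.append("%s: rejected (%s)" % (name, err))
    return outcomes


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The check `root.resolve() not in target.parents` is redundant given the random name, but it is the line that would catch a future change that starts trusting part of the client name again, which is why it stays.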

Server Security
  1. Update your OS regularly – as in within hours of critical updates.
  2. Update your control panel regularly.
  3. Reduce information disclosure, e.g. changing ServerTokens in Apache.
  4. Don’t install software that is not used.
  5. Don’t store backups or old versions of software on the production system.
  6. Restrict access to directories with proper permissions.
  7. Make sure logs are working properly.
  8. Make sure you log all admin level accesses with date, times and usernames.
  9. Make sure you use a firewall.
  10. Remove default accounts in MySQL.
  11. Disable direct root login in SSH.
  12. Replace password logins with SSH keys.
  13. Disable unused services.
  14. Maintain backups.
  15. Test backups.
  16. Do not do development on production systems.
  17. Stay updated with subscriptions to security notification services.
  18. Monitor web traffic for unusual activity.
  19. Conduct regular, remote security scans.
  20. Conduct regular, local security scans.
  21. Harden default service settings in Apache, SSH and other services.
  22. Use root account only when required.
  23. Use sudo to grant others root-level access.
  24. Enable SELinux if possible.
  25. Use private networks for internal server traffic.
  26. Use encryption when appropriate.
  27. Conduct password audits.
  28. Enforce strong passwords and change policies.
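As an added example (not code from the original post), this Python audit checks the server tips that map to explicit configuration directives (ServerTokens and ServerSignature for tip 3, PermitRootLogin and PasswordAuthentication for tips 11 and 12) together with the PHP tips from the previous section (allow_url_fopen, open_basedir and disable_functions). The weak and hardened configuration fragments are constructed for the example, and the file labels `sshd_config`, `httpd.conf` and `php.ini` are just the names the audit keys on; PHP's safe_mode is not checked because it was removed in PHP 5.4.

```python
import re

# Constructed configuration fragments for the example, not taken from any real host.
WEAK_CONFIGS = {
    "sshd_config": "Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n",
    "httpd.conf": "ServerTokens Full\nServerSignature On\n",
    "php.ini": "allow_url_fopen = On\ndisable_functions =\nopen_basedir =\n",
}

HARDENED_CONFIGS = {
    "sshd_config": "Port 22\nPermitRootLogin no\nPasswordAuthentication no\n",
    "httpd.conf": "ServerTokens Prod\nServerSignature Off\n",
    "php.ini": (
        "allow_url_fopen = Off\n"
        "disable_functions = exec,system,passthru,shell_exec\n"
        "open_basedir = /var/www/app\n"   # hypothetical application directory
    ),
}

# Each rule: (file label, directive, regex the value must match, recommendation).
RULES = [
    ("sshd_config", "PermitRootLogin", r"^no$", "disable direct root login"),
    ("sshd_config", "PasswordAuthentication", r"^no$", "use SSH keys instead of passwords"),
    ("httpd.conf", "ServerTokens", r"^Prod$", "reduce version disclosure"),
    ("httpd.conf", "ServerSignature", r"^Off$", "reduce version disclosure"),
    ("php.ini", "allow_url_fopen", r"^(Off|0)$", "disable URL fopen wrappers"),
    ("php.ini", "open_basedir", r"\S", "restrict PHP file access to the application directory"),
    ("php.ini", "disable_functions", r"\S", "disable dangerous PHP functions such as exec and system"),
]


def parse_directives(text):
    """Return {directive_lowercase: value} from 'Key value' or 'key = value' lines."""
    found = {}
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines and full-line comments ('#' for sshd/Apache, ';' for php.ini).
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^(\S+?)\s*(?:=|\s)\s*(.*)$", line)
        if m:
            found[m.group(1).lower()] = m.group(2).strip()
        else:
            found[line.lower()] = ""   # directive present with no value
    return found


def audit(configs):
    """configs maps file label -> text; returns one finding string per failed rule."""
    parsed = {name: parse_directives(text) for name, text in configs.items()}
    findings = []
    for file, directive, ok_pattern, advice in RULES:
        value = parsed.get(file, {}).get(directive.lower(), "")
        if not re.match(ok_pattern, value, re.IGNORECASE):
            shown = value if value else "<unset>"
            findings.append("%s: %s is %s; %s" % (file, directive, shown, advice))
    return findings


if __name__ == "__main__":
    for finding in audit(WEAK_CONFIGS):
        print(finding)
    print("hardened findings:", audit(HARDENED_CONFIGS))
```

A directive that is absent is reported as unset rather than assumed safe, because the daemon default may differ between versions; the fix is to set it explicitly so the audit and the running service agree.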
