February 9 marks Safer Internet Day. Across the globe, software developers and everyday internet users alike have to deal with online safety. With COVID-19 restrictions moving most of people's activities onto online platforms, this topic has become particularly important. In honor of the holiday, STDev specialists have put together a list of tips and hints to make 2021 your safest year yet.
These are the same practices and methods we at STDev use to make our products safe and secure. This year, the team decided to focus on server security.
1. Access to Your Server Should be as Limited as Possible
In any company, no matter how big or small, access to servers should be limited. This means that only members of your company who absolutely need access should have it. If someone outside that list needs access for some reason, create a chain of command and funnel the request through your IT department. This will keep access to a close-knit group of people.
Another tip to consider: only trusted IP addresses should be allowed to connect to the server. If that is not possible, at least require a private key for authentication rather than a password alone.
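To make the two checks above concrete, here is an added example (not STDev's own tooling) that parses an sshd_config file, reports the settings that still allow password or root logins, and evaluates whether a given user and source address would pass an AllowUsers list. The two configuration texts are constructed samples; the user names and addresses in them are placeholders.

```python
"""Audit sshd_config for key-only, restricted SSH access (added example)."""
import ipaddress

# Constructed sample: a permissive sshd_config as often found on a fresh install.
WEAK_CONFIG = """
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# Constructed sample: the same file after hardening. Addresses are placeholders.
HARDENED_CONFIG = """
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy@203.0.113.0/24 ops@198.51.100.7
"""


def parse_sshd_config(text):
    """Return {keyword_lowercase: value}; sshd honours the first occurrence of a keyword."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the access checks pass."""
    s = parse_sshd_config(text)
    findings = []
    if s.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication should be 'no' (authenticate with keys)")
    if s.get("pubkeyauthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication should be 'yes'")
    if s.get("permitrootlogin") != "no":
        findings.append("PermitRootLogin should be 'no' (log in as a named user, then escalate)")
    if "allowusers" not in s and "allowgroups" not in s:
        findings.append("No AllowUsers/AllowGroups: every local account is a login candidate")
    return findings


def user_allowed(settings, user, src_ip):
    """Check whether the AllowUsers list admits `user` connecting from `src_ip`.

    Handles the plain USER form and the USER@HOST form, where HOST may be an
    address or a CIDR block (sshd accepts CIDR in AllowUsers). With no
    AllowUsers directive sshd lets every account attempt to log in."""
    patterns = settings.get("allowusers")
    if patterns is None:
        return True
    addr = ipaddress.ip_address(src_ip)
    for pattern in patterns.split():
        pat_user, _, pat_host = pattern.partition("@")
        if pat_user != user:
            continue
        if not pat_host:
            return True
        if addr in ipaddress.ip_network(pat_host, strict=False):
            return True
    return False


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "OK")
    hardened = parse_sshd_config(HARDENED_CONFIG)
    print("deploy from 203.0.113.44:", user_allowed(hardened, "deploy", "203.0.113.44"))
    print("deploy from 198.51.100.7:", user_allowed(hardened, "deploy", "198.51.100.7"))
```

Run it against a copy of the real file (`/etc/ssh/sshd_config`) to get the findings list; note that the audit only reads the main file, not `Include`d fragments or `Match` blocks, so treat a clean result as a first pass rather than proof.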
2. Keep All Server Applications Updated
All server applications should be updated as soon as new versions are available. The older your server applications, the more open your company is to security breaches.
3. Use Fail2Ban Program
Fail2Ban is a piece of software that updates firewall rules to reject IP addresses for a specified amount of time. Put more simply, it is an intrusion prevention framework that protects servers from brute-force attacks. This will keep you protected against hackers.
4. Close All Server Ports Except Web
All server ports except the web server ports (unless otherwise specified) must be closed to external access. In layman's terms, this is a preventative measure that limits the number of entry points to your server from the get-go.
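A quick way to verify this rule on a Linux host is to list the listening TCP sockets and flag anything bound to a non-loopback address on a port outside the allowlist. The example below is added here and is not STDev's code; it parses the output format of `ss -Hltn` from a constructed sample, and assumes port 22 is the one "otherwise specified" exception for administration.

```python
"""Flag listening TCP ports exposed beyond the web ports (added example)."""
import ipaddress

# Constructed sample in the shape of `ss -Hltn` output (listening TCP, no header).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5432 0.0.0.0:*
LISTEN 0 128 [::1]:6379 [::]:*
"""

WEB_PORTS = {80, 443}
ADMIN_PORTS = {22}  # assumption: SSH is the one non-web port allowed externally


def parse_listeners(ss_output):
    """Return (address, port) for each LISTEN line; IPv6 brackets are stripped."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def is_external(addr):
    """True if the socket is reachable from other hosts (anything but loopback)."""
    if addr == "*":  # older ss prints '*' for all interfaces
        return True
    return not ipaddress.ip_address(addr).is_loopback


def exposed_ports(ss_output, allowed=frozenset(WEB_PORTS | ADMIN_PORTS)):
    """Listeners on a non-loopback address whose port is not in `allowed`."""
    return [(addr, port) for addr, port in parse_listeners(ss_output)
            if is_external(addr) and port not in allowed]


if __name__ == "__main__":
    for addr, port in exposed_ports(SAMPLE_SS_OUTPUT):
        print(f"exposed: {addr}:{port} - close it or bind it to localhost")
```

In the sample, MySQL (3306) and Redis (6379) are bound to loopback and pass, while PostgreSQL on 0.0.0.0:5432 is reported. On a real host feed the function `subprocess.run(["ss", "-Hltn"], capture_output=True, text=True).stdout`; a host firewall may still block a flagged port, but a service that only listens on localhost has nothing to block.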
5. Take Protective Measures for Mailservers
If you have a mail server operating on your main server, configure Fail2Ban to also watch the mail server ports so that attackers cannot keep guessing passwords.
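To show what Fail2Ban does for both the SSH case (tip 3) and the mail server case (tip 5), here is an added example, written for this post and not taken from Fail2Ban's own code, that replays constructed auth-log lines through the same policy Fail2Ban applies: a jail per service with a regex that extracts the offending address, and a ban once an address reaches `maxretry` failures within `findtime` seconds. The sshd and Postfix line formats follow the real daemons' log messages; the hostnames, PIDs and addresses are placeholders.

```python
"""Fail2Ban-style detection over sshd and Postfix SASL log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One regex per jail, each with an 'ip' group. Written for the samples below,
# not copied from Fail2Ban's filter.d files.
JAILS = {
    "sshd": re.compile(r"sshd\[\d+\]: Failed password for .* from (?P<ip>\S+) port"),
    "postfix-sasl": re.compile(
        r"postfix/smtpd\[\d+\]: warning: \S+\[(?P<ip>[^\]]+)\]: SASL \w+ authentication failed"),
}
SYSLOG_TS = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")

# Constructed sample log. 203.0.113.9 hammers SSH, 192.0.2.77 hammers SMTP AUTH,
# 198.51.100.20 is a legitimate admin with one mistyped password.
SAMPLE_LOG = """\
Feb  9 10:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Feb  9 10:00:04 host sshd[1002]: Failed password for root from 203.0.113.9 port 40002 ssh2
Feb  9 10:00:07 host sshd[1003]: Failed password for invalid user test from 203.0.113.9 port 40003 ssh2
Feb  9 10:00:09 host sshd[1004]: Accepted publickey for deploy from 198.51.100.20 port 50000 ssh2
Feb  9 10:00:11 host sshd[1005]: Failed password for invalid user oracle from 203.0.113.9 port 40004 ssh2
Feb  9 10:00:15 host sshd[1006]: Failed password for root from 203.0.113.9 port 40005 ssh2
Feb  9 10:00:20 host sshd[1007]: Failed password for root from 203.0.113.9 port 40006 ssh2
Feb  9 10:05:00 host postfix/smtpd[2001]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb  9 10:05:02 host postfix/smtpd[2001]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb  9 10:05:04 host postfix/smtpd[2001]: warning: unknown[192.0.2.77]: SASL PLAIN authentication failed: UGFzc3dvcmQ6
Feb  9 10:05:06 host postfix/smtpd[2001]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb  9 10:05:08 host postfix/smtpd[2001]: warning: unknown[192.0.2.77]: SASL LOGIN authentication failed: UGFzc3dvcmQ6
Feb  9 11:30:00 host sshd[1010]: Failed password for root from 198.51.100.20 port 50001 ssh2
"""


def parse_timestamp(line, year):
    """Syslog lines carry no year, so the caller supplies one."""
    m = SYSLOG_TS.match(line)
    if not m:
        return None
    stamp = " ".join(m.group("ts").split())  # collapse the padded day ('Feb  9')
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def scan_log(lines, maxretry=5, findtime=600, bantime=3600, year=2021):
    """Replay lines and return the bans as (jail, ip, ban_start, ban_end).

    Failures older than `findtime` seconds fall out of the window, so a slow
    trickle of typos never triggers a ban; `maxretry` failures inside the
    window do. Lines from an address that is already banned are ignored,
    which mirrors the firewall dropping its packets."""
    window = timedelta(seconds=findtime)
    failures = defaultdict(deque)  # (jail, ip) -> recent failure timestamps
    banned_until = {}              # (jail, ip) -> end of ban
    bans = []
    for line in lines:
        ts = parse_timestamp(line, year)
        if ts is None:
            continue
        for jail, pattern in JAILS.items():
            m = pattern.search(line)
            if not m:
                continue
            key = (jail, m.group("ip"))
            if key in banned_until and ts < banned_until[key]:
                continue
            recent = failures[key]
            recent.append(ts)
            while recent and ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= maxretry:
                banned_until[key] = ts + timedelta(seconds=bantime)
                bans.append((jail, key[1], ts, banned_until[key]))
                recent.clear()
    return bans


if __name__ == "__main__":
    for jail, ip, start, end in scan_log(SAMPLE_LOG.splitlines()):
        print(f"[{jail}] ban {ip} from {start:%H:%M:%S} until {end:%H:%M:%S}")
```

The defaults (`maxretry=5`, `findtime=600`, `bantime=3600`) correspond to the options of the same names in Fail2Ban's `jail.conf`; in the real tool the ban step is an `actionban` that inserts a firewall rule, which is the part this simulation leaves out.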
6. What to do for DNS Management Cases
DNS management software is software that controls Domain Name System server clusters; DNS data is typically deployed on multiple physical servers. For DNS management, we strongly recommend using Cloudflare, which also protects against DDoS attacks, provides high-quality caching and, if necessary, a free SSL certificate.
7. Be Careful With File Uploading
This is something you'll want to check with your IT guy. But if there is a possibility to upload files to your server, then this process should be as restrictive as possible. Have your IT guy check the type of the files (for example, if you only need images uploaded, then you should not allow other types of files such as .exe or .bat).
Again, file uploading is a haven for hackers: it means they can simply upload a file (e.g. from a flash drive) that could easily tamper with your programs. Best to avoid this scenario as well.
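Here is what "check the type of the files" looks like in the upload handler itself, as an added example that is not STDev's code. It accepts only image extensions, judges a name like `avatar.png.bat` by its final suffix, confirms that the file's leading bytes match the type the extension claims (so a renamed executable is caught), throws away any directory part of the client-supplied name, and stores the file under a random name. The byte strings are constructed samples; the size limit and allowlist are assumptions for the example.

```python
"""Restrictive image upload validation (added example)."""
import os
import secrets

# Leading bytes ("magic numbers") of the image formats this endpoint accepts.
ALLOWED_TYPES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".gif": (b"GIF87a", b"GIF89a"),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumption for the example

# Constructed sample payloads: a minimal PNG header and a DOS/Windows executable header.
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
EXE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 16


class UploadRejected(ValueError):
    """Raised with a reason when an upload fails validation."""


def validate_upload(filename, content):
    """Return a safe storage filename for `content`, or raise UploadRejected.

    Order of checks: size, extension on the allowlist (final suffix only),
    then the file's first bytes match the type the extension claims. The
    stored name is random so the uploader chooses neither name nor path."""
    if len(content) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    base = os.path.basename(filename.replace("\\", "/"))  # strip any path the client sent
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected(f"extension {ext or '(none)'} not allowed")
    magics = ALLOWED_TYPES[ext]
    if isinstance(magics, bytes):
        magics = (magics,)
    if not content.startswith(magics):
        raise UploadRejected(f"content does not look like {ext}")
    return secrets.token_hex(16) + ext


def check_upload(filename, content):
    """Convenience wrapper: ('accepted', stored_name) or ('rejected', reason)."""
    try:
        return ("accepted", validate_upload(filename, content))
    except UploadRejected as exc:
        return ("rejected", str(exc))


if __name__ == "__main__":
    for name, data in [("photo.png", PNG_SAMPLE), ("setup.exe", EXE_SAMPLE),
                       ("photo.png", EXE_SAMPLE), ("avatar.png.bat", PNG_SAMPLE),
                       ("../../etc/cron.d/job.png", PNG_SAMPLE)]:
        print(f"{name!r}: {check_upload(name, data)}")
```

Store accepted files outside the web root (or on a host that serves them as static content only) and never execute or include them; the magic-byte check says only that the file starts like an image, not that the rest of it is harmless.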
8. Check Incoming Data
Incoming data can also be harmful. Data received from any user should be checked for SQL injection, cross-site scripting (XSS) and Cross-Site Request Forgery (CSRF) payloads before it reaches your database, your HTML or your state-changing handlers.
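The three checks named above are easier to see in code than to describe. The following added example (written for this post, not STDev's code) uses the standard library only: an in-memory SQLite table with the string-built query beside its parameterised replacement, an HTML comment renderer that escapes user text, and a per-session CSRF token issued and then compared in constant time. The table rows and session dictionary are constructed stand-ins for a real database and session store.

```python
"""Defences for SQL injection, XSS and CSRF, side by side (added example)."""
import hmac
import html
import secrets
import sqlite3


def make_db():
    """Constructed users table standing in for the real database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db


# --- SQL injection ---------------------------------------------------------
def find_user_unsafe(db, name):
    """The defect: user input is pasted into the SQL text, so it can change the query."""
    return db.execute(f"SELECT name, email FROM users WHERE name = '{name}'").fetchall()


def find_user_safe(db, name):
    """The fix: a parameterised query sends the value separately from the SQL."""
    return db.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()


# --- XSS -------------------------------------------------------------------
def render_comment(text):
    """Escape user text before placing it in HTML so it is displayed, not executed."""
    return f"<p>{html.escape(text)}</p>"


# --- CSRF ------------------------------------------------------------------
def issue_csrf_token(session):
    """Store a fresh random token in the server-side session and return it for the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf(session, submitted):
    """Accept a state-changing request only if the form echoed the session's token."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)  # constant-time comparison


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # classic textbook input used to show the difference
    print("unsafe:", find_user_unsafe(db, probe))   # returns every row
    print("safe:  ", find_user_safe(db, probe))     # returns no rows: no user has that name
    print(render_comment("<script>alert(1)</script>"))
    session = {}
    token = issue_csrf_token(session)
    print("csrf ok:", verify_csrf(session, token), "forged:", verify_csrf(session, "x"))
```

The parameterised form works for any driver that follows the DB-API placeholder style (`?` for SQLite, `%s` for psycopg2 and MySQL connectors); the escaping step is what template engines such as Jinja2 do by default with autoescaping on, and the CSRF pair is what framework middleware does for you when you enable it, so in a real project prefer those built-ins over hand-written copies.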
9. All Authentication Forms Must Have a Captcha
If your products have authentication forms, they all must have a captcha, or better yet an invisible captcha. See an example here.
10. Passwords, Passwords, Passwords
Well, of course, you have to put passwords everywhere, both for users and especially for the admin, to prevent logging in with a program that does trivial password guessing. Where possible you should always use private keys instead of passwords; read more about private keys here.
Just as there are many risks in the internet world, there are also a lot of ways to keep yourself protected. If you’re not sure which of these solutions best fit your case, contact the STDev team and we’ll be happy to get on a call and consult with you to help you find the best route.
Happy Safer Internet Day!