Server security is vast and intimidating in theory, but in practice it tends to be a series of simple, common-sense steps that make your server progressively more secure.
For the novice, it’s best not to think of it as “if I don’t do x, y and z, we’re all doomed”. Instead, think of the process as “if I do x, everything will be better, and then I’ll look at y as soon as I’m finished”.
Physical security is often seen as an afterthought: an extra step only really taken by the larger companies. This is especially true of self-taught programmers, who are often preoccupied with encryption schemes and cryptographic standards at the cost of all else.
Physical security should in fact always be your first step. If someone has physical access to the server, or to the workstations that hold admin credentials for it, every other measure you take can be bypassed: an attacker who can pull a disk or boot from their own media does not need to break your software.
Your first step, therefore, should be to restrict and monitor physical access to the server and to the work computers that connect to it with administrative rights.
Restrict Administrator Access
Grant as few people as possible access to the administrator role. Restricting admin access is one of the simplest and most effective ways of improving server security, and it needs no new software to achieve.
Admin access is rarely a legitimate necessity for anyone other than a dedicated sysadmin. For everyone else it is almost wholly a matter of convenience, and convenience should never be allowed to compromise security. It also pays to check periodically who actually holds the role, since accounts accumulate rights over time.
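As an added example (not code from the original article), here is a small Python script that answers the question this step raises in practice: who currently holds administrator rights on a Linux host? It parses passwd- and group-format text, flags any account whose UID is 0 (which is root, whatever it is called) and any member of the groups distributions conventionally map to sudo. The file contents below are constructed samples so the script runs offline; the group names in ADMIN_GROUPS and the audit_admin_access() helper are assumptions. It does not parse /etc/sudoers or /etc/sudoers.d/, which a complete audit also needs.

```python
"""Audit which accounts on a Linux host hold administrator rights.

Added example, not code from the original article. The passwd and group
contents below are constructed samples embedded inline so the script runs
offline; audit_admin_access() runs the same check against real files.
"""
from typing import Dict, List, Set

# Groups that distributions commonly map to sudo (assumption: adjust to your
# sudoers policy). A full audit must also parse sudoers itself.
ADMIN_GROUPS: Set[str] = {"wheel", "sudo", "admin"}

# Constructed sample data, not taken from any real host.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice Ops:/home/alice:/bin/bash
bob:x:1001:1001:Bob Dev:/home/bob:/bin/bash
carol:x:1002:1002:Carol Dev:/home/carol:/bin/bash
toor:x:0:0:backup root:/root:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,bob
wheel:x:10:
developers:x:2000:bob,carol
"""


def parse_passwd(text: str) -> Dict[str, int]:
    """Map username -> numeric UID from passwd-format text."""
    users: Dict[str, int] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 3:
            continue  # malformed line; skip rather than crash the audit
        users[fields[0]] = int(fields[2])
    return users


def parse_group(text: str) -> Dict[str, Set[str]]:
    """Map group name -> set of supplementary members from group-format text."""
    groups: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        groups[fields[0]] = {m for m in fields[3].split(",") if m}
    return groups


def find_admins(passwd_text: str, group_text: str) -> Dict[str, List[str]]:
    """Return {username: [reasons]} for every account with admin rights.

    Two signals are checked: a UID of 0, which makes the account root no
    matter what it is named, and membership in a group listed in ADMIN_GROUPS.
    """
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    admins: Dict[str, List[str]] = {}
    for name, uid in users.items():
        if uid == 0:
            admins.setdefault(name, []).append("uid 0")
    for gname in ADMIN_GROUPS:
        for member in groups.get(gname, set()):
            admins.setdefault(member, []).append(f"member of {gname}")
    return admins


def audit_admin_access(passwd_path: str = "/etc/passwd",
                       group_path: str = "/etc/group") -> Dict[str, List[str]]:
    """Run find_admins() against the real files on this host."""
    with open(passwd_path) as p, open(group_path) as g:
        return find_admins(p.read(), g.read())


if __name__ == "__main__":
    # On the sample data this reports root, toor (a second UID-0 account,
    # which is exactly the kind of thing an audit should surface), alice and bob.
    for user, reasons in sorted(find_admins(SAMPLE_PASSWD, SAMPLE_GROUP).items()):
        print(f"{user:10} {', '.join(reasons)}")
```

Run it on the samples and the second UID-0 account `toor` shows up alongside `root`; that is the point of checking the UID rather than trusting the name. On a live host, call audit_admin_access() and compare the list against the people who genuinely need the role.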
Improve Your Defence Against Injections
SQL injection is hardly the most complex or interesting attack vector, but when it succeeds it can be devastating. The worst thing you can do about it is implement a couple of defences and call it a day. There is always some way to improve your defences against SQL injection, so this is a step everyone should carry out, however secure they think their code is.
To begin with, use parameterised queries (prepared statements) rather than building SQL by concatenating strings, validate all user input against what you actually expect, keep dynamic SQL to the bare minimum, and design on the assumption that your data will be breached eventually, so that a successful injection exposes as little as possible.
For more experienced developers, if you have not already found it, Bobby Tables (bobby-tables.com) is a good place to start looking more deeply into the issue; MITRE's Common Weakness Enumeration (SQL injection is CWE-89) is a useful checklist when auditing your code for such weaknesses; and sqlmap is an open-source tool that automates detecting and exploiting SQL injection flaws, which makes it well suited to large-scale pen testing.
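As an added example (not the article's own code), here is the vulnerable login query beside its parameterised form, plus the one case parameters cannot cover, an identifier in ORDER BY, which is handled by allow-list validation instead. It uses Python's built-in sqlite3 module with a constructed in-memory users table, so it runs offline. The table, its rows and the function names are assumptions for the demonstration; passwords are stored in plain text purely to keep it short, which a real system must never do.

```python
"""SQL injection: the vulnerable query beside its parameterised form.

Added example, not code from the original article. Uses an in-memory
sqlite3 database with a constructed users table. Plain-text passwords are
for demonstration only; real systems store salted hashes.
"""
import sqlite3
from typing import List

# Allow-list for the one thing bound parameters cannot carry: an identifier.
ALLOWED_SORT_COLUMNS = {"username", "email"}


def make_db() -> sqlite3.Connection:
    """Create an in-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "alice@example.com", "hunter2"),
         ("bob", "bob@example.com", "letmein"),
         ("carol", "carol@example.com", "s3cret")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Authenticate by string concatenation: the classic injection bug.

    A password of  ' OR '1'='1  turns the WHERE clause into
    (username = 'alice' AND password = '') OR '1'='1', which is always true.
    """
    query = ("SELECT 1 FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: user input is data, never SQL."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


def list_users_sorted(conn: sqlite3.Connection, sort_column: str) -> List[str]:
    """ORDER BY needs dynamic SQL, so validate the identifier against an allow-list."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"refusing to sort by {sort_column!r}")
    rows = conn.execute(f"SELECT username FROM users ORDER BY {sort_column}").fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable login with injected password:", login_vulnerable(db, "alice", payload))
    print("parameterised login with same input:   ", login_safe(db, "alice", payload))
    print("parameterised login with real password:", login_safe(db, "alice", "hunter2"))
    print("sorted by email:", list_users_sorted(db, "email"))
    try:
        list_users_sorted(db, "username; DROP TABLE users")
    except ValueError as exc:
        print("rejected identifier:", exc)
```

The vulnerable function accepts the injected password; the parameterised one rejects it and still accepts the genuine password, because the driver sends the value separately from the query text. The allow-list in list_users_sorted() is the pattern to use whenever a table or column name really must be chosen at runtime, since placeholders only bind values.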
Make Use Of Existing Software
The irritation of working around over-sensitive firewalls on personal computers has left a generation of users slightly suspicious of firewalls, and often leaves them with the misleading impression that firewalls are unsophisticated blacklist/whitelist filters and nothing more.
The difference between personal firewalls and server firewalls, however, is immense. Server-side security software, firewalls included, tends to be highly specialised to a specific sector and a specific use-case. So, for instance, there is Smoothwall for education, health and other widely-accessed public sector servers, and WebApp Secure for large-scale private business web servers that face equally large-scale attacks.
With the software already tailored to your needs (and a number of open source options available if your requirements are less intense), server firewalls spare you much of the irritating per-application set-up that personal firewalls demand. The rules still need reviewing against the services the host actually exposes, but that is a one-off job rather than a daily annoyance.
Follow these four steps and you will have the foundations of a well-secured server in place. There are always further ways to improve server security, though, so hopefully this advice serves as your jumping-off point rather than your final destination.
Do you have any further resources on server security to share? Let me know in the comments!