Security Best Practices for Hosting
Security is paramount when hosting applications and websites. This guide covers essential security practices to protect your infrastructure.
Server Hardening
Operating System Security
Start with a secure OS configuration:
- Keep the system updated with security patches
- Remove unnecessary software and services
- Configure secure boot processes
- Implement system logging and monitoring
User Management
Proper user account security:
# Create a non-root user with sudo privileges
adduser myuser
usermod -aG sudo myuser
# Disable root login over SSH. The anchored pattern also catches the
# commented-out default ("#PermitRootLogin prohibit-password"), so the
# directive is set even when it was never explicitly enabled.
sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
# Validate the config, then restart (the unit is "ssh" on Debian/Ubuntu).
# Keep the current session open and confirm myuser can log in before closing it.
sshd -t && systemctl restart sshd
# Set password policies (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE, ...)
vim /etc/login.defs
SSH Hardening
Secure SSH access:
# /etc/ssh/sshd_config
# Change the default SSH port (open the new port in the firewall before
# restarting sshd, or the next connection is refused)
Port 2222
# Disable password authentication (install the user's public key first)
PasswordAuthentication no
PubkeyAuthentication yes
# Limit authentication attempts per connection and the number of
# concurrent unauthenticated connections
MaxAuthTries 3
MaxStartups 2
# Apply with: sshd -t && systemctl restart sshd
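The directives above are easy to get subtly wrong: sshd takes the first uncommented value of a directive, keywords are case-insensitive, and a directive that is still commented out falls back to the OpenSSH default rather than to the value shown after the `#`. The following audit script is an added example, not part of the original guide; it checks a given sshd_config file for the settings from this section and the root-login setting from the previous one, using two constructed sample files (a distro-style default and a hardened one). Conditional `Match` blocks are not evaluated.

```shell
#!/bin/bash
# Added example (not from the original guide): audit an sshd_config file for the
# directives above. sshd takes the FIRST uncommented value of a directive,
# keyword matching is case-insensitive, and a directive that is absent or
# commented out falls back to the OpenSSH default, so a leftover
# "#PermitRootLogin prohibit-password" must not be mistaken for "no".
# Conditional "Match" blocks are not evaluated; the scan stops at the first one.

# effective_value FILE DIRECTIVE -> first uncommented value, lowercased ("" if unset)
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }          # comment or blank
        tolower($1) == "match"                { exit }          # conditional block
        tolower($1) == key && val == ""       { val = tolower($2) }
        END { print val }' "$1"
}

# audit_sshd_config FILE -> one FAIL line per weak directive; returns the count
audit_sshd_config() {
    local file="$1" findings=0 directive want default got
    # directive, wanted value, OpenSSH default that applies when it is unset
    while read -r directive want default; do
        got="$(effective_value "$file" "$directive")"
        got="${got:-$default}"
        if [ "$got" != "$want" ]; then
            echo "FAIL $directive is '$got', want '$want'"
            findings=$((findings + 1))
        fi
    done <<'EOF'
PermitRootLogin no prohibit-password
PasswordAuthentication no yes
PubkeyAuthentication yes yes
EOF
    # MaxAuthTries is numeric: the default of 6 or anything above 3 is a finding
    got="$(effective_value "$file" MaxAuthTries)"
    if [ "${got:-6}" -gt 3 ]; then
        echo "FAIL MaxAuthTries is '${got:-6}', want 3 or fewer"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed samples: a distro-style default where every directive is still
# commented out, and a configuration hardened as in this section.
WEAK_CFG="$(mktemp)" HARDENED_CFG="$(mktemp)"
trap 'rm -f "$WEAK_CFG" "$HARDENED_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
#PubkeyAuthentication yes
#MaxAuthTries 6
Port 22
EOF
cat > "$HARDENED_CFG" <<'EOF'
Port 2222
permitrootlogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
MaxStartups 2
EOF

for cfg in "$WEAK_CFG" "$HARDENED_CFG"; do
    echo "== $cfg"
    if audit_sshd_config "$cfg"; then
        echo "OK: all checked directives are hardened"
    fi
done
```

On a real host, run `audit_sshd_config /etc/ssh/sshd_config` after editing and again after `sshd -t`; a non-zero return means at least one directive is still at an unsafe or default value.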
Firewall Configuration
iptables Rules
Basic firewall setup:
# Flush existing rules (the default policy is still ACCEPT here, so a remote
# session is not cut off; if INPUT was already DROP, set it to ACCEPT first)
iptables -F
# Allow loopback
iptables -A INPUT -i lo -j ACCEPT
# Allow established connections (this rule keeps the current SSH session alive)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Allow SSH (custom port; must match Port in sshd_config)
iptables -A INPUT -p tcp --dport 2222 -j ACCEPT
# Allow HTTP/HTTPS
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
# Default policies: set DROP last, once the allow rules are in place
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Save rules so they survive a reboot (needs the iptables-persistent package).
# Repeat the ruleset with ip6tables for IPv6, which this does not cover.
iptables-save > /etc/iptables/rules.v4
UFW (Alternative)
Simpler firewall management:
ufw default deny incoming
ufw default allow outgoing
ufw allow 2222/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw enable
SSL/TLS Configuration
Certificate Management
Use Let's Encrypt for free SSL:
# Install Certbot with the nginx plugin
apt install certbot python3-certbot-nginx
# Obtain a certificate and let the plugin configure the nginx server block
certbot --nginx -d yourdomain.com
# Auto-renewal, appended to the existing crontab ("crontab -" on its own would
# replace it). Distribution packages usually ship a certbot systemd timer or
# cron job already; check "systemctl list-timers" before adding a second one.
(crontab -l 2>/dev/null; echo "0 12 * * * /usr/bin/certbot renew --quiet") | crontab -
SSL Best Practices
Configure strong SSL settings:
- Use TLS 1.2 and 1.3 only
- Implement HSTS headers
- Use strong cipher suites
- Enable OCSP stapling
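The four points above map onto a handful of nginx directives. The script below is an added example, not part of the original guide: it writes a weak server block beside a hardened one (constructed samples; example.com, the certificate paths and the resolver address are placeholders, the cipher list is the widely used "intermediate" profile) and then checks a config for each of the four practices, so the same checker can be pointed at a real site file.

```shell
#!/bin/bash
# Added example (not from the original guide): a weak nginx TLS server block
# beside one that applies the four practices above, and a checker that reports
# which of them a given config misses. Directive names are nginx's own; the
# cipher list is the widely used "intermediate" profile; example.com, the
# certificate paths and the resolver address are placeholders.

WEAK_TLS="$(mktemp)" HARDENED_TLS="$(mktemp)"
trap 'rm -f "$WEAK_TLS" "$HARDENED_TLS"' EXIT
# Constructed sample: legacy protocols and ciphers, no HSTS, no stapling
cat > "$WEAK_TLS" <<'EOF'
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'RC4-SHA:DES-CBC3-SHA:AES128-SHA:AES256-SHA';
}
EOF
# Constructed sample: the hardened counterpart
cat > "$HARDENED_TLS" <<'EOF'
server {
    listen 443 ssl http2;
    server_name example.com;
    ssl_certificate         /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/example.com/chain.pem;  # for stapling
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers off;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 127.0.0.53 valid=300s;   # stub resolver; adjust for the host
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
}
EOF

# directive FILE NAME -> arguments of the first NAME directive, ';' and comment stripped
directive() {
    awk -v name="$2" '$1 == name {
        sub(/;[[:space:]]*(#.*)?$/, ""); $1 = ""; sub(/^[[:space:]]+/, ""); print; exit
    }' "$1"
}

# weak_ciphers CIPHER_STRING -> the suites in it that use broken or
# unauthenticated primitives (tokens negated with '!' are exclusions, skipped)
weak_ciphers() {
    printf '%s\n' "$1" | tr -d "'\"" | tr ':' '\n' | grep -Ev '^!' |
        grep -E 'RC4|DES|MD5|NULL|EXPORT|^ADH|^AECDH|PSK' || true
}

# audit_tls_config FILE -> one FAIL line per missed practice; returns the count
audit_tls_config() {
    local file="$1" findings=0 protos ciphers weak
    protos=" $(directive "$file" ssl_protocols) "
    case "$protos" in
        "  ") echo "FAIL ssl_protocols not set (server default applies)"
              findings=$((findings + 1)) ;;
        *" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*)
              echo "FAIL ssl_protocols allows legacy versions:$protos"
              findings=$((findings + 1)) ;;
    esac
    ciphers="$(directive "$file" ssl_ciphers)"
    weak="$(weak_ciphers "$ciphers" | tr '\n' ' ')"
    if [ -z "$ciphers" ] || [ -n "$weak" ]; then
        echo "FAIL ssl_ciphers unset or weak: ${weak:-<unset>}"
        findings=$((findings + 1))
    fi
    if ! grep -Eqi 'add_header[[:space:]]+Strict-Transport-Security' "$file"; then
        echo "FAIL no HSTS header (add_header Strict-Transport-Security ... always;)"
        findings=$((findings + 1))
    fi
    if [ "$(directive "$file" ssl_stapling)" != "on" ]; then
        echo "FAIL OCSP stapling off (ssl_stapling on; ssl_stapling_verify on;)"
        findings=$((findings + 1))
    fi
    return "$findings"
}

for cfg in "$WEAK_TLS" "$HARDENED_TLS"; do
    echo "== $cfg"
    if audit_tls_config "$cfg"; then echo "OK: all four practices present"; fi
done
```

Stapling needs the `ssl_trusted_certificate` chain and a working `resolver`, which is why the hardened sample carries both; the checker only looks at `ssl_stapling` itself, so confirm with `openssl s_client -connect host:443 -status` that a stapled response is actually returned.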
Application Security
Web Application Firewall
Implement WAF rules:
- SQL injection protection
- XSS prevention
- Rate limiting
- Geo-blocking
Database Security
Secure your databases:
-- Create a replacement administrative account before removing the default
-- one, so the server is never left without an account that can grant.
CREATE USER 'admin'@'localhost' IDENTIFIED BY 'strong_password';
GRANT ALL PRIVILEGES ON *.* TO 'admin'@'localhost' WITH GRANT OPTION;
-- Remove default accounts (reconnect as 'admin' first)
DROP USER 'root'@'localhost';
-- Application account with minimal privileges on its own schema only
CREATE USER 'appuser'@'localhost' IDENTIFIED BY 'another_strong_password';
GRANT SELECT, INSERT, UPDATE, DELETE ON myapp.* TO 'appuser'@'localhost';
-- Require TLS for the application account (REQUIRE is a clause of
-- CREATE USER / ALTER USER, not a standalone statement)
ALTER USER 'appuser'@'localhost' REQUIRE SSL;
File Permissions
Set proper file permissions:
# Web files: directories traversable, files read-only for the web server
find /var/www -type d -exec chmod 755 {} \;
find /var/www -type f -exec chmod 644 {} \;
# Configuration files. 600 assumes root reads the file; a service that reads
# its config as its own user (mysqld normally runs as "mysql") may need
# chown root:mysql plus chmod 640 instead.
chmod 600 /etc/mysql/my.cnf
chmod 600 /etc/ssh/sshd_config
# Log files: readable by root and the adm group only
chmod 640 /var/log/*.log
chown root:adm /var/log/*.log
Monitoring and Logging
Security Monitoring
Implement comprehensive logging:
- Authentication logs
- Access logs
- Error logs
- System logs
Log Analysis
Use tools like:
- rsyslog for centralized logging
- logwatch for log analysis
- fail2ban for intrusion prevention
- AIDE for file integrity monitoring
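What fail2ban does with authentication logs is easy to state and worth seeing in the open. The script below is an added example, not part of the original guide: it runs the core of fail2ban's sshd jail, counting failed password attempts per source address and flagging the addresses that reach a threshold, over constructed auth.log lines (hostname, PIDs and fingerprint are made up; the addresses come from the TEST-NET documentation ranges). Unlike fail2ban it applies no time window.

```shell
#!/bin/bash
# Added example (not from the original guide): the core of fail2ban's sshd jail
# reduced to two functions and run over constructed auth.log lines, so the
# detection logic can be read and tested offline. It counts "Failed password"
# events per source address and reports the addresses that reach a threshold.
# Hostname, PIDs and the key fingerprint are made up; addresses come from the
# TEST-NET documentation ranges. Unlike fail2ban, no time window is applied.

SAMPLE_AUTH_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_AUTH_LOG"' EXIT
cat > "$SAMPLE_AUTH_LOG" <<'EOF'
Mar  3 04:12:01 web1 sshd[2301]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 04:12:03 web1 sshd[2301]: Failed password for invalid user admin from 203.0.113.45 port 51022 ssh2
Mar  3 04:12:04 web1 sshd[2305]: Failed password for root from 203.0.113.45 port 51030 ssh2
Mar  3 04:12:06 web1 sshd[2309]: Failed password for invalid user oracle from 203.0.113.45 port 51044 ssh2
Mar  3 04:12:09 web1 sshd[2311]: Failed password for invalid user test from 203.0.113.45 port 51051 ssh2
Mar  3 04:15:22 web1 sshd[2402]: Failed password for myuser from 198.51.100.7 port 40110 ssh2
Mar  3 04:15:31 web1 sshd[2402]: Accepted publickey for myuser from 198.51.100.7 port 40110 ssh2: ED25519 SHA256:constructedfingerprint
Mar  3 04:20:00 web1 sshd[2500]: Invalid user git from 192.0.2.88 port 60001
Mar  3 04:20:01 web1 sshd[2500]: Failed password for invalid user git from 192.0.2.88 port 60001 ssh2
Mar  3 04:20:02 web1 sshd[2500]: Connection closed by invalid user git 192.0.2.88 port 60001 [preauth]
EOF

# failed_logins_by_source LOGFILE -> "count address" lines, most frequent first
failed_logins_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i + 1)]++; break }
         }
         END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# sources_over_threshold LOGFILE MAXRETRY -> addresses with MAXRETRY or more
# failures (fail2ban's default maxretry is 5)
sources_over_threshold() {
    failed_logins_by_source "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

echo "Failed SSH logins by source:"
failed_logins_by_source "$SAMPLE_AUTH_LOG"
echo "Sources at or over 5 failures (ban candidates):"
sources_over_threshold "$SAMPLE_AUTH_LOG" 5

# The production equivalent is fail2ban's sshd jail; with the custom port from
# the SSH section, /etc/fail2ban/jail.local would hold:
#   [sshd]
#   enabled  = true
#   port     = 2222
#   maxretry = 5
#   findtime = 600
#   bantime  = 3600
```

Note the single failure from 198.51.100.7 followed by an accepted public key: a legitimate user's typo, which is exactly why the threshold exists and why fail2ban additionally bounds the count to a `findtime` window.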
Intrusion Detection
Set up IDS/IPS systems:
# Install AIDE and build the baseline database (on Debian/Ubuntu the
# "aideinit" helper wraps these steps)
apt install aide
aide --init
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# Daily integrity check, appended to the existing crontab. After legitimate
# changes such as package upgrades, refresh the baseline with "aide --update"
# and move the new database into place again, or every later run reports them.
(crontab -l 2>/dev/null; echo "0 4 * * * /usr/bin/aide --check") | crontab -
Backup Security
Encrypted Backups
Secure your backup data:
# Encrypt backups with GPG (tar already gzips the stream, so GPG's own
# compression is skipped). --symmetric prompts for a passphrase; for unattended
# jobs use public-key encryption (--encrypt --recipient <backup key>) so that
# no decryption secret has to live on the server being backed up.
tar -czf - /var/www | gpg --cipher-algo AES256 --compress-algo none \
    --symmetric --output backup-$(date +%Y%m%d).tar.gz.gpg
Backup Verification
Regularly test backup integrity:
- Verify file checksums
- Test restoration procedures
- Validate encrypted backups
- Monitor backup completion
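The first and third items above can be scripted. The following is an added example, not part of the original guide: it writes a SHA-256 manifest beside each archive and later checks both that the manifest still matches the file and that the archive still unpacks. The integrity check works for the encrypted .tar.gz.gpg from the previous section as well, since it needs no passphrase; only the restore test does, so for .gpg files that step is left to the restore drill. The source tree is constructed.

```shell
#!/bin/bash
# Added example (not from the original guide): checksum-based backup
# verification for the "verify file checksums" and "validate encrypted backups"
# items. A SHA-256 manifest is written next to each archive; verification checks
# that the manifest still matches (tampering, bit rot, truncated upload) and
# that an unencrypted archive still lists cleanly. The sample tree is constructed.

# make_backup SRCDIR DESTDIR -> prints the archive path; writes ARCHIVE.sha256
make_backup() {
    local archive="$2/backup-$(date +%Y%m%d).tar.gz"
    tar -czf "$archive" -C "$1" .
    ( cd "$2" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256" )
    printf '%s\n' "$archive"
}

# verify_backup ARCHIVE -> 0 if intact, 1 if the checksum differs from the
# manifest, 2 if the checksum matches but the archive cannot be listed
verify_backup() {
    local archive="$1" dir name
    dir="$(dirname "$archive")" name="$(basename "$archive")"
    # 1. Manifest check: catches silent corruption and tampering with the file
    ( cd "$dir" && sha256sum --check --status "$name.sha256" ) || return 1
    # 2. Readability check: an encrypted archive can only be listed after
    #    decryption, so for .gpg files the restore test happens elsewhere
    case "$name" in
        *.gpg) return 0 ;;
        *)     tar -tzf "$archive" > /dev/null 2>&1 || return 2 ;;
    esac
    return 0
}

# verify_status ARCHIVE -> prints the verify_backup result code
verify_status() { verify_backup "$1" && echo 0 || echo "$?"; }

# Constructed sample tree standing in for /var/www, backed up twice
SRC="$(mktemp -d)" GOOD_DIR="$(mktemp -d)" TAMPERED_DIR="$(mktemp -d)"
trap 'rm -rf "$SRC" "$GOOD_DIR" "$TAMPERED_DIR"' EXIT
mkdir -p "$SRC/html"
printf '<h1>constructed sample site</h1>\n' > "$SRC/html/index.html"
printf 'DB_HOST=localhost\n' > "$SRC/.env"

GOOD_ARCHIVE="$(make_backup "$SRC" "$GOOD_DIR")"
TAMPERED_ARCHIVE="$(make_backup "$SRC" "$TAMPERED_DIR")"
# Simulate corruption that happened after the manifest was written
printf 'x' >> "$TAMPERED_ARCHIVE"

echo "good archive:     status $(verify_status "$GOOD_ARCHIVE")"      # 0
echo "tampered archive: status $(verify_status "$TAMPERED_ARCHIVE")"  # 1
```

Store the manifest on a different medium than the archive (or sign it), otherwise whoever can alter the backup can regenerate the manifest too; and run the restore test on a separate machine so that the archive is exercised the way it will be needed.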
Incident Response
Preparation
Develop an incident response plan:
- Identify critical systems
- Define response procedures
- Create communication plans
- Maintain emergency contacts
Detection and Analysis
When security incidents occur:
- Isolate affected systems
- Preserve evidence
- Analyze attack vectors
- Document findings
Recovery
Post-incident recovery steps:
- Patch vulnerabilities
- Update security measures
- Monitor for recurring issues
- Update incident response procedures
Security Auditing
Regular Assessments
Conduct periodic security audits:
- Vulnerability scans
- Penetration testing
- Configuration reviews
- Compliance checks
Tools and Testing
Use security testing tools:
# Nmap for network scanning (SYN scan and OS detection require root; scan only
# hosts you are responsible for)
nmap -sS -O target_host
# Lynis for system auditing
lynis audit system
# OpenVAS / Greenbone for vulnerability scanning (the launcher script's name
# depends on the packaged version)
openvas-start
Compliance and Standards
Industry Standards
Follow recognized security standards:
- ISO 27001 - Information security management
- NIST Cybersecurity Framework
- CIS Controls - Critical security controls
- GDPR - Data protection regulations
Documentation
Maintain security documentation:
- Security policies
- Procedures and guidelines
- Audit logs and reports
- Training materials
Automation and Orchestration
Security Automation
Automate security tasks:
#!/bin/bash
# Daily security check script: run each scanner, keep its output in a dated
# log and record which checks reported findings (non-zero exit status).
LOG="/var/log/security-check-$(date +%F).log"
for check in "/usr/bin/aide --check" \
             "/usr/bin/rkhunter --check --skip-keypress --report-warnings-only" \
             "/usr/bin/chkrootkit" \
             "/usr/bin/lynis audit system --quick"; do
    echo "== $check" >> "$LOG"
    $check >> "$LOG" 2>&1 || echo "WARNING: '$check' exited $?" >> "$LOG"
done
Configuration Management
Use tools like Ansible for consistent security configurations across multiple servers.
Remember: Security is an ongoing process, not a one-time setup. Regularly review and update your security measures to protect against evolving threats.