Web Server Hardening: Best Practices for Securing Your Backend Infrastructure

Web servers underpin critical business infrastructure and face constant attacks. Proactively hardening your backend systems is essential to avoid devastating breaches. Let’s review techniques and technologies for creating an ironclad security foundation across common web server platforms.

General Hardening Fundamentals

Minimizing Software and Dependencies

Reduce potential vulnerabilities by removing all unnecessary programs, libraries, addons and components on servers to make web server hardening best practices. Unneeded software represents excessive risk exposure. Only retain essentials required for hosting duties.

Staying Up-to-Date on Patching

Consistently apply the latest security patches and updates for operating systems, software and databases supporting web servers. Patching resolves known bugs that attackers exploit. Automate patching for faster protection against emerging threats.

Enforcing the Principle of Least Privilege

Restrict user and program permissions to only those absolutely required for core functionality. Overly permissive defaults allow lateral movement if a server gets breached. Mandatory access controls limit potential damage from compromises.

Monitoring Authorization Attempts

Audit logs tracking all user and system authorization requests detect suspicious anomaly patterns indicating brute force attacks or insider threats. Promptly flag unusual volume, origin, or invalid input for security review.

Securing Administrative Access

Require strong passwords, multifactor authentication and IP allowlisting to secure admin panel access. Restrict direct root logins. Create dedicated limited admin accounts for specialized duties like database admins. Counter admin account compromise.

Employing Security Layers

Install network-based filtering like firewalls and proxy filters to provide a first line of server protection. They shield public-facing systems, conceal topology and thwart simple automated attacks. Defense in depth is key.

Hardening Apache Servers

Disabling Unnecessary Modules

Review loaded Apache modules and remove any not serving an active website purpose to limit the codebase exposed. Exploits often target specific modules. You can’t exploit what’s not there.

Securing Sensitive Document Directories

Block external access to directories like /scripts containing server-side code files. Attackers download files seeking vulnerabilities. Permitting directory listing enables easy reconnaissance too.

Encrypting Communications

Require HTTPS sitewide using SSL/TLS certificates to encrypt all client-server communications and prevent man-in-the-middle attacks intercepting unencrypted traffic. Redirect HTTP to HTTPS.

Strengthening Authentication Settings

Enforce strong password policies and multifactor or certificate-based client authentication to keep unauthorized users out. ModSecurity plugs into Apache for advanced traffic monitoring/access controls.

Using Secure Apache Configurations

SANS, CIS and NIST provide Apache hardening benchmarks prescribing configurations aligned to security best practices – disabling unused modules, protocols and example content, requiring encryption, IP allowlisting etc.

Hardening Nginx Servers

Limiting User Access

Create users with the bare minimum file and directory permissions needed to improve backend infrastructure security. Remove default admin accounts, anonymously writable directories and scripts starting with “cgi”. Minimize attack surfaces and consequences.

Securing the Configuration File

Restrict nginx.conf file read permissions to root only. Its contents reveal topology and vulnerabilities. Make config changes in chroot jails as best practice. Back it up securely offline.

Enabling HTTP Strict Transport Security

Add the HSTS header via sites-enabled configs. This forces browsers to only connect via HTTPS not HTTP, foiling man-in-the-middle attacks attempting HTTP downgrades on sites expecting encryption.

Setting Server Limit Directives

Rate limiting directives like limit_req_zone in Nginx help prevent brute force login attacks by restricting zones to a fixed number of requests per minute. This protects against password spraying attempts.

Removing Identifying Server Headers

Delete or randomize “Server” HTTP headers disclosing the Nginx version being used. This avoids exposing specific product information helping attackers research exploits. Unique server IDs can also reveal infrastructure relationships.

Hardening Microsoft IIS Server

Patching and Hardening with Microsoft Security Compliance Toolkit

Run Microsoft’s security scanning tool regularly to identify and resolve configuration issues on IIS servers violating recommended system hardening benchmarks from CIS, NIST and SANS.

Configuring Password Policies

Enforce account lockouts after X invalid login attempts to deter brute forcing. Set strong password complexity rules. Require frequent rotation and prevent password reuse with customization options via Password Filter DLLs.

Securing Remote Administration

How to apply web server protection techniques? Restrict remote admin ports like RCP or FTP to authorized management machines only. Disable unused remote services entirely. Require multi-factor authentication for any external management access.

Removing Unnecessary Modules and Script Mappings

Default installations may contain unneeded legacy modules and unused script mappings vulnerable to exploits. Remove them via Properties – Home Directory – Configuration – Mappings for security. Review the Request Filtering module too.

Enabling Failed Request Tracing

Use Failed Request Tracing logs to detect exploit attempts by recording detailed forensic data on malicious requests triggering application crashes or performance problems. This reveals vectors requiring hardening.

Securing Master/Slave Database Servers

Encrypting Database Connections

Encrypt all traffic between web servers and backend databases using SSL/TLS or SSH connections. Encrypted tunnels prevent data sniffing or injection on the traffic flows between the decoupled systems.

Masking Database Errors

Error messaging reveals back end database vendor, structure and row names. Mask errors or create custom pages avoiding exposing this sensitive fingerprinting information during failure conditions.

Securing Replication

Encrypt database replication flows via SSL/TLS. Enforce mutual authentication so only approved master and slave servers are permitted to communicate. Require ACLs and allowlists to limit visibility

Hardening Data-in-Transit

In addition to TLS traffic encryption, consider adding IPSec VPN tunnels or enabling HTTPS reverse proxy modes to further protect data moving between web and database tiers from tampering or interception. Defense in depth.

Preventing SQL Injection

Scrub inputs on web apps to counter SQL injection attempts that compromise database integrity or trick queries into exposing info. Avoid directly injecting inputs into dynamic SQL. Favor parameterized queries or stored procedures.

By proactively hardening your web and database server layers via actions like network segmentation, patching, input sanitization, encryption enforcement, protective monitoring and limiting unnecessary exposures, you construct a robust security barrier standing guard over backend systems and data. Defense drives doubt into the minds of attackers, sending them elsewhere.

Secure Web Development Practices

Practicing Principle of Least Privilege 

Restrict accounts and roles to only essential permissions needed for development duties. Be especially stringent regarding production credentials. Excessive privileges expand attack surfaces. Manage access with identity management systems.

Securing Code Repositories

Repository platforms like GitHub provide source code access controls to shield projects. Enable 2FA, whitelist contributors, create read-only guests and control permissions granularly. Make repositories private by default.

Establishing Code Review Processes 

Require vetted peer review of code changes checking for errors or vulnerabilities before approval, especially changes touching credentials or sensitive functions. This distributes accountability.

Scanning Dependencies for Vulnerabilities

Scan libraries and dependencies used in projects for outdated versions with published CVEs. This identifies packages requiring patching or upgrading. Avoid commonly attacked libraries with safer alternatives.

Embedding Security in CI/CD Pipelines

Integrate security analysis tools into automation workflows triggering scans during code commits or builds. Stop deployments if tests reveal critical vulnerabilities. Fixing threats should be mandated, not optional.

Fostering a Culture of Security

Promote organizational data safety, privacy and ethics through policies, training, awareness campaigns and incentives rewarding secure development. Make AppSec experts accessible as resources for teams.

Common Web App Vulnerabilities to Address

Input Validation and Sanitization

Scrub all inputs on public web forms to counter XSS injection attacks before processing or storing data. Validate expected formats. Encode or sanitize output. Many successful attacks start with insufficient input security.

Preventing IDOR Flaws

Stop IDOR flaws allowing users to access unauthorized records by verifying users are only interacting with their own data record IDs on actions like account updates or record deletion. Cross reference session user IDs against requested data record IDs.

Implementing CSRF Defenses

Require security tokens on forms to confirm valid originating users, not fooled cross-site requests. Double submit cookie patterns also defeat cross-site forgery attempts. Origin referrer headers provide added verification.

Secure Data Parsing

When parsing data like CSV uploads, strengthen code to handle edge cases and malformed input attempting buffer overflows or injection versus assuming well-formedness. Defensively parse to prevent disaster.

Encrypting Sensitive Data

Any sensitive data like passwords must be stored encrypted rather than plaintext. Use approved cryptography like Bcrypt and protect keys. Transmit data over encrypted channels only. Follow encryption best practices universally.

Capping Brute Force Attempts

Lock out accounts after limited invalid login attempts to deter credential stuffing. But avoid account lockout abuse by allowing renewal via email token or after an expanding time interval. Balance security with availability.

Security excellence starts with development teams writing defensively secure code, not just performing swift deploys. Make AppSec central to all programming from start to finish. The most devastating data breaches begin with simple coding oversights.

Securing Public Cloud Environments

Major platforms like AWS, Azure and Google Cloud offer built-in tools and settings for hardening cloud servers hosting web apps and infrastructure. But misconfigurations cause frequent cloud security incidents.

Avoiding Misconfigured Privileges

Audit that IAM policies, roles and permissions are not granting overbroad access to cloud servers and storage accidentally. Catch issues like public S3 buckets early. Reassess regularly.

Enabling Traffic Encryption

Require SSL/TLS for all cloud-hosted websites and backend communications between cloud servers like app and database tiers. Encrypted traffic foils common mitm and snooping threats.

Securing Access and Data Flows

Leverage cloud firewalls, access control lists and managed identity providers to limit connectivity to approved sources and wipe credentials from memory after use. Control data flows tightly via encryption and tokenization.

Configuring Alerting for Anomalies 

Cloud services generate rich logs and metrics. Set alerting rules to detect anomalies pointing to brute force attacks, data exfiltration attempts and other feint fingerprints indicating threats for rapid incident response.

Separating Production and Non-Production

Segregate cloud accounts, permissions and networks isolating production to limit lateral movement in the event of a breach. Confine risks to non-production areas through thoughtful environment segmentation.

Enabling Event Logging

Institute centralized logging with SIEM integration to retain, analyze and correlate security events across cloud servers. Review regularly for risks like escalating authorization attempts signaling credential stuffing attacks.

Threats evolve rapidly in cloud environments. But leveraging robust platform security controls and proactive hardening makes exploiting misconfigurations orders of magnitude more difficult. Reduce your cloud attack surface and trust no one.

Securing DNS Infrastructure

As a vital navigation system, DNS represents a major vector for attacks – often the first breach point in the chain. Minimize threats across authoritative and recursive DNS layers.

Recursive DNS Protections

Harden recursive resolvers by disabling open query recursion, enacting rate limiting, and mandating source port randomization. Recursive servers should only process requests from approved clients.

Authoritative DNS Hardening

Restrict ZONE transfers only to slave DNS servers needing them. Enforce TSIG authentication for updates and connections from secondary servers or clients. Log all requests.

Enabling DNSSEC

Enable DNSSEC across all domains for authenticated denial of existence and data integrity checks. Prevent cache poisoning and MitM attacks. Use NSEC3 hashed authenticated denial of existence.

Filtering Outbound Queries

Reduce data leakage by filtering outbound DNS queries to suppress information like OS details, server names and topology. Permit only essential query types like Address, MX, NS and SOA records.

Controlling Dynamic DNS

Scrutinize any use of dynamic DNS updates which allow real-time address changes. Weigh the convenience against security risks or disable entirely in favor of manual updates after change control reviews.

DDoS Mitigation for DNS Infrastructure

Enact blacklist-based filtering of DDoS traffic targeting DNS servers by redirecting or dropping traffic from nefarious IP ranges. Maintain relationships with DDoS mitigation service providers for added protection.

Securing Serverless Functions

Serverless architectures have unique security demands. Stateless functions executing ephemerally require robust identity and permissions controls.

Applying Least Privilege

Allocate minimal function permissions following security best practices. Give functions only necessary database, storage and service access. Revoke all unused privileges.

Encrypting Secrets and Data

Developers must securely encrypt secrets like database credentials and data in transit/at rest without baking them into function code. Secret management services facilitate encryption best practices.

Enforcing Authentication and Authorization

Establish secure identities and access controls for functions. Connect them to user pools with MFA login for identity verification tying traffic to authorized entities. Require function-level permissions.

Configuring Function Monitoring

Gain visibility by aggregating ephemeral serverless traces into monitoring tools assessing performance anomalies indicative of security events. Rapidly address unusual traffic spikes.

Preventing Injection Attacks

Scrutinize inputs to guard serverless apps against code injection attempts in headers, payloads and binding event data. Follow coding best practices and sanitize inputs.

Securing Dependencies

Scan libraries that functions rely on to catch vulnerable dependencies early. Keep all components like compilers, runtimes and packages updated and maintained to avoid potential exploits.

Serverless brings simplicity but also new concerns like granular identity and secrets management. Adopt leading practices to avoid missteps made by early adopters. Functions executing outside your control magnify risks.

Offensive Security: Staying A Step Ahead

Adopting a penetration tester mindset highlights weaknesses before attackers by mimicking their technical and social engineering tactics. Think offensively to patch gaps.

Performing Red Team Exercises

Pay external offensive security specialists to safely attack infrastructure mimicking live hackers in controlled red team tests. Hand them insider knowledge to launch realistic attacks, creating teachable moments.

Vulnerability Scanning and Pen Testing

Run scans with automated tools followed by manual verification by penetration testers identifying and proving flaws missed by bots like business logic issues or privilege escalation routes.

Assessing Social Engineering Vulnerabilities 

Attempt to phish or bait employees into disclosing passwords, granting harmful access or enabling malicious payloads. Failures spotlight awareness gaps and technical controls requiring hardening.

Exploring Third-Party Risks

Pressure test external dependencies like vendor APIs and partner integrations which broaden attack surfaces. Compromise of third parties often enables breach of primary targets.

Inventorying Public Attack Data

Search breach data aggregators and exploit databases for exposed credentials or technical intel like configuration files pertaining to your infrastructure. Attacks exploit the low hanging fruit.

Assuming Compromise Inevitable

Reframe thinking to assume breach is inevitable by advanced threats despite best efforts. This mindset prioritizes rapid attack detection and containment capabilities as crucial final layers. Prepare to respond.

Offensive knowledge secures systems against the most cutting-edge assault techniques. Pair red team pen testing with purple team threat modeling to stay ahead of real-world attacks seeking weaknesses. Think like an adversary.

Securing Infrastructure via Hardenered Coding

Beyond infrastructure security controls, programmers have immense power to nip bugs and architectural flaws in the bud by adhering to secure development best practices.

Practicing Principle of Least Privilege

Code restricts component access permissions to only resources required for legitimate functioning. Limit privileges and sensitive data access through authorization controls, sandboxing and isolation.

Sanitizing All Inputs 

Never trust any parameter or input as valid. Validate and sanitize all external inputs and data to counter injection attacks and protect backend processes before they reach databases and OS commands.

Handling Errors Responsibly

Catch all errors and handle them gracefully to avoid bleed of damaging technical details. Log errors safely and present generic error messaging hiding system specifics from clients.

Securing Application Secrets

Encrypt and tightly manage all credentials, keys and sensitive strings in code. Never hardcode secrets or check them into repositories. Securely populate them at runtime only.

Using Code Signing and Verification

Require valid cryptographic signatures proving code authenticity across all executables, third-party libraries and dependencies. This prevents deployment of modified code or forgeries.

Implementing Identity and Access Controls

Build authorization checks implementing access rules for every user action and resource request. Session managements also sets appropriate data visibility perspectives.

Protecting Back end Connections

Authenticate and encrypt all traffic between decoupled app tiers like APIs or databases. Limit direct connectivity to them through firewall rules for defense in depth.

Enforcing Account Security Policies

Require strong passwords, institute lockouts after failed attempts, flag suspicious IP locations, set non-default username conventions, invalidate stale logins and mandate MFA to thwart account takeovers.

Implementing hardened coding practices nullifies a massive number of preventable software vulnerabilities exploited daily. Secure foundations prevent disastrous architectural concessions down the line.

Kendrick Jamison

I’m a web developer at WebSumo, where I get hands-on with site audits and tweaking websites for peak performance. I enjoy diving into the nuts and bolts of web development, solving puzzles along the way. In my articles, I share tips and tricks from the field to help you navigate the digital world with ease.

0 0 votes

Article Rating

Subscribe

Login

Notify of

new follow-up comments new replies to my comments

Label

{} [+]

Name*

Email*

Website

Label

{} [+]

Name*

Email*

Website

1 Comment

Oldest

Newest Most Voted

Inline Feedbacks

View all comments

Alexander Mitchell

1 year ago

Web server security is improved by implementing strong authentication, encryption, and updates. Ongoing protection is ensured by routine audits and supervision.

0

Reply