After sharing some tips to make your website faster, I am going to share some of what I know about securing your VPS or dedicated server, the things that matter when you manage your own private server. The topics I am going to cover are:
- Securing your server against DDoS
- Backups 101
- Isolating applications
- Hacked, now what?
How to secure your server against DDoS attacks?
A big part of your protection against DDoS attacks comes from your hosting provider and ISP. If you host at home, things are harder to manage, but if you rent a VPS or dedicated server, most providers already offer some form of DDoS mitigation at their network edge. On its own that is not enough. There are several things you can do on the server itself, and one of them is configuring iptables properly.
Two basic things you need to know are how to block a single IP from your server and how to limit the number of new connections to a single port within a given time window. That gives you basic protection against a DoS from one or a handful of sources. The distributed case is different: 5 requests per second from one IP is nothing at all, but the same rate from 10,000 different IPs is 50,000 requests per second, and per-IP rules never trigger because every source stays under the limit. At that point you are in trouble, real trouble.
The next important thing is to configure your application so that it can handle those 10,000 IPs and eventually block them. Both nginx and Apache have modules for this: nginx ships with limit_req and limit_conn for per-client rate and connection limits, and Apache users should look at mod_evasive.
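The two iptables controls described above (block one address, cap new connections to a port inside a time window), plus an nginx limit_req/limit_conn fragment, as an added example that is not from the original article. It assumes a Linux box with iptables and the xt_recent and xt_connlimit modules and must run as root to apply anything; setting IPT=echo prints the rules instead. The thresholds (50 new connections in 10 seconds, 10 requests per second) are assumptions to tune, not recommendations from the article.

```shell
#!/bin/sh
# Added example: basic iptables DoS hygiene. Not code from the original article.
# Assumes Linux, iptables with the "recent" and "connlimit" matches, run as root.
# IPT=echo previews the rules without touching the firewall.
IPT="${IPT:-iptables}"

# Drop everything from one source address. Inserting at the top of INPUT (-I)
# makes the rule win over any ACCEPT that comes later in the chain.
block_ip() {    # $1 = address or CIDR
    $IPT -I INPUT -s "$1" -j DROP
}

# Drop a source that opens more than $2 new TCP connections to port $1 within
# $3 seconds. Two rules: the first records every new connection from the source
# in a "recent" list named after the port, the second drops the source once its
# hit count inside the window reaches the limit.
limit_port_rate() {    # $1 = port, $2 = hits, $3 = seconds
    port="$1"; hits="$2"; seconds="$3"
    $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --name "port$port" --set
    $IPT -A INPUT -p tcp --dport "$port" -m conntrack --ctstate NEW \
        -m recent --name "port$port" --update --seconds "$seconds" --hitcount "$hits" -j DROP
}

# Cap the number of simultaneously open connections per source address
# (--connlimit-mask 32 means "per single IPv4 address").
limit_concurrent() {   # $1 = port, $2 = max open connections
    port="$1"; max="$2"
    $IPT -A INPUT -p tcp --dport "$port" -m connlimit --connlimit-above "$max" \
        --connlimit-mask 32 -j REJECT --reject-with tcp-reset
}

# Application-level limit for nginx, written to $1/ratelimit.conf. The zone
# definitions belong in the http {} context; the limit_req / limit_conn lines
# (left as a comment in the file) go into each server {} or location {}.
write_nginx_ratelimit() {   # $1 = directory included from the http {} context
    cat > "$1/ratelimit.conf" <<'EOF'
# 10 requests/second per client address (assumed value, tune for your site)
limit_req_zone $binary_remote_addr zone=per_ip:10m rate=10r/s;
limit_conn_zone $binary_remote_addr zone=conn_per_ip:10m;
# inside each server {} or location {}:
#   limit_req zone=per_ip burst=20 nodelay;
#   limit_conn conn_per_ip 20;
EOF
}

# Usage: sh dos-rules.sh apply      (IPT=echo sh dos-rules.sh apply to preview)
if [ "${1:-}" = "apply" ]; then
    limit_port_rate 80 50 10      # more than 50 new connections in 10 s from one IP
    limit_port_rate 443 50 10
    limit_concurrent 80 50
    limit_concurrent 443 50
    write_nginx_ratelimit /etc/nginx/conf.d
fi
```

The per-IP rules above are exactly the ones that do nothing against a distributed flood where each source stays under the threshold; they buy you protection from a single noisy client, and the nginx limits give the application a way to shed load while the provider's mitigation deals with the volume.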
Backups 101
Backups are important, so be careful about how you do them. Of the basic backup strategies, I want to look at the 3-2-1 strategy, which is the most appropriate one in most cases. The 3-2-1 rule says:
- Keep at least 3 copies of your data, meaning your original files plus two backups
- Keep the copies on 2 different kinds of storage, for example local disk plus an NFS mount
- Keep at least 1 copy offsite: if your server dies, where is the data?
It is simple: keep at least 3 copies of the data that matters, such as application files, the database and anything else you cannot recreate. Use two kinds of storage, for example a local backup folder that you mirror somewhere external such as Dropbox or any other storage. Having at least one offsite copy is what lets you recover when the server dies completely and you need to deploy a new one. Two things the rule does not say but that you will regret skipping: actually restore from a backup now and then to prove it works, and do not let the credentials that push backups offsite also be able to delete them, otherwise whoever takes over the server takes the backups with it.
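A minimal 3-2-1 routine for the setup described above, as an added example that is not from the original article: the tarball on local disk is copy 1, an NFS mount is copy 2, an rsync target on another host is copy 3. The paths, the database name, the offsite host and the site directory /var/www/website_one are placeholders (assumptions), overridable through environment variables; the tar, checksum, verify and prune steps run anywhere, the database dump and the rsync steps need mysqldump and rsync on the real server.

```shell
#!/bin/sh
# Added example: 3-2-1 backup routine. Not code from the original article.
# All paths and hosts below are placeholder assumptions.
set -u
BACKUP_ROOT="${BACKUP_ROOT:-/var/backups/app}"                # copy 1: local disk
SECOND_COPY="${SECOND_COPY:-/mnt/nfs/backups}"                 # copy 2: different medium
OFFSITE="${OFFSITE:-backup@offsite.example.com:/srv/backups}"  # copy 3: offsite host
RSYNC="${RSYNC:-rsync}"   # RSYNC=echo previews the copy commands

# Tar one directory into $2 with a UTC timestamp and write a checksum next to it.
# Prints the archive path. $2 must not live inside $1 or tar would archive itself.
make_backup() {    # $1 = source dir, $2 = destination dir
    src="$1"; dest="$2"
    name="$(basename "$src")-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
    mkdir -p "$dest"
    tar -C "$(dirname "$src")" -czf "$dest/$name" "$(basename "$src")" || return 1
    ( cd "$dest" && sha256sum "$name" > "$name.sha256" ) || return 1
    printf '%s\n' "$dest/$name"
}

# Application files alone are not a backup: dump the database too. Credentials come
# from ~/.my.cnf, never from the command line (it would show up in ps).
dump_database() {  # $1 = database name, $2 = destination dir
    mkdir -p "$2"
    mysqldump --single-transaction "$1" | gzip > "$2/$1-$(date -u +%Y%m%dT%H%M%SZ).sql.gz"
}

# A backup you have never restored is a hope, not a backup: check the checksum
# and do a trial extraction into a scratch directory.
verify_backup() {  # $1 = archive path
    archive="$1"; dir="$(dirname "$archive")"; name="$(basename "$archive")"
    ( cd "$dir" && sha256sum -c "$name.sha256" >/dev/null ) || return 1
    scratch=$(mktemp -d) || return 1
    tar -xzf "$archive" -C "$scratch" || { rm -rf "$scratch"; return 1; }
    rm -rf "$scratch"
}

# Keep only the newest $2 archives in $1 (plus their checksum files). The archive
# names built above contain no spaces, so parsing ls -t is safe here.
prune_old() {      # $1 = backup dir, $2 = how many to keep
    ls -1t "$1"/*.tar.gz 2>/dev/null | tail -n +"$(($2 + 1))" | while read -r old; do
        rm -f "$old" "$old.sha256"
    done
}

# Push copy 1 to the second medium and offsite. Deliberately no --delete: an
# attacker who gets root on this server must not be able to wipe the other copies.
sync_copies() {
    $RSYNC -a "$BACKUP_ROOT"/ "$SECOND_COPY"/ || return 1
    $RSYNC -a "$BACKUP_ROOT"/ "$OFFSITE"/
}

# Usage: sh backup.sh run    (nightly from cron)
if [ "${1:-}" = "run" ]; then
    archive=$(make_backup /var/www/website_one "$BACKUP_ROOT") || exit 1
    verify_backup "$archive" || exit 1
    dump_database website_one "$BACKUP_ROOT" || exit 1
    prune_old "$BACKUP_ROOT" 14
    sync_copies
fi
```

The rsync key that this script uses can reach the offsite host, so it should be restricted there (a dedicated account, a forced command, or an append-only target) to keep a compromised server from reaching back and deleting the offsite copy.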
Isolating applications
Almost every server runs several applications; not everyone has a separate server for website #1 and website #2. The idea is to isolate the applications from each other so that if application #1 gets hacked, application #2 is not affected at all. How do you achieve this? With users, groups and plain chmod rules. Deploying with Docker would make it easier still, but let's not complicate things. Imagine two sites on the same server, website_one and website_two, each living in its own directory.
The point is that if website_two gets hacked, website_one should not care at all. Give every website its own owner, and let only that owner (and the group the web server belongs to) read and execute its files.
If website_one is owned by user_one with group group_one, then website_two must have a different user and group, say user_two and group_two. The mode bits must not grant "other" anything (for example 750 on directories and 640 on files); otherwise user_two can still read website_one's configuration and database credentials, which is exactly what an attacker who lands in website_two goes looking for. The same applies to processes: if both sites run their PHP under one shared worker user, the separation is gone, so each site needs its own PHP-FPM pool (or the equivalent for your stack) running as its own user.
A really useful walkthrough of this concept is the DigitalOcean guide on hosting multiple applications with nginx and a FastCGI server.
Hacked, now what?
If you have read and implemented the tips above, the most likely reasons you still get hacked are a mistake in your application's code or a leaked password. The first and most important thing to do when you get hacked is to find out how. If you are under a DDoS attack, find out where the traffic comes from. If your website was hacked and files were changed, work out how that happened: which files changed, when, and what the web server logs show around that time. Simple file-change monitors, or a security plugin if you run WordPress, will help you track this. Before you rebuild anything, keep a copy of the logs and of the modified files; they are the evidence you need.
If you do not find out how you got hacked and simply restore, you will be hacked again, near enough guaranteed. So remember: first find out how you got hacked, then recover. If downtime is critical for your business, recover first, but keep the compromised copy (logs, files, a disk image if you can) so that you can still find the hole afterwards and patch it!
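Two quick answers to "how did this happen?", as an added example that is not from the original article: for a flood, count which source addresses dominate the access log; for changed files, take a baseline of file hashes while the site is known good and diff it against the current tree, or at least list what changed recently. The log lines and file tree used below are constructed samples, and the combined log format (client address in the first field) is an assumption about your web server configuration.

```shell
#!/bin/sh
# Added example: incident triage helpers. Not code from the original article.
# Assumes nginx/Apache "combined" access logs and paths without spaces.
set -u

# Top $2 source addresses in an access log (first field of the combined format).
# Under a flood, the answer tells you what to feed to the firewall or the provider.
top_sources() {       # $1 = logfile, $2 = how many
    awk '{ hits[$1]++ } END { for (ip in hits) print hits[ip], ip }' "$1" \
        | sort -rn | head -n "$2"
}

# Baseline: sha256 of every regular file under a tree, sorted by path. Take it right
# after a clean deploy and store it OFF the server (an attacker with write access to
# the docroot can edit a baseline kept next to it).
snapshot_hashes() {   # $1 = directory, $2 = output file
    ( cd "$1" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$2"
}

# Compare two snapshots: C = content changed, A = added, D = deleted.
diff_hashes() {       # $1 = old snapshot, $2 = new snapshot
    awk 'NR==FNR { old[$2] = $1; next }
         { if (!($2 in old)) print "A", $2;
           else { if (old[$2] != $1) print "C", $2; delete old[$2] } }
         END { for (p in old) print "D", p }' "$1" "$2" | sort -k2
}

# Without a baseline, files modified in the last $2 days are the first lead; match
# their mtimes against the access log to find the request that wrote them.
recently_modified() { # $1 = directory, $2 = days
    find "$1" -type f -mtime -"$2" -print
}

# Usage: sh triage.sh baseline /var/www/website_one /root/website_one.sha256
#        sh triage.sh compare  /var/www/website_one /root/website_one.sha256
#        sh triage.sh top      /var/log/nginx/access.log
case "${1:-}" in
    baseline) snapshot_hashes "$2" "$3" ;;
    compare)  snapshot_hashes "$2" "$3.now" && diff_hashes "$3" "$3.now" ;;
    top)      top_sources "$2" 10 ;;
esac
```

A changed or added .php file in an uploads directory, combined with the POST request in the access log that arrived just before its mtime, is usually the whole story; that request is what you patch before putting the site back.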