Tutorials

Tutorials about HTML, CSS, PHP, Javascript, and Photoshop

  • Home
    Home This is where you can find all the blog posts throughout the site.
  • Categories
    Categories Displays a list of categories from this blog.
  • Tags
    Tags Displays a list of tags that has been used in the blog.
  • Archives
    Archives Contains a list of blog posts that were created previously.
  • Login

Best Practices When Working With Sensitive Data Securing Your Server

by in Photoshop
  • Font size: Larger Smaller
  • Hits: 5565
  • 0 Comments
  • Subscribe to this entry
  • Print
5565

You can never be too careful, When it comes to sensitive data like credit card numbers, user addresses or social security numbers. You have to ensure to your users that the information they provided to you is safe on your servers. In this article, I will show you how you can make your sensitive data secure. This part will focus on the lower levels of security, like network and the server


Picking the Right Service Provider

The first thing to consider is your service provider. The rules are the same, VPS or even have a dedicated server, It does not matter whether you are only using hosting

Avoid Supercheap or Free Offers

But there are few reasons why you should avoid these kind of offers when choosing your provider, This rule applies to almost every buy that you make. Going too cheap will cost you more in the long run than the more expensive options will, In this business. In terms of hosting, Or, your app could land on an overpopulated server with too much traffic on it

The situation is similar - you will share the machine with too many people, If it's VPS. On the other hand, cheaper dedicated servers will usually have questionable hardware. Not only does this mean that your users will have a bad experience, but that your applications will also be more vulnerable to attacks. When going the cheaper route, it's much easier to DDoS such machines and extract the sensitive data

Check Their Security

Try to contact them directly (calling them is the best option) and ask them, how do they secure your application and data, If the provider's website tells too little about the security. But as you are their potential client, so they will probably not tell you what model of the firewall they use (if they do, they will try to assure you that they do what they can to secure their clients' data, Of course some of the information may be confidential, run away - it means they will also tell that to the potential attacker). Here are a few questions that you should consider asking:

  • How many people besides you, will have access to the server
  • What happens to the disks that are replaced (do they recycle them or sell to someone)
  • Is it possible to request tape backups of your data
  • If so, who will have access to them

In Case of Disk Failure, Request the Broken One

These things just happen from time to time. Request the provider to send it to you, But when one of your hard drives fails and there was some sensitive data on it. As they are happy they don't have to deal with recycling, Some of them will send it for free. Usually much cheaper than the market price since it's broken, Some will sell it to you. It may seem weird to buy a broken hard drive, but when you realise that the informations about your users or clients may leak somewhere because of that drive, you will realize that it's worth the cost


Isolate Your Servers

Disable it), It's a good practice to unplug the Internet connection from servers that don't need them (a golden rule to server security - if you don't need it. Your database server's security will greatly improve if you will only allow access to it over the LAN from your other machine(s), For example. Of course this is an option, only if your servers are in the same hosting center. So it's really easy to switch back to development mode later), Some of the providers will do it for you if you ask them to (I've even seen such options in one or two web-based admin panels. If it's not possible, don't try to disable it yourself by messing up the network interfaces. From my experience, their tools will detect that your machine does not have access to the Internet and they will try to "fix" it for you


Update Your Operating System

As with all software, operating systems are prone to bugs. You should update your operating system when it's possible to avoid attacks that exploit such defects. Also make sure you are running a stable (avoid experimental builds at all costs) long-term support (LTS) version of your favorite operating system. You don't want to wake up some day and see that the version you installed a few months ago, just died and is replaced by something entirely new


Block Ports & Disable Unused Services

Everything that is enabled on your server is a possible security threat. So to minimize the risk of some of the services failing and exposing you to attacks, you should disable everything that you don't need. Depending on your operating system, there are plenty of tools available to accomplish this task. For exampleSysv-rc-confOn Debianmanual stanzaOn Ubuntu (and everything using upstart) andMsconfigIf you have to use Windows

The situation is pretty much the same with the ports. You should deny access on all ports but 80 (for HTTP traffic), In most cases (HTTP(S) server plus SSH access), 443 (for HTTPS) and 22 (or any other port of your choice for SSH). This will make sure that even if you install some faulty software, so make sure you check what you are installing, it will not be exploited by a potential attacker - more likely it will fail by itself and cause a lot of trouble. You really don't want to guess the names of directories after the flawed file manager goes berzerk and renames them to random strings (and that is one of the less painful accidents that may happen), Believe me

If you have multiple HTTP servers running on different ports (for example multiple Node. You should use, js apps)nginxApacheOrVarnishTo proxy the traffic from port 80 to the appropriate ports for all of your servers


Change Passwords Frequently

This may seem obvious, but many people forget to do it. They may hold back from wreaking havoc over your machine and just stay low-profile, The reason for this practice is that after someone successfully hacks into your system, silently downloading all of your data or waiting for the right moment to strike. Changing the passwords frequently makes his work harder. If you have other users connecting to your server, you should force them to change their passwords periodically. On Linux systems, this can be done with thePasswdCommand. Warning them about it seven days before that date:, Use this syntax to make the user's password expire in 14 days

Sudo passwd --maxdays 14 --warndays 7

Where>username<Is the name of the user that will have to change their password in 14 days. There is an article aboutpassword policy in Windows ServerOn Microsoft Technet


Disable Root Access

You should never allow someone to log in as "root" using SSH - this is a major security threat. If someone cracks your password using a bruteforce attack, it'sGame over

Linux

If you don't have any other user yet, create one using theUseraddCommand (if you just type it and hit enter there will be a nice wizard that will help you creating the new user). Now make sure you haveSudoInstalled on your system and type:

Sudo -V

Install it using, If you don't have itApt-get install sudoThen you can enable it for the user you have just created:

Adduser  sudo

Where>username<Is the name of the user you just created. Now edit the/etc/ssh/sshd_configFile. Find this line:

#PermitRootLogin yes

And change it to:

#PermitRootLogin no

Now restart the SSH service and you are good to go:

/etc/init. D/sshd restart

Windows

Disabling the Administrator account on WindowsIs described on Microsoft Technet. Generally it will be disabled by default, but you should check yourself, to be sure that is the case


Use an Antivirus

For some, but there are people who think they don't need an antivirus (AV) software on their server, this is obvious. So many time I've heard, "Hey, I'm running Linux, I don't need any AV - there is no malware for Linux!". Compared to Windows the number of malicious software is a very little number, Sure. But why would you compare. It's a fact, It exists. And it can infect your machine

Of course AV is not always needed and in some cases it may do more damage than it's worth. For example, if you allow your users to upload anything on your server, youMustUse such software. But if you are in progress of developing something and you test it on your server with AV on, it may be reported to be a virus and you may have a hard time figuring out what happened

Exclusions

To make your system perform better with antivirus software, you should exclude some directories from the scan. This is a tradeoff between complete security and maximum performance. There is a great article onwhat you should do with your AVOn Windows Technet. There is also agood one for LinuxOn Symantec Connect Community


Accessing Your Server

The way you access your server is also important. Here are few tips on how to access your server securely:

Never Connect From Public Hotspots

This is a common mistake. Never use a public wi-fi hotspot to access your server. You don't know who is running it - it may be someone who is just spying on everyone who is connected to the access point. Even if the owner of the hotspot is not such a person (for example in a very popular coffee shop), if it's not secured, someone else may be sniffing on everyone using it (man in the middle attack). Be cautious - if you were accessing your server using SSH before and now it has a different fingerprint (your SSH client should notify you about it) abort the connection and try to find another access point, If you really have to use a public hotspot to access your server (for example your ultra-important application went down). Different fingerprint means someone who is connected to your network intercepted your communication and is trying to trick you into sending him your password

Use Secure Connection Channels

Using FTP to upload files to your server is not a good idea. So if someone can intercept your communication, The data is not encrypted, he could change what you are uploading so instead of some patch to your app you will get malicious software on your machine. Always use SSH for shell access and SCP to transfer files (it's based on SSH). These protocols use strong encryption to avoid such incidents

Use Verified Software

Use software from official sources like your operating system's package repository or trusted software provider. Never download any software you use to connect to your server from suspicious websites - it may be infected and communication between you and your server may be sent to the attacker. Don't try to find precompiled packages for your system - it's safer to compile it yourself or look for an alternative, if your favorite software is provided by the author only as source code, For example

In Conclusion

Hopefully this article has helped you in protecting yourServerFrom attacks and malicious software. In the next part of this article, we'll focus completely on the third layer of security - yourApplicationItself. So stay tuned where I will show you techniques that you can use to protect your application from attacks and intrusions

Read more: Best Practices When Working With Sensitive Data Securing Your Server

Web Design from 3D Web Design.
0
Trackback URL for this blog entry.

Comments

  • No comments made yet. Be the first to submit a comment

Leave your comment

Guest Wednesday, 12 August 2020

Testimonial

Thank you so much! We are very happy with our new website. It is easy to use and all of our customers tell us, they love it.

Contact Us

  • 13245 Atlantic Blvd. #4352
    Jacksonville, FL 32225
  • 904-240-5823