Stories about new viruses circulating through e-mail have become common. Reports of hackers stealing a company’s data or crashing its Web site are less common, but the danger of it happening is ubiquitous and real. As you prepare to Web-enable your business, it is vital that you take the necessary steps to secure your server and business data.
As discussed in previous articles, you have two primary options for hosting your Web site: you can either hire a Web hosting company, or you can host the site yourself on your own server.
If you hire a Web hosting company such as Verio, they will configure your server’s operating system, configure the basic services (Web, FTP, and e-mail), and manage the server’s security. Make sure the hosting company offers comprehensive virus protection, spam protection and e-mail filtering, power backups, and 24/7/365 network monitoring. If you plan on building an e-commerce site, check that the company also offers an SSL secure server. Working with a Web hosting company that offers these services will relieve you of 95% of the work involved in securing your business. The additional issues to be aware of involve collecting and managing customer data, which are discussed in our two articles “E-Commerce: What You Need to Know” and “Creating a Customer Database for Your Site.”
The remainder of this article discusses the most important security issues and procedures when hosting your own server.
When it comes to securing a Web site that you host yourself, it doesn’t matter what type of Internet connection you have (DSL, cable modem, T1, etc.): an attacker sees an IP address and the services listening on it, not the kind of line behind it. Also, don’t let the hype regarding Microsoft Windows vs. Linux/Unix security fool you. All operating systems have security issues, and an unpatched or misconfigured server of either kind will be compromised. We tend to hear more about Windows security issues because Windows has by far the largest installed base and therefore attracts the most viruses and attack tools; Linux/Unix servers are attacked just as routinely, most often through unpatched services and weak passwords.
Securing your own Web server requires basic and sometimes advanced knowledge of technologies like firewalls, NAT, anti-virus software, intrusion detection, and file-level security.
Firewalls: The First Line of Defense
First and foremost, your server must be behind a firewall. A firewall is a device (software or hardware) designed to prevent unwanted Internet traffic from reaching your server. Communication over the Internet takes place using a family of protocols called TCP/IP. As you know from our article about domain names, every computer on the Internet (including servers) has an IP address. A single server may host a Web site, an e-mail server, an FTP server, and other services, and each of these services speaks a different protocol. To ensure that e-mail reaches the e-mail server, that Web page requests reach the Web server, and so on, each service listens on a different port. A port is a number from 0 to 65535 carried in every TCP or UDP packet alongside the IP address: the IP address identifies the machine, and the port identifies the service on that machine (for example, 25 for SMTP mail, 21 for FTP, 80 for HTTP, 443 for HTTPS).
Firewalls allow data to reach certain ports and prevent data from reaching others. In general, you should set up your firewall to allow incoming connections only to the ports actually used on your server. For instance, if your server only hosts a Web site, set your firewall to block all incoming traffic except port 80 (HTTP) and, if the site uses SSL, port 443 (HTTPS). By doing this you ensure that your server is shielded from all attack attempts except those that arrive over the Web service itself. This technique is akin to boarding up all the windows in your house and nailing all the doors closed but one. Burglars are less likely to attempt breaking in, and if they try, there’s only one door unlocked so it’s much easier to guard. Keep in mind what the firewall does not do: it limits which doors exist, but a flaw in the Web server or Web application behind the open door is still reachable, which is why the rest of this article matters.
Network Address Translation (NAT): Second Line of Defense
Network Address Translation (NAT) complements a firewall. The NAT device, which is most often your router, is the networking hardware directly connected to the Internet. The computers and servers on your internal network use addresses from the ranges reserved for private networks (10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16; for example, 192.168.1.143 or 10.0.0.5), which are not routable on the Internet, so nothing outside can reach them directly. The NAT device rewrites the destination of incoming traffic from its public IP address to a specific server on your network, usually on a port-by-port basis (port forwarding). For instance, if the NAT device’s public IP is 203.0.113.10 (a documentation address used here as a placeholder) and access to an internal Web server at 192.168.1.10 is needed, the NAT can be configured to forward port 80 traffic to that server and to forward nothing else.
In essence, NAT produces a result similar to a firewall’s port filtering: internal machines are unreachable from the Internet except through the ports you explicitly forward. It is not a substitute for a firewall, though. A forwarded port exposes the internal server exactly as if it sat on the Internet, and NAT does nothing to restrict outbound traffic or traffic between internal hosts. Properly configuring your NAT device to direct traffic only to the appropriate server, and excluding all other traffic, is key to securing your business.
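The two layouts described in the firewall and NAT sections above, expressed as nftables rulesets. This is an added example, not configuration from the original article or from Verio: the interface name `eth0`, the internal server address 192.168.1.10, the administrative network 203.0.113.0/24 and the `blocklist` set are assumptions chosen for illustration. `host_firewall` is the ruleset for the Web server itself; `nat_gateway` is the ruleset for a router that forwards only the listed ports to that server.

```shell
#!/bin/sh
# Emit nftables rulesets for a self-hosted Web server (added example).
#   host_firewall ADMIN_CIDR PORT...     ruleset for the server itself
#   nat_gateway   WAN_IF SERVER_IP PORT... ruleset for the NAT router in front of it
# Apply with:  host_firewall 203.0.113.0/24 80 443 | nft -f -
# ADMIN_CIDR, eth0 and 192.168.1.10 below are placeholders, not real values.

port_set() {            # turn "80 443" into the nft set literal "{ 80, 443 }"
  s=$(printf '%s, ' "$@")
  printf '{ %s }' "${s%, }"
}

host_firewall() {
  admin=$1; shift
  ports=$(port_set "$@")
  cat <<EOF
flush ruleset
table inet filter {
  set blocklist {
    type ipv4_addr
    flags interval
  }
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    ip saddr @blocklist drop
    icmp type echo-request limit rate 5/second accept
    tcp dport $ports accept
    ip saddr $admin tcp dport 22 accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
}
EOF
}

nat_gateway() {
  wan=$1; server=$2; shift 2
  ports=$(port_set "$@")
  # The router's own input chain (management access) is intentionally left out.
  cat <<EOF
flush ruleset
table inet filter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    iif "$wan" ip daddr $server tcp dport $ports accept
    iif != "$wan" accept
  }
}
table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100;
    iif "$wan" tcp dport $ports dnat to $server
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oif "$wan" masquerade
  }
}
EOF
}
```

The `policy drop` on each chain is what makes this "all doors nailed shut but one": anything not explicitly accepted is discarded. The `blocklist` set lets you shut out an abusive address later without rewriting the ruleset (`nft add element inet filter blocklist { 198.51.100.7 }`), and the port-22 rule restricted to your administrative network is a reminder that you still need a way in to manage the server; if you administer it from the console, delete that line.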
Know Your Server’s Operating System
If you are hosting your own Web server, you must be familiar with your server’s operating system and know how to secure it via file-level permissions and passwords. If you configure your own system, don’t assume that once you get that first Web page displayed your work is complete. Always have a full understanding of your server’s operating system; subscribe to the vendor’s security announcement list or enable automatic security updates, check for patches daily if you cannot, and install them promptly. Unpatched services are the most common way a self-hosted server is compromised.
Every computer on the Internet, including your Web server, is a potential victim of viruses. Thousands of malicious viruses circulate the Internet, and unscrupulous programmers release new ones weekly. There are many types: some are designed to delete data on your computer, some attempt to find data on your server and send it back to the person who created the virus, and some simply attempt to shut down your server by overloading it with traffic.
Regardless of their ultimate purpose, most viruses attempt to turn the infected computer into a bot that automatically seeks out new computers to infect (self-propagating programs of this kind are properly called worms). Because of this, it sometimes takes only minutes for a new server on the Internet to be hit by an infection attempt. If the infection is successful, your server may quickly spread the virus to other computers on your private network, as well as to other servers on the Internet. Whether your server runs Microsoft Windows, Unix, or Linux, you will need to secure it against viruses.
When purchasing anti-virus software, be sure it is designed for use on a server and not just a desktop computer. Look for software that also protects you from malware, e-mail spam, macro viruses, and can automatically update itself 24/7 to handle new threats. Make it part of your daily routine to go to the anti-virus software manufacturer’s Web site to check for new information and recommendations for fighting viruses.
Many Windows and Unix/Linux security holes are buffer overruns: a network service copies more data into memory than it has room for, and a carefully crafted oversized request overwrites that memory so that the attacker’s own instructions run, giving control of the server. Anti-virus software is not the defense against these. The patches discussed above are, together with removing every service you do not need (so that nothing is listening to be overflowed) and leaving the operating system’s exploit mitigations, such as data execution prevention and address space layout randomization, switched on. Properly installing and updating robust anti-virus software will still save you many headaches, but it complements patching rather than replacing it.
Scripting Security Issues
If your Web site is built only with static HTML, scripting adds no further security risk, although the Web server software itself must still be kept patched and carefully configured. However, most business Web sites are database-driven or have active content driven by some form of scripting engine: PHP, Perl, ASP (Active Server Pages), JSP (Java Server Pages), CFM (ColdFusion Markup), the .NET Framework, or others. Scripting allows you to build a vibrant Web site of rich, interactive content but also exposes the site to additional security risks, because every script that accepts input from a visitor is code that an attacker can feed unexpected input.
Each scripting engine has its own set of vulnerabilities and security techniques. If you are hosting your own Web site, the best advice is to purchase a book or consult a professional software developer about the scripting engine you are using. Configure the engine to be as restrictive as possible while offering the functionality you require. Also, never leave an unused scripting engine on your server, especially one that hasn’t been configured properly. A hacker may be able to use it to access your server and business data.
Even with anti-virus software in place, you can’t just put your server on autopilot. Vigilance is required to prevent your Internet server from being compromised. As your server operates, it generates log files that record who attempted to contact the server, what type of communication they requested, what time that request was made, and other vital data.
Many people only consult their log files when something goes wrong, but log files are far more valuable as preventive tools than as disaster-recovery tools. Web and FTP servers log every request they handle. Learning to read log files and taking the time to examine them on a regular basis is crucial. If, for instance, the log for your FTP server shows that in a 30-second period the same address tried to connect 100 times, or your Web server’s log shows a hundred failed logins from one address, you can be pretty sure that was an automated attack. To protect yourself, configure your firewall so that it does not allow any traffic from that IP address, but understand that an attacker will often move to another address, so rate limiting and strong passwords on the service itself matter more than any single block.
To help you make sense of server log files, consider purchasing log analysis software. Look for analysis software designed for your server’s operating system as well as the services you offer (Web, FTP, etc.). Many log analysis packages operate in real-time and can notify you via a page, email, or other mechanism if they detect that your server is being attacked.
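The burst detection described above, as an added example rather than a product from the original article: a POSIX shell function that reads a combined-format access log (as written by Apache and nginx) from standard input and reports any client address that makes THRESHOLD or more requests within any WINDOW-second span. The log lines in `sample_log` are constructed for the example; the addresses in them are documentation addresses, not real clients.

```shell
#!/bin/sh
# Flag client IPs that make >= THRESHOLD requests in any WINDOW-second span
# of a combined-format access log read from stdin (added example).
# Usage: flag_bursts WINDOW THRESHOLD < /var/log/apache2/access.log
flag_bursts() {
  awk -v win="$1" -v thr="$2" '
  {
    ip = $1
    # $4 looks like [10/Oct/2000:13:55:36 ; turn HH:MM:SS into seconds of day.
    n = split($4, t, ":")
    if (n < 4) next
    sec = t[2] * 3600 + t[3] * 60 + t[4]
    # Per-IP queue of timestamps: ts[ip,i] for i in head[ip]..tail[ip].
    tail[ip]++
    ts[ip, tail[ip]] = sec
    if (!(ip in head)) head[ip] = 1
    # Drop entries outside the window. The log is assumed to be time-ordered;
    # entries "in the future" are left over from the previous day (midnight
    # rollover of seconds-of-day) and are dropped too.
    while (ts[ip, head[ip]] < sec - win || ts[ip, head[ip]] > sec) head[ip]++
    count = tail[ip] - head[ip] + 1
    if (count >= thr && !(ip in flagged)) {
      flagged[ip] = 1
      print ip, count, "requests within", win, "seconds"
    }
  }'
}

# Constructed sample: 120 requests from 203.0.113.5 inside 20 seconds (six per
# second against a login page), plus two ordinary requests from 198.51.100.7.
sample_log() {
  i=0
  while [ "$i" -lt 120 ]; do
    printf '203.0.113.5 - - [10/Oct/2000:13:55:%02d -0700] "GET /login HTTP/1.0" 401 214\n' \
      $((10 + i / 6))
    i=$((i + 1))
  done
  printf '198.51.100.7 - - [10/Oct/2000:13:55:30 -0700] "GET / HTTP/1.0" 200 2326\n'
  printf '198.51.100.7 - - [10/Oct/2000:14:01:02 -0700] "GET /about HTTP/1.0" 200 1024\n'
}

# Report the first moment each address crosses 100 requests in 30 seconds.
sample_log | flag_bursts 30 100
```

Each flagged address is printed once, with the count at the moment it crossed the threshold, so the output can be fed straight into a firewall block (for example, into a named nftables set, if your ruleset defines one). Tune the window and threshold to your own traffic first: a busy page with many images can legitimately produce dozens of requests per second from one visitor, so look at request paths and status codes (here, repeated 401s on `/login`) before blocking.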
If you are hosting several servers, or if you are being regularly attacked, consider adding an intrusion detection or prevention system (IDS/IPS) to your network. These devices offer increased protection, centralized management, and real-time, automated notification of potential intrusions; an IPS can also block an attack in progress rather than merely reporting it, so tune it carefully to avoid blocking legitimate customers.
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are protocols that encrypt data between client and server so that it is protected as it travels over the Internet. The name “SSL certificate” survives, but the SSL protocol versions themselves are obsolete and insecure: configure your server to accept only TLS 1.2 or later. Securing your site involves obtaining a certificate from a certificate authority (CA) that browsers trust, such as GlobalSign or GeoTrust, and installing it together with its private key on your server. Certificates vary in cost depending on the level of validation and service you choose.
Requesting and installing a certificate can be simple or complex depending on the Web server software you are using. Having technical support at hand to implement SSL can often save much time and frustration.
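The request step described above, as an added example that is not part of the original article: a shell function that uses the OpenSSL command-line tool (assumed to be installed) to generate a private key and a certificate signing request (CSR) for a domain, then verifies the request before you send it to the CA. The domain `example.com` and the output directory are placeholders.

```shell
#!/bin/sh
# Generate a private key and CSR for DOMAIN in OUTDIR with OpenSSL, verify the
# CSR, and print its path (added example; assumes the openssl tool is present).
# Usage: make_csr example.com /etc/ssl/private
make_csr() {
  domain=$1; dir=$2
  mkdir -p "$dir"
  # OpenSSL config: no interactive prompts, and a subjectAltName listing every
  # hostname the certificate must cover (browsers check SAN, not the CN alone).
  cat > "$dir/$domain.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $domain
[ext]
subjectAltName = DNS:$domain, DNS:www.$domain
EOF
  # 2048-bit RSA key, unencrypted so the Web server can restart unattended.
  # umask 077 makes the key file owner-readable only from the moment it is created.
  (umask 077 && openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -config "$dir/$domain.cnf" \
      -keyout "$dir/$domain.key" -out "$dir/$domain.csr" >/dev/null 2>&1) || return 1
  # Confirm the request is well-formed and correctly self-signed before sending it.
  openssl req -in "$dir/$domain.csr" -noout -verify >/dev/null 2>&1 || return 1
  printf '%s\n' "$dir/$domain.csr"
}

# Show the subject and alternative names exactly as the CA will see them.
show_csr() {
  openssl req -in "$1" -noout -text | grep -E 'Subject:|DNS:'
}
```

Send only the `.csr` file to the certificate authority; the `.key` file never leaves the server. When the signed certificate comes back, install it (plus any intermediate certificates the CA supplies) alongside the key in your Web server’s configuration, and keep the key file readable only by the account the server runs as.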
If you host your site with a Web hosting company and implement an e-commerce solution from an established vendor, sometimes that arrangement can eliminate the cost and hassle of securing your own site with an SSL certificate. An e-commerce host can often integrate your needs (store, pay service, etc.) into their own domain, eliminating your need to purchase an SSL certificate.
In the end…
Stay vigilant! Lax security practices can result in significant downtime for your business, lost sales, lost data, frustrated customers, and perhaps the worst case: explaining to your customers why their private data was compromised.
Verio is a leading global provider of web hosting and cloud services. As a part of NTT, one of the world's largest telecommunications companies, we offer the stability businesses need in a long-term technology partner.