Server Security Checklist
Last updated: July 6th 2021
This guide lists different ways to harden your Webdock server security and links to our respective guides. This checklist is split in two parts:
- Security enhancements which should be performed on any new server - these are already active on our Perfect Server stacks.
- Security enhancements which are optional and which we have not applied per default to our Perfect Server stacks.
Already configured on Webdock Perfect Server Stacks
Check open ports on your server
Malware attacks occur through open ports on your server. Always keep an eye on what services are running and stop unnecessary services on your server. This article describes different ways to find open ports on your Webdock server.
Configure firewall to block ports
Run your applications behind an active firewall. Allow the incoming network traffic only to specific ports and block the remaining ports. UFW is the default firewall we use in our Perfect Server stacks and is a versatile and easily configurable iptables manager. You can read about how to manage your firewall with UFW on your Webdock server here.
Secure the SSH daemon
We use SSH daemon defaults which does not allow for password authentication nor root logins. SSH is the door to your server and its security is paramount to the safety of your server. SSH provides different configurations to harden its security. This article describes the various SSH configurations options which impact SSH server security.
Configure fail2ban to protect your server from different attacks
Analyze incoming network traffic automatically to detect malware and take action against it. Fail2ban is an Intrusion Prevention System tool that is used to protect your server from different attacks. On our Perfect Server stacks fail2ban is active for SSH and FTP but can be expanded to do all sorts of malware detection for other types of systems and software. Read more about fail2ban configuration for common services on your Webdock server here.
Further, optional, security enhancements
Configure Naxsi firewall to secure Nginx
Protect your Nginx server from different malicious activities like SQL injection and cross-site scripting. Naxsi is a tool which can be used for this purpose. This article describes how to set up Naxsi firewalling on your Webdock server.
Configure security headers in Nginx and Apache
Secure your Nginx and Apache servers by configuring various security headers. Security headers protect your server from cross-scripting attacks, SQL injections and clickjacking. Read more about security header configuration in Nginx and Apache here.
Enable encryption for MariaDB
Enable encryption at rest for your MariaDB server. By default MariaDB stores data in plain text and anyone with read access or access to your server can read the data. This guide explains the procedure of enabling encryption for your MariaDB server.