
What is the Most Secure Web Server Configuration? (2022)


Which web server configuration is the most secure is a question that often comes up. But the answer can be difficult to find, and many people are not sure how to configure their servers.

How to Secure a Web Server with the Best Configuration?

The most secure web server configuration is the one that has the fewest vulnerabilities and exploits.

A typical web server configuration has two main components: the operating system, which provides resources such as memory and CPU power, and an application server, which provides a web application framework.

The two main types of application servers are CGI (Common Gateway Interface) servers and Java Servlet Servers.

The following are some of the most common configurations:

  • Apache HTTP Server with mod_security, mod_headers, and mod_evasive
  • Nginx with Nginx security modules
  • IIS with Applocker
  • Microsoft IIS with Windows Defender Application Control.
  • Operating system, such as Linux or Windows.
  • Network hardware like a router and/or switch
  • Application software, such as MySQL or Microsoft SQL Server

Many people find Apache with mod_security, mod_headers, and mod_evasive to be secure, and the most secure web server configuration.

The most secure web server configuration is Apache with mod_headers and mod_evasive.

The web server is a vital part of web-based applications. Apache Web Server is frequently placed at the edge of the network, so it becomes one of the services most susceptible to attack.

A default configuration exposes a good deal of sensitive information, which might help hackers prepare attacks on the applications.

The majority of web application attacks are carried out through XSS, information leakage, session management, and SQL injection, which are due to weak programming code and a failure to sanitize web application infrastructure.

The most secure web server configuration is to use a load balancer and a reverse proxy. This will allow the webserver to be accessed by multiple users at a time.

The load balancer will distribute the requests evenly among the servers and the reverse proxy will redirect all requests to the correct web server based on the server’s IP address.

The reverse proxy creates a layer of encryption between your website and the users so that nobody can access your data without knowing the correct password or having access to your computer.

The downside to this is that if one of the web servers fails, it will take down all of the other web servers in its cluster. However, it avoids any single point of failure.

So what can your organization do to harden your web server to keep attackers at bay, or at least frustrated enough to look for a weaker target?

In this article of the web server protection series, we will review several of the best practices when it comes to Web server security.

Web Server Security Checklist

  • Disable the HTTP TRACE & TRACK Requests
  • Remove or Turn Off All Unnecessary Services
  • Upgrade the Software & the Operating System
  • Perform Security Exercises
  • Log Server Access
  • Disable the Signature
  • Configure Your Computer for File Backups
  • Hide Server Information
  • Install SSL Certificates
  • Keep an Eye on Passwords

Web Server Best Practices

Servers play a very important role in organizations. Their main function is to offer both data & computational services.

Because of the critical role they play, servers hold private organizational data & information. Information is like gold these days, & hackers are gold miners.

An insecure server is susceptible to all sorts of security threats & data breaches.

Security vulnerabilities can lead to the loss of significant data or loss of ability & control that can jeopardize the entire organization.

If you do not protect your servers, then you are treading a risky path.

You might not know how to protect your servers correctly. This article explains several server security tips that you can use to protect your servers.

Disable the HTTP TRACE & TRACK Requests

Although allowing your web server to respond to HTTP TRACE & TRACK requests can serve legitimate purposes, such as debugging errors within your network, these methods can also compromise the security of your web server.

One of the most common exploitation techniques is the cross-site scripting attack, where attackers could use & manipulate the TRACE and TRACK methods to intercept normal traffic connections, session cookies & possibly some data in transit.

The best way to address this problem is to disable the HTTP TRACE method by adding a directive to the httpd.conf file of an Apache web server. For instance:

• TraceEnable Off

• Reload Apache

Security-minded organizations and individuals should always be on the lookout for new security threats. One of the biggest threats is the use of HTTP, which can be used to steal data and compromise sensitive information.

While HTTPS does not provide a 100% guarantee against all attacks, it does offer a much higher level of protection than HTTP.

HTTPS is an encrypted protocol that creates an encrypted connection between your computer and the website you are visiting. It prevents third parties from intercepting your data or tampering with it as it travels across the internet.

Remove or Turn Off All Unnecessary Services

In cyber-security terms, this means setting up & maintaining only the bare minimum required to keep your services running.

Allow only the network ports used by the OS & installed components. The less you have on the system, the better.

A Windows OS server must only have the necessary operating system components. A Linux server must have a minimal installation with only the truly essential packages installed.

Because most Linux distributions listen for incoming connections on the internet, you should configure a firewall to allow only particular ports & deny all other unnecessary communication.

Check whether you need a piece of software before installing it, to make sure you are not adding something you do not need. Moreover, inspect which dependencies were auto-started on your system & whether you want them there.
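
One way to verify the result of that pruning, as an added example that is not part of the original article: it compares the listening TCP sockets reported by `ss -tln` with a port allowlist and prints anything network-reachable that is not on it. The allowlist 22,80,443 and the sample `ss` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list TCP listeners that are reachable from the network but
# whose port is not on an allowlist. Feed it the output of `ss -tln`.

# unexpected_listeners PORTS  (PORTS = comma-separated allowlist, e.g. 22,80,443)
# Reads `ss -tln` output on stdin; prints "port address" for each offender.
unexpected_listeners() {
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "LISTEN" { next }                 # skips the header line too
        {
            port = $4; sub(/.*:/, "", port)     # text after the last colon
            host = $4; sub(/:[^:]*$/, "", host) # everything before it
            # Loopback-only sockets are not exposed to the network.
            if (host ~ /^127\./ || host == "[::1]") next
            if (!(port in ok)) print port, host
        }' | sort -n
}

# Constructed sample of `ss -tln` output (not taken from a real host).
sample_ss() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       511     *:80                *:*
LISTEN  0       80      127.0.0.1:3306      0.0.0.0:*
LISTEN  0       128     [::]:22             [::]:*
LISTEN  0       32      0.0.0.0:21          0.0.0.0:*
LISTEN  0       50      [::]:8080           [::]:*
EOF
}

# Allowlist for this example: SSH, HTTP, HTTPS (an assumption, adjust to taste).
sample_ss | unexpected_listeners 22,80,443
# On a live host: ss -tln | unexpected_listeners 22,80,443
```

Each line of output is a service to remove, bind to loopback, or block at the firewall.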

Always Upgrade the Software & the Operating System

In server security, staying up to date on all software and operating system security fixes is essential. Server systems & software technologies are so complex that a number of the security vulnerabilities they carry can easily go unnoticed.

Because of this, security vulnerabilities usually exist in both old and newly updated software versions. Also, hackers constantly try to develop new and innovative ways to gain unauthorized entry into a system.

Luckily, vendors & cybersecurity professionals are constantly working to make sure that their software and operating systems are as secure as possible. Once they find a security loophole, they will normally move quickly to have the loophole fixed.

Once that’s completed, they will release a more secure, upgraded version of their OS or software. For your server’s security, you should install the update immediately once the vendor has tested and released it.

Even though most vendors act quickly to address security vulnerabilities, there is always a gap between the time the security vulnerability is discovered, the time it takes to fix it, & the time it takes you to install the new update.

This gap can give hackers the upper hand, as they can easily breach your servers before you apply the update.

To keep this gap as small as possible, always remain vigilant and aware of any new developments as far as your servers’ security is concerned.

You must also be aware of the immediate measures you can take to ensure that you are not affected by the vulnerable software.

For example, uninstalling the software could be a necessary thing to do. Finally, you must install the new update right away once it has been released.

Installing the more secure operating system and software version can help decrease your vulnerability.

Perform Security Exercises

One of the best ways to check whether your sensitive information is safe is to carry out mock attacks. This is the main premise behind penetration testing, but penetration tests are just spot-checks.

To fully and continuously evaluate your security posture, the best way is to perform continuous security exercises such as red team vs. blue team campaigns.

The idea behind red teaming is to hire an external organization that continuously tries to challenge your security and to set up a local team that is in charge of stopping such attempts.

There are several advantages to this approach. A constant exercise means that your business is constantly prepared for an attack.

It also helps with maintaining general security awareness, since the blue team involves much more than just a dedicated security team.

A dedicated red team does not just exploit security vulnerabilities. They frequently perform different types of mock attacks (including phishing, social engineering, DDoS attacks, & others) to help you defend against real ones.

The added benefit is also the recognition of how different security elements are woven together and cannot be treated individually.

Log server access

By default, Apache & Windows servers are not configured to capture login information as users authenticate into the device and carry out other requests.

In Apache, these logs can be customized for your organization’s specific requirements, written directly to a file, or sent to an external application. Conditions can also be set so that entries matching particular criteria are excluded or included.

While the information logged can be broad, key information could include the IP address of the requestor, the session ID, the host & bytes received/sent, among others.
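
Once access logging is on, the log can be searched for the TRACE and TRACK requests discussed earlier. The following is an added example, not part of the original article; it assumes Apache's common or combined log format, and the log lines are constructed using documentation IP ranges.

```shell
#!/bin/sh
# Added example: find TRACE/TRACK requests in an Apache access log written in
# the common/combined format (client IP first, request line in quotes).

# trace_requests LOG -> "ip METHOD status" for every TRACE or TRACK request
trace_requests() {
    awk -F'"' '
        {
            split($2, req, " ")            # request line: METHOD PATH PROTOCOL
            m = toupper(req[1])
            if (m != "TRACE" && m != "TRACK") next
            split($1, pre, " ")            # before the quote: ip ident user [time]
            split($3, post, " ")           # after the quote: status bytes
            print pre[1], m, post[1]
        }' "$1"
}

# trace_answered LOG -> number of those requests answered with 200, i.e. the
# method is still enabled on the server that wrote the log
trace_answered() {
    trace_requests "$1" | awk '$3 == 200 { n++ } END { print n + 0 }'
}

# trace_by_client LOG -> "count ip", busiest client first
trace_by_client() {
    trace_requests "$1" |
        awk '{ c[$1]++ } END { for (ip in c) print c[ip], ip }' | sort -rn
}

# Constructed sample log (documentation IP ranges, not real traffic).
log=$(mktemp)
cat > "$log" <<'EOF'
203.0.113.7 - - [10/Mar/2022:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2022:10:01:05 +0000] "TRACE / HTTP/1.1" 200 152 "-" "curl/7.81.0"
203.0.113.7 - - [10/Mar/2022:10:01:09 +0000] "TRACK / HTTP/1.1" 501 290 "-" "curl/7.81.0"
198.51.100.4 - - [10/Mar/2022:11:30:00 +0000] "TRACE /login HTTP/1.1" 405 310 "-" "probe"
EOF

trace_requests "$log"
echo "answered with 200: $(trace_answered "$log")"
trace_by_client "$log"
```

A non-zero count from `trace_answered` means TRACE is still enabled on that server; requests that were refused still show which clients are probing for it.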

Configure Your Computer for File Backups

You must always keep a file backup and have a restoration policy. You never know when a hacker will succeed in breaching your servers.

When such a breach occurs, a backup file could be your savior.

Frequently backing up your data lets you restore all the information resources that your server held before the data breach took place.

So, for the sake of your data, you must make sure that you back up your data frequently.

When developing a backup plan, ensure that you do a detailed analysis of the following:

  • The cost of the backup plan,
  • Its effectiveness and speed,
  • The effort necessary to restore your data after a data breach,
  • The speed of the backup procedure, and
  • The amount of disk space that you require to store the data.

You also must carefully consider the location where you store your backup files.

You can choose to keep the files either locally or in the cloud, which is a safer approach.

Disable the signature

A common way attackers start to probe a web server for possible exploitation is by sending a remote request that pulls back valuable information served up through the server signature.

Disabling the server signature, also known as the server footer, stops the server name, server version number & other information such as recent error messages, module information & other directory information from being displayed on request or when a 404 error page is presented.

If you want to protect your Apache web server from enumeration, for instance, go to your web server’s configuration file and add the directives “ServerSignature Off” & “ServerTokens Prod.”
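
The directives from this section and from the TRACE section above (TraceEnable Off, ServerSignature Off, ServerTokens Prod) can be checked in one pass. The following is an added example, not part of the original article; it assumes a single flat configuration file, treats the last occurrence of a directive as the effective one, and uses constructed sample files.

```shell
#!/bin/sh
# Added example: check one Apache config file for the directives named above.
# Assumption: a single flat file; Include lines and per-vhost overrides are
# not followed, and the last occurrence of a directive is taken as effective.

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# effective_value FILE DIRECTIVE -> last value set, or nothing if unset
effective_value() {
    awk -v want="$2" '
        $1 ~ /^#/ { next }                          # comment line
        tolower($1) == tolower(want) { val = $2 }   # directive names ignore case
        END { if (val != "") print val }
    ' "$1"
}

# check FILE DIRECTIVE WANTED DEFAULT -> prints PASS/FAIL, returns 0 on PASS.
# DEFAULT is the value Apache uses when the directive is absent.
check() {
    val=$(effective_value "$1" "$2")
    [ -n "$val" ] || val=$4
    if [ "$(lower "$val")" = "$(lower "$3")" ]; then
        echo "PASS $2 $val"; return 0
    fi
    echo "FAIL $2 $val (want $3)"; return 1
}

audit() {
    rc=0
    check "$1" TraceEnable     Off  On   || rc=1
    check "$1" ServerSignature Off  Off  || rc=1
    check "$1" ServerTokens    Prod Full || rc=1
    return $rc
}

# Constructed sample configs (not from a real server).
tmp=$(mktemp -d)
printf 'ServerTokens OS\nServerSignature On\n' > "$tmp/before.conf"
cat > "$tmp/after.conf" <<'EOF'
ServerTokens OS
# hardening added at the end of the file
TraceEnable Off
ServerSignature Off
ServerTokens Prod
EOF

audit "$tmp/before.conf" || echo "before.conf: needs hardening"
audit "$tmp/after.conf"  && echo "after.conf: ok"
```

Apache also accepts `ServerTokens ProductOnly` as the long form of `Prod`; add it as an accepted value if your configuration uses it.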

Hide Server Information

Try to offer as little information about the fundamental infrastructure as possible. The less that is recognized about the server, the better.

Also, it is an excellent idea to hide the version numbers of any software you have installed on the server. Frequently they reveal, by default, the exact release date, which can aid hackers when searching for weaknesses.

It is generally easy to remove this information by deleting it from the HTTP header of its greeting banner.

Install SSL Certificates

Secure Sockets Layer (SSL) certificates are security protocols that guard the communication between two systems over the web.

The Secure Sockets Layer is an important element of server security. You need to make sure that any communication or data transfers between your server & clients’ browsers or other servers are encrypted.

SSL certificates scramble data in transit so that sensitive and private information such as health details, credit card details, & financial records remain protected. A hacker who succeeds in accessing the data cannot decode its meaning.

Only the intended recipient who has the correct key to decrypt the information will be able to read it.

Apart from just encrypting the communication between your servers & other parties, SSL certificates also play a critical role in user verification.

SSL certificates can authenticate different systems to their particular owners. The certificate therefore helps establish your authority. To strengthen your security, you must get & install an SSL certificate.

Passwords

Everybody who has access to the backend of your website should have strong passwords. The administrators & other workers on this panel should also change their password if any hacking attempt is detected.

There should be password strength policies in place, and everyone should comply. If one can’t come up with strong passwords, safe password managers can create unique and difficult ones for them.

Password Don’ts

If you want to maintain a secure server, there are a few things you should avoid when it comes to passwords. First, be careful where you store passwords. Do not write them on pieces of paper & hide them around the workplace.

It is usually sensible not to use personal information like your hometown, birthday, pet names or other things that can link you, the user, to the password. These are very easy to guess, particularly by people who know you personally.

Passwords that contain only simple dictionary words are also easy to crack, particularly by dictionary (brute force) attacks. With the same risk in mind, try to avoid repeating sequences of characters in the same password.

Lastly, do not use the same password for many accounts. By recycling passwords, you put yourself at major risk. If a hacker manages to get access to a single account, all other accounts with the same password might be in danger.

Try to use a different password for every separate account & keep track of them using a password manager.

Installing & Configuring Apache Web Server Securely

  • Update your available packages to the latest versions by running the command: sudo apt update
  • Install Apache from the repository: sudo apt install apache2
  • Confirm if it is running by browsing to http://[external IP of your server]
  • Now stop the server with the command: sudo systemctl stop apache2
  • Then restart it with sudo systemctl start apache2
  • Check its status with systemctl status apache2.
  • Check the configuration files under /etc/apache2 especially /etc/apache2/apache2.conf
  • Use less to simply view them, or the vim editor to view and edit them.
  • In /etc/apache2/apache2.conf there is a line with the text: “IncludeOptional conf-enabled/*.conf” which tells the Apache web server that the *.conf files in the subdirectory conf-enabled should be merged in with those from /etc/apache2/apache2.conf at load.
  • The default webpage location is defined by the DocumentRoot parameter in the file /etc/apache2/sites-enabled/000-default.conf.
  • Use less or vim command to view the code of the default page – normally at /var/www/html/index.html.
  • Use View Source in your browser to see the code of http://00.00.00.00/sample, and copy it
  • Now, in your ssh session, run sudo vim /var/www/html/index.html, delete the existing content, then paste in this simple example and view it at http://[external IP of your server]
  • Apache webserver keeps its logs under /var/log/apache2
  • In the access.log file, you can see the session from when you browsed to the test page.
  • Finally, to secure your Apache Web Server you have to regularly check for updates & upgrades by running the following commands: sudo apt update, then sudo apt upgrade

Conclusion

After reading this article and implementing the server security measures we describe, you should feel more confident about your server’s security.

As a best practice, you should implement these security measures when you first set your server up. It also helps if you apply more than one of these measures.

As a common rule, the more security measures you have, the more protected your server will become.