A server is a powerful computer that stores and processes a lot of data, and when you’re setting one up you want to make sure your data is kept under lock and key from the get-go. Whether you’ve got a dedicated server, VPS or bare metal server, security is at the top of the priority list and we’ve got a checklist of 14 server security tips to get you started.
Why is server security important?
Cutting straight to it, an insecure server opens you up to all sorts of security threats and cyber attacks – you wouldn’t just leave your phone or laptop lying around unlocked, would you? Setting up and using an insecure server is like leaving your data sitting open on the internet waiting for someone to compromise it.
In today’s online world, anyone can be a target and security vulnerabilities can lead to data loss, jeopardising your users’ security, and losing control of your server. Taking server security seriously means reducing the risk should anyone try and target your systems. The good news is that there are loads of things you can do to secure your server.
Did you know... over a 12-month period, ransomware attacks affected 73% of UK businesses? You can read more about it in the UK cyber security and cyber crime statistics (2024) report!
What are some common server security issues?
Whether you’re managing a VPS, dedicated or bare metal server, you can run into some potential security issues if you don’t have the right processes in place to mitigate them, including:
- Data breaches
- DDoS (distributed denial-of-service) attacks
- Malware
- Insider threats from employees
- Poor configuration
- Phishing
- Outdated software and/or OS
- Poor API design
- Man-in-the-Middle (MitM) attacks – similar to an eavesdropper or impersonator
- Unencrypted data
- No audit logging
- No backup and recovery
- Cross-site scripting (XSS) – which can allow hackers to run malicious code
- Resource exhaustion
What can I do to keep my server secure?
From something as simple as using strong passwords to setting up slightly more complex firewalls and VPNs, there are plenty of things you can do to nail your server security. Here’s our checklist of server security tips to get you on the right track.
1. Disable unnecessary services
When protecting your data, you want to minimise the number of ways someone can hack/gain access to it. This is often referred to as reducing the number of attack vectors (methods of gaining unauthorised access) your server has.
You can do this by only installing the bare minimum you need to run your systems and applications. If you’re setting up your own server, then you can start from the ground up. But if you’re using a third-party hosting provider, you’ll want to check if there are any services that are included with your package that you don’t need. If there are, then you should disable or uninstall them if you can.
2. Make sure software is up to date
Probably one of the simplest ways to secure your server is to make sure it’s all up to date. It’s easy to forget, but new updates bring security patches and bug fixes that sort out any issues that have been reported.
What needs to be kept updated depends on what you’ve installed on your server. First off will be your OS, then any applications you’ve configured and any other tools you may have set up. Depending on your hosting, you may be able to set up automatic updates, but you’ll want to make sure any updates that do get installed are compatible with your setup.
3. Check firewalls
Do you know how a fire door protects a room and its contents? Well, you can think of a firewall in a similar way – it stops malicious data packets from gaining access to your server by monitoring incoming and outgoing traffic. They’re a must-have for setting up a server, but with different types of firewalls to choose from, you need to make sure you’re using the right one.
Host-based firewalls
If you’ve ever used a Windows computer, you’ll be familiar with Windows Firewall, a good example of a host-based firewall. As it sounds, a host-based firewall is one that's installed on the host computer or server to protect it from attacks.
It’s directly installed as software and controls traffic to and from a specific host. Because it’s connected to the host itself, using one means that your server is protected no matter which network it’s connected to.
Network firewalls
Pretty much doing what it says on the tin, a network firewall protects a whole network, controlling traffic and only allowing secure packets of data to reach your servers. A network firewall will defend any server (or computer) connected to the network, which is essential if you have a network of servers set up.
4. Change default passwords
When you set up a server, you’ll probably find it comes with default passwords. One of the first things you should do is change these to your own secure passwords and make sure that you use best practices for all users.
What makes a strong password?
While it's still a good idea to aim for longer passwords (not just one word), best practices have evolved and a few tips would be:
- Make every password unique – don’t use the same one for multiple accounts
- Passphrases > passwords – Passphrases are multi-word phrases that use a jumble of random words that would be hard for a hacker to guess. The buzzword here is randomly generated. Ones you 'think up' yourself are likely to be weaker. An example would be: 'Baseball.Passengers.Sunshine'
Enforce password requirements for enhanced security
- Make sure users can’t use consecutive numbers in their password (e.g. 123 or 789)
- Maintain a blocklist of passwords that cannot be used – particularly if you’ve experienced any breaches in the past
- Have a session timeout
- Enable two-factor authentication
- Don’t allow default or empty passwords
- Ensure passwords must be of a certain length and have specific characters (such as numbers and symbols)
Password no-nos
There are also a few things you shouldn’t do:
- Don't use obvious/simple dictionary words
- Don’t use sequences, like numbers (123…) or letters (abc…)
- Don’t use personal info
- Don’t write passwords down
- Don’t use repeated words or sequences
If you’re worried that your passwords aren’t strong enough, you could use a random password generator like Avast’s one.
The more complicated a password is, the harder it can be to remember it. If you think you’ll struggle, you can use secure password managers to store the information for you while keeping it all locked up safe.
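As an added example (not code from the original post), here is a Python check that applies the requirements and no-nos above to a candidate password; the 14-character minimum and the short blocklist are assumptions, and the passwords it is tested with are constructed.

```python
import re

# Constructed sample blocklist: defaults, previously breached and dictionary
# passwords that must never be accepted (a production list would be far longer).
BLOCKLIST = {"password", "changeme", "admin", "letmein", "welcome", "qwerty"}
MIN_LENGTH = 14  # assumed minimum; the post only says "a certain length"


def has_sequence(text, run=3):
    """True if `run` adjacent characters step by +1 or -1: 123, 789, abc, cba."""
    codes = [ord(c) for c in text.lower()]
    for i in range(len(codes) - run + 1):
        steps = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if steps in ({1}, {-1}):
            return True
    return False


def has_repeated_word(text):
    """True for a word used twice in a row or any 3+ character chunk doubled."""
    words = re.findall(r"[a-z]+", text.lower())
    if any(a == b for a, b in zip(words, words[1:])):
        return True
    return re.search(r"(.{3,}?)\1", text.lower()) is not None


def check_password(password):
    """Return the policy violations; an empty list means the password is acceptable."""
    if not password:
        return ["empty password"]
    lowered = password.lower()
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"\d", password):
        problems.append("no number")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol")
    if any(word in lowered for word in BLOCKLIST):  # substring match catches Password123!
        problems.append("contains a blocklisted/dictionary word")
    if has_sequence(password):
        problems.append("contains a sequence such as 123 or abc")
    if has_repeated_word(password):
        problems.append("contains a repeated word or chunk")
    return problems
```

Note that the post's own example passphrase only fails the "must contain a number" rule; adding a digit makes it pass every check.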
5. Use a non-root account
Every server comes with a root (Linux) or administrator (Windows) user. This is a user that gets full access to the server and can execute any command. This power makes it a prime target for hackers looking to gain access to your system. That’s why it’s standard practice to disable the root user and create new user accounts with limited access so you can give root permissions only when you need to. This way, you can protect your server while still having access to root-level functions.
6. Set file permissions correctly
If you’re going to have multiple users accessing your servers, you need to make sure you set file permissions correctly. For example, limited read access can keep confidential information private.
You can also restrict who can modify files so they’re only edited by the people who should be editing them. Normal practice is to not give all users full access – only giving the minimum amount of access they need is a good way to go about it.
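An added example, not from the original post: a Python audit that lists everything under a directory that "other" users can read, write or execute, plus a function that applies the owner/group-only modes this tip describes. The directory tree it builds is constructed, and the 750/640 modes are an assumption about what "minimum access" means for a typical application directory.

```python
import os
import stat
import tempfile


def world_accessible(root):
    """Return (relative path, mode) for every entry under root that grants
    'other' any permission at all; symlinks are skipped (their own mode is meaningless)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & 0o007:
                findings.append((os.path.relpath(path, root), oct(mode & 0o777)))
    return sorted(findings)


def lock_down(root, dir_mode=0o750, file_mode=0o640):
    """Least privilege: owner full access, group read (and traverse), 'other' nothing."""
    for dirpath, dirnames, filenames in os.walk(root):
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), dir_mode)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), file_mode)


def demo():
    """Constructed tree with a config file left at the common 644 default, then fixed."""
    root = tempfile.mkdtemp()
    config_dir = os.path.join(root, "app", "config")
    os.makedirs(config_dir)
    secret = os.path.join(config_dir, "db.ini")
    with open(secret, "w") as fh:
        fh.write("password=constructed-example\n")
    os.chmod(os.path.join(root, "app"), 0o755)
    os.chmod(config_dir, 0o755)
    os.chmod(secret, 0o644)  # anyone with a shell on the box can read the credentials
    before = world_accessible(root)
    lock_down(root)
    return before, world_accessible(root)
```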
7. Configure secure backups
Hands down, backups are one of the most important things you should be implementing when setting up a server. You can take all the steps you can to secure your server, but should the unthinkable happen, having a backup of your data could be a lifesaver.
Keeping regular backups means that you have a safe copy you can easily restore if you need to. These backups can also be encrypted to keep them extra secure. You should also test them regularly to check that you're backing up the right information – you don't want to be trying to restore your server only to find you've got the wrong data.
Backups can be really simple to set up and can often be scheduled to automatically run without you having to think about it. Or, you could do them manually, but you need to make sure it’s a part of your routine so you don’t forget to do it.
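An added example, not from the original post: a Python backup routine that records a SHA-256 manifest when the archive is made and then proves the backup by restoring it into a scratch directory and comparing every file, which is the "test them regularly" step above. The source tree is constructed; encrypting the archive is left out to keep the example short.

```python
import hashlib
import os
import tarfile
import tempfile

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def manifest(root):
    """Relative path -> sha256 for every regular file under root."""
    out = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_of(full)
    return out

def create_backup(source_dir, archive_path):
    """Write a gzip tarball and return the manifest taken at backup time."""
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(source_dir, arcname=".")
    return manifest(source_dir)

def verify_restore(archive_path, expected):
    """Restore to a scratch dir; return paths missing or differing from the manifest."""
    scratch = tempfile.mkdtemp()
    with tarfile.open(archive_path, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):  # Python 3.12+ and patched 3.8-3.11
            tar.extractall(scratch, filter="data")  # rejects '..' and absolute paths
        else:
            tar.extractall(scratch)
    restored = manifest(scratch)
    return sorted(p for p, digest in expected.items() if restored.get(p) != digest)

def demo():
    # Constructed source tree: back it up, prove the restore, then show what a
    # stale manifest (data changed since the hash was taken) reports.
    src = tempfile.mkdtemp()
    os.makedirs(os.path.join(src, "etc"))
    with open(os.path.join(src, "etc", "app.conf"), "w") as fh:
        fh.write("listen=127.0.0.1:8080\n")
    with open(os.path.join(src, "data.db"), "w") as fh:
        fh.write("constructed sample data\n")
    archive = os.path.join(tempfile.mkdtemp(), "backup.tar.gz")
    expected = create_backup(src, archive)
    stale = {**expected, "data.db": "0" * 64}
    return verify_restore(archive, expected), verify_restore(archive, stale)
```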
8. Use TLS (SSL) certificates
Still often referred to as SSL certificates, TLS (Transport Layer Security) certificates use the shinier, upgraded, more secure successor to the SSL protocol. They encrypt data when it’s transferred from server to server or from your server to a client’s browser. More often than not, they’re used to keep confidential information like bank details, names, addresses and financial records safe.
And even though they’re most known for encrypting personal information, they can also authenticate users, checking they have the right authority to connect.
9. Use a VPN
VPNs are the fourth most used security product/service for a reason – they keep your data away from prying eyes. More of a Windows server thing (although you can still use one for Linux), connecting using a VPN allows you to access your server over your own private network, which encrypts data as it’s transferred between your device and the server. Plus, they let multiple servers under the same account communicate privately, so, if you want to keep your server secure, a VPN is a no-brainer.
10. Upgrade your OS regularly
Whether you’re with Windows or Linux, you’ll need to upgrade your OS to ensure you have the latest security updates.
11. Use server logs
Both cPanel and Plesk give system admins the ability to keep an eye on and record suspicious login attempts. It’s important to take a look at the server logs on a regular basis, as this helps spot potential threats so the right steps can be taken to deal with them.
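An added example, not from the original post: Python that reads sshd lines from a constructed auth.log-style sample (TEST-NET addresses), counts failed logins per source, and flags any source that got in after hammering the server, which is the kind of thing a regular log review is looking for. The threshold of five failures is an assumption.

```python
import re
from collections import Counter

# Constructed sample of /var/log/auth.log style sshd lines (documentation IP ranges).
SAMPLE_LOG = """\
Mar  4 09:12:01 vps sshd[2211]: Failed password for root from 203.0.113.45 port 51122 ssh2
Mar  4 09:12:03 vps sshd[2211]: Failed password for root from 203.0.113.45 port 51124 ssh2
Mar  4 09:12:05 vps sshd[2211]: Failed password for invalid user admin from 203.0.113.45 port 51130 ssh2
Mar  4 09:12:06 vps sshd[2211]: Failed password for invalid user test from 203.0.113.45 port 51131 ssh2
Mar  4 09:12:08 vps sshd[2211]: Failed password for invalid user oracle from 203.0.113.45 port 51133 ssh2
Mar  4 09:15:40 vps sshd[2290]: Failed password for deploy from 198.51.100.7 port 40022 ssh2
Mar  4 09:15:48 vps sshd[2290]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2
Mar  4 09:20:11 vps sshd[2301]: Accepted password for root from 203.0.113.45 port 51200 ssh2
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)


def parse_auth_log(text):
    """One dict per login attempt; lines that are not login results are ignored."""
    return [m.groupdict() for m in map(AUTH_RE.search, text.splitlines()) if m]


def suspicious_sources(events, threshold=5):
    """Sources with at least `threshold` failures, and any login they then got accepted.
    One failure followed by success (a typo, then the key) is normal and not flagged."""
    failures = Counter(e["ip"] for e in events if e["result"] == "Failed")
    brute = {ip for ip, n in failures.items() if n >= threshold}
    got_in = [(e["ip"], e["user"], e["method"])
              for e in events if e["result"] == "Accepted" and e["ip"] in brute]
    return sorted(brute), got_in


def guessed_usernames(events):
    """Account names tried that do not exist on the server."""
    return sorted({e["user"] for e in events if e["invalid"]})
```

A password login for root accepted from a source that just failed five times is the line to act on first; everything else in the sample is background noise.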
12. Set up SSH keys
SSH key authentication makes server security much stronger by replacing passwords, which can be guessed, with a pair of special “keys”.
These keys use complex mathematics to protect against unwanted access. Using two keys (a private one and a public one) guards against password guessing and forced entry attempts. Users keep their private key safe, often adding a passphrase to make it even more secure.
This method doesn't just offer better protection, it also lets admins control who gets in and track what they do. Plus, each authorised user can have their own unique set of keys for when they need to access the server.
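An added example, not from the original post, that serves both tip 5 (no direct root logins) and tip 12 (SSH keys): a Python audit of sshd_config that resolves settings the way sshd does (the first occurrence of a keyword wins) and reports anything that deviates from key-only, no-root access. Both config samples are constructed, and the list of expected settings is an assumption.

```python
# Settings the checklist asks for: key-only logins, no direct root access (assumed list).
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
    "kbdinteractiveauthentication": "no",  # otherwise PAM can still prompt for a password
    "permitemptypasswords": "no",
}

def effective_settings(config_text):
    """First occurrence of a keyword wins, '#' lines are comments, and everything
    from the first Match block onward is conditional, so it is left out."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break
        settings.setdefault(key, value)  # sshd ignores later duplicates
    return settings

def audit(config_text):
    """(keyword, found, wanted) for each expected setting that is wrong or unset;
    unset ones count because defaults vary across OpenSSH versions and distros."""
    settings = effective_settings(config_text)
    return [(key, settings.get(key, "<unset>"), want)
            for key, want in EXPECTED.items()
            if settings.get(key, "<unset>").lower() != want]

WEAK_CONFIG = """\
# constructed: what a fresh install often looks like
PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
KbdInteractiveAuthentication no
PermitEmptyPasswords no
Match Group sftponly
    ForceCommand internal-sftp
"""
```

Run the audit before restarting sshd, and keep a second session open while you switch password logins off so a mistake in the key setup cannot lock you out.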
13. Use FTP
FTP allows users to transfer files on an encrypted network to and from your server. This is beneficial for when you want the transfer to be encrypted to lessen the chances of it being intercepted by hackers – particularly if you are transferring sensitive data.
But how do you do this? You can connect to an FTP server when you use a command-line interface like a terminal in macOS, Linux, or Windows, use a web browser for more convenient access to large directories (though it's slower), or opt for a dedicated FTP client like FileZilla, Transmit, or WinSCP.
14. Choose a secure host
We’ve talked a lot about things you yourself can do to secure your server, but if your host isn’t doing all they can, then it’ll be like taking one step forward and two steps back – all your effort could be wasted.
Starting from the beginning, you should try to pick a host that takes security seriously. That includes using the latest software and hardware security measures in their data centres, having the right certifications to show security is a priority for them and doing what they can to help you secure your server.
What is server security hardening?
Server hardening is a term you may have seen thrown around when looking up how to secure your server. Put simply, it’s the process of securing your server by applying a combination of both basic and advanced security measures, addressing vulnerabilities in your server software and OS.
Typically server hardening includes things like using strong passwords, encrypting data, using backups and installing firewalls – all things we’ve included in our security tips. So, if you follow our checklist above, you’ll have a good head start on your server hardening!
From our VPS hosting to our Dedicated Servers, we do everything we can to help you secure your server, including full root access, easy firewall management and security add-ons like Cyber Protect and SSL certificates. Plus, they’re all hosted in ISO 27001-certified data centres that are monitored round-the-clock by on-site engineers.
If you ever need any help with your server security, our expert support team is on hand 24/7 to help. Plus, we have loads of security-focused blog posts that keep you in the loop.