
How to build a secure server
<Knowledge Base> | 2026-05-07

As administrators, we all hope that our servers will never be breached. However, there is always a group of hackers silently watching, waiting for the right moment to strike a fatal blow.


There is no "one-shot cure" shortcut for server security hardening. The core principle lies in building a defense-in-depth system. This means setting up defenses at every layer, from the network and system to applications and data, creating a progressive barrier to keep attackers at bay. To help you better understand and implement this, this article outlines seven core lines of defense. Please prioritize and implement them based on your own operations and maintenance scenarios.


The seven core lines of defense:

Apply system patches -> Use a zone-based firewall -> Remote login protection -> Protect against tampering -> Defend against trojans and viruses -> Ensure application software security -> Perform data backups



1. Apply System Patches


There is no doubt that applying system patches is the cornerstone of all security work, as it directly fixes known security vulnerabilities for which public exploit code (PoC/EXP) exists. If a system has known high-risk vulnerabilities that are not patched, firewalls and complex passwords become useless: attackers can gain control directly by exploiting the vulnerabilities without needing to crack any credentials.


How to update patches on CentOS:

Note: The following command updates both security patches and feature updates.

yum update -y


If you only want to update security patches, run the following command:

yum update --security -y


How to update patches on Ubuntu/Debian:

Note: The following commands update both security patches and feature updates.

sudo apt update          # Refresh the package list
sudo apt upgrade -y      # Upgrade all installed packages
sudo apt autoremove -y   # Remove old, unneeded dependency packages


If you only want to update security patches, run the following commands:

sudo apt update          # Refresh the package list
sudo unattended-upgrade  # Install only security updates


How to update patches on Windows:

Windows has a built-in patch update feature. Right-click on "My Computer," click "Properties," and then click "Windows Update."

You can also use [Hw.safe Server Security System] to update system patches, which also supports automatic patch updates. Very hassle-free!



2. Use a Zone-Based Firewall


Applying system patches addresses internal vulnerabilities; it's about "fixing holes" from within. A firewall, on the other hand, guards against external threats; it's about "controlling access." These two are complementary and indispensable core components of a defense-in-depth system. The firewall serves as the first gate between the server and the external network. Since almost all intrusions occur over the network, its importance cannot be overstated.


Firewalls primarily restrict port access. Traditional firewalls can only open or block a port for all regions at once, which no longer meets today's increasingly complex network security demands. For example, internal enterprise systems such as OA, financial systems, and ERP generally do not need to be accessible from overseas. Yet most intrusion attempts originate from abroad. If you can block overseas access at the firewall level, security is significantly enhanced.


Unfortunately, the built-in system firewall does not have region-restriction capabilities. You would need to manually collect overseas IP addresses, but that's hardly useful either, given that there are millions of overseas IPs, and figuring out how to add them all to the firewall is a challenge in itself. As a result, using a commercial firewall becomes a necessity. We recommend the MagiAegis Defense System. For around a hundred dollars, you get comprehensive one-stop protection, including host protection, website protection (WAF), zone-based firewall, tamper prevention, antivirus and anti-malware, and application software protection. In the firewall module, you can restrict port access by region. The system also comes with a massive built-in database of malicious IPs, stopping hackers before they even begin their intrusion.


(Restrict port 888, allow access only from Malaysia)




(Malicious IP protection, with support for region selection)
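
How a per-region rule like the one captioned above (port 888, one region only) can be expressed as a set of that region's networks plus two port rules. This is an added example, not code from the article or from the product; the set name allow_region and the address ranges are constructed placeholders, and a real list has to come from a registry or GeoIP source.

```shell
#!/bin/sh
# Added example: per-region allow list for one port (ipset + iptables).
# Nothing is applied; the functions only print what would be loaded.

# Constructed sample: documentation ranges standing in for one region's
# allocations, plus three malformed entries that must be rejected.
SAMPLE_CIDRS='# region list (constructed)
203.0.113.0/24
198.51.100.0/25   # trailing comment
not-a-cidr
192.0.2.300/24
10.0.0.0/33'

# valid_cidrs: read a list on stdin, print only well-formed IPv4 networks
valid_cidrs() {
  awk '{
    sub(/#.*/, ""); gsub(/[ \t\r]/, "")
    if ($0 !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/) next
    split($0, p, "/"); split(p[1], o, ".")
    if (p[2] + 0 > 32) next
    for (i = 1; i <= 4; i++) if (o[i] + 0 > 255) next
    print
  }'
}

# ipset_restore SETNAME: CIDR list on stdin -> input for `ipset -exist restore`
ipset_restore() {
  echo "create $1 hash:net family inet"
  valid_cidrs | sed "s|^|add $1 |"
}

# port_rules SETNAME PORT: accept sources in the set on PORT, drop all others
port_rules() {
  echo "iptables -A INPUT -p tcp --dport $2 -m set --match-set $1 src -j ACCEPT"
  echo "iptables -A INPUT -p tcp --dport $2 -j DROP"
}

printf '%s\n' "$SAMPLE_CIDRS" | ipset_restore allow_region
port_rules allow_region 888
```

Load the printed set with `ipset -exist restore` before adding the rules, and rebuild it on a schedule, since address allocations change.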




3. Remote Login Protection


SSH/RDP are the most common methods for remotely maintaining servers, and they are also the favorite intrusion routes for hackers. Hackers often use brute-force attacks, credential stuffing, and other methods to crack administrator passwords, so setting a strong password is the first priority. However, a strong password does not guarantee security, as hackers can exploit vulnerabilities in SSH/RDP to directly compromise the server. Therefore, additional protective measures are necessary. MagiAegis Defense System provides multiple layers of protection for both SSH and RDP.


First, you can enable or disable remote services online. Once remote services are disabled, no hacker, no matter how skilled, can exploit SSH/RDP to intrude.


Second, you can restrict the IP addresses and regions allowed to log in remotely. For example, you can allow login only from Hong Kong and deny access from all other regions. Obviously, the likelihood of a hacker being in the same city as you is extremely low.


Third, when a remote login occurs, the system sends a notification to the administrator, allowing you to be informed immediately and detect any signs of hacker activity promptly.


(SSH/RDP Remote Protection)




(Remote Login Notification, with email notification support)
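
The login notification and source restriction described above, sketched as log analysis: report sources with repeated failed passwords and accepted logins from addresses outside an allow list. This is an added example, not the product's implementation; the log lines are constructed in the usual OpenSSH syslog format, and ALLOWED_SOURCES is an assumed administrator address.

```shell
#!/bin/sh
# Added example: login notification and brute-force triage from sshd log lines.

# Constructed sample in the usual OpenSSH syslog format.
SAMPLE_LOG='May  7 10:01:02 web1 sshd[811]: Failed password for root from 203.0.113.7 port 51234 ssh2
May  7 10:01:04 web1 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
May  7 10:01:07 web1 sshd[812]: Failed password for root from 203.0.113.7 port 51262 ssh2
May  7 10:02:11 web1 sshd[820]: Failed password for deploy from 192.0.2.10 port 40112 ssh2
May  7 10:02:30 web1 sshd[821]: Accepted publickey for deploy from 192.0.2.10 port 40120 ssh2
May  7 10:09:45 web1 sshd[830]: Accepted password for root from 198.51.100.20 port 55001 ssh2'

ALLOWED_SOURCES='192.0.2.10'   # assumption: the administrator's own address(es)

# failed_sources THRESHOLD: log on stdin -> "ip count" for each source with at
# least THRESHOLD failed passwords. The address is taken after the LAST "from",
# because the user name field before it is client-supplied text.
failed_sources() {
  awk -v t="$1" '/sshd\[[0-9]+\]: Failed password for / {
      ip = ""
      for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)
      if (ip != "") n[ip]++
    }
    END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }' | sort
}

# unexpected_logins "ip ip ...": log on stdin -> "user ip method" for every
# accepted login whose source is not in the allow list
unexpected_logins() {
  awk -v allow="$1" '
    BEGIN { k = split(allow, a, " "); for (i = 1; i <= k; i++) ok[a[i]] = 1 }
    /sshd\[[0-9]+\]: Accepted / {
      u = ip = m = ""
      for (i = 1; i < NF; i++) {
        if ($i == "Accepted") m = $(i + 1)
        if ($i == "for" && u == "") u = $(i + 1)
        if ($i == "from") ip = $(i + 1)
      }
      if (ip != "" && !(ip in ok)) print u, ip, m
    }'
}

printf '%s\n' "$SAMPLE_LOG" | failed_sources 3
printf '%s\n' "$SAMPLE_LOG" | unexpected_logins "$ALLOWED_SOURCES"
```

Run against the real authentication log on a schedule, any output from unexpected_logins is what would be mailed to the administrator.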




4. Tamper Prevention


Tamper prevention is an essential component of a deep security protection system. This is especially true for websites: without a tamper prevention mechanism, it is nearly impossible to defend against intrusions. Tamper prevention can be divided into two types: file tamper prevention and database tamper prevention. Their protection principles differ, so separate protection mechanisms need to be established.


A. File Tamper Prevention


Professional-grade tamper prevention systems are complex to deploy and expensive (often costing tens of thousands of dollars), so they are not recommended. Instead, lightweight tamper prevention systems are a better choice.


A lightweight tamper prevention system works by blocking hacker tampering attempts at the system kernel level. Compared to professional-grade systems, it lacks distribution and restoration functions. However, most users do not actually need these two features, and the price is less than one-tenth that of a professional-grade system.


Even among lightweight tamper prevention systems, there are significant differences in protection effectiveness, primarily in terms of compatibility. Some simple tamper prevention systems, while able to prevent tampering, have major side effects. For example, they may block write operations to cache directories as well, causing the website to fail to run properly. We still recommend using MagiAegis Defense System because it supports setting independent tamper prevention rules for subdirectories (e.g., granting write permissions to directories such as runtime and caches). Additionally, the system comes with built-in tamper prevention rules for almost all CMS platforms. You only need to select the website path and rule template to quickly add powerful tamper prevention rules without side effects.


(One-click addition of website tamper prevention rules)
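
The per-subdirectory idea above (protect the site, leave runtime and caches writable) shown from the detection side: hash every file outside the writable directories and compare against a baseline. This is an added example and not the kernel-level blocking the product performs; the directory names come from the text, and the site tree is constructed for the demo.

```shell
#!/bin/sh
# Added example: detect changes in a web root while ignoring the
# subdirectories that must stay writable.

WRITABLE_DIRS='runtime caches'   # assumption: directory names from the text above

# snapshot ROOT: print "sha256  ./path" for every file outside WRITABLE_DIRS
snapshot() (
  cd "$1" || exit 1
  set --
  for d in $WRITABLE_DIRS; do set -- "$@" -path "./$d" -prune -o; done
  find . "$@" -type f -exec sha256sum {} + | sort -k 2
)

# compare OLD NEW: print "ADDED|MODIFIED|REMOVED path" for each difference
compare() {
  awk 'FILENAME == ARGV[1] { h = $1; sub(/^[^ ]+ +/, ""); old[$0] = h; next }
       { h = $1; sub(/^[^ ]+ +/, ""); seen[$0] = 1
         if (!($0 in old)) print "ADDED", $0
         else if (old[$0] != h) print "MODIFIED", $0 }
       END { for (p in old) if (!(p in seen)) print "REMOVED", p }' "$1" "$2" | sort
}

# demo: constructed tree; a real run points snapshot at the site document root
demo() {
  t=$(mktemp -d) || return 1
  mkdir -p "$t/site/runtime" "$t/site/caches"
  echo '<?php echo "home";' > "$t/site/index.php"
  echo 'body{}' > "$t/site/style.css"
  snapshot "$t/site" > "$t/baseline"
  echo 'session' > "$t/site/runtime/sess_1"         # expected write: ignored
  echo '<?php // changed' > "$t/site/index.php"     # page content altered
  echo '<?php // new' > "$t/site/up.php"            # file that was not there
  rm "$t/site/style.css"
  snapshot "$t/site" > "$t/current"
  compare "$t/baseline" "$t/current"
  rm -rf "$t"
}
demo
```

Keep the baseline file outside the web root and off the account the web server runs as, so whoever can change the site cannot also change the reference.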




B. Database Tamper Prevention


Database tamper prevention generally works by cleaning data at the data entry point to achieve protection, such as SQL injection prevention. There are three implementation methods:


First, set up an independent WAF platform. All access requests first pass through the WAF platform to clean the data, block injection attempts, and allow legitimate requests.


Second, implant a plugin into the WebServer. All access requests first pass through the plugin to clean the data, block injection attempts, and allow legitimate requests.


Third, parse communication data. All communication data from the WebServer to the database is inspected, blocking injection attempts and allowing legitimate requests.


We strongly recommend the second method. The first method is essentially the same as the second, but it requires deploying an additional server to set up a WAF platform, which is costly. The third method is the best, but it is very expensive (often costing tens of thousands of dollars). This method has a professional name: database auditing.


MagiAegis Defense System adopts the second method by directly installing a plugin into the WebServer to block threats. In its injection protection module, it provides both SQL injection protection and XSS injection protection.


(SQL Injection Protection)




5. Trojan and Virus Prevention


Server trojans and viruses are divided into two types: web trojans and software trojans. MagiAegis Defense System provides both scanning and removal functions, allowing you to accomplish two tasks with a single investment.


(Webshells Protection)




(Software Virus Protection)




6. Application Software Security


Almost all commonly used server software (such as Apache, Nginx, Tomcat, etc.) has security vulnerabilities. These programs typically run with the highest privileges, so if a vulnerability is exploited, the consequences can be disastrous. Relying solely on patches is not enough to resolve the issue, because patches always come after the vulnerabilities are discovered. By the time an official patch is released, the server may have already been compromised. An effective approach is to restrict the access permissions of these applications, for example by allowing them to access only website directories and preventing them from executing executable files. When combined with a tamper prevention system, this can block intrusions even when new vulnerabilities emerge.


Very few systems can restrict software access in this way. Fortunately, MagiAegis Defense System supports this feature. In the "Process Protection" module, simply add the software you wish to restrict, specify the file paths it is allowed to access, and the security issue is easily resolved.


(Restrict the range of files that software is allowed to access)




7. Perform Data Backups


As the last line of defense in security protection, backups are actually the most important protective measure. No matter how robust a protection system is, nothing provides peace of mind like a backup.


Backups can be categorized into local backups, remote backups, disaster recovery backups, snapshot backups, and more. Implementing local backups and remote backups can meet 99% of your needs. If you are using a cloud server, you can also create snapshot backups, which allow for rapid recovery in the event of a ransomware attack.


Backup methods can be implemented by writing your own scripts or by using third-party software.
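
A self-written backup script of the kind mentioned above, covering the local backup case: it archives a directory, tests the archive, records a checksum, and rotates old copies. This is an added example, not part of the original article; the paths, the KEEP count and the remote host name in the comment are assumptions, and the demo data is constructed.

```shell
#!/bin/sh
# Added example: local backup with a checksum, an archive check and rotation.

# backup SRC DEST KEEP [STAMP]: archive SRC into DEST, test the archive,
# record its SHA-256, keep only the newest KEEP archives, print the new path
backup() {
  src=$1 dest=$2 keep=$3
  name="backup-${4:-$(date +%Y%m%d-%H%M%S)}.tar.gz"
  mkdir -p "$dest" || return 1
  tar -C "$src" -czf "$dest/$name.part" . || return 1
  # An archive that cannot be read back is not a backup: test before publishing.
  tar -tzf "$dest/$name.part" > /dev/null || { rm -f "$dest/$name.part"; return 1; }
  mv "$dest/$name.part" "$dest/$name" || return 1
  ( cd "$dest" && sha256sum "$name" > "$name.sha256" ) || return 1
  # Stamps sort chronologically, so the glob lists the oldest archive first.
  set -- "$dest"/backup-*.tar.gz
  while [ "$#" -gt "$keep" ]; do rm -f "$1" "$1.sha256"; shift; done
  echo "$dest/$name"
}

# verify ARCHIVE: recheck the recorded checksum, e.g. before a restore
verify() (
  cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" > /dev/null 2>&1
)

# Remote copy (assumption: a second host reachable over SSH, placeholder name):
#   rsync -a "$dest/" backup-host.example:/srv/backups/

# demo: constructed data, three runs with KEEP=2, then a corrupted archive
demo() {
  t=$(mktemp -d) || return 1
  mkdir "$t/data" && echo 'orders' > "$t/data/db.sql"
  for s in 20260501 20260502 20260503; do
    last=$(backup "$t/data" "$t/bk" 2 "$s") || return 1
  done
  verify "$last" && echo "verified $(basename "$last"), $(ls "$t/bk" | grep -c 'gz$') archives kept"
  echo 'x' >> "$last"
  verify "$last" || echo "corruption detected"
  rm -rf "$t"
}
demo
```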



By implementing the seven security lines of defense outlined above, your server security will be impenetrable. These protection methods apply not only to Linux servers but also to Windows servers.


As can be seen from the protective measures described above, the MagiAegis Defense System provides comprehensive one-stop protection for both servers and websites. With just one system, all security issues can be resolved. If you have such needs, take action now!

