Data Protection
Keeping your data safe from interference is crucial in today’s age. A constant stream of threats exists across the internet landscape, from a solitary “curious” hacker to state sponsored hacker collectives, to hacktivist groups looking to bring attention to a social issue. The ‘why’ isn’t always clear; sometimes it is to steal information, such as intellectual property and banking information, other times it’s to disrupt operational activities or to hold your data to ransom. One thing you can be sure of, if you hold value in your data others will, and they may want to steal it for their own gain.
This series aims to spotlight approaches and tactics regarding data protection, and while there can be no guarantee these methods will prevent your server being hacked, they will address many of the common methods threat actors use to gain access to your data.
Lock Down
The best option for data protection is to remove as many routes to it as possible. On a server, data can be accessed in multiple ways utilising different protocols and services. While this may appear to make a daunting task, thankfully it is easy to achieve.
Most servers have a protocol on them which will allow you “root” level access to the server, for the purposes of management and configuration. On Linux this is generally SSH and on Windows Server it is RDP. The each listen on a specific port, and when a connection request comes in they will request authentication details before providing access to the server.
Brute-force attacks will constantly guess login credentials, which could be 100s of times a second in some cases. These attacks can pose two threats; firstly, the attempt could be successful, and access granted. Second, the attempt can consume resources on your server, which degrades overall performance and results in slow page loading. There is also a threat from past employees or contractors, who may possess login credentials that will allow them access to your data. While these may not have malicious intent if they themselves are compromised and the stored logins are stolen from them you become an easy target.
What can you do? The simplest approach, and by means not the only, is to lock down management ports to specific IP addresses. This approach will immediately prevent access from unknown/unfriendly sources, immediately stopping brute-force attacks and other threat actors from reaching your server. These rules are great at protecting services such as SSH, RDP, and FTP, which are the main protocols used to access the files on a system in general use cases.
However, there is a limitation with this approach, which makes it impractical for all situations. You must connect to the internet from a static IP address, otherwise when a dynamic IP address changes any rules established to allow access, you will be locked out – at least until our engineers have been able to login locally and reset the rules. If you don’t have a static IP address but would like to put in rules to prevent access you could look at getting a leased line or using a VPN service.
There is still a risk that the threat-actor originates from an allowed IP address if they have managed to compromise a system within that network. If you adopt some best practices, provided by NCSC, you will reduce the likelihood of this happening.
How To
Plesk (Linux Server)
- Once logged into Plesk, go to “Tools & Settings” > “Firewall” (Under the “Security” section)
- In the list of rules find “SSH (secure shell) server” and click to edit
- Select “Allow from selected sources, deny from others”
- In the sources field enter in the IP address you will use to connect to SSH from – if you need to add more select “Add one more”
- Click “Save”
- Click “Apply Changes”
You can then repeat the above for different services, such as FTP, MySQL, etc.
cPanel/WHM (Linux Server)
cPanel does not provide an included firewall management tool, however, as it is running Linux you are able to manage the “hosts.allow” and “hosts.deny” files from the GUI.
- Login to cPanel/WHM
- Navigate to “Security Center” > “Host Access Control”
- In the field below “Daemon” enter in “sshd”
- In the “Access List” field enter in the IP address you will use to SSH from – if you need to add more repeat the steps on a separate line.
- In the “Action” field enter in “allow”
- In the “Comment” field enter in relevant information, such as who added the rule, why, and when, for example “JT – New staff member – 20/11/2024”
- Click “Save Host Access List”
You can repeat this for other servers (daemons), identify the daemon you want to restrict and add it the same way as above -common daemon names can be found here.
ConfigServer Security and Firewall is a plugin available for cPanel/WHM which allows users to directly interact with the Linux firewall. Check the official documentation for details on how to use CSF to lockdown ports.
IMPORTANT
You must make sure that the very bottom entry on the list will DENY all SSH access that does not match the added rules above. Enter it as:
- Dameon: sshd
- Access List: ALL
- Action: deny
- Comment: “Deny ALL unknown SSH access”
CWCS
Here at CWCS, we can also provide a Dedicated Cisco Firewall for your Servers, which will assist with IP and Port Management, as well as Intrusion Prevention. Our team of industry experts are on hand to further explain how we can best support your and your business with data protection.
Find out more: https://www.cwcs.co.uk/managed-firewall-services/
