It is easy to get a server. Anyone can set up a machine in their basement and start publishing websites. Furthermore, most web hosting companies offer leased servers and virtual private servers at affordable prices. All of this means that someone with absolutely no experience can start a server, publish websites, or even host other people’s sites.
Fortunately, there are plenty of forums and online documentation to help newbie system administrators get started. If you happen to be one of them, or even if you are not, there are several security threats to Internet-connected servers that you should be aware of and know how to prevent and mitigate. These 10 threats are common ones that attackers like to use to either gain access to your server or bring it to its knees.
1. Brute Force Attack
In a brute force attack, the intruder attempts to gain access to a server by guessing a user password (usually the root administrator) through the SSH server, Mail server, or other service running on your system. The attacker will normally use software that will check every possible combination to find the one that works. Brute force detection software will alert you when multiple failed attempts to gain access are in progress and disable access from the offending IP address.
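The detection logic described above, as an added example that is not part of the original article: it parses constructed sshd log lines (sample data, not a real capture), keeps a sliding window of failed logins per source IP, flags any IP that exceeds a threshold inside the window, and emits the firewall rules a response script could apply. The log format, threshold and window are assumptions chosen for the demo.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample sshd log lines (not a real capture). Syslog timestamps
# carry no year, so the parser assumes one (LOG_YEAR) when converting them.
LOG_YEAR = 2024
SAMPLE_LOG = """\
Mar  3 10:00:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
Mar  3 10:00:03 host sshd[1203]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
Mar  3 10:00:04 host sshd[1205]: Failed password for root from 203.0.113.7 port 51238 ssh2
Mar  3 10:00:06 host sshd[1207]: Failed password for root from 203.0.113.7 port 51240 ssh2
Mar  3 10:00:09 host sshd[1209]: Failed password for root from 203.0.113.7 port 51242 ssh2
Mar  3 10:00:15 host sshd[1211]: Accepted publickey for alice from 198.51.100.5 port 40000 ssh2
Mar  3 10:02:00 host sshd[1213]: Failed password for bob from 198.51.100.9 port 40010 ssh2
Mar  3 10:20:00 host sshd[1215]: Failed password for bob from 198.51.100.9 port 40012 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) "
)


def parse_failed_login(line, year=LOG_YEAR):
    """Return (timestamp, user, ip) for a failed-password line, or None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m.group("ts").split())  # collapse the padded day field
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return ts, m.group("user"), m.group("ip")


def detect_brute_force(lines, threshold=5, window_seconds=60):
    """Return {ip: time_of_detection} for every source IP that produced at
    least `threshold` failed logins inside any `window_seconds` window."""
    recent = defaultdict(deque)  # per-IP timestamps still inside the window
    flagged = {}
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue  # successful logins and unrelated lines are ignored
        ts, _user, ip = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()  # expire attempts older than the window
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts
    return flagged


def block_commands(flagged):
    """Firewall rules a response script could apply for each flagged IP
    (iptables syntax; adapt to nftables or a cloud security group as needed)."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(flagged)]


if __name__ == "__main__":
    hits = detect_brute_force(SAMPLE_LOG.splitlines())
    for ip, when in hits.items():
        print(f"{ip} exceeded threshold at {when:%H:%M:%S}")
    print("\n".join(block_commands(hits)))
```

In the sample, 203.0.113.7 produces five failures within eight seconds and is flagged, while 198.51.100.9 fails twice eighteen minutes apart and is not; the window is what keeps an occasional mistyped password from locking out a legitimate user. Tools such as fail2ban implement the same idea with log-file tailing and automatic unbanning.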
2. Open Relay
A Mail Transfer Agent (MTA) normally uses an SMTP server to send email from your server’s users to people around the world. With an open relay, anyone can use your SMTP server, including spammers. Not only is it bad to give access to people who send spam, it could very well get your server placed on a DNS blacklist that some ISPs will use to block mail from your IP. It is very easy to close an open relay. Just follow the documentation for your MTA.
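What "closing an open relay" means in decision terms, as an added example that is not part of the original article and not any MTA's own code: the function models the check an MTA makes at RCPT TO time (accept local recipients, accept relaying only from trusted networks or authenticated clients), and `is_open_relay` probes a policy the way a blacklist tester would. The trusted networks, local domains and addresses are constructed assumptions.

```python
import ipaddress

# Constructed site policy (assumption, not any real server's configuration):
# networks that may relay without authenticating, and the domains this MTA
# delivers locally.
MY_NETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
               ipaddress.ip_network("192.0.2.0/24")]
LOCAL_DOMAINS = {"example.com", "mail.example.com"}


def relay_decision(client_ip, authenticated, recipient, allow_unauth_relay=False):
    """Decide at RCPT TO time whether mail for `recipient` may be accepted.

    Returns (action, reason). `allow_unauth_relay=True` models a misconfigured
    MTA that forwards mail for anyone, i.e. an open relay."""
    domain = recipient.rpartition("@")[2].lower()
    if domain in LOCAL_DOMAINS:
        return "accept", "recipient is local, no relaying involved"
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in MY_NETWORKS):
        return "accept", "client is in a trusted network"
    if authenticated:
        return "accept", "client authenticated with SMTP AUTH"
    if allow_unauth_relay:
        return "accept", "OPEN RELAY: unauthenticated relay permitted"
    return "reject", "relay access denied"


def is_open_relay(decide):
    """Probe a decision function: an outside, unauthenticated client asks the
    server to forward mail to an outside domain. True means the relay is open."""
    action, _reason = decide("203.0.113.9", False, "someone@example.net")
    return action == "accept"


if __name__ == "__main__":
    closed = lambda ip, auth, rcpt: relay_decision(ip, auth, rcpt)
    opened = lambda ip, auth, rcpt: relay_decision(ip, auth, rcpt, allow_unauth_relay=True)
    print("closed policy is an open relay:", is_open_relay(closed))
    print("open policy is an open relay:  ", is_open_relay(opened))
```

The ordering of the checks matters: local delivery is always accepted, relaying needs a trusted network or authentication, and everything else is rejected. In Postfix the same three steps correspond to `smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination`; other MTAs have an equivalent setting in their documentation.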
3. Botnets
Attackers use botnets to automatically run and distribute malicious software on “agent” servers. They then use the agent machines to attack or infect others. Because all of this can be done automatically without user intervention, botnets can spread very quickly and be deadly for large networks. They are commonly used in DDoS attacks and spam campaigns.
4. Denial of Service
DoS stands for Denial of Service, and is a technique attackers will use to effectively shut off access to your site. They accomplish this by increasing traffic on your site so much that the victim’s server becomes unresponsive. While some DoS attacks come from single attackers, others are coordinated and are called Distributed Denial of Service (DDoS) attacks. Often, the users of computers executing a DDoS do not even know their computers are being used as agents.
5. Cross-site Scripting
Cross-site scripting or XSS is a technique that makes use of vulnerabilities in web applications. According to UK dedicated hosting server specialists at 34SP.com, the vulnerability allows the attacker to inject code into the pages a server-side script generates, so that malicious client-side script runs in other users’ browsers and can gather sensitive data from them. You can fix most XSS problems by using scanner software to detect vulnerabilities and then fixing whatever you find.
6. SQL Injection
Like XSS, SQL injection requires a vulnerability to be present in the way a web application builds the queries it sends to its database. The malicious code is inserted into strings that are later passed to the SQL server, parsed, and executed. As with other vulnerability-dependent attacks, you can prevent it by scanning for problem code and fixing it.
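The two application flaws in sections 5 and 6 side by side with their fixes, as an added example that is not part of the original article: a lookup built by string concatenation next to a parameterised query (SQL injection), and a page that reflects user input untouched next to one that escapes it (XSS). The in-memory SQLite table and the user records are constructed sample data.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory users table (sample data for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn, name):
    """Builds the query by string concatenation: the input can change the
    query's structure, which is exactly what SQL injection relies on."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """Parameterised query: the driver sends the value separately, so it can
    only ever be compared against, never parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def render_vulnerable(display_name):
    """Reflects user input into HTML untouched: a browser will run any
    <script> element it contains (reflected XSS)."""
    return "<p>Welcome, " + display_name + "</p>"


def render_safe(display_name):
    """Escapes the HTML-significant characters so the input is shown as
    text rather than interpreted as markup."""
    return "<p>Welcome, " + html.escape(display_name, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"          # the classic test input scanners send
    print("vulnerable:", lookup_vulnerable(db, probe))  # returns every row
    print("safe:      ", lookup_safe(db, probe))        # returns nothing
    payload = "<script>alert(1)</script>"
    print(render_vulnerable(payload))
    print(render_safe(payload))
```

The probe string is the kind of input a scanner sends to find the problem code the section mentions: against the concatenated query it returns every row, against the parameterised query it matches no user. Escaping output is the XSS counterpart of parameterising queries, and both fixes are mechanical enough that a code review or scanner can check for them.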
7. Malware
Malware can take many forms, but as the name implies, it is malicious software. It can take the form of viruses, bots, spyware, worms, trojans, rootkits, and any other software intended to cause harm. In most cases, malware is installed without the user’s direct consent. It may attack the user’s computer and/or attack other computers through the user’s own system. Having proper firewall and security software protection can usually prevent malware from spreading.
8. Unpatched Software
Most threats to a server can be prevented simply by having up-to-date, properly-patched software. All server operating system vendors and distributions publish security updates. By installing them on your system in a timely manner, you prevent attackers from using your server’s own vulnerabilities against it.
9. Careless Users
The number one, most prevalent threat to a server’s security is users’ carelessness. If you or your users have passwords that are easy to guess, poorly written code, unpatched software, or a lack of security measures like anti-virus software, you are just asking for trouble. By enforcing strong security practices and secure authentication, you can lessen or even eliminate most threats.
Every day, attackers conspire to take down applications and steal data, leaving data centre infrastructure in the crosshairs. Storing an organisation’s most valuable and most visible assets – its web, DNS, database and email servers – data centres have become the number one target of cyber criminals, hacktivists and state-sponsored attackers.
Whether seeking financial gain, competitive intelligence or notoriety, attackers are carrying out their assaults using a range of weapons. The top five most dangerous threats to a data centre are:
1. DDoS attacks
2. Web application attacks
3. DNS infrastructure: attack target and collateral damage
4. SSL-induced security blind spots
5. Brute force and weak authentication
To counter these threats, organizations need a solution that can lock down their data centres. Otherwise they risk a high-profile data breach, downtime or even brand damage.
1. DDoS Attacks
Servers are a prime target for distributed denial of service (DDoS) attacks aimed at disrupting and disabling essential Internet services. While web servers have been at the receiving end of DDoS attacks for years, attackers are now exploiting web application vulnerabilities to turn web servers into ‘bots’. They use these captive servers to attack other websites.
By leveraging web, DNS and NTP servers, attackers can amplify the size and the strength of DDoS attacks. While servers will never replace traditional PC-based botnets, their greater compute capacity and bandwidth enable them to carry out destructive attacks – one server could equal the attack power of hundreds of PCs.
With more and more DDoS attacks launched from servers, it’s not surprising that the size of attacks has grown sharply. Between 2011 and 2013, the average size of DDoS attacks surged from 4.7 to 10 Gbps.
Worse, there has been a staggering increase in the average packets per second in typical DDoS attacks; attack rates skyrocketed 1,850 percent to 7.8 Mpps between 2011 and 2013. At the current trajectory, DDoS attacks could reach 95 Mpps in 2018 – powerful enough to incapacitate most standard networking equipment.
DDoS for hire services, often called ‘booters’, have mushroomed too. Many advertise their capabilities in YouTube videos and forum posts. While some masquerade as ‘stress testing’ services, many boldly claim to ‘take enemies offline’ or ‘eliminate competitors’. Such services enable virtually any individual or organisation to execute a DDoS attack.
2. Web Application Attacks
Cyber criminals also launch web attacks like SQL injection, cross-site scripting (XSS) and cross-site request forgery (CSRF), trying to break into applications and steal data for profit. Increasingly, attackers target vulnerable web servers and install malicious code in order to transform them into DDoS attack sources.
Some 98 percent of all applications currently have or have had vulnerabilities, and the median number of vulnerabilities per application was 20 in 2014, according to a 2015 Trustwave Global Security Report.
Today’s most dangerous application threats, like SQL injection and cross-site scripting, aren’t new but they are still easy to perform and lethally effective. Tools like the Havij SQL injection tool enable hackers to automate their attack processes and quickly exploit vulnerabilities.
The recent wave of web attacks on CMS applications has also revealed a gaping hole in the strategy to lock down applications by writing secure code. Because CMS applications are usually developed by third parties, organizations can’t rely on the protection of secure coding. In 2013, 35 per cent of all breaches were caused by web attacks. More than ever, organizations need a proactive defense to block web attacks and ‘virtually patch’ vulnerabilities.
3. DNS Infrastructure
DNS servers have become a top attack target for two reasons. First, taking DNS servers offline is an easy way for attackers to keep thousands or millions of Internet subscribers from accessing the Internet. If attackers incapacitate an ISP’s DNS servers, they can prevent the ISP’s subscribers from resolving domain names, visiting websites, sending email and using other vital Internet services.
Secondly, attackers can exploit DNS servers to amplify DDoS attacks. In DNS reflection attacks, attackers spoof the IP address of their real attack target. They send queries that instruct the DNS server to recursively query many DNS servers or to send large responses to the victim. As a result, powerful DNS servers drown the victim’s network with DNS traffic. Even when DNS servers are not the ultimate target of the attack, they can still suffer downtime and outages as the result of a DNS reflection attack.
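The amplification and mitigation described above from the resolver operator's side, as an added example that is not part of the original article: constructed query-log records (a burst of small ANY queries whose large answers all go to one spoofed address, plus a normal client) are summarised per source IP, the high-volume high-amplification address is flagged as a likely reflection victim, and a response-rate limiter shows how a resolver caps what it sends to any one address. The log layout, thresholds and addresses are assumptions for the demo.

```python
from collections import Counter

# Constructed resolver query log: (time_seconds, client_ip, qtype, query_bytes,
# response_bytes). The 203.0.113.50 entries model a burst of spoofed ANY
# queries whose large answers all go to that one address.
SAMPLE_QUERIES = [(100.0 + i * 0.01, "203.0.113.50", "ANY", 64, 3000)
                  for i in range(50)]
SAMPLE_QUERIES += [
    (101.0, "198.51.100.20", "A", 40, 120),
    (102.0, "198.51.100.20", "AAAA", 40, 132),
    (103.5, "198.51.100.20", "A", 38, 110),
]


def amplification_factor(query_bytes, response_bytes):
    """Bytes the server sends per byte the (possibly spoofed) client sent."""
    return response_bytes / query_bytes


def summarize_clients(records):
    """Per source IP: query count and the overall amplification factor."""
    q_bytes, r_bytes, count = Counter(), Counter(), Counter()
    for _ts, ip, _qtype, qb, rb in records:
        count[ip] += 1
        q_bytes[ip] += qb
        r_bytes[ip] += rb
    return {ip: {"queries": count[ip],
                 "amplification": amplification_factor(q_bytes[ip], r_bytes[ip])}
            for ip in count}


def suspected_reflection_targets(records, min_queries=20, min_amplification=10.0):
    """IPs receiving many large answers to tiny queries. On a resolver these
    are usually the victims whose address is being spoofed, not attackers."""
    summary = summarize_clients(records)
    return sorted(ip for ip, s in summary.items()
                  if s["queries"] >= min_queries
                  and s["amplification"] >= min_amplification)


def rate_limit_responses(records, max_per_second=5):
    """Response rate limiting, the mitigation resolvers use: cap answers sent
    to any one IP per second. Returns (allowed, dropped) counters by IP."""
    sent = Counter()
    allowed, dropped = Counter(), Counter()
    for ts, ip, _qtype, _qb, _rb in records:
        bucket = (ip, int(ts))  # one bucket per source IP per second
        if sent[bucket] < max_per_second:
            sent[bucket] += 1
            allowed[ip] += 1
        else:
            dropped[ip] += 1
    return allowed, dropped


if __name__ == "__main__":
    for ip, s in summarize_clients(SAMPLE_QUERIES).items():
        print(f"{ip}: {s['queries']} queries, x{s['amplification']:.1f} amplification")
    print("suspected reflection targets:", suspected_reflection_targets(SAMPLE_QUERIES))
    allowed, dropped = rate_limit_responses(SAMPLE_QUERIES)
    print("responses allowed:", dict(allowed), "dropped:", dict(dropped))
```

The point the numbers make: each 64-byte query here draws a 3000-byte answer, so the server sends the spoofed address about 47 bytes for every byte the attacker spent, and the limiter cuts that to five answers per second regardless of how many queries arrive. Real resolvers also refuse recursion for clients outside their own networks, which removes the spoofed queries before any answer is generated.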
4. SSL-induced blind spots
To prevent the continuous stream of malware and intrusions in their networks, enterprises need to inspect incoming and outgoing traffic for threats. Unfortunately, attackers are increasingly turning to encryption to evade detection.
With more and more applications supporting SSL – over 40 percent of applications can use SSL or change ports – SSL encryption represents an enormous crater that malicious actors can exploit.
While many firewalls, intrusion prevention and threat prevention products can decrypt SSL traffic, they can’t keep pace with growing SSL encryption demands. The transition from 1024- to 2048-bit SSL keys has burdened security devices because 2048-bit certificates require approximately 6.3 times more processing power to decrypt. With SSL certificate key lengths continuing to increase, many security devices are collapsing under increased decryption demands.
For end-to-end security, organisations need to inspect outbound SSL traffic originating from internal users, and inbound SSL traffic originating from external users to corporate-owned application servers to eliminate the blind spot in corporate defenses.
Clearly organisations need a high-powered solution to intercept and decrypt SSL traffic, offloading intensive SSL processing from security devices and servers.
Princess Austen (BSc.)
CS & Strategic Marketing Dept.