Securing an Old Web Server

TL;DR

Old web servers are inherently risky due to lack of security updates. While a complete fix isn’t always possible, you can significantly reduce risk by patching what you can, hardening the configuration, limiting access, and monitoring for threats. This guide provides practical steps.

Steps to Secure an Old Web Server

1. Identify the Operating System and Web Server Software

• Determine the exact version of your OS (e.g., Windows Server 2008 R2, CentOS 6). This is crucial for finding available patches. Use commands like:

  windows: winver

  linux: cat /etc/os-release

• Identify the web server software (e.g., Apache, IIS, Nginx) and its version. Commands vary:
  • Apache: apachectl -v or httpd -v
  • IIS: Open IIS Manager & check ‘About’ under Help.
  • Nginx: nginx -v

Apply Security Patches (If Possible)

• Check the vendor’s website for available security updates. Be realistic – many older OS versions are no longer supported.
• If patches exist, apply them immediately. Follow the vendor’s instructions carefully.
• For Windows Server, use Windows Update. Ensure all critical updates are installed.

  Control Panel > System and Security > Windows Update

• For Linux, use your distribution’s package manager (e.g., yum update for CentOS/RHEL, apt-get update && apt-get upgrade for Debian/Ubuntu).

Harden the Web Server Configuration

• Disable Unnecessary Modules: Remove any web server modules you don’t need. This reduces the attack surface.
  • Apache: Comment out or remove lines in your httpd.conf file using a2dismod module_name
  • IIS: Disable features in IIS Manager.
  • Nginx: Comment out modules in the nginx.conf file.
• Configure Error Pages: Hide detailed error messages that could reveal information about your server.
• Limit Directory Listing: Disable directory listing to prevent attackers from browsing your files.

  Apache: Options -Indexes in httpd.conf

• Set Strong Permissions: Ensure appropriate file and directory permissions are set. Web server processes should have the minimum necessary access.

Implement a Firewall

• Configure a firewall to allow only essential traffic (ports 80 for HTTP, 443 for HTTPS). Block all other incoming connections.
• For Windows Server: Use Windows Defender Firewall.

  Control Panel > System and Security > Windows Defender Firewall

• For Linux: Use iptables or firewalld.

  sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

  sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

Enable HTTPS (SSL/TLS)

• Even with an old server, enabling HTTPS is vital. Use a free certificate from Let’s Encrypt if possible.
• Configure your web server to redirect HTTP traffic to HTTPS.

Limit Access and User Privileges

• Use strong passwords for all user accounts.
• Implement the principle of least privilege: grant users only the permissions they need.
• Disable or remove unnecessary user accounts.

Regularly Monitor Logs

• Monitor web server logs for suspicious activity (e.g., failed login attempts, unusual requests).
• Consider using a log analysis tool to automate this process.

Consider Isolation/Virtualization

• If possible, isolate the old web server in a virtual machine or container. This limits the impact of a potential compromise.

Plan for Replacement

• The best solution is to replace the old server with a modern, supported system as soon as feasible. Old systems will always be vulnerable.