Server Hardening

We all own devices that can access the internet: we browse all day, download files and click on links to visit sites. How do we know that a connection is not being made to our device or server without authorisation?

This is where we learn to protect our devices beyond simply installing antivirus software and leaving it to do the work. If we configure our devices restrictively, we reduce the attack surface and strengthen our security.

Firewall Configuration

Setting up a firewall on any platform is relatively easy, but it is the firewall's functions that a cybersecurity specialist will mostly focus on. The reason is that firewalls are programs with many features, and by default all they do is keep a log of incoming and outgoing traffic to a server or device.

However, they need to be instructed on what to block and what to allow, and online threats keep becoming more advanced. As artificial intelligence enters decision-making processes, we can begin to imagine how well a firewall will perform with this type of technology alongside modern antivirus software.

Though this is a huge advantage for security analysts, we still need to configure our devices so that threats can be identified before they occur and investigated after an incident. We need to be able to identify where a threat came from, how it happened and what to do next time.

This basic principle allows security analysts to tune a firewall to anticipate attacks and prevent them, while also keeping a record of all incoming and outgoing traffic. I could go on for a long while explaining all the features, types of firewalls and configuration methods, but it is more useful to show some examples of what a firewall can do and of typical configurations.

Using iptables on Linux:

            # Example code (Debian/Ubuntu; each command runs with sudo or as root)
            # Clear old rules
            sudo iptables -F

            # Allow loopback and already-active connections first, so that the SSH
            # session used to apply these rules is not cut off when the default
            # policy is switched to DROP below
            sudo iptables -A INPUT -i lo -j ACCEPT
            sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

            # Allow SSH (remote access)
            sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

            # Allow web traffic
            sudo iptables -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT

            # Block everything else by default (set last, once the allow rules are in place)
            sudo iptables -P INPUT DROP
            sudo iptables -P FORWARD DROP
            sudo iptables -P OUTPUT ACCEPT

            # Save the configuration so it survives a reboot
            # (/etc/iptables/rules.v4 is the file read by the iptables-persistent package)
            sudo iptables-save | sudo tee /etc/iptables/rules.v4

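The rules above drop unwanted packets silently; to keep the record of blocked traffic that the text describes, a LOG rule can be appended to the INPUT chain so that anything about to hit the DROP policy is written to the kernel log first. The script below is an added example, not code from the original page: it summarises such kernel log lines by source address and destination port so you can see where a threat came from. The `IPT-DROP:` prefix and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes a LOG rule was appended to INPUT
# after the allow rules and before the DROP policy takes effect, e.g.:
#   sudo iptables -A INPUT -j LOG --log-prefix "IPT-DROP: " --log-level 4
# Dropped packets then appear in the kernel log (journalctl -k or /var/log/kern.log)
# as lines like the constructed sample below (RFC 5737 documentation addresses).
SAMPLE_LOG='Mar 10 12:00:01 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=45012 DPT=23 SYN
Mar 10 12:00:02 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TTL=52 PROTO=TCP SPT=45013 DPT=3389 SYN
Mar 10 12:00:03 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TTL=48 PROTO=TCP SPT=51000 DPT=23 SYN
Mar 10 12:00:04 web1 kernel: IPT-DROP: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 TTL=52 PROTO=UDP SPT=40000 DPT=161
Mar 10 12:00:05 web1 kernel: unrelated kernel message, ignored by the filters below'

# Read log lines on stdin; print "count source-address", busiest source first.
drops_by_source() {
    awk '/IPT-DROP:/ { for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) n[substr($i, 5)]++ }
         END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# Read log lines on stdin; print "count PROTO/port", most-hit destination port first.
drops_by_port() {
    awk '/IPT-DROP:/ {
            proto = "?"; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   port  = substr($i, 5)
            }
            if (port != "") n[proto "/" port]++
         }
         END { for (k in n) print n[k], k }' | sort -k1,1nr -k2,2
}

# The single noisiest source address: the first thing to look at after an incident.
top_source() {
    drops_by_source | head -n 1 | awk '{ print $2 }'
}

# Demo on the constructed sample; on a live host pipe in real lines: journalctl -k | drops_by_source
if [ "${1:-}" = "--demo" ]; then
    echo "Drops by source:";           printf '%s\n' "$SAMPLE_LOG" | drops_by_source
    echo "Drops by destination port:"; printf '%s\n' "$SAMPLE_LOG" | drops_by_port
fi
```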
Windows Firewall

1. Open the Firewall

          Click the Start Menu, type “Windows Defender Firewall”, and open it.
          
2. Turn It On

          In the left panel, click “Turn Windows Defender Firewall on or off.”

          Make sure it’s ON for both Private and Public networks.
          
3. Block Everything by Default

          Go back to the main window and click “Advanced settings.”

          In the pop-up, click “Windows Defender Firewall Properties.”

          Under each tab (Domain, Private, Public), set Inbound connections to Block and Outbound connections to Allow.
          
4. Allow Only What You Need

          In the left panel, click “Inbound Rules.”

          On the right, choose “New Rule.”

          Select Port, then Next, choose TCP, and type 80, 443 (for websites).

          Click Next → Allow the connection → Finish.

          Repeat for port 22 if you use SSH (for remote access).
          
5. Turn on Logging

          Still in “Advanced settings,” click “Monitoring → Firewall”.

          Open Properties → Logging tab.

          Turn on “Log dropped packets.”

          This helps you see what the firewall is blocking.
          
That’s it — your Windows firewall will now allow only web and SSH traffic and block everything else.

Mac OS

1. Open Firewall Settings


            Click the Apple menu → System Settings → Network → Firewall.
            

2. Turn It On


            Switch the Firewall toggle to ON.
            

3. Enable Stealth Mode


            Click “Options…” (or “Options & Details”).

            Turn on “Stealth Mode.”
            (This hides your computer from unknown network requests.)
            

4. Allow Only Needed Apps


            In the same window, review the list of apps.

            Remove or deny access to apps you don’t need network access for.

            Make sure only your web server, browser, or other necessary tools are allowed.
            

5. Advanced Users (Optional)


            If you want more control, you can use pf (Packet Filter), macOS’s advanced firewall — but for most users, the built-in firewall is enough and much safer to manage.
            

These are some basic configurations, and you may want to consult a cybersecurity professional to help you navigate some of the commands and instructions.

Apache Hardening

Running a web server is straightforward, but keeping it secure is where the real challenge lies. Apache configuration is key to securing and maintaining your web server. Fine-tuning and adjusting its settings allows you to restrict network behaviour and protect your server from various types of attacks.

Hardening Apache is a smart decision, and it’s not overly complicated to implement. A security analyst can guide you on what to look out for and how to safeguard your server effectively.

It’s important to note that while Apache plays a critical role in server security, it is not responsible for input sanitisation. For example, consider SQL injection attacks, where a user might attempt to log in using input like ' OR 1=1--. These attacks target the application itself, not the server. However, Apache can help mitigate such attacks to some extent when paired with modules like ModSecurity (mod_security), which can filter and block malicious requests before they reach your application.

As with all areas of cybersecurity, the topic is vast and goes far beyond input sanitisation. While some basic checks can be performed at the HTML or application level, hardening Apache allows you to focus on securing the server itself, reducing the risk of exploits and providing a safer environment for your web applications.

Remember, Apache’s primary role is to deliver your website across a network, and its security features are meant to protect the server and its communication—not replace proper application-level defences.

1. Keep Apache Updated

          Always run the latest version to fix security issues:

          sudo apt update && sudo apt upgrade

2. Hide Server Info

          Stop Apache from showing its version and OS details. Edit security.conf and add:

          # "Off" removes the version footer from error pages; "Prod" sends only "Apache" in the Server header
          ServerSignature Off
          ServerTokens Prod

3. Use HTTPS (SSL/TLS)

          Encrypt traffic with a free Let’s Encrypt certificate:

          sudo apt install certbot python3-certbot-apache
          sudo certbot --apache

4. Disable Directory Listing

          Prevent visitors from browsing your folders. Add this to your site config (typically inside the <Directory> block for your document root):

          Options -Indexes

5. Add Basic Security Headers

          Protect against common web attacks. These directives need mod_headers (on Debian/Ubuntu: sudo a2enmod headers):

          Header always set X-Frame-Options "SAMEORIGIN"
          Header always set X-Content-Type-Options "nosniff"
          # Legacy header: modern browsers ignore it, but it is harmless to keep
          Header always set X-XSS-Protection "1; mode=block"

          After editing, check the syntax with sudo apachectl configtest and reload Apache so the changes take effect.


✅ Result: Your Apache server is encrypted, hides sensitive info, and resists common attacks — all with just a few simple commands.
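An added audit script, not code from the original page, that checks whether the directives from steps 2, 4 and 5 are actually in effect in a config directory rather than only present as comments; it builds two constructed sample trees ("weak", a stock install, and "hard", with the directives applied) and reports what each one lacks. It assumes the Debian/Ubuntu layout under /etc/apache2 and leaves X-XSS-Protection out because modern browsers ignore it.

```shell
#!/bin/sh
# Added example, not part of the original page: audit an Apache config directory for the
# hardening directives in steps 2, 4 and 5. Assumes the Debian/Ubuntu layout, where every
# active file ends in .conf below one directory (normally /etc/apache2).
# One check per line, "label|regex". Regexes are anchored at line start so a commented-out
# directive does not count. X-XSS-Protection is deliberately not checked: modern browsers
# ignore it, so its absence is not a finding.
CHECKS='ServerTokens Prod|^[[:space:]]*ServerTokens[[:space:]]+Prod[[:space:]]*$
ServerSignature Off|^[[:space:]]*ServerSignature[[:space:]]+Off[[:space:]]*$
Options -Indexes|^[[:space:]]*Options[[:space:]].*-Indexes
X-Frame-Options header|^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+X-Frame-Options
X-Content-Type-Options header|^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+X-Content-Type-Options'

# Print "MISSING: <label>" for every directive found in no *.conf file under directory $1.
audit_apache_dir() {
    printf '%s\n' "$CHECKS" | while IFS='|' read -r label regex; do
        grep -Eirq --include='*.conf' "$regex" "$1" || echo "MISSING: $label"
    done
}
# Create two constructed config trees in a temp dir and print its path:
# "weak" mirrors a stock install, "hard" has the directives from this section applied.
make_sample_configs() {
    base=$(mktemp -d)
    mkdir -p "$base/weak/conf-enabled" "$base/hard/conf-enabled" "$base/hard/sites-enabled"
    cat > "$base/weak/conf-enabled/security.conf" <<'EOF'
ServerTokens OS
ServerSignature On
# Options -Indexes   (commented out, so not in effect)
EOF
    cat > "$base/hard/conf-enabled/security.conf" <<'EOF'
ServerTokens Prod
ServerSignature Off
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
EOF
    cat > "$base/hard/sites-enabled/000-default.conf" <<'EOF'
<Directory /var/www/html>
    Options -Indexes FollowSymLinks
</Directory>
EOF
    echo "$base"
}

# Run with --demo to audit both sample trees; on a real host: audit_apache_dir /etc/apache2
if [ "${1:-}" = "--demo" ]; then
    base=$(make_sample_configs)
    for t in weak hard; do echo "$t:"; audit_apache_dir "$base/$t"; done
    rm -rf "$base"
fi
```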