76 Web Server Security Tips

Tuesday, 27 May 2014
Here are 76 tips to help you improve the security of your web server host. A few simple steps can improve web security; check the following tips to make your server more secure.
Protect passwords
  1. Use passwords with at least 8 characters.
  2. Use complex passwords that include numbers, letters, symbols ...
  3. Use different passwords for different accounts.
  4. Check password strength with a supporting tool.
  5. Do not use common passwords. Example: 123456, toikhongbiet ...
  6. Do not use passwords with repeated patterns, e.g.: 1111111111, 1212121212 ...
  7. Do not use a password that contains information such as your date of birth, phone number ...
  8. Do not store passwords on a laptop, phone or tablet.
  9. Use a password manager from a reputable vendor (e.g. LastPass).
  10. Enable '2-step verification' where service providers offer it.
  11. Use a password strength test.
Secure protocols for transmitting information
  1. Use a secure FTP protocol.
  2. Use SSH instead of Telnet.
  3. Use secure email protocols (POP3S/IMAPS/SMTPS).
  4. Enable SSL security (HTTPS).
  5. Use a VPN when available.
  6. Use a firewall on all endpoint devices, including servers and clients.
  7. Use a home / office firewall / IPS system.
  8. Encrypt data sent by email.
  9. Do not use public computers to access sensitive data.
Secure Web Applications
  1. Subscribe to notifications of website updates.
  2. Update the website to the latest version.
  3. Use security scanning tools such as Nessus.
  4. Use a firewall Web browser.
  5. Check uploaded files; the upload source is not guaranteed to be trustworthy.
  6. Secure your custom code.
  7. Use frameworks with a good security system.
  8. Secure sensitive paths (directories / files).
  9. Limit logins by IP for "Administrator".
  10. Sanitize text box input.
  11. Hide sensitive folders or restrict access to them.
  12. Using Shell commands in code.
  13. Do not trust information in the HTTP path supplied by users; it may be fake.
  14. Use POST instead of GET to send sensitive data over the link.
  15. Confirm data from the server.
  16. Do not rely on relative file paths and names.
  17. Identify each file access.
  18. Limit file uploads to allowed file types (.zip, .jpg, .png ...).
  19. Create safe error messages that do not disclose sensitive information.
  20. Handle cookies carefully; they can be edited.
  21. Encrypt the configuration file (config.php).
  22. Protect against DDoS attacks.
  23. Disable URL fopen if possible.
  24. Enable Safe mode on the Apache system if possible.
  25. Disable dangerous PHP functions.
  26. Be careful with sensitive files (".bak", ".txt", ".sql") in the web directory.
  27. Carefully use the default version on the root.
  28. Set the default reply email and tracking return.
  29. Constantly updated version every home.
  30. Always check system errors and logs.

Secure server
  1. Update the operating system version regularly.
  2. Control updated regularly.
  3. Reduce disclosed information (e.g. change ServerTokens in Apache).
  4. Do not install software that is not used.
  5. Do not keep backup copies or older versions of software.
  6. Restrict access to sensitive accounts.
  7. Make sure that the operating system keeps logs.
  8. Make sure that the server has a firewall installed.
  9. Delete the default information in the database.
  10. Disable SSH root access.
  11. Use SSH keys to log in.
  12. Disable unused services.
  13. Always have backups of the system itself.
  14. Check the backup system.
  15. No development of the system has not been announced.
  16. Keep up to date with system security notification services.
  17. Track web traffic to check for unusual activity.
  18. Regularly run security scans and checks.
  19. Set the default services in Apache, SSH and other services.
  20. Use the root account only when necessary.
  21. Use "sudo" to grant account privileges.
  22. Enable "SELinux".
  23. Using the private network through the network.
  24. Use the appropriate key.
  25. Perform password checks.
  26. Make strong passwords and change passwords every month.
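
Server tips 10 and 11 (disabling SSH root access and using SSH keys to log in) can be checked against an sshd_config file. The following is an added example, not part of the original post: it reports the value sshd actually uses, which is the first occurrence of a keyword, so a hardening line appended below an earlier setting has no effect. The sample config, the function names, the listed defaults and the choice to treat enabled password login as a gap against tip 11 are assumptions.

```python
# Added example. DEFAULTS are assumed from current OpenSSH; check your version.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# Constructed sample, not taken from a real host.
SAMPLE = """\
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
# Appended later by an admin; ignored because the first value wins.
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

def effective_settings(config_text):
    """Return the global value sshd uses for each audited keyword."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break  # Match blocks are conditional; audit global scope only
        if key in DEFAULTS and len(parts) == 2:
            seen.setdefault(key, parts[1].strip().lower())  # first wins
    return {**DEFAULTS, **seen}

def audit(config_text):
    """List settings that conflict with the two SSH tips."""
    s = effective_settings(config_text)
    findings = []
    if s["permitrootlogin"] != "no":
        findings.append("root login over SSH is not disabled")
    if s["passwordauthentication"] != "no":
        findings.append("password login is still enabled")
    if s["pubkeyauthentication"] != "yes":
        findings.append("public key login is disabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

On a running server, `sshd -T` prints the effective configuration and is the authoritative check, since it also resolves included files.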