k

Davide Staffieri

SysAdmin, programming, technician & ideas.

Email Me

© 2020-2024 All rights reserved.

How to secure your server (Debian/Linux) and WordPress

02 Feb 2021 #linux #security

Basic steps to secure your server from DDOS and BruteForce attacks.

Creating strong passwords i would recommend using a browser extensions as password generator.

-Configuring Auto-Update: 

apt install unattended-upgrades
systemctl enable unattended-upgrades
systemctl status unattended-upgrades

nano /etc/apt/apt.conf.d/50unattended-upgrades

Unattended-Upgrade::Package-Blacklist  
"apache2";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Verbose "true";

nano /etc/apt/apt.conf.d/20auto-upgrades

APT::Periodic::Update-Package-list"1";
APT::Periodic::Unattended-Upgrade"1";
APT::Periodic::AutocleanIntercal"7";
systemctl restart unattended-upgrades
unattended-upgrade --dry-run --debug

-Firewall:

Install UFW:
apt install ufw
Allow only your ip to connect to ssh port: 
 ufw deny ssh/tcp
ufw allow from 15.15.15.0/24  to any port 22

ufw limit 22/tcp

ufw allow 80/tcp
ufw allow 443/tcp
ufw default deny incoming
ufw default deny  outgoing

systemctl enable ufw.service
systemctl start ufw.service
ufw status
ufw enable
MaxAuthTries 2
MaxSessions 2
PermitRootLogin no
Uncomment >>
enable spoof
block ping ICMP  
add net.ipv4.icmp_echo_ignore_all = 1
not a router
martian packet

/sbin/sysctl -p

Fail2ban – Bruteforce:

apt-get install fail2ban
systemctl enable fail2ban
systemctl restart fail2ban.service

nano /etc/fail2ban/filter.d/http-get-dos.conf

# Fail2Ban configuration file
 [Definition]
# Option: failregex 
 # Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match. 
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives. 
 failregex = ^<HOST> -.*"(GET|POST).* 
 # Option: ignoreregex
 ignoreregex =

nano /etc/fail2ban/jail.local

##Block the failed login attempts on the SSH server.
[sshd]
enable = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 2
findtime = 300000
bantime = 300000
ignoreip = xxx.xxx.xxx.xxx

##Block the remote host that is trying to request suspicious URLs.
 [apache-overflows]
 enabled = true
 port = http,https
 filter = apache-overflows
 logpath = /var/log/apache2/*error.log
 maxretry = 2
 bantime = 30000
 ignoreip = xxx.xxx.xxx.xxx

##Stop DOS attack from remote host. 
[http-get-dos]
 enabled = true
 port = http,https
 filter = http-get-dos
 logpath = /var/log/apache2/access.log
 maxretry = 50
 findtime = 400
 bantime = 200000
 ignoreip = xxx.xxx.xxx.xxx
 action = iptables[name=HTTP, port=http, protocol=tcp]

##Block the remote host that is trying to search for scripts on the website to $
 [apache-noscript]
 enabled = true
 port = http,https
 filter = apache-noscript
 logpath = /var/log/apache2/*error.log
 maxretry = 2
 bantime = 30000
 ignoreip = xxx.xxx.xxx.xxx

fail2ban-client status sshd / http-get-dos /apache-overflows /apache-badbots /apache-noscript

IpTables: N/D

-Apache:

-Install Mod-evasive:

apt install libapache2-mod-evasive https://phoenixnap.com/kb/apache-mod-evasive

-Install Mod-Security:

apt install libapache2-mod-security2 apt install modsecurity-crs

How to Set up & Configure ModSecurity on Apache

Not very friendly with WordPress I would recommend check log errors and start from there:

tail /var/log/apache2/error.log

-Apache/wordpress security:

nano /etc/apache2/apache2.conf

<Directory /var/www/dstaffieri>
        AllowOverride All
        Options -Indexes
        ServerSignature Off
</Directory>

-Setting up Apache authentications:

apt install apache2-utils 
htpasswd -c /etc/apache2/.htpasswd "user"
cd wp-admin/
nano .htaccess
AuthName "Admin Login"
AuthUserFile /et/apache2/.htpasswd
AuthType basic
Require valid-user
chmod 0444 .htaccess
systemctl restart apache2

Wordpress:

-Disable file editing nano /var/www/html/..wp-config.php

/** Disable file editing
define('DISALLOW_FILE_EDIT',true)
permission
chmod 0444 wp-config.php
chmod 0444 .htaccess

-Disable directory listening

nano .htaccess 
Options -Indexes
systemctl restart apache2
apt install modsecurity-crs

-Disable Php uploads

cd ../wp-content/uploads/
nano .htaccess
<Files *.php>
deny from all
</php>
chmod 0444 .htaccess

apt install auditd

Antivirus:

-Install ClamAV
apt install clamav clamav-daemon
systemctl stop clamav-freshclam
systemctl start clamav-daemon.service 
freshclam 
systemctl start clamav-freshclam.service
clamscan -i -r -v /
clamscan -i -r -v  --remove /

-Automatic scanning:

crontab -e
SHELL=/bin/bash
HOME=/
0 01 * * 1 date >> /var/log/clamav_log
0 01 * * 1 clamscan --exclude-dir=/proc/* --exclude-dir=/sys/* -i -r / >> /var/log/rsync_log
crontab -l

-Install Rkhunter

apt install rkhunter
rkhunter --check
-Auto-scanning
nano /etc/default/rkhunter 
CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"
APT_AUTOGEN="true"

-Install Lynis

apt install lynis
lynis audit system
lynis --pentest
grep Suggestion /var/log/lynis.log 
Review the result and make the change

-Install aide

apt-get install aide -y
aideinit
cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
update-aide.conf
cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf
aide -c /etc/aide/aide.conf --check

-Automated Backup

-Website Backup

rsync -av  /var/www/html/ /backups/website/$(date +\%Y\%m\%d)
crontab -e
00 01 * * 1 rsync -avz  /var/www/html/ /backups/website/$(date +\%Y\%m\%d) >> /var/log/cronjob1.log 2>&1

-MySQL Security

mysql_secure_installation
/etc/mysql/my.conf  
[mysqld]
skip-grant-tables
bind-address = 127.0.0.1
local-infile=0
chmod 644 /etc/my.cnf

-MySQL Backup

mysqldump -u root -p'xxx' wordpress | gzip -c > /backups/database/$(date +\%Y\%m\%d).sql.gz
crontab -e
00 01 * * * mysqldump -u root -p'93zcsb43' wordpress | gzip -c > /backups/database/wordpress$(date +\%Y\%m\%d).sql.gz >> /var/log/cronjob2.log 2>&1

grep CRON /var/log/syslog

Restore

mysql -u root p'password' database_name < /path/to/[database_name].sql

-Cloudfare: Set up your DNS to Prevent RDNS and ddos - free account

-Wordpress Install Wordfence Plugin and Loginizer Brute Force Block Ip bruteforce attack

-Zabbix:

-Webmin:

-DDOS usefull commands:

number of connections

netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -alpn | grep :80 | awk '{print $5}' |awk -F: '{print $(NF-1)}' |sort | uniq -c | sort -nr
netstat -an | grep :80 | grep -v 127.0.0.1 | awk '{ print $5 }' | sort | awk -F: '{ print $1, $4 }' | uniq -c | awk ' $1 > 100 { print $1, $2 }' > /tmp/blackname.txt
grep 'sshd' /var/log/auth.log
grep 'http' /var/log/auth.log
grep 'https' /var/log/auth.log


awk '{print $1}' /var/log/apache2/access.log | sort -u

-Block the attacking network

ufw deny from 192.168.1.5 to any
ufw reject from 202.54.5.7 to any 
iptables -A INPUT -s <Source IP> -j DROP