How to secure your server (Debian/Linux) and WordPress
02 Feb 2021 #linux #security
Basic steps to secure your server against DDoS and brute-force attacks.
Creating strong passwords: I would recommend using a browser extension as a password generator.
Configuring auto-updates
apt install unattended-upgrades
systemctl enable unattended-upgrades
systemctl status unattended-upgrades
nano /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Package-Blacklist
"apache2";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Verbose "true";
nano /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-List "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::Autoclean-Interval "7";
systemctl restart unattended-upgrades
unattended-upgrade --dry-run --debug
Firewall
# Install UFW
apt install ufw
Allow only your IP to connect to the SSH port (ufw evaluates rules in the order they were added, so a blanket deny entered first also matches the later `allow from` rule; add the allow rule first, or place it with `ufw insert 1 …`):
ufw deny ssh/tcp
ufw allow from 15.15.15.0/24 to any port 22
ufw limit 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw default deny incoming
ufw default allow outgoing
systemctl enable ufw.service
systemctl start ufw.service
ufw status
ufw enable
SSH hardening
nano /etc/ssh/sshd_config
MaxAuthTries 2
MaxSessions 2
PermitRootLogin no
Sysctl
nano /etc/sysctl.conf
Uncomment the following entries:
enable spoof protection (reverse-path filter)
block ping (ICMP echo)
add net.ipv4.icmp_echo_ignore_all = 1
not a router (do not send ICMP redirects; do not accept source-routed packets)
log martian packets
/sbin/sysctl -p
Fail2ban (brute-force protection)
apt-get install fail2ban
systemctl enable fail2ban
systemctl restart fail2ban.service
nano /etc/fail2ban/filter.d/http-get-dos.conf
# Fail2Ban configuration file
[Definition]
# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
failregex = ^<HOST> -.*"(GET|POST).*
# Option: ignoreregex
ignoreregex =
nano /etc/fail2ban/jail.local
##Block the failed login attempts on the SSH server.
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 2
findtime = 300000
bantime = 300000
ignoreip = xxx.xxx.xxx.xxx
##Block the remote host that is trying to request suspicious URLs.
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/*error.log
maxretry = 2
bantime = 30000
ignoreip = xxx.xxx.xxx.xxx
##Stop DOS attack from remote host.
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/access.log
maxretry = 50
findtime = 400
bantime = 200000
ignoreip = xxx.xxx.xxx.xxx
action = iptables[name=HTTP, port=http, protocol=tcp]
##Block the remote host that is trying to search for scripts on the website.
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/*error.log
maxretry = 2
bantime = 30000
ignoreip = xxx.xxx.xxx.xxx
fail2ban-client status sshd / http-get-dos / apache-overflows / apache-badbots / apache-noscript
IpTables: N/D
Apache
Install mod_evasive
apt install libapache2-mod-evasive
https://phoenixnap.com/kb/apache-mod-evasive
Install ModSecurity
apt install libapache2-mod-security2
apt install modsecurity-crs
How to Set up & Configure ModSecurity on Apache
Not very friendly with WordPress; I would recommend checking the error log and starting from there:
tail /var/log/apache2/error.log
Apache/WordPress security
nano /etc/apache2/apache2.conf
<Directory /var/www/dstaffieri>
AllowOverride All
Options -Indexes
ServerSignature Off
</Directory>
Setting up Apache authentication
apt install apache2-utils
htpasswd -c /etc/apache2/.htpasswd "user"
cd wp-admin/
nano .htaccess
AuthName "Admin Login"
AuthUserFile /etc/apache2/.htpasswd
AuthType basic
Require valid-user
chmod 0444 .htaccess
systemctl restart apache2
WordPress
Disable file editing
nano /var/www/html/your-site/wp-config.php
/** Disable file editing */
define('DISALLOW_FILE_EDIT', true);
Permissions
chmod 0444 wp-config.php
chmod 0444 .htaccess
Disable directory listing
nano .htaccess
Options -Indexes
systemctl restart apache2
apt install modsecurity-crs
Disable PHP execution in uploads
cd ../wp-content/uploads/
nano .htaccess
<Files *.php>
deny from all
</Files>
chmod 0444 .htaccess
apt install auditd
Antivirus
Install ClamAV
apt install clamav clamav-daemon
systemctl stop clamav-freshclam
systemctl start clamav-daemon.service
freshclam
systemctl start clamav-freshclam.service
clamscan -i -r -v /
clamscan -i -r -v --remove /
Automatic scanning
crontab -e
SHELL=/bin/bash
HOME=/
0 01 * * 1 date >> /var/log/clamav_log
0 01 * * 1 clamscan --exclude-dir=/proc/* --exclude-dir=/sys/* -i -r / >> /var/log/clamav_log
crontab -l
Install rkhunter
apt install rkhunter
rkhunter --check
Auto-scanning
nano /etc/default/rkhunter
CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"
APT_AUTOGEN="true"
Install Lynis
apt install lynis
lynis audit system
lynis --pentest
grep Suggestion /var/log/lynis.log
Review the results and make the suggested changes.
Install AIDE
apt-get install aide -y
aideinit
cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
update-aide.conf
cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf
aide -c /etc/aide/aide.conf --check
Automated backup
Website backup
rsync -av /var/www/html/ /backups/website/$(date +\%Y\%m\%d)
crontab -e
00 01 * * 1 rsync -avz /var/www/html/ /backups/website/$(date +\%Y\%m\%d) >> /var/log/cronjob1.log 2>&1
MySQL Security
mysql_secure_installation
Edit /etc/mysql/mariadb.conf.d/50-server.cnf (or my.cnf):
Caution: `skip-grant-tables` turns off the server's privilege checks entirely (every connection gets full access); it is meant only for temporarily recovering a lost root password and should not remain in a hardened configuration.
[mysqld]
skip-grant-tables
bind-address = 127.0.0.1
local-infile=0
chmod 644 /etc/mysql/my.cnf
MySQL backup
Passing the password on the command line exposes it to `ps` and to anyone who can read the crontab; prefer a `[client]` section in a mode-0600 `~/.my.cnf` or `--defaults-extra-file` instead.
mysqldump -u root -p'xxx' wordpress | gzip -c > /backups/database/$(date +\%Y\%m\%d).sql.gz
crontab -e
00 01 * * * (mysqldump -u root -p'YOUR_PASSWORD' wordpress | gzip -c > /backups/database/wordpress$(date +\%Y\%m\%d).sql.gz) 2>> /var/log/cronjob2.log
grep CRON /var/log/syslog
Restore
mysql -u root -p'password' database_name < /path/to/[database_name].sql
Cloudflare
Set up your DNS to prevent reflection and DDoS — free account available.
WordPress plugins
Install Wordfence and Loginizer (brute-force protection). Block IPs as needed.
DDoS useful commands
number of connections
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -alpn | grep :80 | awk '{print $5}' |awk -F: '{print $(NF-1)}' |sort | uniq -c | sort -nr
netstat -an | grep :80 | grep -v 127.0.0.1 | awk '{ print $5 }' | sort | awk -F: '{ print $1, $4 }' | uniq -c | awk ' $1 > 100 { print $1, $2 }' > /tmp/blackname.txt
grep 'sshd' /var/log/auth.log
grep 'http' /var/log/auth.log
grep 'https' /var/log/auth.log
awk '{print $1}' /var/log/apache2/access.log | sort -u
Block the attacking network
ufw deny from 192.168.1.5 to any
ufw reject from 202.54.5.7 to any
iptables -A INPUT -s <Source IP> -j DROP