You can check the security level of your web server with several web tools, for example https://www.ssllabs.com/ssltest. The report lists actions you can take to raise the security level.
This is done in the Apache configuration file /etc/apache2/apache2.conf. Add this line at the end of the file:
SSLProtocol All -SSLv2 -SSLv3
The first thing to do on a Linux server is to install a firewall with strict default rules. I use UFW (Uncomplicated FireWall, https://help.ubuntu.com/community/UFW), which is the default on Ubuntu:
sudo apt-get install ufw
UFW relies on iptables and makes network rules easy to manage.
After installation, ufw is not yet enabled. This is a good thing, because it is better to add your IP to the whitelist first; otherwise you could be locked out of your remote server. You also have to allow the SSH port to access the server remotely.
# Allow your IP (xxx.xxx.xxx.xxx)
sudo ufw allow from xxx.xxx.xxx.xxx
# Allow SSH
sudo ufw allow 22
# Also allow HTTP and HTTPS if you have a web server
sudo ufw allow 80
sudo ufw allow 443
fail2ban and the apf firewall are two server tools that automatically ban attackers' IP addresses. When both are installed, fail2ban must be configured to work with apf; otherwise their iptables rules conflict. See http://askubuntu.com/questions/124994/how-to-set-fail2ban-with-apf for details.
This is a simple script that automatically bans an IP when its number of connections exceeds the configured threshold. See https://antiddos.eu/en/news/item/20.
Note: if you get the error “$CONF not found” when running the script, you may change the first line of the script from:
The same change applies to the cron job.
There is also an issue with the cron service name. In the file, replace all occurrences of
service crond restart
with
service cron restart
The idea is to limit the number of new connections per minute to mitigate DDoS attacks. This is done on ports 80 (HTTP) and 443 (HTTPS). Connections above the limit are not matched by these rules and fall through to the rules that follow, so they are only refused if a later rule or the chain's default policy drops them.
sudo iptables -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT
To block a single IP address (XXX.XXX.XXX.XXX):
iptables -A INPUT -s XXX.XXX.XXX.XXX -j DROP
To get the list of blocked IPs:
iptables -L INPUT -v -n
Be sure your newly added rule comes before any rule that accepts all traffic, otherwise it has no effect. If necessary, you can specify the position of the new rule with -I and a rule number:
iptables -I INPUT 3 -s XXX.XXX.XXX.XXX -j DROP
To keep the rules across reboots, use the iptables-persistent package under Ubuntu.
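As an added example (not from the original page), a small POSIX sh script that parses the output of iptables -L INPUT -v -n, lists the DROP rules with their packet counters, and flags any DROP rule placed after an unconditional ACCEPT, which is exactly the ordering mistake described above. The chain text is a constructed sample so the script runs without root; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not from the original page: parse "iptables -L INPUT -v -n"
# output, list DROP rules, and flag DROP rules shadowed by an accept-all rule.
# Against a live system, feed the real output in place of the sample below.

# Constructed sample in the format "iptables -L INPUT -v -n" prints.
SAMPLE_INPUT_CHAIN='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   37  2220 DROP       all  --  *      *       198.51.100.7         0.0.0.0/0
  120  9600 ACCEPT     all  --  *      *       203.0.113.10         0.0.0.0/0
   50  3000 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       192.0.2.44           0.0.0.0/0'

# Print "source packets" for every DROP rule in the chain text given as $1.
# Columns: 1 pkts, 2 bytes, 3 target, 4 prot, 5 opt, 6 in, 7 out, 8 src, 9 dst.
blocked_ips() {
    printf '%s\n' "$1" | awk 'NR > 2 && $3 == "DROP" { print $8, $1 }'
}

# Print "rulenum source" for each DROP rule placed after an unconditional
# ACCEPT (all protocols, any source, any destination, no extra match).
# Returns 1 when at least one such shadowed rule exists, 0 otherwise.
shadowed_drops() {
    found=$(printf '%s\n' "$1" | awk '
        NR > 2 && NF >= 9 {
            rule = NR - 2
            if ($3 == "ACCEPT" && $4 == "all" && $8 == "0.0.0.0/0" &&
                $9 == "0.0.0.0/0" && NF == 9) open = 1
            if ($3 == "DROP" && open) print rule, $8
        }')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

echo "Blocked sources (source packets):"
blocked_ips "$SAMPLE_INPUT_CHAIN"
if shadowed_drops "$SAMPLE_INPUT_CHAIN"; then
    echo "All DROP rules are reachable."
else
    echo "The DROP rules listed above never match; move them up with iptables -I INPUT <n> ..."
fi
```

In the sample, rule 5 shows 0 packets because rule 4 accepts everything first; the script reports it as shadowed.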
sudo apt-get install iptables-persistent
If you want to save the rules manually:
sudo service iptables-persistent save
If your server runs an SSH server, people will inevitably try to log in by brute force. You can use sshguard to prevent this kind of attack: it adds iptables rules that ban the attacking IP addresses. To install it:
sudo apt-get install sshguard
Note: SSH protection is also done by fail2ban. I don't know which one is best, but it is probably not necessary to have both together.
First generate a key pair on the client:
Then copy the public key to the server. The ssh-copy-id command does all the work for you:
After that, you should be able to log in via SSH without needing a password.