Secure your server debian / wordpress

gistfile1.txt

Creating strong passwords i would recommend using a browser extensions as password generator.


-Configuring Auto-Update:

apt install unattended-upgrades
systemctl enable unattended-upgrades
systemctl status unattended-upgrades

nano /etc/apt/apt.conf.d/50unattended-upgrades 

Unattended-Upgrade::Package-Blacklist  
"apache2";
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Verbose "true";

nano /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-list"1";
APT::Periodic::Unattended-Upgrade"1";
APT::Periodic::AutocleanIntercal"7";

systemctl restart unattended-upgrades
unattended-upgrade --dry-run --debug


-Firewall:

Install UFW:
apt install ufw
Allow only your ip to connect to ssh port: 
 ufw deny ssh/tcp
ufw allow from 15.15.15.0/24  to any port 22

ufw limit 22/tcp

ufw allow 80/tcp
ufw allow 443/tcp
ufw default deny incoming
ufw default deny  outgoing

systemctl enable ufw.service
systemctl start ufw.service
ufw status
ufw enable

- nano nano /etc/ssh/sshd_config

MaxAuthTries 2
MaxSessions 2
PermitRootLogin no



- nano /etc/sysctl.conf 

Uncomment >>
enable spoof
block ping ICMP  
add net.ipv4.icmp_echo_ignore_all = 1
not a router
martian packet

/sbin/sysctl -p


Fail2ban – Bruteforce:

apt-get install fail2ban
systemctl enable fail2ban
systemctl restart fail2ban.service 

nano /etc/fail2ban/filter.d/http-get-dos.conf
 
# Fail2Ban configuration file 
 [Definition]
# Option: failregex 
 # Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match. 
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives. 
 failregex = ^<HOST> -.*"(GET|POST).* 
 # Option: ignoreregex 
 ignoreregex =

nano /etc/fail2ban/jail.local 

##Block the failed login attempts on the SSH server.
[sshd]
enable = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 2
findtime = 300000
bantime = 300000
ignoreip = xxx.xxx.xxx.xxx

##Block the remote host that is trying to request suspicious URLs.
 [apache-overflows]
 enabled = true
 port = http,https
 filter = apache-overflows
 logpath = /var/log/apache2/*error.log
 maxretry = 2
 bantime = 30000
 ignoreip = xxx.xxx.xxx.xxx

##Stop DOS attack from remote host. 
[http-get-dos]
 enabled = true
 port = http,https
 filter = http-get-dos
 logpath = /var/log/apache2/access.log
 maxretry = 50
 findtime = 400
 bantime = 200000
 ignoreip = xxx.xxx.xxx.xxx
 action = iptables[name=HTTP, port=http, protocol=tcp]

##Block the remote host that is trying to search for scripts on the website to $
 [apache-noscript]
 enabled = true
 port = http,https
 filter = apache-noscript
 logpath = /var/log/apache2/*error.log
 maxretry = 2
 bantime = 30000
 ignoreip = xxx.xxx.xxx.xxx

fail2ban-client status sshd / http-get-dos /apache-overflows /apache-badbots /apache-noscript


IpTables: N/D


-Apache:

-Install Mod-evasive:

apt install libapache2-mod-evasive
https://phoenixnap.com/kb/apache-mod-evasive


-Install Mod-Security:

apt install libapache2-mod-security2
apt install modsecurity-crs 
https://phoenixnap.com/kb/setup-configure-modsecurity-on-apache

Not very friendly with Wordpress I would recommend check log errors and start from there:

tail /var/log/apache2/error.log 


-Apache/wordpress security:


nano /etc/apache2/apache2.conf

<Directory /var/www/dstaffieri>
        AllowOverride All
        Options -Indexes
        ServerSignature Off
</Directory>


-Setting up Apache authentications:

apt install apache2-utils 
htpasswd -c /etc/apache2/.htpasswd "user"
cd wp-admin/
nano .htaccess
AuthName "Admin Login"
AuthUserFile /et/apache2/.htpasswd
AuthType basic
Require valid-user
chmod 0444 .htaccess
systemctl restart apache2


Wordpress:

-Disable file editing
nano /var/www/html/..wp-config.php
/** Disable file editing
define('DISALLOW_FILE_EDIT',true)
permission
chmod 0444 wp-config.php
chmod 0444 .htaccess 

-Disable directory listening
nano .htaccess 
Options -Indexes
systemctl restart apache2
apt install modsecurity-crs 

-Disable Php uploads
cd ../wp-content/uploads/
nano .htaccess
<Files *.php>
deny from all
</php>
chmod 0444 .htaccess

apt install auditd


Antivirus:

-Install ClamAV
apt install clamav clamav-daemon
systemctl stop clamav-freshclam
systemctl start clamav-daemon.service 
freshclam 
systemctl start clamav-freshclam.service
clamscan -i -r -v /
clamscan -i -r -v  --remove /

-Automatic scanning:
crontab -e
SHELL=/bin/bash
HOME=/
0 01 * * 1 date >> /var/log/clamav_log
0 01 * * 1 clamscan --exclude-dir=/proc/* --exclude-dir=/sys/* -i -r / >> /var/log/rsync_log
crontab -l

-Install Rkhunter
apt install rkhunter
rkhunter --check
-Auto-scanning
nano /etc/default/rkhunter 
CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"
APT_AUTOGEN="true"


-Install Lynis
apt install lynis
lynis audit system
lynis --pentest
grep Suggestion /var/log/lynis.log 
Review the result and make the change 

-Install aide
apt-get install aide -y
aideinit
cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
update-aide.conf
cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf
aide -c /etc/aide/aide.conf --check


-Automated Backup

-Website Backup

rsync -av  /var/www/html/ /backups/website/$(date +\%Y\%m\%d)
crontab -e
00 01 * * 1 rsync -avz  /var/www/html/ /backups/website/$(date +\%Y\%m\%d) >> /var/log/cronjob1.log 2>&1




-MySQL Security

mysql_secure_installation
/etc/mysql/my.conf  
[mysqld]
skip-grant-tables
bind-address = 127.0.0.1
local-infile=0
chmod 644 /etc/my.cnf


-MySQL Backup

mysqldump -u root -p'xxx' wordpress | gzip -c > /backups/database/$(date +\%Y\%m\%d).sql.gz
crontab -e
00 01 * * * mysqldump -u root -p'93zcsb43' wordpress | gzip -c > /backups/database/wordpress$(date +\%Y\%m\%d).sql.gz >> /var/log/cronjob2.log 2>&1

grep CRON /var/log/syslog

Restore
mysql -u root –p'password' database_name < /path/to/[database_name].sql


-Cloudfare:
Set up your DNS to Prevent RDNS and ddos - free account


-Wordpress
Install Wordfence Plugin and Loginizer Brute Force
Block Ip bruteforce attack 


-Zabbix:
https://bestmonitoringtools.com/how-to-install-zabbix-server-on-debian


-Webmin:
https://upcloud.com/community/tutorials/install-webmin-debian-10


-DDOS usefull commands:

number of connections
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -alpn | grep :80 | awk '{print $5}' |awk -F: '{print $(NF-1)}' |sort | uniq -c | sort -nr
netstat -an | grep :80 | grep -v 127.0.0.1 | awk '{ print $5 }' | sort | awk -F: '{ print $1, $4 }' | uniq -c | awk ' $1 > 100 { print $1, $2 }' > /tmp/blackname.txt


grep 'sshd' /var/log/auth.log
grep 'http' /var/log/auth.log
grep 'https' /var/log/auth.log

awk '{print $1}' /var/log/apache2/access.log | sort -u

-Block the attacking network
ufw deny from 192.168.1.5 to any
ufw reject from 202.54.5.7 to any 
iptables -A INPUT -s <Source IP> -j DROP