I would like to emphasize one thing:
USE SECURE PASSWORDS!
There are countless password generators online, so use one to create a password that mixes upper and lower case letters, numbers, and symbols.
Now let’s get back to the important issues:
However secure your sites may be, if they sit on a poorly configured server you may as well not bother.
There are many tutorials on the Internet for configuring servers, and 90% of them explain the basics. That is fine, but if you want extra security you will have to make the effort.
Here are some suggestions that are easy to implement. Each of these steps will enhance the security of your server (the more of them you implement, the more secure your server will be). We’ve implemented these steps on Ubuntu, but they apply to most other Linux-based operating systems.
1. Disable Root Login
- Disable root login over SSH and use another username for administration, e.g. server_admin.
- Also disable plain password authentication and use key-based authentication instead.
2. Change SSH port
- You will find this mentioned on various web sites, but by moving the port elsewhere you won’t achieve much, because people forget that port scanners exist. My advice is to create a fake SSH service on port 22 and set up the real service on a port number lower than 1024.
- Log all attack attempts and report them to the relevant abuse contact.
3. Block countries that you do not want visiting your server / web site
- For example, a client wants to receive traffic from Europe and the USA, but not from Asia.
4. Install fail2ban
- Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show malicious signs – too many password failures, probing for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject those IP addresses for a specified amount of time, although any other action (e.g. sending an email) can also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc.).
- Fail2Ban reduces the rate of incorrect authentication attempts; however, it cannot eliminate the risk that weak authentication presents. Configure services to use only two-factor or public/private key authentication mechanisms if you really want to protect them.
    apt-get install fail2ban
Default jails are installed automatically, but we need to setup our own:
    nano /etc/fail2ban/jail.local
Paste:
    [pureftpd]
    enabled  = true
    port     = ftp
    filter   = pureftpd
    logpath  = /var/log/syslog
    maxretry = 3

    [dovecot-pop3imap]
    enabled  = true
    filter   = dovecot-pop3imap
    action   = iptables-multiport[name=dovecot-pop3imap, port="pop3,pop3s,imap,imaps", protocol=tcp]
    logpath  = /var/log/mail.log
    maxretry = 5

    [postfix-sasl]
    enabled  = true
    port     = smtp
    filter   = postfix-sasl
    logpath  = /var/log/mail.log
    maxretry = 3
Now create a filter for each of the custom jails:
    nano /etc/fail2ban/filter.d/pureftpd.conf

Paste:

    [Definition]
    failregex = .*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*
    ignoreregex =
    nano /etc/fail2ban/filter.d/dovecot-pop3imap.conf

Paste:

    [Definition]
    failregex = (?: pop3-login|imap-login): .*(?:Authentication failure|Aborted login \(auth failed|Aborted login \(tried to use disabled|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts).*rip=(?P<host>\S*),.*
    ignoreregex =
Add the missing ignoreregex line in the postfix-sasl file:
    echo "ignoreregex =" >> /etc/fail2ban/filter.d/postfix-sasl.conf
Note: This configuration is based on an ISPConfig Ubuntu setup.
If your setup differs, make sure each logpath points at the log file your service actually writes to; a jail watching the wrong file never matches anything.
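Before enabling a custom jail it is worth checking that its failregex really matches your log format and captures the client address; fail2ban ships fail2ban-regex for that. The script below is an added example, not part of the original post or of fail2ban: it expands the <HOST> tag the way older (0.8.x) fail2ban releases did (an assumption here; newer releases use a more elaborate pattern), runs the two failregex lines above over constructed sample log lines, and reports which hosts would reach each jail's maxretry (findtime is ignored).

```python
import re
from collections import Counter

# <HOST> expansion as used by fail2ban 0.8.x (assumption; newer releases differ).
HOST_TAG = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# failregex lines copied from the two custom filters configured above.
FILTERS = {
    "pureftpd": [r".*pure-ftpd: \(.*@<HOST>\) \[WARNING\] Authentication failed for user.*"],
    "dovecot-pop3imap": [r"(?: pop3-login|imap-login): .*(?:Authentication failure"
                         r"|Aborted login \(auth failed|Aborted login \(tried to use disabled"
                         r"|Disconnected \(auth failed|Aborted login \(\d+ authentication attempts)"
                         r".*rip=(?P<host>\S*),.*"],
}
MAXRETRY = {"pureftpd": 3, "dovecot-pop3imap": 5}  # values from jail.local above

# Constructed sample log lines (documentation-range addresses, not real traffic):
# 198.51.100.7 fails FTP auth 3 times, 192.0.2.10 once, 203.0.113.5 fails IMAP 5 times.
SAMPLE_SYSLOG = [
    "Jan 10 12:00:01 mail pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [admin]",
    "Jan 10 12:00:05 mail pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [admin]",
    "Jan 10 12:00:09 mail pure-ftpd: (?@198.51.100.7) [WARNING] Authentication failed for user [root]",
    "Jan 10 12:00:12 mail pure-ftpd: (?@192.0.2.10) [WARNING] Authentication failed for user [bob]",
    "Jan 10 12:00:15 mail pure-ftpd: (?@192.0.2.10) [INFO] [bob] is now logged in",
]
SAMPLE_MAILLOG = [
    f"Jan 10 12:01:{10 * n:02d} mail dovecot: imap-login: Disconnected (auth failed, {n} attempts): "
    f"user=<alice>, method=PLAIN, rip=203.0.113.5, lip=10.0.0.2"
    for n in range(1, 6)
] + ["Jan 10 12:02:00 mail dovecot: pop3-login: Login: user=<carol>, method=PLAIN, rip=192.0.2.20, lip=10.0.0.2"]

def compile_filter(name):
    """Expand <HOST> and compile every failregex of the named filter."""
    return [re.compile(p.replace("<HOST>", HOST_TAG)) for p in FILTERS[name]]

def failures_per_host(name, lines):
    """Count matching lines per captured host, the tally fail2ban keeps for a jail."""
    compiled = compile_filter(name)
    counts = Counter()
    for line in lines:
        for rx in compiled:
            m = rx.search(line)
            if m:
                counts[m.group("host")] += 1
                break  # one failure per log line, whichever pattern hit first
    return counts

def hosts_to_ban(name, lines):
    """Hosts whose failure count reached the jail's maxretry (findtime window ignored)."""
    return sorted(h for h, n in failures_per_host(name, lines).items() if n >= MAXRETRY[name])
```

A filter that matches none of your own log lines, or captures the wrong field as host, is the usual reason a jail "does nothing"; a quick run like this over a few real lines exposes that before the jail goes live.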
Open /etc/fail2ban/jail.conf:
    nano /etc/fail2ban/jail.conf
Find action = %(action_)s and replace it with:

    action = %(action_mwl)s

This action bans the address and also emails a report containing whois output and the matching log lines. Also find destemail and replace root@localhost with your email address.
And finally, restart fail2ban:
    service fail2ban restart
Additional links:
SOON
5. Other
Jail (chroot) FTP accounts, use Jailkit for SSH users, and configure MySQL to listen on localhost only (if you can). I would like to add that most attacks come from botnets and script kiddies.