Blog

Cost effective solutions

Productive meetings with fast deliveries

24/7 support with sameday response

Securing Linux Web Servers

Posted by vladimir gorea on Sat 03 November 2018 Updated on Mon 05 April 2021

Intro

What does it take to make a linux server secure? Close all the doors and put on good locks.

Workplan

We will go through all the steps for securing a new Ubuntu server on a virtual machine:

  1. Change ssh port
  2. Disable password login allow only auth key
  3. Enable firewall

Resources about server security

  1. digitalocean article

Securing ssh access

SSH settings are found at /etc/ssh/sshd_config: Restart ssh daemon

PasswordAuthentication no
Port {newport}

Restart ssh service

sudo systemctl restart sshd

Enable firewall

sudo ufw enable
sudo ufw allow {ssh_port}
sudo ufw allow 80

Blocking SPAM requests with fail2ban

Fail2ban scans log files (e.g. /var/log/apache/error_log) and bans IPs that show the malicious signs -- too many password failures, seeking for exploits, etc. Generally Fail2Ban is then used to update firewall rules to reject the IP addresses for a specified amount of time, although any arbitrary other action (e.g. sending an email) could also be configured. Out of the box Fail2Ban comes with filters for various services (apache, courier, ssh, etc). Fail2Ban is able to reduce the rate of incorrect authentications attempts however it cannot eliminate the risk that weak authentication presents. Configure services to use only two factor or public/private authentication mechanisms if you really want to protect services.

Read list:

Concepts

Step1 : install

sudo apt-get update
sudo apt-get install fail2ban

Step2 : create jail file

  1. create /etc/fail2ban/jail.local
  2. Restart systemctl restart fail2ban
[nginx-botsearch]

enabled   = true
port      = http,https
filter    = nginx-botsearch
logpath   = /var/www/logs/nginx-access.log
maxretry  = 3
banaction = iptables-multiport
findtime  = 360
bantime   = 360

Checking filters

Use to check how many entries the selected filter will ban fail2ban-regex {log path} {filter path}

Checking jail status

fail2ban-client status {jail name}

linuxunixsecurity