Webserver protection on Debian
Last year my webserver got hacked, so it was time to investigate server protection.
Here are the steps I took:
- Don't run SSH on the standard port 22.
  Open /etc/ssh/sshd_config and change this line: Port 22
- Enable SSH login with a private key (Google it, there are lots of good tutorials already).
- Open your custom SSH port in the firewall only for your own IP address (if you have a fixed one).
- Create a custom root user and remove the original root user.
- Disable FTP; use SFTP (file transfer over SSH) instead.
- Use a different MySQL user for each database.
- Use an empty, unregistered subdomain as the primary virtualhost in /etc/apache2/sites-enabled/sites.conf.
  Add these lines for that virtualhost:

    <Directory /var/www/badvisitors.hostname.net>
        Order deny,allow
        Deny from All
        AllowOverride None
    </Directory>

  More on this in the Fail2ban step.
- Install Fail2ban to automatically block bad visitors.
  For extra security you can add these rules: https://github.com/miniwark/miniwark-howtos/wiki/Fail2Ban-setup-for-Apache
  I also created two more rules:
  apache-403.conf:

    [Definition]
    failregex = [[]client <HOST>[]] client denied by server configuration: .*
    ignoreregex =

  apache-404.conf:

    [Definition]
    failregex = [[]client <HOST>[]] File does not exist: .*
    ignoreregex =

  In jail.conf it looks like this:

    [apache-403]
    enabled = true
    port = http,https
    filter = apache-403
    logpath = /var/log/*error*.log
    maxretry = 1
    bantime = 2678400

    [apache-404]
    enabled = true
    port = http,https
    filter = apache-404
    logpath = /var/log/*error*.log
    maxretry = 10
Lots of bad bots and script kiddies try to reach your server by IP address instead of by hostname. Because the first virtualhost points to a subdomain that isn't registered in DNS, no legitimate visitor should end up there.
The directory for that subdomain is protected by the Deny from All rule, so every visitor there triggers a 403 Forbidden error, which is picked up by the apache-403 jail and blocks those addresses for 1 week.
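To see how the two jails above behave, here is an added example (my own, not part of the Fail2ban project or the rules linked above) that applies the apache-403 and apache-404 filters to a few constructed Apache 2.2-style error log lines and reports which hosts reach each jail's maxretry. The <HOST> stand-in matches IPv4 only, the findtime window is ignored, and the 600-second bantime for apache-404 is assumed from the jail.conf default since the post sets none.

```python
import re
from collections import Counter, defaultdict

# Fail2ban expands <HOST> to a group matching an address or hostname; this
# simplified stand-in matches an IPv4 address only (assumption for the example).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two custom jails from the post: filter regex, maxretry and bantime.
# The post sets no bantime for apache-404, so the jail.conf default of 600 s is assumed.
JAILS = {
    "apache-403": {"failregex": re.compile(r"\[client " + HOST + r"\] client denied by server configuration: .*"),
                   "maxretry": 1, "bantime": 2678400},
    "apache-404": {"failregex": re.compile(r"\[client " + HOST + r"\] File does not exist: .*"),
                   "maxretry": 10, "bantime": 600},
}

def error_line(host, message):
    """Build one constructed Apache 2.2-style error log line (fixed timestamp)."""
    return f"[Sun Mar 02 10:00:01 2014] [error] [client {host}] {message}"

# Constructed sample: one IP-based probe caught by the catch-all vhost (403),
# one legitimate visitor missing a favicon (404), and one scanner with ten 404s.
SAMPLE_LOG = "\n".join(
    [error_line("203.0.113.5", "client denied by server configuration: /var/www/badvisitors.hostname.net/"),
     error_line("192.0.2.9", "File does not exist: /var/www/example.com/favicon.ico")]
    + [error_line("198.51.100.7", f"File does not exist: /var/www/example.com/probe{i}") for i in range(10)]
)

def evaluate(log_text, jails=JAILS):
    """Count failregex matches per jail and host; return {jail: {host: (hits, bantime)}}
    for hosts whose hit count reached the jail's maxretry (one pass over the log,
    without fail2ban's findtime window)."""
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        for name, jail in jails.items():
            m = jail["failregex"].search(line)
            if m:
                hits[name][m.group("host")] += 1
    return {name: {host: (n, jail["bantime"]) for host, n in hits[name].items() if n >= jail["maxretry"]}
            for name, jail in jails.items()}

if __name__ == "__main__":
    for jail, banned in evaluate(SAMPLE_LOG).items():
        print(jail, banned)
```

A single hit on the catch-all vhost is enough to ban the probing address, while the visitor with one missing favicon stays well under the apache-404 threshold.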
If you have comments or additions, feel free to comment…