Urban Exploration, PHP and others…

Webserver protection on Debian


Last year my webserver got hacked, time to investigate in server protection.
Here are the steps I did:

  1. Don’t run SSH on the standard 22 port.
    Open /etc/ssh/sshd_config
    Change this line: Port 22
  2. Activeer SSH login met private key (Google it, lot’s of good tutorials already).
  3. Open your custom SSH port in firewall only for your own IP adres (if you have a fixed one).
  4. Create a custom root user and remove the original root user.
  5. Disable FTP, use FTP over SSH instead.
  6. Use a different MySQL user for each database.
  7. Use a empty not registered subdomain as primary virtualhost in /etc/apache2/sites-enabled/sites.conf:
    Add these lines for that virtualhost:
    <Directory /var/www/>
    order deny,allow
    Deny from All
    AllowOverride None
    More for this in Fail2ban step.
  8. Install Fail2ban to automatically block bad visitors.
    For extra security you can add this rules:
    I even created 2 more rules:
    failregex = [[]client <HOST>[]] client denied by server configuration: .*
    ignoreregex =apache-404.conf=
    failregex = [[]client <HOST>[]] File does not exist: .*
    ignoreregex =

    In jail.conf it looks like this:

    enabled = true
    port = http,https
    filter = apache-403
    logpath = /var/log/*error*.log
    maxretry = 1
    bantime = 2678400

    enabled = true
    port = http,https
    filter = apache-404
    logpath = /var/log/*error*.log
    maxretry = 10

Lot’s of the bad bots and script kiddies try to enter your server based on IP adres instead of hostname. Because the first virtualhost directs to a subdomain that isn’t registered in DNS nobody should go there.
The directory for that subdomain is protected by the Deny for all rule. So, al visitors there create a 403 Forbidden error wich is picked-up by the apache-403 jail and blocks those adresses for 1 week.

If you have comments or additions, feel free to comment…