VPS LAMP Security - Is my way right?
Hello everyone,
I'm not an expert sysadmin and every day I try to learn new things, especially about security, so this is what I did (Debian 8 minimal):
- No root login
BASIC FIREWALL
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p tcp -m multiport --destination-ports 22,80,443 -j ACCEPT
Proftpd with chroot in the user's home
Apache 2.4 with lets encrypt
Php5
expose_php=Off
log_errors=On
error_log=/var/log/mylog/php_scripts_error.log
file_uploads=Off
allow_url_fopen=Off
allow_url_include=Off
disable_functions = I don't know what to put here, what do you suggest? At the moment there are these:
pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,
- Php5-FPM
SetHandler "proxy:unix:/var/run/php5-fpm/mydomain.com.sock|fcgi://localhost/"
Server API FPM/FastCGI
So the files are executed as the user.
Mysql 5.5 with mysql_secure_installation
Fail2ban
Other things? Thanks
Comments
I just can't get excited about FTP, unless you have customers that need it. SFTP is so much better. For one thing, not everything is sent in plain text.
An alternative to fail2ban is CSF...more beginner-friendly. Same idea - active firewall, temp block for password bruting, etc.
I'd change the SSH port just to avoid the noise and attacks - doesn't really increase security but it does.
If you're running mail, I'd either only accept on localhost or put in some serious anti-spam, etc.
BTW, you could also disable password login entirely (only ssh keys).
Another thing I like to do is send an email whenever someone logs in. Obviously, this wouldn't work if it's a big public cpanel box with lots of users, but if you or only a small group are the only legit users, you could do that...e.g.: http://www.tecmint.com/get-root-ssh-login-email-alerts-in-linux/ (Just something I googled as an example.)
I know CSF but I wanted to do everything without a GUI.. Just CLI.
Yes, changing the ssh port doesn't increase security, I read about that.
Mail is a bit of a big problem, so at the moment I prefer to use Google Apps or Yandex mail.
Only ssh keys, I will do, thanks.
I did it in the past.. Too many emails sent
CSF Firewall can be used pure command line too. It's what I use for CSF config/setup on my Centmin Mod LEMP stacks https://centminmod.com/csf_firewall.html
Have a look at pureftpd or vsftpd
Have a look at better http servers.
Oh well ... (at least use v.7 if feasible)
Also, sshguard is everything fail2ban isn't.
Tried vsftpd in the past, I don't like it.. anyway, why do you suggest pureftpd? My point regards security.. There will always be things better than other things.
Same here.
I prefer to not compile or use other repo.
Thanks I will take a look.
On Linux, fail2ban seems to be the standard choice, but I also prefer sshguard. For one, fail2ban requires python to be running the whole time ...
@Rey
IT security happens to be my professional field. But hey, do whatever you please ...
...and yet you're still advertising IPv4 in your sig?!
Heavily OT but frankly IPv6 is pure idiocy.
For one I posit that 4 Giga-Addresses are plenty enough. Actually I doubt that there are even 4 Giga customers connected. But that's not the point.
Looking at whole /8s of e.g. US-American universities and corporations, that is where the IP4 problem is.
Moreover IPv6 has serious problems, incl. with regard to security, by being 128 bits wide. Utterly unnecessary, one might add.
Iff one felt that IP4 wasn't large enough (which, again, is debatable) then the fucking bloody obvious solution would have been 64 bit IPs.
As far as I'm concerned those responsible for the pervert idiocy of IPv6 should be given the choice between being crucified or spending the rest of their days in a looney bin.
Ok then explain your opinion about pureftp instead of proftpd.
@Rey
You mean, I should convince you? Won't happen.
I don't see that you were in a position to put up conditions to be met. Just stay with proftpd. I couldn't care less.
@Rey, you might find https://cipherli.st/ helpful.
Great.. You know how the community works. Keep your IT Security to yourself and your imaginary friend.
ProFTPd has had security issues in the past. vsftpd is fairly basic (and sometimes annoying), but it is generally considered more secure. PureFTPd is generally a good middle ground.
Think of this as: ProFTPd is sendmail, vsftpd is Qmail, and PureFTPd is Postfix.
Also, bsdguy may be a bit abrasive, but once you get past his body funk and that wiry hair, he's a big teddy bear.
On my Debian 8 and Ubuntu 16.04 servers I set some basic systemd service security features on mariadb, nginx, and php.
[Service]
PrivateTmp=true
PrivateDevices=true
NoNewPrivileges=true
ProtectSystem=full
ProtectHome=true
Here's the systemd documentation for different settings you can set for your services.
https://www.freedesktop.org/software/systemd/man/systemd.exec.html
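An added example, not code from the comment above: a small Python audit that reads `systemctl show` output for those five directives and renders a drop-in for whatever is still unset. The sample output is constructed, and `audit_unit` is a hypothetical helper that only works on a box with systemd.

```python
import subprocess

# The hardening directives from the comment above and the values that count as set.
# `systemctl show` prints booleans as yes/no, not true/false.
EXPECTED = {
    "PrivateTmp": {"yes"},
    "PrivateDevices": {"yes"},
    "NoNewPrivileges": {"yes"},
    "ProtectSystem": {"full", "strict"},          # strict is stronger than full
    "ProtectHome": {"yes", "read-only", "tmpfs"},
}

# Constructed sample of `systemctl show` output for a unit with nothing hardened yet.
SAMPLE_SHOW = """PrivateTmp=no
PrivateDevices=no
NoNewPrivileges=no
ProtectSystem=no
ProtectHome=no
"""

def parse_show(output):
    """Turn KEY=VALUE lines from `systemctl show` into a dict."""
    props = {}
    for line in output.splitlines():
        if "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def find_weak(props):
    """Return {directive: current value} for each directive not at an accepted value."""
    return {k: props.get(k, "<unset>") for k, ok in EXPECTED.items()
            if props.get(k, "") not in ok}

def dropin_for(weak):
    """Render a drop-in setting only the weak directives, with the comment's values."""
    wanted = {"PrivateTmp": "true", "PrivateDevices": "true", "NoNewPrivileges": "true",
              "ProtectSystem": "full", "ProtectHome": "true"}
    lines = ["[Service]"] + [f"{k}={wanted[k]}" for k in EXPECTED if k in weak]
    return "\n".join(lines) + "\n"

def audit_unit(unit):
    """Hypothetical live check; the drop-in belongs in /etc/systemd/system/<unit>.d/
    followed by `systemctl daemon-reload` and a restart of the unit."""
    args = ["systemctl", "show", unit]
    for k in EXPECTED:
        args += ["-p", k]
    return find_weak(parse_show(subprocess.check_output(args, text=True)))

if __name__ == "__main__":
    print(dropin_for(find_weak(parse_show(SAMPLE_SHOW))))
```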
Anyone about disable_functions of php? Don't touch? Remove and add or simply add these other functions? (found googling):
Here's what I have disabled on my personal servers:
shell_exec,exec,system,symlink,passthru,proc_open,popen,pclose,show_source,pcntl_exec,dl,posix_getpwuid,posix_kill,posix_mkfifo,posix_setpgid,posix_setsid,posix_setuid,posix_uname
I run pretty much all Wordpress sites and I haven't had any issues with disabling those functions (although I only use a couple of plugins on each Wordpress install like Yoast, Supercache, etc).
I mean you probably don't need to disable functions but I do it anyways.
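As an added example (not code from either poster), this merges the pcntl_* list the OP already has with the list above instead of replacing it, de-duplicating the shared pcntl_exec and dropping the OP's trailing comma. The php.ini fragment is constructed, with a shortened version of the OP's list.

```python
import re

# Constructed php.ini fragment: a commented-out old value plus the OP's (shortened) list.
SAMPLE_INI = """[PHP]
expose_php = Off
; disable_functions = old,commented,out
disable_functions = pcntl_alarm,pcntl_fork,pcntl_exec,pcntl_getpriority,pcntl_setpriority,
allow_url_fopen = Off
"""

# The list suggested in the comment above.
SUGGESTED = ("shell_exec,exec,system,symlink,passthru,proc_open,popen,pclose,"
             "show_source,pcntl_exec,dl,posix_getpwuid,posix_kill,posix_mkfifo,"
             "posix_setpgid,posix_setsid,posix_setuid,posix_uname")

# Matches only an uncommented disable_functions line (a leading ';' makes it a comment).
_LINE = re.compile(r"^([ \t]*disable_functions[ \t]*=)(.*)$", re.MULTILINE)

def split_functions(value):
    """Split a comma-separated value, dropping blanks (this handles the trailing comma)."""
    return [f.strip() for f in value.split(",") if f.strip()]

def merge_lists(existing, extra):
    """Append extra names to existing, case-insensitively de-duplicated, order kept."""
    seen, merged = set(), []
    for name in split_functions(existing) + split_functions(extra):
        if name.lower() not in seen:
            seen.add(name.lower())
            merged.append(name)
    return merged

def current_disabled(ini_text):
    """Return the value of the first uncommented disable_functions line, or ''."""
    m = _LINE.search(ini_text)
    return m.group(2).strip() if m else ""

def merge_disable_functions(ini_text, extra):
    """Rewrite ini_text so disable_functions holds the union of the old and extra names."""
    merged = ",".join(merge_lists(current_disabled(ini_text), extra))
    if _LINE.search(ini_text):
        return _LINE.sub(lambda m: m.group(1) + " " + merged, ini_text, count=1)
    # No active line yet: append one rather than touching the commented example.
    return ini_text.rstrip("\n") + "\ndisable_functions = " + merged + "\n"

if __name__ == "__main__":
    print(merge_disable_functions(SAMPLE_INI, SUGGESTED))
```

With PHP-FPM the same value can also be pinned per pool with php_admin_value[disable_functions] in the pool config, so each site's pool carries the restriction regardless of which php.ini is loaded.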
Since you're using Apache have you thought about using ModSecurity?