Advice on any extra security features/redundancies

I have set up my OLS Server through RunCloud with Vultr. I have tried to implement as many security features as possible but I wanted advice if they were 'sufficient' (I know you can never say never) and also whether there were any redundancies that I'm not aware of.

Server + RunCloud:

  • Maldet and ClamAV installed - Maldet on cron and ClamAV I will manually run once a month
  • Vultr Firewall - only ports opened for SSH, RunCloud and Cloudflare
  • SSH key access only (passwordless login)
  • Root access blocked
  • Fail2ban
  • 2FA
  • IP whitelisting for online login
  • WAF through RunCloud
  • SSL certificate

WordPress:

  • WordFence installed
  • Cloudflare - all traffic is routed through Cloudflare (also helping DDOS protection)

Backup:

  • S3 daily backup via RunCloud of database and files

I will manually regularly carry out Ubuntu updates through the terminal

I think that's everything but I'm sure I've missed something!

TIA

Comments

  • Looks good. Is 2FA enabled in Wordfence for your login page? If so, outside of having a shitty password, I'd say you're good to go.

  • sreekanth850 Member
    edited August 2023

    @rockinaway said:
    I have set up my OLS Server through RunCloud with Vultr. I have tried to implement as many security features as possible but I wanted advice if they were 'sufficient' (I know you can never say never) and also whether there were any redundancies that I'm not aware of.

    Server + RunCloud:

    • Maldet and ClamAV installed - Maldet on cron and ClamAV I will manually run once a month
    • Vultr Firewall - only ports opened for SSH, RunCloud and Cloudflare
    • SSH key access only (passwordless login)
    • Root access blocked
    • Fail2ban
    • 2FA
    • IP whitelisting for online login
    • WAF through RunCloud
    • SSL certificate

    WordPress:

    • WordFence installed
    • Cloudflare - all traffic is routed through Cloudflare (also helping DDOS protection)

    Backup:

    • S3 daily backup via RunCloud of database and files

    I will manually regularly carry out Ubuntu updates through the terminal

    I think that's everything but I'm sure I've missed something!

    TIA

    If you use Ubuntu:

    1. Secure shared memory
    2. Avoid using FTP, Telnet, and Rlogin / Rsh services (if you use RunCloud and they have a file manager, you don't need FTP).
    3. Make sure no non-root accounts have UID set to 0

    Source: Link

    Thanked by: rockinaway
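
The items in the opening checklist (key-only SSH, root login blocked) and the Ubuntu tips above (shared memory mounted noexec/nosuid, no second UID 0 account) can all be verified from config files rather than taken on trust. The script below is an added example, not code from the thread, RunCloud or Vultr: it parses sshd_config, /etc/passwd and /etc/fstab text and reports which items hold. The sample file contents and the function names are my own constructions; on a real host you would read the three files instead.

```python
import re

# Constructed sample inputs (not from the thread). On a real host read
# /etc/ssh/sshd_config, /etc/passwd and /etc/fstab instead.
SAMPLE_SSHD_CONFIG = """\
# Hardened sample
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers deploy
Match User backup
    PasswordAuthentication yes
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
deploy:x:1000:1000::/home/deploy:/bin/bash
toor:x:0:0:constructed second uid-0 account:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

SAMPLE_FSTAB = """\
UUID=0000-placeholder / ext4 defaults 0 1
tmpfs /run/shm tmpfs defaults,noexec,nosuid 0 0
"""


def parse_sshd_config(text):
    """Return {keyword_lower: value} for the global section of an sshd_config.
    sshd honours the FIRST occurrence of a keyword, and directives after a
    'Match' line are conditional, so parsing stops at the first Match."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)      # first occurrence wins
    return settings


def audit_sshd(text):
    """Return a list of findings; an empty list means the checklist items hold."""
    cfg = parse_sshd_config(text)
    findings = []
    # OpenSSH defaults: PermitRootLogin prohibit-password, PasswordAuthentication yes
    if cfg.get("permitrootlogin", "prohibit-password") != "no":
        findings.append("PermitRootLogin is not 'no'")
    if cfg.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is not 'no' (default is yes)")
    if cfg.get("pubkeyauthentication", "yes") == "no":
        findings.append("PubkeyAuthentication disabled; key-only login impossible")
    if not any(k in cfg for k in ("allowusers", "allowgroups")):
        findings.append("no AllowUsers/AllowGroups restriction")
    return findings


def uid0_accounts(passwd_text):
    """Names of accounts other than 'root' whose UID is 0 (should be empty)."""
    extra = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            extra.append(fields[0])
    return extra


def shm_secured(fstab_text):
    """True if the shared-memory tmpfs is mounted with both noexec and nosuid."""
    for line in fstab_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[1] in ("/run/shm", "/dev/shm"):
            opts = set(fields[3].split(","))
            return {"noexec", "nosuid"} <= opts
    return False          # no dedicated entry at all: treat as not secured


if __name__ == "__main__":
    print("sshd findings:", audit_sshd(SAMPLE_SSHD_CONFIG) or "none")
    print("extra UID 0 accounts:", uid0_accounts(SAMPLE_PASSWD))
    print("shared memory secured:", shm_secured(SAMPLE_FSTAB))
```

The sshd parser deliberately stops at the first `Match` block, because anything below it only applies to the matched users or addresses; a `PasswordAuthentication yes` hidden under a `Match` is exactly the kind of thing worth reviewing by hand.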
  • @Don_Keedic said:
    Looks good. Is 2FA enabled in Wordfence for your login page? If so, outside of having a shitty password, I'd say you're good to go.

    I don't yet but I will add that too! Would you set up server backups as well as the RunCloud one? Reassuring to hear from other people that setup is good since it's my first time setting up a server!

    @sreekanth850 said:
    If you use Ubuntu:

    1. Secure shared memory
    2. Avoid using FTP, Telnet, and Rlogin / Rsh services (if you use RunCloud and they have a file manager, you don't need FTP).
    3. Make sure no non-root accounts have UID set to 0

    Source: Link

    These are very useful thanks - I will add these too!

  • @rockinaway said:

    @Don_Keedic said:
    Looks good. Is 2FA enabled in Wordfence for your login page? If so, outside of having a shitty password, I'd say you're good to go.

    I don't yet but I will add that too! Would you set up server backups as well as the RunCloud one? Reassuring to hear from other people that setup is good since it's my first time setting up a server!

    @sreekanth850 said:
    If you use Ubuntu:

    1. Secure shared memory
    2. Avoid using FTP, Telnet, and Rlogin / Rsh services (if you use RunCloud and they have a file manager, you don't need FTP).
    3. Make sure no non-root accounts have UID set to 0

    Source: Link

    These are very useful thanks - I will add these too!

    Forgot to mention disabling "forgot password" in WordPress. You can google it to find the code snippet.

  • @rockinaway said:
    I don't yet but I will add that too! Would you set up server backups as well as the RunCloud one? Reassuring to hear from other people that setup is good since it's my first time setting up a server!

    If you're looking to make certain and you have the storage capacity to make it happen, absolutely. Just make sure that it's geographically distant from your current backup location so in case something does happen in that region, you're less likely to be affected at the secondary location.

    You sound super enthusiastic about all this, so if you're looking to do everything you possibly can to make it safe/secure, take a look at enabling file versioning with your server (not RunCloud) backup. That way, in case your base system gets compromised by ransomware, your backups won't be tainted and you'd be able to restore from an otherwise unrestorable situation.

    Thanked by: rockinaway
  • You can also limit SSH logins to either a specific user / group and/or an IP address.

    Thanked by: rockinaway, kzs
  • AXYZE Member
    edited August 2023
    1. Block incoming SSH connections from all IPs except yours. If you have a dynamic IP you can always change the SSH block rule in the Vultr Panel or use hopserver.
    2. Verify system integrity - automatically heal infected files even if it's a 0day. https://linuxhint.com/install-and-use-aide-ubuntu-22-04/
    3. Install an AppArmor profile for your apps (Nginx etc.) or create your own - even successful exploits won't do damage, because processes will be caged.
    Thanked by: vpsGOD
  • tentor Member, Patron Provider

    @AXYZE said:
    1. Block incoming SSH connections from all IPs except yours. If you have a dynamic IP you can always change the SSH block rule in the Vultr Panel or use hopserver.

    I think the better option is to allow SSH only within a VPN. Actually, you won't gain much in terms of security, but the amount of logs will be minimal.

    @AXYZE said:
    3. Install an AppArmor profile for your apps (Nginx etc.) or create your own - even successful exploits won't do damage, because processes will be caged.

    No, the damage will be caused, but the impact will be minimal. However, if the hacker targets assets or performs actions that are typical for the exploited software, AppArmor/SELinux won't help. Also, it won't protect you from most application-layer attacks like SSRF, XSS, SQL injection, etc.

  • @Don_Keedic said:

    @rockinaway said:
    I don't yet but I will add that too! Would you set up server backups as well as the RunCloud one? Reassuring to hear from other people that setup is good since it's my first time setting up a server!

    If you're looking to make certain and you have the storage capacity to make it happen, absolutely. Just make sure that it's geographically distant from your current backup location so in case something does happen in that region, you're less likely to be affected at the secondary location.

    You sound super enthusiastic about all this, so if you're looking to do everything you possibly can to make it safe/secure, take a look at enabling file versioning with your server (not RunCloud) backup. That way, in case your base system gets compromised by ransomware, your backups won't be tainted and you'd be able to restore from an otherwise unrestorable situation.

    Vultr offer it for a small fee/month which is fine if it's providing peace of mind.

    I'm enthusiastic indeed - just wanting to make sure I am doing what I can to protect my server and site. I know I will never be able to cover everything possible but if I can cover 99% and have backups then fingers crossed!

    @tentor said:

    @AXYZE said:
    1. Block incoming SSH connections from all IPs except yours. If you have a dynamic IP you can always change the SSH block rule in the Vultr Panel or use hopserver.

    I think the better option is to allow SSH only within a VPN. Actually, you won't gain much in terms of security, but the amount of logs will be minimal.

    @AXYZE said:
    3. Install an AppArmor profile for your apps (Nginx etc.) or create your own - even successful exploits won't do damage, because processes will be caged.

    No, the damage will be caused, but the impact will be minimal. However, if the hacker targets assets or performs actions that are typical for the exploited software, AppArmor/SELinux won't help. Also, it won't protect you from most application-layer attacks like SSRF, XSS, SQL injection, etc.

    All getting even more complicated than things were! Haha! How much extra are these things adding? Like I said above, I know I will never get everything. I'm just checking I have a good foundation and this is what the average person would do in what I have included above :)

  • tentor Member, Patron Provider

    @rockinaway said:

    @Don_Keedic said:

    @rockinaway said:
    I don't yet but I will add that too! Would you set up server backups as well as the RunCloud one? Reassuring to hear from other people that setup is good since it's my first time setting up a server!

    If you're looking to make certain and you have the storage capacity to make it happen, absolutely. Just make sure that it's geographically distant from your current backup location so in case something does happen in that region, you're less likely to be affected at the secondary location.

    You sound super enthusiastic about all this, so if you're looking to do everything you possibly can to make it safe/secure, take a look at enabling file versioning with your server (not RunCloud) backup. That way, in case your base system gets compromised by ransomware, your backups won't be tainted and you'd be able to restore from an otherwise unrestorable situation.

    Vultr offer it for a small fee/month which is fine if it's providing peace of mind.

    I'm enthusiastic indeed - just wanting to make sure I am doing what I can to protect my server and site. I know I will never be able to cover everything possible but if I can cover 99% and have backups then fingers crossed!

    @tentor said:

    @AXYZE said:
    1. Block incoming SSH connections from all IPs except yours. If you have a dynamic IP you can always change the SSH block rule in the Vultr Panel or use hopserver.

    I think the better option is to allow SSH only within a VPN. Actually, you won't gain much in terms of security, but the amount of logs will be minimal.

    @AXYZE said:
    3. Install an AppArmor profile for your apps (Nginx etc.) or create your own - even successful exploits won't do damage, because processes will be caged.

    No, the damage will be caused, but the impact will be minimal. However, if the hacker targets assets or performs actions that are typical for the exploited software, AppArmor/SELinux won't help. Also, it won't protect you from most application-layer attacks like SSRF, XSS, SQL injection, etc.

    All getting even more complicated than things were! Haha! How much extra are these things adding? Like I said above, I know I will never get everything. I'm just checking I have a good foundation and this is what the average person would do in what I have included above :)

    I think your checklist is already solid. The only recommendation I can give you is setup of WAF (ModSecurity with OWASP CRS), but it is optional.

    Thanked by: rockinaway
  • alilet Member
    edited August 2023

    Two of my WordPress sites were hacked twice by the "Japanese SEO hack". After that I did the following and now everything is OK.

    1. Ran the sites under different user accounts. Previously both were running under www-data, but later I created two new users (one for each site).
    2. Installed WordFence and scanned all files, including images and those outside the WordPress installation, by selecting the following options: "Scan files outside your WordPress installation" and "Scan images, binary, and other files as if they were executable". This is a great plugin and it helped me a lot. Saved a lot of time!!
    3. Added the following code to the nginx config (the backslashes and asterisks in the regex were eaten by the forum rendering; this is the pattern as intended):

    # refuse PHP under wp-content, wp-includes and uploads/files, plus xmlrpc.php and .ht*/.user.ini files
    location ~* (/wp-content/.*\.php$|/wp-includes/.*\.php$|/xmlrpc\.php$|/(?:uploads|files)/.*\.php$|/\.ht|^/\.user\.ini) {
        deny all;
        access_log off;
        log_not_found off;
    }
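
To see what alilet's location block actually denies and what it still lets through, here is an added example that is not from the thread or from nginx itself. It takes the pattern with the escapes restored (my assumption about the intended regex, since the forum rendering stripped them) and applies it to constructed request paths the way nginx evaluates a `location ~*` regex: case-insensitively, against the decoded and normalised `$uri` with the query string removed. The normalisation here is a simplified model, and `SAMPLES`, `decide` and `normalise_uri` are my own names.

```python
import re
from urllib.parse import unquote

# alilet's nginx 'location ~*' pattern with the backslashes and '*' that the
# forum rendering stripped restored (assumption about the intended regex).
DENY_PATTERN = (
    r"(/wp-content/.*\.php$|/wp-includes/.*\.php$|/xmlrpc\.php$"
    r"|/(?:uploads|files)/.*\.php$|/\.ht|^/\.user\.ini)"
)
# 'location ~*' is a case-insensitive regex match against $uri
DENY_RE = re.compile(DENY_PATTERN, re.IGNORECASE)


def normalise_uri(request_target):
    """Approximate nginx's $uri: drop the query string, percent-decode once,
    and resolve '.' / '..' segments. Simplified model: nginx also merges
    duplicate slashes and has its own rules for odd encodings."""
    path = request_target.split("?", 1)[0]
    path = unquote(path)
    segments = []
    for seg in path.split("/"):
        if seg == "..":
            if segments:
                segments.pop()
        elif seg and seg != ".":
            segments.append(seg)
    return "/" + "/".join(segments)


def decide(request_target):
    """Return 'deny' if this location block would answer 403, else 'pass'."""
    return "deny" if DENY_RE.search(normalise_uri(request_target)) else "pass"


# Constructed request targets: paths a WordPress site normally serves, and
# paths under which PHP should never execute according to this policy.
SAMPLES = [
    "/index.php",
    "/wp-admin/admin-ajax.php?action=heartbeat",
    "/wp-includes/js/jquery/jquery.min.js",
    "/wp-content/themes/x/style.css",
    "/wp-content/plugins/some-plugin/ajax.php",
    "/wp-content/uploads/2023/08/image.PHP",
    "/wp-content/uploads/2023/08/image.php?x=1",
    "/wp-content/uploads/..%2F..%2Fwp-includes/load.php",
    "/xmlrpc.php",
    "/.htaccess",
    "/.user.ini",
    "/wp-content/uploads/2023/08/image.phtml",
]

if __name__ == "__main__":
    for target in SAMPLES:
        print(f"{decide(target):5} {target}")
```

Two things the run makes visible. First, any `.php` directly under `wp-content` is denied, including plugin endpoints that are meant to be called directly, which is the same plugin-breakage trade-off rockinaway hit with ModSecurity; the block should be tested against the site's plugins before going live. Second, the pattern only covers names ending in `.php`: if the PHP handler on the server is also mapped to other extensions (`.phtml`, `.php7` and the like), those need adding to the pattern, otherwise an uploaded file with such an extension passes straight through.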

  • if you want something a little heavier but has more features then you should have a look at crowdsec but fail2ban is just as good but much lighter. you could also use something like lynis where you can scan your server from the inside to see anything you could improve on security wise like file permissions, ssh configs... etc....

    Thanked by: rockinaway
  • @alilet said:
    Two of my WordPress sites were hacked twice by the "Japanese SEO hack". After that I did the following and now everything is OK.

    1. Ran the sites under different user accounts. Previously both were running under www-data, but later I created two new users (one for each site).
    2. Installed WordFence and scanned all files, including images and those outside the WordPress installation, by selecting the following options: "Scan files outside your WordPress installation" and "Scan images, binary, and other files as if they were executable". This is a great plugin and it helped me a lot. Saved a lot of time!!
    3. Added the following code to the nginx config:

    location ~* (/wp-content/.*\.php$|/wp-includes/.*\.php$|/xmlrpc\.php$|/(?:uploads|files)/.*\.php$|/\.ht|^/\.user\.ini) {
        deny all;
        access_log off;
        log_not_found off;
    }

    These are essential, can't believe I didn't think about these. Good call.

    Here's how to configure part #1 easily - https://www.vultr.com/docs/use-php-fpm-pools-to-secure-multiple-web-sites/

    Make sure and follow the instructions VERBATIM or you'll end up with errors that make you want to pull your hair out trying to figure out. If DNS isn't the issue, inevitably, it's permissions.

    Thanked by: rockinaway
  • @tentor said:

    I think your checklist is already solid. The only recommendation I can give you is setup of WAF (ModSecurity with OWASP CRS), but it is optional.

    The reassurance is great! I did actually set up the ModSecurity WAF, however I am having soooo many issues with WordPress plugins and functionality that it's not seeming worth it when I have WordFence as well.

    @alilet said:
    Two of my WordPress sites were hacked twice by the "Japanese SEO hack". After that I did the following and now everything is OK.

    1. Ran the sites under different user accounts. Previously both were running under www-data, but later I created two new users (one for each site).
    2. Installed WordFence and scanned all files, including images and those outside the WordPress installation, by selecting the following options: "Scan files outside your WordPress installation" and "Scan images, binary, and other files as if they were executable". This is a great plugin and it helped me a lot. Saved a lot of time!!
    3. Added the following code to the nginx config:

    location ~* (/wp-content/.*\.php$|/wp-includes/.*\.php$|/xmlrpc\.php$|/(?:uploads|files)/.*\.php$|/\.ht|^/\.user\.ini) {
        deny all;
        access_log off;
        log_not_found off;
    }

    Thanks! So I only have one website on it under one account. That account has SSH access only. I have WordFence but I will make sure those options are ticked :) I don't have Nginx - I'm running on an OLS server so is there an alternative that you would suggest?

  • @rockinaway said:

    @tentor said:

    I think your checklist is already solid. The only recommendation I can give you is setup of WAF (ModSecurity with OWASP CRS), but it is optional.

    The reassurance is great! I did actually set up the ModSecurity WAF, however I am having soooo many issues with WordPress plugins and functionality that it's not seeming worth it when I have WordFence as well.

    @alilet said:
    Two of my WordPress sites were hacked twice by the "Japanese SEO hack". After that I did the following and now everything is OK.

    1. Ran the sites under different user accounts. Previously both were running under www-data, but later I created two new users (one for each site).
    2. Installed WordFence and scanned all files, including images and those outside the WordPress installation, by selecting the following options: "Scan files outside your WordPress installation" and "Scan images, binary, and other files as if they were executable". This is a great plugin and it helped me a lot. Saved a lot of time!!
    3. Added the following code to the nginx config:

    location ~* (/wp-content/.*\.php$|/wp-includes/.*\.php$|/xmlrpc\.php$|/(?:uploads|files)/.*\.php$|/\.ht|^/\.user\.ini) {
        deny all;
        access_log off;
        log_not_found off;
    }

    Thanks! So I only have one website on it under one account. That account has SSH access only. I have WordFence but I will make sure those options are ticked :) I don't have Nginx - I'm running on an OLS server so is there an alternative that you would suggest?

    OLS is what I was planning to use next because I have read that it is very fast. But I don't know anything about it.

  • emgh Member

    @alilet said:

    @rockinaway said:

    @tentor said:

    I think your checklist is already solid. The only recommendation I can give you is setup of WAF (ModSecurity with OWASP CRS), but it is optional.

    The reassurance is great! I did actually set up the ModSecurity WAF, however I am having soooo many issues with WordPress plugins and functionality that it's not seeming worth it when I have WordFence as well.

    @alilet said:
    Two of my WordPress sites were hacked twice by the "Japanese SEO hack". After that I did the following and now everything is OK.

    1. Ran the sites under different user accounts. Previously both were running under www-data, but later I created two new users (one for each site).
    2. Installed WordFence and scanned all files, including images and those outside the WordPress installation, by selecting the following options: "Scan files outside your WordPress installation" and "Scan images, binary, and other files as if they were executable". This is a great plugin and it helped me a lot. Saved a lot of time!!
    3. Added the following code to the nginx config:

    location ~* (/wp-content/.*\.php$|/wp-includes/.*\.php$|/xmlrpc\.php$|/(?:uploads|files)/.*\.php$|/\.ht|^/\.user\.ini) {
        deny all;
        access_log off;
        log_not_found off;
    }

    Thanks! So I only have one website on it under one account. That account has SSH access only. I have WordFence but I will make sure those options are ticked :) I don't have Nginx - I'm running on an OLS server so is there an alternative that you would suggest?

    OLS is what I was planning to use next because I have read that it is very fast. But I don't know anything about it.

    If you want to learn and explore, sure

    However, I wouldn’t say that it’s anything special

    A well-tuned Nginx web server will perform very closely to a well-tuned OLS web server

    Probably just a tad better or a tad worse depending on stuff

    Thanked by: alilet
  • jsg Member, Resident Benchmarker
    edited August 2023

    "The morer the betterer" is a great approach to sakkurity! Sensibly choosing a more adequate OS and at least halfway adequate software is only for whimps. Ubuntu is a great choice but try to find more Wordpress sakkurity plugins. After all, PHP is like the wide golden route to sakkurity!

  • If you want to go more insane,
    set up an SSH honeypot
    on port 22.
    Hide your SSHD somewhere else,
    configure portsentry and port knocking for your SSHD

  • If you enjoy playing with bots, consider using SSH tarpit endlessh

  • @jsg said:
    "The morer the betterer" is a great approach to sakkurity! Sensibly choosing a more adequate OS and at least halfway adequate software is only for whimps. Ubuntu is a great choice but try to find more Wordpress sakkurity plugins. After all, PHP is like the wide golden route to sakkurity!

    Which other WordPress plugins would you suggest?

    Lots of other very helpful tips! Think I will work my way through implementing as many as I can.

    @emgh said:

    A well-tuned Nginx web server will perform very closely to a well-tuned OLS web server

    Probably just a tad better or a tad worse depending on stuff

    I wanted to keep htaccess due to some of the plugins I use hence going with OLS, but yes read plenty on Nginx being great as an alternative.

  • @rockinaway said:

    @jsg said:
    "The morer the betterer" is a great approach to sakkurity! Sensibly choosing a more adequate OS and at least halfway adequate software is only for whimps. Ubuntu is a great choice but try to find more Wordpress sakkurity plugins. After all, PHP is like the wide golden route to sakkurity!

    Which other WordPress plugins would you suggest?

    Lots of other very helpful tips! Think I will work my way through implementing as many as I can.

    @emgh said:

    A well-tuned Nginx web server will perform very closely to a well-tuned OLS web server

    Probably just a tad better or a tad worse depending on stuff

    I wanted to keep htaccess due to some of the plugins I use hence going with OLS, but yes read plenty on Nginx being great as an alternative.

    you can also use htaccess with nginx ;)

  • @babywhale said:

    you can also use htaccess with nginx ;)

    Just off to put my dunce hat on...

    Thanked by: tentor
  • Thanks for these gotta go through all of this later I tend to neglect my servers 😅

    Thanked by: rockinaway