New on LowEndTalk? Please Register and read our Community Rules.
Advice on any extra security features/redundancies
rockinaway
Member
in Help
I have set up my OLS Server through RunCloud with Vultr. I have tried to implement as many security features as possible but I wanted advice if they were 'sufficient' (I know you can never say never) and also whether there were any redundancies that I'm not aware of.
Server + RunCloud:
- Maldet and ClamAV installed - Maldet on cron and ClamAV I will manually run once a month
- Vultr Firewall - only ports opened for SSH, RunCloud and Cloudflare
- SSH key access only (passwordless login)
- Root access blocked
- Fail2ban
- 2FA
- IP whitelisting for online login
- WAF through RunCloud
- SSL certificate
WordPress:
- WordFence installed
- Cloudflare - all traffic is routed through Cloudflare (also helping DDOS protection)
Backup:
- S3 daily backup via RunCloud of database and files
I will regularly carry out Ubuntu updates manually through the terminal
I think that's everything but I'm sure I've missed something!
TIA
Comments
Looks good. Is 2FA enabled in Wordfence for your login page? If so, outside of having a shitty password, I'd say you're good to go.
If you use Ubuntu.
I don't yet but I will add that too! Would you set up server backups as well as the RunCloud one? Reassuring to hear from other people that setup is good since it's my first time setting up a server!
These are very useful thanks - I will add these too!
Forgot to mention about disabling forgot password in WordPress. You can google it to find the code snippet.
If you're looking to make certain and you have the storage capacity to make it happen, absolutely. Just make sure that it's geographically distant from your current backup location so in case something does happen in that region, you're less likely to be affected at the secondary location.
You sound super enthusiastic about all this, so if you're looking to do everything you possibly can to make it safe/secure, take a look at enabling file versioning with your server (not RunCloud) backup. That way, in case your base system gets compromised by ransomware, your backups won't be tainted and you'd be able to restore from an otherwise unrestorable situation.
You can also limit SSH logins to either a specific user/group and/or an IP address.
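The SSH items in the opening checklist (key-only login, root blocked) and the suggestion just above to restrict logins to specific users or addresses can be verified against an sshd_config before it is reloaded. This is an added example, not code from the thread; the config text it audits is a constructed sample, and the user/address in it are made up.

```shell
#!/bin/sh
# Audit an sshd_config for the thread's SSH items: key-only login, no root
# login, and an explicit allow-list of users (optionally pinned to an address).
# The config below is a CONSTRUCTED sample, not a real server's file.
SAMPLE_SSHD_CONFIG='
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
# user@host form limits this user to one source address (constructed example)
AllowUsers deploy@203.0.113.10
MaxAuthTries 3
'

# sshd honours the FIRST occurrence of a keyword (keywords are case-insensitive).
# Prints the effective value of keyword $2 in config text $1; empty if unset.
# Match blocks are not modelled: parsing stops at the first Match line.
sshd_get() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*#/ || NF < 2 { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }'
}

# Returns 0 when every check passes, 1 otherwise, printing each finding.
# Unset keywords count as failures: sshd defaults PasswordAuthentication to yes.
sshd_audit() {
    cfg=$1; fails=0
    [ "$(sshd_get "$cfg" PermitRootLogin)" = "no" ] ||
        { echo "FAIL: PermitRootLogin should be no"; fails=1; }
    [ "$(sshd_get "$cfg" PasswordAuthentication)" = "no" ] ||
        { echo "FAIL: PasswordAuthentication should be no"; fails=1; }
    [ "$(sshd_get "$cfg" PubkeyAuthentication)" != "no" ] ||
        { echo "FAIL: PubkeyAuthentication must not be disabled"; fails=1; }
    # Without an allow-list, any local account that has a key can log in.
    [ -n "$(sshd_get "$cfg" AllowUsers)$(sshd_get "$cfg" AllowGroups)" ] ||
        { echo "FAIL: no AllowUsers/AllowGroups allow-list"; fails=1; }
    return "$fails"
}

sshd_audit "$SAMPLE_SSHD_CONFIG" && echo "sample config passes"
```

To audit a live server, pass the real file with `sshd_audit "$(cat /etc/ssh/sshd_config)"` and run `sshd -t` after any change so a typo cannot lock you out.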
I think the better option is to allow SSH only within VPN. Actually, you won't have much profit in terms of security, but amount of logs will be minimal.
No, the damage will be caused, but the impact will be minimal. However, if a hacker targets assets or performs actions that are typical for the exploited software, AppArmor/SELinux won't help. Also, it won't protect you from most application-layer attacks like SSRF, XSS, SQL injection, etc.
Vultr offer it for a small fee/month which is fine if it's providing peace of mind.
I'm enthusiastic indeed - just wanting to make sure I am doing what I can to protect my server and site. I know I will never be able to cover everything possible but if I can cover 99% and have backups then fingers crossed!
All getting even more complicated than things were! Haha! How much extra are these things adding? Like I said above, I know I will never get everything. I'm just checking I have a good foundation and that what I have included above is what the average person would do.
I think your checklist is already solid. The only recommendation I can give you is setup of WAF (ModSecurity with OWASP CRS), but it is optional.
Two of my WordPress sites were hacked twice by "Japanese SEO hack". After that I did the following and now everything is OK.
1. Previously www-data, but later I created two new users (one for each site).
2. Wordfence, with "Scan files outside your WordPress installation" and "Scan images, binary, and other files as if they were executable" enabled. This is a great plugin and it helped me a lot. Saved a lot of time!!
3. nginx config
If you want something a little heavier but with more features then you should have a look at crowdsec, but fail2ban is just as good and much lighter. You could also use something like lynis, where you can scan your server from the inside to see anything you could improve on security-wise, like file permissions, ssh configs, etc.
These are essential, can't believe I didn't think about these. Good call.
Here's how to configure part #1 easily - https://www.vultr.com/docs/use-php-fpm-pools-to-secure-multiple-web-sites/
Make sure to follow the instructions VERBATIM or you'll end up with errors that make you want to pull your hair out trying to figure out. If DNS isn't the issue, inevitably, it's permissions.
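A quick way to confirm that part #1 (one system user per site, run through separate PHP-FPM pools) actually took effect, and to catch the permission mix-ups mentioned above: list the user each pool runs as and flag any pool still on www-data or any user shared between pools. This is an added example, not code from the thread or the linked guide; the two pool files are constructed samples with made-up site names.

```shell
#!/bin/sh
# Added check for part #1 above (one system user per site): every PHP-FPM pool
# must run as its own dedicated user, never the shared www-data account, and no
# two pools may share a user. The pool files below are CONSTRUCTED samples.
POOLDIR=$(mktemp -d)
cat > "$POOLDIR/site1.conf" <<'EOF'
[site1]
user = site1
group = site1
listen = /run/php/site1.sock
; the web server only needs to reach the socket, not the site's files
listen.owner = www-data
listen.group = www-data
EOF
cat > "$POOLDIR/site2.conf" <<'EOF'
[site2]
user = site2
group = site2
listen = /run/php/site2.sock
listen.owner = www-data
listen.group = www-data
EOF

# Print "<pool> <user>" for every pool in a pool.d-style directory.
# A pool with no user line inherits the global default and is not reported.
pool_users() {
    awk '
        /^[ \t]*\[/ { pool = $0; gsub(/[][ \t]/, "", pool) }
        /^[ \t]*user[ \t]*=/ { v = $0; sub(/^[^=]*=[ \t]*/, "", v); print pool, v }
    ' "$1"/*.conf
}

# Returns 0 when pools are isolated, 1 (with findings printed) otherwise.
check_pool_isolation() {
    pairs=$(pool_users "$1"); bad=0
    shared=$(printf '%s\n' "$pairs" | awk '$2 == "www-data" { print $1 }')
    [ -z "$shared" ] || { echo "FAIL: pool(s) running as www-data: $shared"; bad=1; }
    dups=$(printf '%s\n' "$pairs" | awk '{ print $2 }' | sort | uniq -d)
    [ -z "$dups" ] || { echo "FAIL: user(s) shared by several pools: $dups"; bad=1; }
    return "$bad"
}

check_pool_isolation "$POOLDIR" && echo "pools are isolated"
```

On a real box, point it at the pool directory of your PHP version (for example `check_pool_isolation /etc/php/8.2/fpm/pool.d`) and then confirm each site's document root is owned by that pool's user.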
The reassurance is great! I did actually set up the ModSecurity WAF, however I am having soooo many issues with WordPress plugins and functionality that it's not seeming worth it when I have WordFence as well.
Thanks! So I only have one website on it under one account. That account has SSH access only. I have WordFence but I will make sure those options are ticked. I don't have Nginx - I'm running on an OLS server, so is there an alternative that you would suggest?
OLS is what I was planning to use next because I have read that it is very fast. But I don't know anything about it.
If you want to learn and explore, sure
However, I wouldn’t say that it’s anything special
A well-tuned Nginx web server will perform very closely to a well-tuned OLS web server
Probably just a tad better or a tad worse depending on stuff
"The morer the betterer" is a great approach to sakkurity! Sensibly choosing a more adequate OS and at least halfway adequate software is only for wimps. Ubuntu is a great choice but try to find more WordPress sakkurity plugins. After all, PHP is like the wide golden route to sakkurity!
If you want to go more insane, set up an SSH honeypot on port 22. Hide your SSHD somewhere else, and configure portsentry and port knocking for your SSHD. If you enjoy playing with bots, consider using the SSH tarpit endlessh.
Which other WordPress plugins would you suggest?
Lots of other very helpful tips! Think I will work my way through implementing as many as I can.
I wanted to keep htaccess due to some of the plugins I use hence going with OLS, but yes read plenty on Nginx being great as an alternative.
you can also use htaccess with nginx
Just off to put my dunce hat on...
Thanks for these, gotta go through all of this later. I tend to neglect my servers 😅