Advice on Security

LeoK Member

I have a few small boxes that I host a few hobby projects on. I am only a hobbyist so my knowledge of the best security practices is lacking. Any advice, or suggestions on tutorials?

Comments

  • Set your root password to 'welcome' and make friends with everyone.

  • LeoK Member

    I will take that under advisement

  • I'm joking of course, but imho 'security' has more to do with relations than technicalities.

    Thanked by 1yomero
  • jar Patron Provider, Top Host, Veteran

    First of all, please listen to no one who replies "Install CSF." This is a default/annoying firewall that has literally nothing to do with how most compromises occur.

    Use keys, disable root SSH login, change default SSH port, keep all packages and applications up to date, block access to anything HTTP side that people don't need access to (for practical example, blocking script execution in an image folder could stop a ton of Joomla exploits, applicable theory for other purposes).

    Those are my recommendations :)

    Thanked by 2deadbeef matthewvz
  • hostnoob Member
    edited April 2015

    Installing unattended-upgrades on Debian based OSes will help with keeping packages up to date.

  • LeoK Member
    edited April 2015

    Thank you for the insight.

    Matt that is definitely some sound advice, I have noticed reading posts on multiple sites most attacks seem to be personally motivated.

    Jar, I have assumed that IPTables would be the preferred firewall? I have a couple horrible habits that you just mentioned. I know better. Thanks for the motivation.

    hostnoob, just installed- thanks

    Is Fail2ban effective?

  • You don't need a firewall if you don't have a topology to protect (and I suspect you don't). One possible exception is indeed Fail2Ban which uses IPTables to ban people that try to brute-force their way in. But if you follow @Jar 's suggestions ("use keys"), you don't even need that.

    Thanked by 1jar
  • Bruce Member

    google it. there's loads of great blogs on securing your box

    here's one:

    http://zcourts.com/2013/05/27/securing-a-linux-centos-vps-in-10-minutes/#sthash.o9v1JTvC.dpbs

    some things to work on:
    start with using a strong password, until you...
    use keys (disable password authentication)
    disable login as root user

    then consider protecting from bruteforce. csf or fail2ban. but you could just lock down access to your IP, if you have a fixed IP.

  • LeoK Member

    Jar said: block access to anything HTTP side that people don't need access to

    Can you elaborate on this a little more?

  • @LeoK said:

    Can you elaborate on this a little more?

    E.g. /wp-admin/ or wp-logon.php

    Basically restrict access to minimize entry points. These examples are for WordPress, but whatever your application is.

  • I use Debian. I have changed the SSH port to an unusual number (not 2222) and disabled password authentication.

    If you really want to take another step further (what I'm intending to do) you can disable root login and bind to a specific IP address and even allow selected IPs only to login.
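
An added example, not part of any post in this thread: a small audit of an `sshd_config` against the SSH settings recommended above (no root login, no password authentication, non-default port). The sample configs, port 49222 and the function names are constructed for illustration; the defaults passed in are upstream OpenSSH's.

```sh
#!/bin/sh
# sshd uses the FIRST value it reads for each keyword, so a later
# "PermitRootLogin no" does not undo an earlier "PermitRootLogin yes".

# effective_value FILE KEYWORD DEFAULT: first global value, lower-cased.
effective_value() {
    awk -v key="$2" -v val="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }          # comments and blank lines
        tolower($1) == "match" { exit }         # Match blocks are conditional
        tolower($1) == key { val = $2; exit }   # first occurrence wins
        END { print tolower(val) }
    ' "$1"
}

# audit_sshd FILE: compare the effective values with the thread's advice.
# Defaults are upstream OpenSSH's (assumption: the distribution kept them).
audit_sshd() {
    clean=1
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    pass=$(effective_value "$1" PasswordAuthentication yes)
    port=$(effective_value "$1" Port 22)
    if [ "$root" != no ]; then echo "FAIL PermitRootLogin=$root (want no)"; clean=0; fi
    if [ "$pass" != no ]; then echo "FAIL PasswordAuthentication=$pass (want no)"; clean=0; fi
    if [ "$port" = 22 ]; then echo "WARN Port=22 (thread suggests a non-default port)"; clean=0; fi
    if [ "$clean" = 1 ]; then echo "OK"; fi
}

# Constructed sample: looks hardened further down, but the first value wins
# and the commented-out line and the Match block do not count globally.
sample_weak() {
    cat <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PermitRootLogin no
Match Address 203.0.113.0/24
    PasswordAuthentication no
EOF
}

# Constructed sample following the thread's advice.
sample_hardened() {
    printf '%s\n' 'Port 49222' 'PermitRootLogin no' 'PasswordAuthentication no'
}

tmp=$(mktemp)
sample_weak > "$tmp";     audit_sshd "$tmp"
sample_hardened > "$tmp"; audit_sshd "$tmp"
rm -f "$tmp"
```

On a live host, `sshd -T` prints the effective configuration, including any `Include` files, which this parser does not follow.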

  • Nomad Member

    dDos Deflate might come in handy.
    I use this fork of dDos Deflate, it's also effective for IPv6 as well. Basically if someone makes an unusual number of requests to your server within X secs/mins they are blocked. Along with fail2ban it should be effective.

    If you have other people on your machines, try limiting their access. Maybe run separate php pools and never leave something on chmod 777.

    Thanked by 1deadbeef
  • jar Patron Provider, Top Host, Veteran
    edited April 2015

    @LeoK said:
    Can you elaborate on this a little more?

    Pretty much anything people don't need access to, like let's say configuration.php of random script. They try to execute it, nothing happens, but I'm still going to do this on Apache (because I like Apache):

    <FilesMatch "configuration.php">
    Deny from all
    </FilesMatch>

    Or if a directory should only have images, and your script uploads to that directory, let's make sure no one can execute a script in that directory in case they manage to get a file through:

    <Files *.php>
    Deny from all
    </Files>

    Little things like this can seem pointless but it's a few minutes taken to potentially prevent a negative impact from future discovered exploits in common software.
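
An added example, not from the thread: a check that an image-only upload directory contains no scripts and nothing world-writable, covering jar's upload-folder rule and Nomad's `chmod 777` point. The list of image extensions, the function names and the sample tree are assumptions.

```sh
#!/bin/sh
# Assumed image extensions: jpg, jpeg, png, gif, webp.

# scan_uploads DIR: report files that break the "images only" rule.
scan_uploads() {
    dir=$1
    find "$dir" -type f | sort | while IFS= read -r path; do
        name=$(printf '%s' "${path##*/}" | tr '[:upper:]' '[:lower:]')
        case $name in
            # A script extension anywhere in the name: x.php.jpg ends in .jpg
            # but can still be handled as PHP when the server maps handlers
            # with AddHandler, and a <Files *.php> rule does not match it.
            *.php|*.php.*|*.php[0-9]|*.phtml|*.phtml.*|*.phar|*.phar.*)
                echo "SCRIPT $path" ;;
            *.jpg|*.jpeg|*.png|*.gif|*.webp) ;;
            *)  echo "NOT-IMAGE $path" ;;
        esac
    done
    # World-writable files or directories (the "chmod 777" habit).
    find "$dir" ! -type l -perm -0002 | sort | sed 's/^/WORLD-WRITABLE /'
}

# Constructed sample tree: one clean image and four problems.
make_sample_uploads() {
    d=$(mktemp -d)
    : > "$d/cat.jpg"
    : > "$d/shell.php"
    : > "$d/pic.PHP.jpg"
    : > "$d/notes.txt"
    : > "$d/open.png"
    chmod 777 "$d/open.png"
    echo "$d"
}

uploads=$(make_sample_uploads)
scan_uploads "$uploads"
rm -rf "$uploads"
```

Run from cron against the real upload path, any output line is something to review.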

  • @Bruce said:
    google it. there's loads of great blogs on securing your box

    The primary problem for a novice is to tell great blogs from would-be great.

    1. Use Aide/Tripwire to check for possible intrusions
    2. Run rkhunter on a periodic basis
    3. Set up backups for configuration/your data, to always have at least a day-old copy
  • LeoK Member

    Speaking of security I am having trouble responding to this thread, Cloudflare keeps locking me out.
