1. Enable automatic updates
The LAMP stack runs on Linux and benefits from an open-source community that is constantly working to improve it, so it is generally regarded as secure. All security updates and patches can be installed automatically and unattended on an Ubuntu VPS as soon as they are released in the Ubuntu repos, so if you are concerned about security, make sure you configure your system to install them automatically. If you don’t enable this option on your server and don’t manually install the latest upgrades and patches, you’re placing your server at risk of being hacked.
Install the unattended-upgrades package to enable automatic unattended upgrades.
sudo apt-get install unattended-upgrades
Edit the /etc/apt/apt.conf.d/50unattended-upgrades file to specify which package categories should be upgraded automatically.
2. Configure firewall
Another very important aspect of overall security is having a properly configured firewall. ufw is Ubuntu’s default firewall configuration tool, and it’s turned off by default. You can use the following command to enable ufw:
sudo ufw enable
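Allow essential services like OpenSSH and Apache to be accessed. If you are connected over SSH, add the rule for port 22 before running ufw enable so that you don’t lock yourself out: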
sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443
It’s simple to grant access to other services: change the port number in the examples above to the port number of the service you wish to allow. The firewall rules remain active even after the machine is rebooted.
3. Disable unused services
If you have active services that you are not using, you can simply disable them. For example, if you have a service like Dovecot up and running on your server and you are not using it at all, stop and disable the service using the following commands:
sudo systemctl stop dovecot.service
sudo systemctl disable dovecot.service
4. Install Fail2ban
Fail2ban is a service that scans log files for excessive login failures and blocks the IP address that is displaying malicious behaviour. If you don’t use two-factor or public/private key authentication on services like OpenSSH, this service comes in handy. Run the following command to install Fail2ban:
sudo apt-get install fail2ban
Make a copy of the default configuration file so you can make modifications without worrying about system updates overwriting them:
sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
Edit the jail.local file:
sudo nano /etc/fail2ban/jail.local
The [sshd] block should look something like this:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 5
bantime = 600
To make the modifications take effect, save the file and restart Fail2ban:
sudo systemctl restart fail2ban.service
Enable Fail2ban on system boot:
sudo systemctl enable fail2ban.service
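To see what the maxretry threshold in this jail does, the following added example (not part of the original article, and not Fail2ban's own code) replays constructed auth.log lines through the same counting rule. The function names, the sample lines and the 600-second findtime (Fail2ban's default counting window) are assumptions.

```shell
#!/usr/bin/env bash
# Added example: emulate the [sshd] jail threshold over constructed log lines.
# MAXRETRY=5 matches the jail above; FINDTIME=600 is an assumption (Fail2ban's
# default counting window). Only "Failed password" lines are matched here; the
# real sshd filter covers more patterns. Timestamps must fall on a single day.

# Constructed sample in /var/log/auth.log format (documentation IP ranges).
sample_auth_log() {
cat <<'EOF'
Sep 10 12:00:01 web sshd[1001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Sep 10 12:00:03 web sshd[1001]: Failed password for root from 203.0.113.7 port 40001 ssh2
Sep 10 12:00:05 web sshd[1002]: Failed password for invalid user admin from 192.0.2.50 port 50110 ssh2
Sep 10 12:00:06 web sshd[1003]: Failed password for root from 203.0.113.7 port 40002 ssh2
Sep 10 12:00:09 web sshd[1002]: Failed password for invalid user admin from 192.0.2.50 port 50110 ssh2
Sep 10 12:00:10 web sshd[1003]: Failed password for root from 203.0.113.7 port 40002 ssh2
Sep 10 12:00:12 web sshd[1004]: Failed password for invalid user test from 192.0.2.50 port 50111 ssh2
Sep 10 12:00:14 web sshd[1005]: Failed password for root from 203.0.113.7 port 40003 ssh2
Sep 10 12:00:20 web sshd[1004]: Failed password for invalid user test from 192.0.2.50 port 50111 ssh2
Sep 10 12:01:30 web sshd[1006]: Failed password for deploy from 198.51.100.23 port 51822 ssh2
Sep 10 12:01:41 web sshd[1006]: Accepted password for deploy from 198.51.100.23 port 51822 ssh2
Sep 10 12:15:00 web sshd[1007]: Failed password for invalid user admin from 192.0.2.50 port 50200 ssh2
EOF
}

# Print each source IP that reaches MAXRETRY failures within FINDTIME seconds.
would_ban() {
  awk -v maxretry="${MAXRETRY:-5}" -v findtime="${FINDTIME:-600}" '
    / sshd\[[0-9]+\]: Failed password / {
      split($3, t, ":"); now = t[1] * 3600 + t[2] * 60 + t[3]
      ip = ""
      for (i = 1; i < NF; i++) if ($i == "from") ip = $(i + 1)  # last "from" wins
      if (ip == "" || (ip in banned)) next
      n = ++count[ip]; seen[ip, n] = now
      hits = 0                      # failures still inside the sliding window
      for (j = 1; j <= n; j++) if (now - seen[ip, j] < findtime) hits++
      if (hits >= maxretry) { banned[ip] = 1; print ip }
    }'
}

sample_auth_log | would_ban
```

The address 192.0.2.50 also fails five times, but its fifth attempt arrives after the earlier four have aged out of the window, so only 203.0.113.7 is reported.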
5. Hide Apache sensitive information
The default Apache setup exposes a great deal of sensitive information that can be used against the service. It’s critical to keep this information hidden, so create a configuration file for your new settings:
sudo nano /etc/apache2/conf-available/custom.conf
Copy and paste the following text:
ServerTokens Prod
ServerSignature Off
TraceEnable Off
Options -Indexes
Header unset ETag
Header always unset X-Powered-By
FileETag None
If it isn’t already enabled, enable the Apache headers module:
sudo a2enmod headers
Enable the new configuration:
sudo a2enconf custom.conf
To make the modifications take effect, restart Apache:
sudo systemctl restart apache2.service
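A quick way to confirm the settings took effect is to inspect the response headers. This added example (not from the original article) flags the headers that custom.conf is meant to suppress; the sample responses and version strings are constructed, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: flag response headers that the custom.conf settings above
# are meant to suppress. Reads raw HTTP response headers on stdin.

# Constructed sample: headers from an unhardened default setup.
sample_default_headers() {
cat <<'EOF'
HTTP/1.1 200 OK
Date: Fri, 10 Sep 2021 12:00:00 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Powered-By: PHP/7.4.3
ETag: "2aa6-5cb0c1e4f3a40"
Content-Type: text/html; charset=UTF-8
EOF
}

# Constructed sample: headers after ServerTokens Prod and the Header rules.
sample_hardened_headers() {
cat <<'EOF'
HTTP/1.1 200 OK
Date: Fri, 10 Sep 2021 12:00:00 GMT
Server: Apache
Content-Type: text/html; charset=UTF-8
EOF
}

# Print one line per header that still leaks version or fingerprint data.
header_leaks() {
  awk '
    { sub(/\r$/, "") }                      # strip CR from HTTP line endings
    {
      name = tolower($0); sub(/:.*/, "", name)
      value = $0; sub(/^[^:]*:[ \t]*/, "", value)
    }
    # ServerTokens Prod leaves a bare product name, so "/", digits or "(" mean a leak.
    name == "server" && value ~ "[/0-9(]" { print "server-version: " value }
    name == "x-powered-by"                { print "x-powered-by: " value }
    name == "etag"                        { print "etag: " value }
  '
}

sample_default_headers | header_leaks
```

On a live server, feed it real headers with curl -sI http://localhost/ | header_leaks; no output means none of the three headers leaked.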
6. Install and enable mod_security
ModSecurity is a web application firewall (WAF) that can be added to Apache as a separate module. It can be used to protect a web server from a variety of threats, including SQL injections, session hijacking, cross-site scripting, and malicious user agents. Run the following commands to install and enable ModSecurity:
sudo apt-get install libapache2-mod-security2
sudo a2enmod security2
After the module has been installed, you should set it up and enable the OWASP ModSecurity Core Rule Set (CRS).
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
Then, open the /etc/modsecurity/modsecurity.conf file and edit/add the following settings:
SecRuleEngine On
SecResponseBodyAccess Off
SecRequestBodyLimit 8388608
SecRequestBodyNoFilesLimit 131072
SecRequestBodyInMemoryLimit 262144
Save and close the file. Remove the current CRS and download the OWASP CRS by using the following commands:
sudo rm -rf /usr/share/modsecurity-crs
sudo git clone https://github.com/SpiderLabs/owasp-modsecurity-crs.git /usr/share/modsecurity-crs
cd /usr/share/modsecurity-crs
sudo mv crs-setup.conf.example crs-setup.conf
Edit the security2.conf file in /etc/apache2/mods-enabled/security2.conf. It should resemble the following:
<IfModule security2_module>
SecDataDir /var/cache/modsecurity
IncludeOptional /etc/modsecurity/*.conf
IncludeOptional "/usr/share/modsecurity-crs/*.conf"
IncludeOptional "/usr/share/modsecurity-crs/rules/*.conf"
</IfModule>
Finally, to make the modifications take effect, restart Apache:
sudo systemctl restart apache2.service
7. Install and enable mod_evasive
mod_evasive is an Apache module that can help protect the web server against DoS (Denial of Service), DDoS (Distributed Denial of Service), and brute-force attacks. Run the following command to install mod_evasive on your server:
sudo apt-get install libapache2-mod-evasive
Open the default configuration file /etc/apache2/mods-enabled/evasive.conf and edit the settings to look like those below:
<IfModule mod_evasive20.c>
DOSPageCount 5
DOSSiteCount 50
DOSPageInterval 1
DOSSiteInterval 1
DOSBlockingPeriod 600
DOSLogDir "/var/log/mod_evasive"
</IfModule>
Save and close the file. Create a directory for the log files:
sudo mkdir /var/log/mod_evasive
sudo chown -R www-data: /var/log/mod_evasive
Restart Apache:
sudo systemctl restart apache2.service