Jump to content

Harden Linux Web Server

roadracer

By roadracer
in Apache HTTP Server

 Share

Recommended Posts

trq Prolific Member

trq

Posted
Posted

For starters I would be installing from a minimal base, Ubuntu (by default) is rather bloated.

 

From there, there are allot of guides you could follow. The basic steps however are to make sure there is no software installed that doesn't need to be (espeically any daemons / servers), the software you do have is installed and configured properly and that file permissions are setup appropriately.

 

If you google 'hardening linux' or 'securing linux' you'll find a bunch of helpfull guides.

Link to comment
Share on other sites
neogranas Newbie

neogranas

Posted
Posted

I use a Red Hat based system, but you may look if fail2ban is available through apt. It works from iptables to find anyone trying to log into your system and failing within parameters. Mine looks for anyone trying to get in through SSH or FTP but fails on the login 3 times within a minute. If that happens, it bans their IP for 6 months. You can set the amount of failures within whatever time and how long you want to ban. You can also set it to allow your IP no matter how many times you fail the login, which prevents you from banning your own IP.

Link to comment
Share on other sites
corbin Regular Member

corbin

Posted
Posted

I use a Red Hat based system, but you may look if fail2ban is available through apt. It works from iptables to find anyone trying to log into your system and failing within parameters. Mine looks for anyone trying to get in through SSH or FTP but fails on the login 3 times within a minute. If that happens, it bans their IP for 6 months. You can set the amount of failures within whatever time and how long you want to ban. You can also set it to allow your IP no matter how many times you fail the login, which prevents you from banning your own IP.

 

 

I got my self banned from a server once...  It was very awkward, ya know, since it was hosting a web site of mine.  lol.  Luckily my ISP does IPs based on MACs and my router (like most) can change MAC addresses.

Link to comment
Share on other sites
roadracer Newbie

roadracer

Posted
  • Author
Posted

I use a Red Hat based system, but you may look if fail2ban is available through apt. It works from iptables to find anyone trying to log into your system and failing within parameters. Mine looks for anyone trying to get in through SSH or FTP but fails on the login 3 times within a minute. If that happens, it bans their IP for 6 months. You can set the amount of failures within whatever time and how long you want to ban. You can also set it to allow your IP no matter how many times you fail the login, which prevents you from banning your own IP.

 

I will check it out.  Perhaps fail2ban would be a good thing to have on the web server in case I don't get my new routing/firewall rules just right.  I could also just as easily run my webs on CentOS or stripped down Fedora and not Ubuntu.

 

I am thinking about using the Debian-based pfSense distro on a dedicated server as a firewall with multiple NICs and VLANS for my different LAN and DMZ subnets.  I think this will be more secure than my current multiple router with DMZ setup--even for the present Windows servers.

 

The more one learns, the more choices must be made...

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.