Secure VPS in Ubuntu 20.04
SSH
ssh [email protected] -i C:\Users\Madindo\.ssh\my_vps_root
<aside>
💡
i can make config file like in linux for the config ssh in windows
</aside>



User
adduser madindo
deluser madindo {--remove-home} {--backup}
ssh madindo@ip -i C:\Users\madin\.ssh\id_rsa
# to create ssh
ssh-keygen
# can assign user to /home/madindo/.ssh/authorized_keys
# assign user to sudo
adduser madindo sudo
# previous command but sudo
# if i made
apt-update
sudo !! # this become sudo apt-update
Connecting to github
ssh -T [email protected] # need sudo
Preventing the use of password and root to login to vps
sudo nano /etc/ssh/sshd_config
PermitRootLogin yes # change yes to no
PasswordAuthentication no # change it to no
ChallengeResponseAuthentication no # change to no
#restart ssh
sudo systemctl reload ssh.service
sudo root -
Setting up UFW firewall
ufw --help
sudo ufw status # check current firewall
sudo ufw app list # list available application
sudo ufw allow OpenSSH # allow OpenSSH
sudo ufw enable # don't forget to allow OpenSSH
sudo ufw status verbose # to see more
Fail2Ban (protecting ssh)
sudo apt install fail2ban
nano fail2ban.conf
sudo nano jail.local # local conf
[DEFAULT]
bantime = 3h
maxretry = 3
[sshd]
enabled = true
sudo systemctl restart fail2ban.service
sudo fail2ban-client status # check status
sudo fail2ban-client status sshd # check status sshd
sudo fail2ban-client set sshd unbanip 170.15.12.32 # to unban
Nginx
sudo apt install nginx # install
sudo systemctl status nginx.service # check status
sudo ufw app list # list of firewall
sudo ufw allow "Nginx Full" # adding Nginx full to our firewall
Mysql
sudo apt install mysql-server
sudo mysql_secure_installation
# Validate password - y
# choose strength
# remove anonymous users - y
# disallow root login remotely - y
# remove test db - y
# reload priviledge table - y
mysql --version # to check version
mysql -u root -p # enter - error need to fix authentication
sudo mysql -u root -p # enter - will work
CREATE USER supersecuredomain_com@localhost IDENTIFIED BY 'Pasword123'
CREATE DATABASE supesecuredomain_com;
GRANT ALL PRIVILEGES ON supersecuredomain_com.* TO supersecuredomain_com@localhost;
SSH Tunnel
ssh user@IP -L 3333:localhost:3306 -N
ssh my_vps_juanmegon -L 3333:localhost:3306 -N
Preventing access .htaccess and .git files
# /etc/nginx/sites-available/default
location ~ /\.ht {
deny all;
}
location ~ /\.git {
deny all;
}
Hiding nginx signature
# /etc/nginx/nginx.conf
server_tokens off;
Avoiding different types of web attack
# /etc/nginx/fastcgi-php.conf
sudo nano snippets/security-headers.conf
# avoid iframe from different origins
add_header X-Frame-Options SAMEORIGIN;
# avoid MIME type sniff
add_header X-Content-Type-Options nosniff;
# avoid xss attacks
add_header X-XSS-Protection "1; mode=block";
# referrer policy, only full path on same origin
add_header Referrer-Policy "strict-origin-when-cross-origin";
# include the snippets
# /etc/nginx/sites-available/*
include snippets/security-headers.conf
# check in securityheaders.com
Enabling compression in nginx with Gzip
# nginx.conf
gzip_vary on;
#gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml+rss text/javascript;
Mitigating Dos and Ddos attack on nginx
#Define limit connection zone called conn_limit_per_id with memory size 15m based on the unique IP
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:15m;
#Define limit request to 40/sec in zone called req_limit_per_ip memory size 15m based on IP
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:15m rate=40r/s;
#Using the zone called conn_limit_per_ip with max 40 connections per IP
limit_conn conn_limit_per_ip 40;
#Using the zone req_limit_per_ip with an exceed queue of size 40 without delay for the 40 additional
limit_req zone=req_limit_per_ip burst=40 nodelay;
#Do not wait for the client body or headers more than 5s (avoid slowloris attack)
client_body_timeout 5s;
client_header_timeout 5s;
send_timeout 5;
#Establishing body and headers max size to avoid overloading the server I/O
client_body_buffer_size 256k;
client_header_buffer_size 2k;
client_max_body_size 3m;
large_client_headers_buffers 2 2k;
# apply to nginx.conf
include snippets/dos-protection.conf;
Preventing nginx site from being “hijacked”
#site-available/domain
server {
listen 80 default_server;
listen [::]:80 default_server;
return 301 <http://www.domain.com>;
}
LetsEncrypt
# certbot.eff.org
# using snap
sudo snap install --classic certbot
certbot --help
sudo certbot --nginx --hsts --staple-ocsp --must-staple -d supersecuredomain.com -d www.supersecuredomain.com
# add your email
sudo certbot certificates
sudo certbot renew
sudo systemctl list-timers
sudo certbot revoke --cert-name=test.supersecuredomain.com
Nginx https
# to add http2
server{
listen 443 ssl http2;
}
# find tool http2 to check
PHP-FPM
sudo apt install php-fpm
sudo add-apt-repository ppa:ondrej/php
sudo apt update
sudo apt install php-fpm
#location of php
cd /etc/php/7.4
/fpm/php.ini
cgi.fix_pathinfo=1 # change to 0 if there's main.php we don't want to to call that
sudo systemctl reload php7.4-fpm.service
/var/log/php7.4-fpm.log
# installing extensions
sudo apt update
sudo apt install php-mysql php-sqlite3 php-curl php-gd php-mbstring php-xml php-xmlrpc php-zip
# installing composer
php -r "copy('<https://getcomposer.org/installer>', 'composer-setup.php');"
php -r "if (hash_file('sha384', 'composer-setup.php') === 'c8b085408188070d5f52bcfe4ecfbee5f727afa458b2573b8eaaf77b3419b0bf2768dc67c86944da1544f06fa544fd47') { echo 'Installer verified'.PHP_EOL; } else { echo 'Installer corrupt'.PHP_EOL; unlink('composer-setup.php'); exit(1); }"
php composer-setup.php
php -r "unlink('composer-setup.php');"
# move to global
sudo mv composer.phar /usr/local/bin/composer
Wordpress
curl -O <https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar>
sudo chmod +x wp-cli.phar
sudo mv wp-cli.phar /usr/local/bin/wp