Secure VPS in Ubuntu 20.04

SSH

ssh [email protected] -i C:\Users\Madindo\.ssh\my_vps_root

<aside>
💡

i can make config file like in linux for the config ssh in windows

</aside>

image.png
image.png
image.png

User

adduser madindo
deluser madindo {--remove-home} {--backup}

ssh madindo@ip -i C:\Users\madin\.ssh\id_rsa

# to create ssh
ssh-keygen

# can assign user to /home/madindo/.ssh/authorized_keys

# assign user to sudo
adduser madindo sudo

# previous command but sudo
# if i made
apt-update
sudo !! # this become sudo apt-update

Connecting to github

ssh -T [email protected] # need sudo

Preventing the use of password and root to login to vps

sudo nano /etc/ssh/sshd_config

PermitRootLogin yes # change yes to no
PasswordAuthentication no # change it to no
ChallengeResponseAuthentication no # change to no

#restart ssh
sudo systemctl reload ssh.service

sudo root -

Setting up UFW firewall

ufw --help
sudo ufw status # check current firewall
sudo ufw app list # list available application
sudo ufw allow OpenSSH # allow OpenSSH
sudo ufw enable # don't forget to allow OpenSSH
sudo ufw status verbose # to see more

Fail2Ban (protecting ssh)

sudo apt install fail2ban
nano fail2ban.conf

sudo nano jail.local # local conf
[DEFAULT]
bantime = 3h
maxretry = 3

[sshd]
enabled = true

sudo systemctl restart fail2ban.service

sudo fail2ban-client status # check status

sudo fail2ban-client status sshd # check status sshd

sudo fail2ban-client set sshd unbanip 170.15.12.32 # to unban

Nginx

sudo apt install nginx # install

sudo systemctl status nginx.service # check status

sudo ufw app list # list of firewall

sudo ufw allow "Nginx Full" # adding Nginx full to our firewall

Mysql

sudo apt install mysql-server

sudo mysql_secure_installation
# Validate password - y
# choose strength
# remove anonymous users - y
# disallow root login remotely - y
# remove test db - y
# reload priviledge table - y

mysql --version # to check version

mysql -u root -p # enter - error need to fix authentication

sudo mysql -u root -p # enter - will work

CREATE USER supersecuredomain_com@localhost IDENTIFIED BY 'Pasword123'
CREATE DATABASE supesecuredomain_com;
GRANT ALL PRIVILEGES ON supersecuredomain_com.* TO supersecuredomain_com@localhost;

SSH Tunnel

ssh user@IP -L 3333:localhost:3306 -N
ssh my_vps_juanmegon -L 3333:localhost:3306 -N

Preventing access .htaccess and .git files

# /etc/nginx/sites-available/default
location ~ /\.ht {
	deny all;
}
location ~ /\.git {
	deny all;
}

Hiding nginx signature

# /etc/nginx/nginx.conf
server_tokens off;

Avoiding different types of web attack

# /etc/nginx/fastcgi-php.conf

sudo nano snippets/security-headers.conf
# avoid iframe from different origins
add_header X-Frame-Options SAMEORIGIN;

# avoid MIME type sniff
add_header X-Content-Type-Options nosniff;

# avoid xss attacks
add_header X-XSS-Protection "1; mode=block";

# referrer policy, only full path on same origin
add_header Referrer-Policy "strict-origin-when-cross-origin";

# include the snippets
# /etc/nginx/sites-available/*
include snippets/security-headers.conf

# check in securityheaders.com

Enabling compression in nginx with Gzip

# nginx.conf
gzip_vary on;
#gzip_proxied any;
gzip_comp_level 6;
gzip_buffers 16 8k;
gzip_http_version 1.1;
gzip_types text/plain text/css application/json application/javascript text/xml application/xml+rss text/javascript;

Mitigating Dos and Ddos attack on nginx

#Define limit connection zone called conn_limit_per_id with memory size 15m based on the unique IP
limit_conn_zone $binary_remote_addr zone=conn_limit_per_ip:15m;

#Define limit request to 40/sec in zone called req_limit_per_ip memory size 15m based on IP
limit_req_zone $binary_remote_addr zone=req_limit_per_ip:15m rate=40r/s;

#Using the zone called conn_limit_per_ip with max 40 connections per IP
limit_conn conn_limit_per_ip 40;

#Using the zone req_limit_per_ip with an exceed queue of size 40 without delay for the 40 additional
limit_req zone=req_limit_per_ip burst=40 nodelay;

#Do not wait for the client body or headers more than 5s (avoid slowloris attack)
client_body_timeout 5s;
client_header_timeout 5s;
send_timeout 5;

#Establishing body and headers max size to avoid overloading the server I/O
client_body_buffer_size 256k;
client_header_buffer_size 2k;
client_max_body_size 3m;
large_client_headers_buffers 2 2k;

# apply to nginx.conf
include snippets/dos-protection.conf;

Preventing nginx site from being “hijacked”

#site-available/domain
server {
	listen 80 default_server;
	listen [::]:80 default_server;
	return 301 <http://www.domain.com>;
}

LetsEncrypt

# certbot.eff.org

# using snap
sudo snap install --classic certbot
certbot --help
sudo certbot --nginx --hsts --staple-ocsp --must-staple -d supersecuredomain.com -d www.supersecuredomain.com
# add your email
sudo certbot certificates
sudo certbot renew

sudo systemctl list-timers

sudo certbot revoke --cert-name=test.supersecuredomain.com

Nginx https

# to add http2
server{
	listen 443 ssl http2;
}

# find tool http2 to check

PHP-FPM

sudo apt install php-fpm
sudo add-apt-repository ppa:ondrej/php
sudo apt update
sudo apt install php-fpm

#location of php
cd /etc/php/7.4

/fpm/php.ini
cgi.fix_pathinfo=1 # change to 0 if there's main.php we don't want to to call that

sudo systemctl reload php7.4-fpm.service

/var/log/php7.4-fpm.log
# installing extensions
sudo apt update
sudo apt install php-mysql php-sqlite3 php-curl php-gd php-mbstring php-xml php-xmlrpc php-zip
# installing composer
php -r "copy('<https://getcomposer.org/installer>', 'composer-setup.php');"
php -r "if (hash_file('sha384', 'composer-setup.php') === 'c8b085408188070d5f52bcfe4ecfbee5f727afa458b2573b8eaaf77b3419b0bf2768dc67c86944da1544f06fa544fd47') { echo 'Installer verified'.PHP_EOL; } else { echo 'Installer corrupt'.PHP_EOL; unlink('composer-setup.php'); exit(1); }"
php composer-setup.php
php -r "unlink('composer-setup.php');"

# move to global
sudo mv composer.phar /usr/local/bin/composer

Wordpress

curl -O <https://raw.githubusercontent.com/wp-cli/builds/gh-pages/phar/wp-cli.phar>
sudo chmod +x wp-cli.phar
sudo mv wp-cli.phar /usr/local/bin/wp

Subscribe to Building software. Writing what I learn.

Don’t miss out on the latest issues. Sign up now to get access to the library of members-only issues.
[email protected]
Subscribe