Description & Precautions
Security is not a light subject. Do not test any of these things on a server that is currently working and in use: you can break it, lock yourself out so that you are unable to reconnect and fix the problem, or worse.
Use a local system, a virtual machine or container manager such as Vagrant or Docker, or a VPS dedicated to development and testing. Do not apply any of these measures to a production system until you have read, understood and tried them yourself in a proper testing environment.
Filesystem Security
- chmod – Linux user/group/other permission (mode) manipulation command. Run man chmod on any Linux or Unix-based system for details.
- chown – Linux user/group ownership manipulation command. Run man chown on any Linux or Unix-based system for details.
- sudo – "Super User do": issue commands on the system with elevated user privileges.
- SSH – Secure Shell: a way to connect securely to remote or local systems via command line / terminal / console, or to transfer files via SFTP; contains both a client and a server component.
- SELinux – Security-Enhanced Linux: mandatory access control for advanced users, which defines and enforces type, role and security-context policies for access to, and execution of, system resources.
- AIDE – Advanced Intrusion Detection Environment: a file integrity checker. Its baseline database must be built on a clean, freshly installed system, preferably before it has ever been connected to the Internet; a baseline taken from an already compromised system would simply record the attacker's changes as normal.
- OSSEC – open source host-based intrusion detection system (HIDS) with log analysis, file integrity monitoring, rootkit detection and active response. Like AIDE, install it and take its baseline on a clean, freshly installed system.
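As an added example (not code from the original page, nor from the AIDE or OSSEC projects), the following script applies the chmod/chown advice above to a WordPress document root and then takes an AIDE-style integrity baseline that records mode, owner and SHA-256 for every file, so that a later run reports anything added, removed or altered. It assumes Linux with GNU coreutils (stat -c, sha256sum, sort -z), a web-server account named by WEB_USER/WEB_GROUP (www-data by default, an assumption), and that wp-config.php is the only file holding secrets; the function names are hypothetical and AIDE itself keeps a far richer database.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page: chmod/chown hardening of a
# WordPress document root, followed by an AIDE-style integrity baseline.
# Assumptions (hypothetical): GNU coreutils, the web server runs as
# WEB_USER:WEB_GROUP, wp-config.php is the only file that holds secrets.
# Paths containing tabs or newlines are not handled.
set -euo pipefail

WEB_USER=${WEB_USER:-www-data}
WEB_GROUP=${WEB_GROUP:-www-data}

# harden_wp_perms DIR: directories 755, files 644, wp-config.php 640 so that
# other local accounts cannot read the database password. Ownership is only
# changed when running as root and the web user/group actually exist.
harden_wp_perms() {
    local root=$1
    if [ "$(id -u)" -eq 0 ] && getent passwd "$WEB_USER" >/dev/null \
       && getent group "$WEB_GROUP" >/dev/null; then
        chown -R "$WEB_USER:$WEB_GROUP" "$root"
    fi
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
}

# integrity_baseline DIR: one line per regular file,
#   <path> TAB <mode:owner:group> TAB <sha256>
# sorted with LC_ALL=C so the output is deterministic. Run this on the clean
# install and store the result where the web server cannot write to it.
integrity_baseline() {
    local root=$1
    (
        cd "$root"
        find . -type f -print0 | LC_ALL=C sort -z | while IFS= read -r -d '' f; do
            printf '%s\t%s\t%s\n' "$f" "$(stat -c '%a:%U:%G' "$f")" \
                "$(sha256sum "$f" | cut -d' ' -f1)"
        done | LC_ALL=C sort
    )
}

# integrity_check DIR BASELINE: rebuild the listing and print the path of every
# file that was added, removed, or changed in content, mode or owner.
# Returns 1 if anything differs, 0 if the tree still matches the baseline.
integrity_check() {
    local root=$1 baseline=$2 current diffs
    current=$(mktemp)
    integrity_baseline "$root" > "$current"
    # comm needs sorted input; both listings are LC_ALL=C sorted above.
    # Lines only in the baseline (-23) or only in the current listing (-13)
    # each carry the affected path in their first tab-separated field.
    diffs=$( { LC_ALL=C comm -23 "$baseline" "$current"
               LC_ALL=C comm -13 "$baseline" "$current"; } \
             | cut -f1 | LC_ALL=C sort -u)
    rm -f "$current"
    if [ -n "$diffs" ]; then
        printf '%s\n' "$diffs"
        return 1
    fi
    return 0
}

# Usage (paths are examples):
#   harden_wp_perms /var/www/html
#   integrity_baseline /var/www/html > /root/wp-baseline.tsv
#   integrity_check /var/www/html /root/wp-baseline.tsv   # later, e.g. from cron
```

Keep the baseline file outside the document root and unreadable by the web-server user; if an attacker who has compromised the site can rewrite the baseline, the check proves nothing.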
Webserver Security
- SSL/TLS certificates with strong encryption
- Securing Apache httpd – Common-sense tips for more completely securing your Apache httpd configuration.
- PHP-FPM – DocumentRoot chrooting, PHP directive segregation, CGI PHP processing, and much more.
- suhosin – PHP code vulnerability protection. Note that Suhosin targets PHP 5 and is largely unmaintained for current PHP releases.
All modern websites should be using SSL/TLS certificates regardless of content or purpose. TLS (still commonly called SSL) encrypts the traffic between your website and its visitors, and the certificate lets the visitor's browser verify that it is talking to your server rather than an impostor; together they prevent many forms of attack against both users and your server, such as eavesdropping, session hijacking on shared networks and injection of content into your pages. Basic certificates are now low cost or free from several Certificate Authorities, notably the Let's Encrypt Project (run by the Internet Security Research Group and sponsored by Google, Automattic, the Mozilla Foundation and many others). StartSSL, once a popular free option, has since been distrusted by the major browsers and should no longer be used.
Networking Security
- iptables/ip6tables (Netfilter) – The most commonly recognised firewall software on Linux.
- Firewalld – A firewall management daemon introduced by Fedora and Red Hat that configures policy in terms of "zones and services" instead of raw "chains and rules" (iptables/netfilter); underneath it still drives netfilter, via iptables or, on current releases, nftables.
- Fail2Ban – Scans log files for repeated failures (SSH logins, web logins, etc.) and adds temporary ban entries to the firewall based on pre-configured default or custom filters and jails.
- Denyhosts – Adds ban entries to /etc/hosts.deny (TCP wrappers) rather than to the firewall, so it only protects services that still honour hosts.deny; note that OpenSSH dropped TCP wrappers support in version 6.7, which makes Denyhosts ineffective for sshd on current systems.
- mod_evasive – Evasive maneuvers module for Apache httpd to provide evasive action in the event of an HTTP DoS or DDoS attack or a brute-force attack. It is also designed to be a detection tool, and can be configured to talk to ipchains, firewalls, routers, etc.
- mod_security – An Apache httpd module (web application firewall) that helps to protect your website from various attacks. It blocks commonly known exploits by means of regular expressions and rule sets. This is an aggressive module which requires time and study to understand and deploy correctly without blocking legitimate traffic.
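To make concrete what Fail2Ban does with the log-to-firewall approach described above, here is an added example (not code from the original page and not part of Fail2Ban itself): a stripped-down model with two "filters", one for sshd password failures and one for POSTs to wp-login.php that WordPress answered with 200 (the login form re-displayed, i.e. a failed login; a successful one redirects with 302), a "jail" threshold (maxretry), and the iptables action the default Fail2Ban action would take, printed rather than executed. The log lines are constructed sample data using documentation IP ranges; the function names are hypothetical, and the findtime/bantime windows that Fail2Ban also applies are omitted.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page or from the Fail2Ban project:
# a minimal model of Fail2Ban's filter -> jail -> action pipeline.
# Log lines below are constructed sample data (documentation IP ranges).
set -euo pipefail

SAMPLE_AUTH_LOG='Mar 10 12:00:01 web1 sshd[2201]: Failed password for root from 203.0.113.7 port 51000 ssh2
Mar 10 12:00:03 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51002 ssh2
Mar 10 12:00:05 web1 sshd[2201]: Failed password for invalid user oracle from 203.0.113.7 port 51004 ssh2
Mar 10 12:00:09 web1 sshd[2207]: Accepted publickey for deploy from 198.51.100.22 port 40010 ssh2
Mar 10 12:00:11 web1 sshd[2210]: Failed password for deploy from 198.51.100.22 port 40012 ssh2'

SAMPLE_ACCESS_LOG='192.0.2.50 - - [10/Mar/2024:12:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
192.0.2.50 - - [10/Mar/2024:12:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
192.0.2.50 - - [10/Mar/2024:12:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321
192.0.2.50 - - [10/Mar/2024:12:01:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.22 - - [10/Mar/2024:12:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4321'

# Filter "sshd": one failed password attempt -> "sshd <ip>".
# "invalid user" is optional so unknown accounts are counted too.
filter_sshd() {
    sed -n -E 's/.*sshd\[[0-9]+\]: Failed password for (invalid user )?[^ ]+ from ([0-9.]+) port.*/sshd \2/p'
}

# Filter "wp-login": a POST to wp-login.php answered with 200 means WordPress
# re-displayed the form, i.e. the login failed; success redirects (302).
filter_wplogin() {
    awk '$6 == "\"POST" && $7 == "/wp-login.php" && $9 == 200 { print "wp-login", $1 }'
}

# ban_list MAXRETRY: read "<jail> <ip>" lines on stdin and print
# "<jail> <ip> <count>" for every IP at or over the threshold.
ban_list() {
    local maxretry=$1
    sort | uniq -c | awk -v max="$maxretry" '$1 >= max { print $2, $3, $1 }'
}

# ban_rule JAIL IP: the rule the default Fail2Ban iptables action inserts into
# the per-jail chain f2b-<jail>. Printed only; apply it yourself if wanted.
ban_rule() {
    printf 'iptables -I f2b-%s 1 -s %s -j REJECT --reject-with icmp-port-unreachable\n' "$1" "$2"
}

# run_sample: both filters over the sample logs, jail threshold of 3.
run_sample() {
    {
        printf '%s\n' "$SAMPLE_AUTH_LOG" | filter_sshd
        printf '%s\n' "$SAMPLE_ACCESS_LOG" | filter_wplogin
    } | ban_list 3
}

# Turn each over-threshold entry into the firewall rule it would trigger.
run_sample | while read -r jail ip count; do
    ban_rule "$jail" "$ip"
done
```

Run on the sample data, the sshd jail catches 203.0.113.7 (three failures) but not 198.51.100.22 (one failure, one successful key login), and the wp-login jail catches 192.0.2.50. The real Fail2Ban additionally counts only within a time window (findtime) and lifts the ban after bantime; without that, a single mistyped password per week would eventually ban a legitimate user.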
Database Security
- Securing your databases: https://mariadb.com/kb/en/mariadb/securing-mariadb/
- Test and refine your setup with the mysql-tuning-primer script. Currently the script handles recommendations for the following:
  - Slow Query Log
  - Max Connections
  - Worker Threads
  - Memory Usage
  - Key Buffer
  - Query Cache
  - Sort Buffer
  - Joins
  - Temp Tables
  - Table (Open & Definition) Cache
  - Table Scans (read_buffer)
  - Table Locking
  - InnoDB Status
We are generally focused on MariaDB for practical purposes; most of these tactics will work with MySQL as well but may require some tweaking of syntax. Here are a few things you can add to your main config to prevent some common problems.
/etc/my.cnf.d/server.cnf:
```ini
[mariadb]
# Disabling symbolic links is recommended to prevent assorted security risks
symbolic-links=0
# Disable LOAD DATA LOCAL INFILE to prevent remote injections: through SQL
# injection an attacker could otherwise read files from the application host
# into the database.
local-infile=0
# If the database server will be used only by locally installed applications,
# we can freely disable listening on port 3306.
# This limits the possibilities of attacking the database server by direct
# TCP/IP connections from other hosts.
# Local communication is still possible through the mysql.sock Unix socket.
skip-networking
```
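A configuration file that merely contains the three directives above is not the same as one that enables them: a leading # comments a line out, MariaDB accepts option names with either - or _ and with spaces around =, and a directive placed under [client] instead of [mysqld]/[mariadb] does nothing for the server. The following audit function is an added example (not code from the original page or from MariaDB) that normalises all of that before deciding whether each hardening setting is actually active; the function name is hypothetical and the sample configs in the usage are constructed.

```bash
#!/usr/bin/env bash
# Added example, not code from the original page: check that the three
# hardening directives are really active in a MariaDB/MySQL config file.
# Handles commented-out lines, '-' vs '_' in option names, "key = value"
# spacing, ON/OFF values, skip-symbolic-links, and ignores other sections.
set -euo pipefail

# audit_mycnf FILE: prints "OK <directive>" or "MISSING <directive>" for each
# of symbolic-links=0, local-infile=0, skip-networking; exit status 1 if any
# is missing, 0 if all three are in force.
audit_mycnf() {
    awk '
        function norm(s) { gsub(/[ \t]/, "", s); gsub(/-/, "_", s); return tolower(s) }
        /^[ \t]*[#;]/ { next }                     # a commented-out line sets nothing
        /^[ \t]*\[/   { sect = norm($0); next }    # [mysqld], [mariadb], [client], ...
        sect == "[mysqld]" || sect == "[mariadb]" {
            line = $0; sub(/[#;].*/, "", line)     # strip trailing comments
            line = norm(line)
            if (line == "") next
            n = index(line, "=")
            key = n ? substr(line, 1, n - 1) : line
            val = n ? substr(line, n + 1) : "1"    # bare option == enabled
            if (key == "symbolic_links" && (val == "0" || val == "off")) ok["symbolic-links=0"] = 1
            if (key == "skip_symbolic_links")                             ok["symbolic-links=0"] = 1
            if (key == "local_infile"   && (val == "0" || val == "off")) ok["local-infile=0"] = 1
            if (key == "skip_networking" && (val == "1" || val == "on" || val == "true")) ok["skip-networking"] = 1
        }
        END {
            split("symbolic-links=0 local-infile=0 skip-networking", want, " ")
            bad = 0
            for (i = 1; i <= 3; i++) {
                if (want[i] in ok) { print "OK      " want[i] }
                else               { print "MISSING " want[i]; bad = 1 }
            }
            exit bad
        }' "$1"
}

# Usage: audit_mycnf /etc/my.cnf.d/server.cnf
```

Run it against the template above exactly as written and all three report OK; comment out the directives, or move them under [client], and they report MISSING. Note that this only reads the file: the authoritative answer is what the running server reports via SHOW VARIABLES, since a setting can also come from another included file or from the command line.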
WordPress data validation and sanitization
If you are writing plugins or themes, data validation and sanitization are always a top priority: validate or sanitize every value that arrives from users, the database or third-party APIs before you act on it, and escape it again at the point of output.
- WordPress Codex – Data validation and sanitization
- DevotePress – Data validation and sanitization examples
WordPress Security
Block access to sensitive areas of your WordPress install (wp-admin, themes, plugins, login forms) with plugins; get notifications of attempts and of the actions taken, and weekly reports on outdated plugins, themes or core installation.
WordPress Security Plugins
- WordFence – The Wordfence WordPress security plugin provides free enterprise-class WordPress security, protecting your website from hacks and malware. See Wordfence's own security tips as well.
- iThemes Security – Protect your WordPress site by hiding vital areas of your site, protecting access to important files, preventing brute-force login attempts, detecting
- IP Geo Block – It blocks spam, login attempts and malicious access to the admin area originating from outside your country, and also aims to prevent zero-day exploits.