Description & Precautions

Security is not a light subject. Do not test any of these things on a currently working production server: you can break the server and lock yourself out, unable to reconnect to fix the problem, or worse.

Use a local system, a virtual container manager such as Vagrant or Docker or similar, or a live VPS for development and testing purposes only. Do not employ any of these tactics until you’ve read, understood and tried them yourself sufficiently in a proper testing environment.

Filesystem Security

  • chmod – Linux user / group permissions manipulation command.
  • man chmod on any Linux or Unix-based system.

  • chown – Linux user / group ownership manipulation command.
  • man chown on any Linux or Unix-based system.

  • sudo – Super User ‘do’.
  • Issue commands on the system with elevated user privileges.

  • SSH – Secure Shell.
  • A way to connect securely to remote or local systems via command line / terminal / console or SFTP; contains both a client and a server component.

  • SELinux – Security Enhanced Linux.
  • Advanced-user Mandatory Access Control, which defines and enforces type, role and security-context access and execution policies for system resources.

  • AIDE – Advanced Intrusion Detection Environment.
  • Intrusion detection software; must be installed and configured on a clean, freshly installed system, preferably one that has never been connected to the Internet.

  • OSSEC – Operating System Security.
  • Intrusion detection software; must be installed and configured on a clean, freshly installed system, preferably one that has never been connected to the Internet.
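
A least-privilege layout for a WordPress document root built from the chown and chmod commands above, as an added example that is not from the original page. It assumes a deploy account owns every file and the web server only shares the group (www-data on Debian/Ubuntu, apache on Fedora/RHEL); the helper names harden_webroot, mode_of and world_writable are chosen here.

```shell
#!/bin/sh
# Added example: least-privilege permissions for a WordPress document root.
# Assumed layout: OWNER is a deploy/admin account that owns every file, GROUP is
# the web server's group (www-data or apache), and the web server user is NOT
# the owner, so it can read the site but only write inside wp-content/uploads.
#   directories 750 / files 640   owner rw, web server group read-only, others nothing
#   wp-content/uploads 770 / 660  the one tree the web server process may write to
#   wp-config.php 640             DB credentials readable only by owner and group
harden_webroot() {
    docroot=$1; owner=$2; group=$3
    [ -d "$docroot" ] || { echo "not a directory: $docroot" >&2; return 1; }
    chown -R "$owner:$group" "$docroot"
    find "$docroot" -type d -exec chmod 750 {} +
    find "$docroot" -type f -exec chmod 640 {} +
    if [ -d "$docroot/wp-content/uploads" ]; then
        find "$docroot/wp-content/uploads" -type d -exec chmod 770 {} +
        find "$docroot/wp-content/uploads" -type f -exec chmod 660 {} +
    fi
    if [ -f "$docroot/wp-config.php" ]; then
        chmod 640 "$docroot/wp-config.php"
    fi
}

# Octal mode of a path (GNU stat), used to verify the result.
mode_of() {
    stat -c '%a' "$1"
}

# Audit: list anything under DOCROOT that is world-writable (o+w). After
# hardening this prints nothing. Symlinks are skipped; their mode is meaningless.
world_writable() {
    find "$1" ! -type l -perm -002
}
```

Run as root, e.g. `harden_webroot /var/www/html deploy www-data`; if the web server user is made the owner instead, every file becomes writable by the process that serves untrusted requests and the layout protects nothing.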

Webserver Security

  • SSL/TLS Certificates with strong encryption
  • All modern websites should be using SSL/TLS certificates regardless of content or purpose. SSL/TLS certificates provide an encrypted communication stream between your website and its visitors and prevent many forms of attack against both users and your server. Basic SSL/TLS certificates are low cost or often free now through many different Certificate Authorities such as StartSSL and the Let’s Encrypt Project sponsored by Google, Automattic, Mozilla Foundation and many others.

  • Securing Apache httpd – Common sense tips for more completely securing your Apache httpd configuration.
  • PHP-FPM – DocumentRoot chrooting, PHP directive segregation, CGI PHP processing, and much more.
  • suhosin – PHP code vulnerability protection.

Networking Security

  • iptables/ip6tables (Netfilter) – The most commonly recognised firewall software.
  • Firewalld – A new firewall introduced by Fedora and Red Hat that uses ‘zones and services’ instead of ‘chains and rules’ (iptables/netfilter).
  • Fail2Ban – Adds ban entries to the firewall chain based on pre-configured default or custom rules.
  • Denyhosts – Adds ban entries to /etc/hosts.deny rather than to the firewall, which is what distinguishes it from Fail2Ban.
  • mod_evasive – Evasive maneuvers module for Apache httpd to provide evasive action in the event of an HTTP DoS or DDoS attack or brute force attack. It is also designed to be a detection tool, and can be easily configured to talk to ipchains, firewalls, routers, etc.
  • mod_security – An Apache httpd module that helps to protect your website from various attacks. It is used to block commonly known exploits by means of regular expressions and rule sets. This is an aggressive module which requires time and study to understand and deploy correctly.

Database Security

  • Securing your databases: https://mariadb.com/kb/en/mariadb/securing-mariadb/
  • Test and refine your setup: mysql-tuning-primer-script (right click and “save as..”)
  • Currently the script handles recommendations for the following:

    • Slow Query Log
    • Max Connections
    • Worker Threads
    • Memory Usage
    • Key Buffer
    • Query Cache
    • Sort Buffer
    • Joins
    • Temp Tables
    • Table (Open & Definition) Cache
    • Table Scans (read_buffer)
    • Table Locking
    • Innodb Status
  • We are generally focused on MariaDB for practical purposes; however, many of these same tactics will work with MySQL as well, though they might require some tweaking of syntax. Here are a few things you can add into your main config to prevent some common problems.

/etc/my.cnf.d/server.cnf/

WordPress data validation and sanitization

Also, if you’re writing plugins or themes, it’s always a top priority to think about data validation and sanitization.

WordPress Security

Block access to sensitive areas (wp-admin, themes, plugins, login forms) of your WordPress install with plugins, get notifications of attempts and actions taken and weekly reports about outdated plugins, themes or core installation.

WordPress Security Plugins

WordFence
The Wordfence WordPress security plugin provides free enterprise-class WordPress security, protecting your website from hacks and malware. Read about WordFence’s security tips here.
iThemes Security
Protect your WordPress site by hiding vital areas of your site, protecting access to important files, preventing brute-force login attempts, detecting
IP Geo Block
It blocks spam, login attempts and malicious access to the admin area posted from outside your nation, and also prevents zero-day exploits.
Last Modified: 18 Feb, 2016 at 10:43:41