- Update frequently
- Replace passwords frequently while verifying at least 8 characters long (lower and upper case alphabets, numbers and symbols) and set up Two-Factor Authentication
- Verify that there is a firewall and DDOS protection
- Config the Intrusion Prevention System (enable mod_remoteip if used with reverse proxy)
- Set up hiding of the web server details
- Scan the server files and pass on the logs frequently
- Use the user root only if required
- Disallow SSH root connection, in
/etc/ssh/sshd_configuse the directive:
PermitRootLogin no- Define which logs will be saved and where in the file
/etc/rsyslog.conf.
- Config the intrusion prevention system Fail2ban:
Activate mod_remoteip (in case of reverse proxy)
Create the /etc/fail2ban/jail.local file and use the commands, for example to enable the recidive SSH protection:
[recidive]
enabled = true
[sshd]
enabled = trueConfig multiple log files:
logpath = /var/www/clients/client12/web*/log/access.log
/var/www/clients/client13/web*/log/access.logUnban IP with the command:
fail2ban-client set sshd unbanip $IP- Hide the Apache web server details- add the directives into
/etc/apache2/apache2.conf:
ServerTokens Prod
ServerSignature Off- Hide the PHP details- add the directives into
php.ini:
expose_php = off