If you have a smartphone, you almost certainly use public Wi-Fi access points at least occasionally. Often they are not password protected. And even if the administrator of the access point has set a password, it is still advisable to protect your traffic with encryption: who knows how the owner of the access point might use the information that passes through it in the clear.
Rubric: Protection and Security
Protecting the server from all kinds of threats: descriptions of service settings that improve security, and so on.
Access to the server via SSH only for a specific group
SSH allows you to restrict access to the server to users in a certain group. Users who are not members of that group will not be able to log in to the server via SSH. This is a convenient way to grant access only to the users who really need it.
Basic iptables configuration
One of the first priorities after installing the system is to configure iptables correctly to filter traffic. The default policy allows everything that is not explicitly prohibited. This is not the best approach from a security standpoint, because in this mode the server is fully exposed to intruders.
For example, the ports open on the server can be scanned, and from that the services in use, their versions, and the name and version of the operating system can be determined, after which vulnerabilities for them can be looked up. Some ICMP messages can also give away extra information.
How to hide the fact of using nginx on the server
I once read an article which said that you can hide the fact that nginx is used on the server. To do this, you need to edit the source code of the ngx_http_header_filter_module module and change the lines
static char ngx_http_server_string[] = "Server: nginx" CRLF;
static char ngx_http_server_full_string[] = "Server: " NGINX_VER CRLF;
But rebuilding nginx from source requires some knowledge.
However, there is a simpler method that requires no special actions at all, such as editing the source code and recompiling.
Using nginx http_referer_module to protect the admin site from brute force
While reading the nginx web server documentation, I came across an interesting module, http_referer_module. It allows you to deny access to the site, or to parts of it, if the request does not carry the expected Referer header.
This module can be used to protect the admin area of any site from brute force. For example, if the site runs on WordPress, blocking access by IP is inappropriate when the site has registered users: they also need to authenticate, and collecting their IP addresses is a pointless exercise. :)
Simple file change tracking
If a server is compromised, the attacker can modify files in order to leave a backdoor, web shell, etc. Modified files could be tracked by their modification date, but that date is easily forged with the touch utility.
Restricting access to wp-login by IP in nginx
Recently fail2ban has stopped protecting properly against brute force on WordPress, because the IP address is different in every request and blocking every address is meaningless.
Because of this nonsense, I decided to restrict access to the wp-login.php file by IP. There is one nuance here: for the location specified in the nginx configuration file, you also need to add the PHP script handler when using php-fpm.
The resulting configuration is described in the full post.
Spam bots, postfix and fail2ban
On my server, Postfix works only as an outgoing mail server, that is, it only sends mail from the sites. Naturally, port 25 is open. But bots constantly try to use the server as an open relay. :) Naturally, they do not succeed, because the rules are set up. But they litter the logs.
Install and configure OpenVPN on Debian 8
OpenVPN is a software package that protects user traffic from interception by providing encrypted data transmission from the client's device to the server where OpenVPN is installed. It is great for public Wi-Fi access points, where information can be intercepted by third parties, or for the case when your IP is blocked on a certain site and you need to bypass the restriction securely.
Multiple requests to xmlrpc.php in WordPress
Today I looked into the access log of one WordPress site and found many requests of this kind:
1.234.83.77 - - [05/Sep/2014:12:07:01 +0600] "POST /xmlrpc.php HTTP/1.1" 200 441 "-" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"
1.234.83.77 - - [05/Sep/2014:12:07:01 +0600] "POST /xmlrpc.php HTTP/1.1" 200 441 "-" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"
1.234.83.77 - - [05/Sep/2014:12:07:02 +0600] "POST /xmlrpc.php HTTP/1.1" 200 441 "-" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"
1.234.83.77 - - [05/Sep/2014:12:07:02 +0600] "POST /xmlrpc.php HTTP/1.1" 200 441 "-" "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1; 125LA; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022)"
Judging by the Google results, there is some kind of exploit related to this file, xmlrpc.php. One article in English said, as far as I understood with my poor command of the language :), that it can be used to organize password guessing. True, so far I have not noticed any consequences, but it is better to take action in advance. :)