Thanks to a hackers and/or bots trying to inject malware into my WordPress installation, I am forced to learn how to administrate my host better. Surprisingly enough, I find myself enjoying learning how to manage and secure a production server; A skill which will definitely help me become a better developer moving forward. So far here’s what I’ve done to deter and hopefully mitigate the hacking attempts on my site.

This guide assumes you are running an Ununtu 14.x up.

Set the proper timezone

This will make log files easier to understand and keep track of SSL certificates

Setup a hostname

You can name this anything you want, I used “livehost”

Now verify the hostname change

Now setup a Fully Qualified Domain Name (FQDN) in your /etc/hosts file

Now you can set an A Record to your domain name pointing to your hostname to access your server.

Disabled remote root login and changed the SSH port

I changed my SSH port to something lower than 1024 but not 22 (learn why here) then set PermitRootLogin to no.

Installed Fail2Ban

installed it with the following command

We’ll copy the default config  and jail settings and modify the copies we made.

SSH is already enabled by default in Ubuntu, so you’ll just need to enable the services you want to watch over. Do note that Fail2Ban won’t start if you enable a filter on a service that’s not installed/running.In this instance I just added a custom filter and changed the destemail setting so I can get notifications. You will need to install sendmail to get this feature working, see below.

I also made a custom wordpress filter in /etc/fail2ban/filter.d/wordpress.conf , you can read more about it here. This basically checks the access log of my site and filters it using regular expressions.

after saving the changes, restart the service.

Installed and Setup IPTables

IPTables is already installed with Ubuntu so I just needed to setup a new configuration file

I used the following configuration which I Googled to allow SSH, HTTP/HTTPS and a few other ports for testing then closed everything else for security Note that the port setting should be the same as with setting in the /etc/fail2ban/jail.local and /etc/ssh/sshd_config values.

Activate the new firewall rules now

Then make sure to run the firewall rules on startup by editing this file

Insert the following script

Save the changes then set the permissions

Install Let’s Encrypt

Let’s encrypt is a free SSL certificate supported by a lot of popular browsers. I use this to encrypt traffic on my sites at no extra cost. Before installing the package make sure you have set your timezone and hostname already. If you’ve done that already you can update everything first.

Once everything has updated, install GIT so we can clone the repository on Gtihub later

Now clone the official GitHub repository to /opt/letsencrypt

Then navigate to /opt/letsencrypt

Now make sure nothing is using port 80. I had trouble with this even after closing Apache which was the only application I though was using port 80. So to keep it simple I just killed all processes using port 80

Now we are ready to create a certificate that will auto renew. Just change the domain name to the domain name you’re creating a certificate for.

If everything worked properly you should see something like this. Take note of the Certificate and key paths, we will need this later when configuring the SSL certificate for Apache.

Now we will set a cron job to automatically renew the certificate and update Let’s Encrypt. Open crontab

Then append the following lines

Now we need configure apache for the SSL certificate. Appenbd this to your sites config file typically found in /etc/apache2/sites-available/ The SSLCertificateFile and SSLCertificateKeyFile paths were echoed after you created your certificate earlier. This will also set TLSv1.2 to be used instead of the default TLSv1

Ensure that the Apache SSL module is enabled, and enable the virtualhost configuration:

Then restart the Apache service

You can visit WhyNoPadlock to troubleshoot any insecure content you may have on your page. If you’re using WordPress you can use Really Simple SSL to force HTTPS to any visitors visitors to your site.

Get alerts when someone uses sudo

For that extra touch to paranoia, I also setup an email notification to let me know if someone uses the sudo command.  I start off by making a new file

pasting in the following content, you’ll need to change the email address to the one you wish to use.

Save the changes then set the file permissions

If you don’t have a mail server setup yet you will need to install one. I used sendmail.

The install script hanged on me and I found that the following commands worked to finished the installation.

When you’re done installing sendmail, configure it:

Reboot server on OOM (Out Of Memory)

This will reboot the server if the system panics, literally.

the append this to the config