
Securing Your Server



Posted

I would rather do this via a firewall, but in case you don't have that, it's possible to secure things simply using the .htaccess file. I found this site:

https://www.countryipblocks.net/country_selection.php

I have never used the tool before, but I imagine it's pretty useful. I personally block traffic from any IP that I find has been blocked by cPanel for over-attempting logins in my WHM. But that is with a CP. Hope it helps someone.
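As an added illustration of the .htaccess approach described above (example code, not from the post or from the linked site): a small POSIX shell script that turns a list of CIDR ranges, such as the export you would paste from the country-block page, into an Apache 2.4 `<RequireAll>` fragment. Apache 2.4 mod_authz_core syntax is assumed, and the three ranges in the sample list are the IANA documentation ranges, constructed here rather than taken from any real country export.

```shell
#!/bin/sh
# Added example: render an .htaccess fragment that blocks a list of CIDR ranges.
# Apache 2.4 (mod_authz_core) syntax is assumed; the CIDRs below are the IANA
# documentation ranges, constructed for this example, not a real country export.

# Stand-in for the list you would paste from the country-block site, one CIDR per line.
sample_cidrs() {
  cat <<'EOF'
192.0.2.0/24
198.51.100.0/24
203.0.113.0/24
EOF
}

# Syntactic check only: a.b.c.d/n with n in 0..32 (octet values are not range-checked).
# Anything that fails this never reaches the generated file, so a stray line in a
# pasted list cannot smuggle an unexpected directive into the .htaccess.
valid_cidr() {
  printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Read CIDRs on stdin, write the .htaccess fragment on stdout, report bad entries on stderr.
render_htaccess() {
  echo '# Block the listed ranges, allow everyone else (Apache 2.4 syntax)'
  echo '<RequireAll>'
  echo '    Require all granted'
  while IFS= read -r cidr; do
    case "$cidr" in ''|'#'*) continue ;; esac   # skip blank lines and comments
    if valid_cidr "$cidr"; then
      echo "    Require not ip $cidr"
    else
      echo "skipping malformed entry: $cidr" >&2
    fi
  done
  echo '</RequireAll>'
}

# Typical use:  sample_cidrs | render_htaccess > /var/www/html/.htaccess
```

The fragment only takes effect if the directory's `AllowOverride` includes `AuthConfig`, and it only governs requests that Apache serves; SSH, the control panel port and anything else listening on the box are untouched, which is why the post prefers a firewall when one is available.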

Posted

I am not sure outside of cPanel. I have so many domains, and trying to manage them without WHM/cPanel would be more than I would want.

If you really want to secure your server, you'd remove the panels like cPanel, Plesk, etc. :P

Posted

haha, that takes all the fun out of it :)

Plus, I am no sysadmin; I have enough to deal with. Eventually I will hire a sysadmin and, yes, get rid of cPanel, effectively cutting the cord.

Posted

The guide is quite short and in my view lacks important considerations. An example: securing SSH with fail2ban to avoid dictionary-based attacks.

Posted

The guide is quite short and in my view lacks important considerations. An example: securing SSH with fail2ban to avoid dictionary-based attacks.

The best way to avoid dictionary attacks:

Don't use single dictionary words as passwords! Seriously, NEVER DO THIS. fail2ban is absolutely not the solution to an insecure password. It doesn't matter if you use a dictionary word followed by a few numbers, it's still horrendously insecure and asking for an eventual server compromise.

Even better, disable password authentication on your server entirely and use key based authentication instead, which is virtually impossible to brute force.

Relevant:

Posted

The guide is quite short and in my view lacks important considerations. An example: securing SSH with fail2ban to avoid dictionary-based attacks.

fail2ban is a must, but never put a dictionary word as your password for anything...

Posted

I read an article some time back saying a 15-word password (letters and numbers) was 98% uncrackable. The article was by some security guy, but now I'm maybe seeing he was a hacker :unsure:

Posted

There is no such thing as an uncrackable password. There's no such thing as "98% uncrackable". The only things that impact how fast your password is cracked are the complexity of your password, the processing power available to crack it and the security policy adopted by the server to mitigate brute force.

Just don't use a password for SSH.
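To put numbers on the three factors the post above names (an added illustration, not part of the thread; the guess rates, the 100,000-word list and the 62-symbol alphabet are assumptions): an attacker who tries every candidate from an alphabet of size $|A|$ at length $L$ needs at most $N$ guesses, on average half that, and at $r$ guesses per second is done in

$$
N = |A|^{L}, \qquad T_{\max} = \frac{N}{r}, \qquad \bar{T} = \frac{N}{2r}.
$$

$$
\begin{aligned}
\text{dictionary word + 3 digits:}\quad & N = 10^{5}\cdot 10^{3} = 10^{8}, & T_{\max} &\approx 10^{7}\ \text{s} \approx 116\ \text{days at } r = 10/\text{s},\ \approx 28\ \text{h at } r = 10^{3}/\text{s} \\
\text{15 characters, 62-symbol alphabet:}\quad & N = 62^{15} \approx 7.7\times 10^{26} \approx 2^{89}, & T_{\max} &\approx 7.7\times 10^{16}\ \text{s} \approx 2.4\times 10^{9}\ \text{years at } r = 10^{10}/\text{s} \\
\text{Ed25519 key (128-bit security level):}\quad & N \approx 2^{128} \approx 3.4\times 10^{38}, & T_{\max} &\approx 3.4\times 10^{28}\ \text{s} \approx 10^{21}\ \text{years at } r = 10^{10}/\text{s}
\end{aligned}
$$

The first row is the case a per-IP retry limit slows down and a botnet with a thousand sources speeds back up; the other two are out of reach at any rate an attacker can buy, which is the point of moving SSH to keys.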

Posted

The Heff, what do you mean by don't use a password for SSH? How does one SSH? I turn mine on/off as I need it.

You can log in with SSH using a key instead of a password.
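The switch the replies above recommend, key-based login with password authentication off, comes down to a handful of sshd_config directives. As an added example (not code from the thread, and not OpenSSH's own tooling), the POSIX shell script below applies them idempotently to a config file and checks the result. The sshd_config it operates on is constructed here to stand in for /etc/ssh/sshd_config; the user name `deploy` and the script name `this_script.sh` in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example: switch an sshd_config to key-only logins, idempotently, and verify it.
# The config below is constructed for this example and stands in for /etc/ssh/sshd_config.

sample_sshd_config() {
  cat <<'EOF'
# constructed sshd_config excerpt
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
#PubkeyAuthentication yes
MaxAuthTries 6
UsePAM yes
EOF
}

# set_directive FILE KEY VALUE: remove every existing KEY line (live or commented out,
# including any inside a Match block, so review the result) and put "KEY VALUE" at the
# top. sshd keeps the first value it sees, and the top is outside any Match block.
set_directive() {
  file="$1" key="$2" value="$3"
  tmp="$file.tmp.$$"
  printf '%s %s\n' "$key" "$value" > "$tmp"
  grep -Eiv "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file" >> "$tmp" || true
  mv "$tmp" "$file"
}

harden_sshd_config() {
  file="$1"
  set_directive "$file" MaxAuthTries 3
  set_directive "$file" PermitRootLogin no
  set_directive "$file" ChallengeResponseAuthentication no   # KbdInteractiveAuthentication on OpenSSH 8.7+
  set_directive "$file" PasswordAuthentication no
  set_directive "$file" PubkeyAuthentication yes
}

# effective FILE KEY: value of the first live KEY line, which is what sshd will use.
effective() {
  grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{ print tolower($2) }'
}

# Succeeds only when the file enforces key-only logins and refuses root.
is_hardened() {
  [ "$(effective "$1" PasswordAuthentication)" = "no" ] &&
  [ "$(effective "$1" PermitRootLogin)" = "no" ] &&
  [ "$(effective "$1" PubkeyAuthentication)" = "yes" ]
}

# Order of operations on a real host, from a session you keep open throughout
# (user and script names are placeholders):
#   ssh-keygen -t ed25519                                  # on your workstation
#   ssh-copy-id deploy@server                              # non-root user that has sudo
#   ssh -o PasswordAuthentication=no deploy@server true    # prove the key works first
#   sudo sh -c '. ./this_script.sh; harden_sshd_config /etc/ssh/sshd_config'
#   sudo sshd -t && sudo systemctl restart sshd            # -t validates the file before restarting
```

The check in `is_hardened` matters more than the edit: a later `Match` block or an include file can silently re-enable passwords, and `sshd -T` on the live host is the authoritative way to see what sshd actually resolved.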

Posted

Ah yes, true, totally forgot about that since last I switched hosts; I think I might switch back to doing that. Thanks.

You can log in with SSH using a key instead of a password.

Posted

The best way to avoid dictionary attacks:

Don't use single dictionary words as passwords! Seriously, NEVER DO THIS. fail2ban is absolutely not the solution to an insecure password. It doesn't matter if you use a dictionary word followed by a few numbers, it's still horrendously insecure and asking for an eventual server compromise.

 

Fail2ban, by denying login retries for N time following some failed attempts, makes SSH virtually impossible to subject to a dictionary-based attack or other kind of brute-force attack, as the time to guess the password would be hundreds or thousands of years.

Therefore I think it is a more effective solution than using a port other than the standard one for SSH, although both together with denying root login should reduce SSH hack attempts by 99%, I believe.
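What a fail2ban sshd jail actually does is count "Failed password" lines per source in auth.log and ban a source once it passes maxretry inside findtime. As an added example (not from the thread and not fail2ban's own filter, whose regexes are more elaborate), the POSIX shell script below runs that counting over a constructed auth.log excerpt and prints the matching jail.local. The log lines, host name `web1` and addresses are made up for this example; the timestamp window is assumed to cover all the lines.

```shell
#!/bin/sh
# Added example: the counting a fail2ban sshd jail does, run over a constructed
# auth.log excerpt (not real data), plus the jail.local that would apply it.

# One host hammers sshd; three others make a few attempts each, the way a botnet
# spreads guesses across sources so that no single IP reaches maxretry.
sample_authlog() {
  cat <<'EOF'
Mar 10 12:00:01 web1 sshd[2201]: Failed password for root from 192.0.2.10 port 51234 ssh2
Mar 10 12:00:03 web1 sshd[2203]: Failed password for invalid user admin from 192.0.2.10 port 51240 ssh2
Mar 10 12:00:05 web1 sshd[2205]: Failed password for invalid user oracle from 192.0.2.10 port 51244 ssh2
Mar 10 12:00:07 web1 sshd[2207]: Failed password for root from 192.0.2.10 port 51250 ssh2
Mar 10 12:00:09 web1 sshd[2209]: Failed password for root from 192.0.2.10 port 51258 ssh2
Mar 10 12:00:11 web1 sshd[2211]: Failed password for root from 198.51.100.7 port 40001 ssh2
Mar 10 12:00:12 web1 sshd[2213]: Failed password for root from 198.51.100.8 port 40002 ssh2
Mar 10 12:00:13 web1 sshd[2215]: Failed password for root from 198.51.100.9 port 40003 ssh2
Mar 10 12:00:14 web1 sshd[2217]: Accepted publickey for deploy from 203.0.113.5 port 39000 ssh2
Mar 10 12:00:15 web1 sshd[2219]: Failed password for root from 198.51.100.7 port 40010 ssh2
EOF
}

# stdin: auth.log lines; stdout: "<failures> <ip>" per source, most failures first.
# Only sshd "Failed password" lines count; the successful key login is ignored.
failed_counts() {
  awk '/sshd\[[0-9]+\]: Failed password for .* from [0-9.]+ port/ {
         for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
       }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# ips_to_ban MAXRETRY: sources the jail would ban, assuming all lines fall inside
# one findtime window (the timestamp arithmetic is left out to keep this short).
ips_to_ban() {
  failed_counts | awk -v m="$1" '$1 >= m { print $2 }'
}

# The matching jail configuration (goes in /etc/fail2ban/jail.local, not jail.conf;
# the ignoreip entry is the constructed admin address from the sample log).
jail_local() {
  cat <<'EOF'
[sshd]
enabled  = true
port     = ssh
maxretry = 5
findtime = 600
bantime  = 3600
ignoreip = 127.0.0.1/8 203.0.113.5
EOF
}

# Typical use:  sample_authlog | ips_to_ban 5
```

Run on the sample, `ips_to_ban 5` names only 192.0.2.10; the three hosts that made one or two attempts each never reach maxretry and keep guessing, which is exactly the gap between a per-source retry limit and a distributed attack.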

Posted

Fail2ban, by denying login retries for N time following some failed attempts, makes SSH virtually impossible to subject to a dictionary-based attack or other kind of brute-force attack, as the time to guess the password would be hundreds or thousands of years.

Fail2ban does not give you an excuse to use a terrible password, that's all I said. If your server is targeted by a cluster of botnets over an extended period of time, fail2ban is not going to save you because you are using a horribly insecure password. Do not use a dictionary word as a password. There is never a situation in which it is justifiable to use a dictionary word as your SSH password. It is never okay to use a dictionary word as your SSH password. If you use a dictionary word as your SSH password, your server is substantially vulnerable to being eventually compromised. Fail2ban will not save you if you are using an insecure password. It is NEVER okay to use an insecure SSH password, ever.
