Secure your server debian / wordpress
Creating strong passwords: I would recommend using a browser extension as a password generator.
-Configuring Auto-Update:
apt install unattended-upgrades
systemctl enable unattended-upgrades
systemctl status unattended-upgrades
nano /etc/apt/apt.conf.d/50unattended-upgrades
Unattended-Upgrade::Package-Blacklist {
"apache2";
};
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
Unattended-Upgrade::Remove-New-Unused-Dependencies "true";
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "false";
Unattended-Upgrade::Verbose "true";
nano /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
APT::Periodic::AutocleanInterval "7";
systemctl restart unattended-upgrades
unattended-upgrade --dry-run --debug
-Firewall:
Install UFW:
apt install ufw
Allow only your IP range to connect to the SSH port (ufw evaluates rules in order and the first match wins, so the allow rule must come before the deny or your own subnet is blocked as well):
ufw allow from 15.15.15.0/24 to any port 22
ufw deny ssh/tcp
ufw limit 22/tcp
ufw allow 80/tcp
ufw allow 443/tcp
ufw default deny incoming
ufw default deny outgoing
(note: this also blocks DNS and HTTP/HTTPS traffic originating from the server itself; add matching "ufw allow out" rules for them, otherwise unattended-upgrades, freshclam and rkhunter can no longer fetch updates)
systemctl enable ufw.service
systemctl start ufw.service
ufw status
ufw enable
- nano /etc/ssh/sshd_config
MaxAuthTries 2
MaxSessions 2
PermitRootLogin no
- nano /etc/sysctl.conf
Uncomment the following entries:
enable spoof protection (reverse-path filter)
block ping (ICMP echo):
add net.ipv4.icmp_echo_ignore_all = 1
not a router: leave IP forwarding disabled
log martian packets
/sbin/sysctl -p
Fail2ban – Bruteforce:
apt-get install fail2ban
systemctl enable fail2ban
systemctl restart fail2ban.service
nano /etc/fail2ban/filter.d/http-get-dos.conf
# Fail2Ban configuration file
[Definition]
# Option: failregex
# Note: This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
# You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
failregex = ^<HOST> -.*"(GET|POST).*
# Option: ignoreregex
ignoreregex =
nano /etc/fail2ban/jail.local
##Block the failed login attempts on the SSH server.
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 2
findtime = 300000
bantime = 300000
ignoreip = xxx.xxx.xxx.xxx
##Block the remote host that is trying to request suspicious URLs.
[apache-overflows]
enabled = true
port = http,https
filter = apache-overflows
logpath = /var/log/apache2/*error.log
maxretry = 2
bantime = 30000
ignoreip = xxx.xxx.xxx.xxx
##Stop DOS attack from remote host.
[http-get-dos]
enabled = true
port = http,https
filter = http-get-dos
logpath = /var/log/apache2/access.log
maxretry = 50
findtime = 400
bantime = 200000
ignoreip = xxx.xxx.xxx.xxx
action = iptables[name=HTTP, port=http, protocol=tcp]
##Block the remote host that is trying to search for scripts on the website.
[apache-noscript]
enabled = true
port = http,https
filter = apache-noscript
logpath = /var/log/apache2/*error.log
maxretry = 2
bantime = 30000
ignoreip = xxx.xxx.xxx.xxx
fail2ban-client status <jail>   (run once per jail: sshd, http-get-dos, apache-overflows, apache-badbots, apache-noscript)
IpTables: N/D
-Apache:
-Install Mod-evasive:
apt install libapache2-mod-evasive
https://phoenixnap.com/kb/apache-mod-evasive
-Install Mod-Security:
apt install libapache2-mod-security2
apt install modsecurity-crs
https://phoenixnap.com/kb/setup-configure-modsecurity-on-apache
ModSecurity is not very friendly with WordPress; I would recommend checking the error log and starting from there:
tail /var/log/apache2/error.log
-Apache/wordpress security:
nano /etc/apache2/apache2.conf
<Directory /var/www/dstaffieri>
AllowOverride All
Options -Indexes
ServerSignature Off
</Directory>
-Setting up Apache authentications:
apt install apache2-utils
htpasswd -c /etc/apache2/.htpasswd "user"
cd wp-admin/
nano .htaccess
AuthName "Admin Login"
AuthUserFile /etc/apache2/.htpasswd
AuthType basic
Require valid-user
chmod 0444 .htaccess
systemctl restart apache2
Wordpress:
-Disable file editing
nano /var/www/html/wp-config.php
/** Disable file editing */
define('DISALLOW_FILE_EDIT', true);
permission
chmod 0444 wp-config.php
chmod 0444 .htaccess
-Disable directory listing
nano .htaccess
Options -Indexes
systemctl restart apache2
apt install modsecurity-crs
-Disable Php uploads
cd ../wp-content/uploads/
nano .htaccess
<Files *.php>
deny from all
</Files>
(on Apache 2.4 without mod_access_compat use "Require all denied" instead of "deny from all")
chmod 0444 .htaccess
apt install auditd
Antivirus:
-Install ClamAV
apt install clamav clamav-daemon
systemctl stop clamav-freshclam
systemctl start clamav-daemon.service
freshclam
systemctl start clamav-freshclam.service
clamscan -i -r -v /
clamscan -i -r -v --remove /
(caution: --remove deletes every file ClamAV flags, false positives included; prefer --move=<quarantine directory> and review the files before deleting anything)
-Automatic scanning:
crontab -e
SHELL=/bin/bash
HOME=/
0 01 * * 1 date >> /var/log/clamav_log
0 01 * * 1 clamscan --exclude-dir=/proc/* --exclude-dir=/sys/* -i -r / >> /var/log/clamav_log
crontab -l
-Install Rkhunter
apt install rkhunter
rkhunter --check
-Auto-scanning
nano /etc/default/rkhunter
CRON_DAILY_RUN="true"
CRON_DB_UPDATE="true"
APT_AUTOGEN="true"
-Install Lynis
apt install lynis
lynis audit system
lynis --pentest
grep Suggestion /var/log/lynis.log
Review the results and apply the suggested changes.
-Install aide
apt-get install aide -y
aideinit
cp /var/lib/aide/aide.db.new /var/lib/aide/aide.db
update-aide.conf
cp /var/lib/aide/aide.conf.autogenerated /etc/aide/aide.conf
aide -c /etc/aide/aide.conf --check
-Automated Backup
-Website Backup
rsync -av /var/www/html/ /backups/website/$(date +\%Y\%m\%d)
crontab -e
00 01 * * 1 rsync -avz /var/www/html/ /backups/website/$(date +\%Y\%m\%d) >> /var/log/cronjob1.log 2>&1
-MySQL Security
mysql_secure_installation
/etc/mysql/my.cnf
[mysqld]
skip-grant-tables
(caution: skip-grant-tables disables all privilege checks, so every client connects with full access without a password; it is a temporary recovery option, not a hardening setting, and must not be left in the config)
bind-address = 127.0.0.1
local-infile=0
chmod 644 /etc/my.cnf
-MySQL Backup
mysqldump -u root -p'xxx' wordpress | gzip -c > /backups/database/$(date +\%Y\%m\%d).sql.gz
crontab -e
00 01 * * * mysqldump -u root -p'93zcsb43' wordpress | gzip -c > /backups/database/wordpress$(date +\%Y\%m\%d).sql.gz 2>> /var/log/cronjob2.log
(note: with two stdout redirections the last one wins, so the original ">> /var/log/cronjob2.log 2>&1" sent the dump into the log and left the .sql.gz empty; also, a password on the command line is visible in ps and in the crontab — put it in ~/.my.cnf with mode 0600 and drop -p from the command)
grep CRON /var/log/syslog
Restore
mysql -u root -p'password' database_name < /path/to/[database_name].sql
-Cloudflare:
Set up your DNS through Cloudflare to hide the origin server IP (reverse DNS) and absorb DDoS traffic - free account
-Wordpress
Install the Wordfence plugin and Loginizer (brute-force protection)
to block IP-based brute-force login attacks
-Zabbix:
https://bestmonitoringtools.com/how-to-install-zabbix-server-on-debian
-Webmin:
https://upcloud.com/community/tutorials/install-webmin-debian-10
-DDoS useful commands:
Number of connections per source IP:
netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n
netstat -alpn | grep :80 | awk '{print $5}' |awk -F: '{print $(NF-1)}' |sort | uniq -c | sort -nr
netstat -an | grep :80 | grep -v 127.0.0.1 | awk '{ print $5 }' | sort | awk -F: '{ print $1, $4 }' | uniq -c | awk ' $1 > 100 { print $1, $2 }' > /tmp/blackname.txt
grep 'sshd' /var/log/auth.log
grep 'http' /var/log/auth.log
grep 'https' /var/log/auth.log
awk '{print $1}' /var/log/apache2/access.log | sort -u
-Block the attacking network
ufw deny from 192.168.1.5 to any
ufw reject from 202.54.5.7 to any
iptables -A INPUT -s <Source IP> -j DROP