If you run a web server, automated attacks probe your ssh, ftp, and web ports every day. These are a few of the things I do to curb their enthusiasm:
- Turn off unsecured ftp and telnet; they send credentials in clear text and have no business in the modern world. Use sftp or scp over ssh instead.
- Change your ssh port from the standard 22. This is obscurity rather than security, but it removes the bulk of the automated noise from your logs.
- Use long (at least 16 characters) and different passwords. It is easy to think you have a great password and use it everywhere, but if it does get discovered you will regret reusing it. It is a pain maintaining a list of different passwords, but it is a practice I follow these days. For ssh, key-based authentication with password logins disabled is better still.
- Make sure you are using the standard Linux firewall, iptables, and augment it with apf (Advanced Policy Firewall), which manages the iptables rules and gives you a simple deny list.
- Optionally, use a brute force detection system like bfd (Brute Force Detection). I say optionally because I find that once you remove ftp and change your ssh port, bfd is less useful.
If you follow these basic steps you’ll cut out 90+% of the attacks. However, I have found that once you move your ssh port most of the action is on your http port 80, and this is where you need to focus. I have a simple script that looks for known patterns in the web access logs. What are known patterns? Well, it depends on your system and applications, but requests for things like phpMyAdmin are a great place to start. phpMyAdmin is a useful program, but I restrict its use to just my IP address; it is too powerful to let other people even see it.
If you see a client trying to run a program they should not, such as phpMyAdmin, just block their IP address via apf or iptables. When it comes to server security I find it is best to act first and ask questions later. If there really is a reason why someone in China needs to access phpMyAdmin, then you can add an exception to your script. Another common pattern is /etc/passwd, which shows up in path-traversal attempts against scripts that take a file name as a parameter. If you just study your web logs for a few minutes each day you quickly see things that don’t fit with your applications. My script runs every five minutes and blocks 5-20 IP addresses per day.
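The following is an added example of the kind of log-scanning script described above; it is not the author's own script. It reads combined-format access-log lines, matches the request URI against a short list of patterns (phpMyAdmin paths and /etc/passwd), drops any IP on an exception list (the "add an exception" case above), and prints one unique offending IP per line. The log lines, the pattern list, the exception address 10.0.0.5 and the comment text "web scan" are all constructed for the example. By default it only prints the `apf -d` command it would run; set DRY_RUN=0 to actually call apf (or swap in `iptables -I INPUT -s "$ip" -j DROP`).

```shell
#!/bin/sh
# Constructed sample of Apache/nginx combined-format access log lines (not real traffic).
# Field 1 is the client IP; the request line is the first double-quoted string.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /phpMyAdmin/index.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1043 "-" "curl/7.68.0"
192.0.2.10 - - [10/Oct/2023:13:56:01 +0000] "GET /blog/2023/hello-world HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2023:13:56:10 +0000] "GET /pma/scripts/setup.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:57:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
EOF
)

# Request-URI patterns that have no business on this site (extended regex, matched case-insensitively).
# Extend this with whatever your own logs show that does not fit your applications.
PATTERNS='phpmyadmin|/pma/|/etc/passwd'

# Exceptions: addresses allowed to hit those paths, one per line. Assumption: 10.0.0.5 is the admin's own IP.
WHITELIST='10.0.0.5'

# find_offenders: read log text on stdin, print each unique offending client IP on its own line.
find_offenders() {
    # Only match inside the request line ("METHOD URI ..."), not in the referer or user-agent fields.
    grep -Ei "\"[A-Z]+ [^\"]*($PATTERNS)" \
    | awk '{print $1}' \
    | grep -Fvx "$WHITELIST" \
    | sort -u
}

# block_cmd: print (DRY_RUN=1, the default) or run (DRY_RUN=0) the apf deny command for one IP.
# apf -d adds the host to deny_hosts.rules and loads the rule into iptables immediately.
block_cmd() {
    ip=$1
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "apf -d $ip \"web scan\""
    else
        apf -d "$ip" "web scan"
    fi
}

# Stand-alone run over the constructed sample. From cron, replace SAMPLE_LOG with, e.g.,
# tail -n 5000 /var/log/httpd/access_log so each five-minute run only looks at recent lines.
printf '%s\n' "$SAMPLE_LOG" | find_offenders | while read -r ip; do
    block_cmd "$ip"
done
```

Anchoring the match to the request line matters: a scanner can put "phpMyAdmin" in its User-Agent or Referer header, and matching the whole line would then block whoever relayed that request to you. Blocking on a single hit is the "act first" policy from the text; if that is too aggressive for a busy site, count hits per IP in awk and block above a threshold instead.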