Server hardening
General tips
- Check all open/listening ports on each server and confirm that every listener and established connection is expected (no unknown services, no unexpected remote connections, etc.)
- Enumerate the local user accounts on all servers and review them
- If SSH is enabled for remote management, I would disable password authentication and switch to key-based authentication; if key auth is already in place, generate a new key pair
- Check sudoers on all servers and make sure only the proper users/groups are listed
- Check all groups (local and directory server) to make sure no accounts from the old admin are still hanging around
- Along with users/groups, disable or remove any test/dummy accounts in case someone is using one as a back door
- On Linode, check the access settings to make sure there are no rules allowing management from anywhere (or from non-company locations)
- On Linode, make sure only appropriate users have access to the account
WordPress
- Comb through the list of users with access and be sure to remove any former employees/admins
- Check permissions carefully to make sure users have the appropriate access rights
- Disable file editing in the admin dashboard via wp-config.php (DISALLOW_FILE_EDIT)
- Isolate user account for site from others
- Make .htaccess inaccessible to site user (but accessible to www-data)
- Make wp-config.php read-only
- Remove any unused plugins
- Check security reports on existing ones for outstanding or frequent issues
- Check when plugins were last updated by the author in the repository; old or unmaintained plugins are candidates for replacement or removal
- Reduce the permissions of the site's DB account to SELECT / UPDATE / INSERT / DELETE (you will need to unlock it temporarily when adding or updating plugins that use custom tables)
- Set up wp-cli to update plugins automatically every night (wp plugin update --all)
- Set up the wp-fail2ban plugin and use the wordpress-hard profile.
- Globally disable access to xmlrpc.php in the Apache config (return 403; helps prevent brute force and other quiet attacks), unless it is actually used.
- Globally disable access to any .log or .git files in the Apache config
- Consider the WordFence or Sucuri plugin for file integrity checks and monitoring
- Set up daily backups of the site
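A small audit script for three of the WordPress items above (DISALLOW_FILE_EDIT set, wp-config.php read-only, DB account limited to SELECT/INSERT/UPDATE/DELETE), added here as an example and not part of the original page. The site path and the SHOW GRANTS text it reads are assumptions supplied by the operator.

```python
import re
import stat
from pathlib import Path

# Privileges the site's DB account may keep once deployed (item above).
# USAGE is MySQL's "no privileges" placeholder, so it is harmless.
ALLOWED_DB_PRIVS = {"SELECT", "INSERT", "UPDATE", "DELETE", "USAGE"}
FILE_EDIT_RE = re.compile(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)

def file_edit_disabled(wp_config_text: str) -> bool:
    """True if an uncommented line defines DISALLOW_FILE_EDIT as true."""
    for line in wp_config_text.splitlines():
        code = re.split(r"//|#", line, maxsplit=1)[0]  # strip trailing comments
        if FILE_EDIT_RE.search(code):
            return True
    return False

def is_read_only(path: Path) -> bool:
    """True if no write bit is set for owner, group or others."""
    mode = stat.S_IMODE(path.stat().st_mode)
    return not mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH)

def excess_db_privileges(show_grants_output: str) -> set:
    """Privileges beyond SELECT/INSERT/UPDATE/DELETE seen in SHOW GRANTS output."""
    excess = set()
    for line in show_grants_output.splitlines():
        m = re.match(r"\s*GRANT\s+(.+?)\s+ON\s+", line, re.I)
        if not m:
            continue  # e.g. a trailing blank line
        for priv in m.group(1).split(","):
            priv = priv.strip().upper()
            if priv not in ALLOWED_DB_PRIVS:
                excess.add(priv)
    return excess

def audit(wp_root: Path, show_grants_output: str) -> dict:
    """Run the three checks for one site; returns check name -> passed."""
    wp_config = wp_root / "wp-config.php"
    return {
        "file_edit_disabled": file_edit_disabled(wp_config.read_text()),
        "wp_config_read_only": is_read_only(wp_config),
        "db_privs_minimal": not excess_db_privileges(show_grants_output),
    }

if __name__ == "__main__":
    import sys
    # Usage (hypothetical paths): audit.py /var/www/site < grants.txt
    # where grants.txt holds the output of SHOW GRANTS FOR the site's DB user.
    print(audit(Path(sys.argv[1]), sys.stdin.read()))
```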
wiki/server_hardening.txt · Last modified: 2021/06/04 10:49 by antisa