Server hardening

General tips

  • Check all open/listening ports on each server and make sure everything looks OK (no unexpected services or connections, etc.)
  • Get a list of local user accounts on all servers
  • If SSH is enabled for remote management, I would disable password auth and switch to private-key auth; if key auth is already in place, generate a new key pair
  • Check sudoers on all servers and make sure the proper users/groups are in there
  • Check all groups (local/directory server) to make sure no accounts from the old admin are hanging around
  • Along with users/groups, disable/remove any test/dummy accounts in case one is being used as a back way in
  • On Linode, check the access settings to make sure there aren't any rules allowing management from anywhere (or from non-company locations)
  • On Linode, make sure only appropriate users have access to the account
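The listening-port, account, sudoers and SSH items above can be checked with a few lines of shell. The script below is an added example, not part of this wiki page: each function reads a file path, so it can be pointed at real data (the output of ss -tlnp, /etc/passwd, /etc/sudoers, /etc/ssh/sshd_config) or at the constructed samples it writes to a temp directory. All host names, users, ports and the temp path are made-up assumptions for the demo.

```shell
#!/bin/sh
# Added example, not part of the wiki page: audit helpers for the checklist
# above. Every function takes a file path, so it can be pointed at real data
# (ss -tlnp output, /etc/passwd, /etc/sudoers, /etc/ssh/sshd_config) or at
# the constructed samples below. Sample hosts, users and ports are made up.

SAMPLE_DIR="${TMPDIR:-/tmp}/hardening_audit.$$"
mkdir -p "$SAMPLE_DIR"

# Constructed `ss -tlnp` output: sshd, apache2 and redis bound to all
# interfaces, mysqld bound to loopback only.
cat > "$SAMPLE_DIR/ss.txt" <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=1,fd=3))
LISTEN 0      511    *:80                *:*               users:(("apache2",pid=2,fd=4))
LISTEN 0      80     127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=3,fd=5))
LISTEN 0      128    0.0.0.0:6379        0.0.0.0:*         users:(("redis",pid=4,fd=6))
EOF

# Constructed /etc/passwd: one current user, one leftover admin, one test account.
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
oldadmin:x:1001:1001::/home/oldadmin:/bin/bash
test:x:1002:1002::/home/test:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF

# Constructed /etc/sudoers with a passwordless rule left by the old admin.
cat > "$SAMPLE_DIR/sudoers" <<'EOF'
# This file MUST be edited with the 'visudo' command as root.
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%sudo           ALL=(ALL:ALL) ALL
oldadmin        ALL=(ALL) NOPASSWD: ALL
@includedir /etc/sudoers.d
EOF

# Constructed sshd_config: password auth still on.
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
Port 22
#PasswordAuthentication yes
PasswordAuthentication yes
PubkeyAuthentication yes
PermitRootLogin prohibit-password
EOF

# Listening sockets reachable from outside the host, "port process" per line.
# Loopback binds (127.x, ::1) are skipped; "*", 0.0.0.0 and :: are reported.
exposed_ports() {
  awk 'NR > 1 {
    n = split($4, a, ":"); port = a[n]
    addr = substr($4, 1, length($4) - length(port) - 1)
    if (addr ~ /^127\./ || addr ~ /^\[?::1\]?$/) next
    proc = "?"
    if (match($6, /\("[^"]+"/)) proc = substr($6, RSTART + 2, RLENGTH - 3)
    print port, proc
  }' "$1"
}

# Accounts that can actually log in: root plus UID >= 1000 with a real shell.
login_accounts() {
  awk -F: '($3 == 0 || $3 >= 1000) && $7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# Login accounts whose names look like test/dummy/temporary users.
suspicious_accounts() {
  login_accounts "$1" | grep -E '^(test|dummy|temp|guest|demo)' || true
}

# Users and %groups granted rules in sudoers (comments, Defaults, aliases and
# @include directives skipped). Pair with a review of /etc/sudoers.d/*.
sudo_principals() {
  awk '/^[[:space:]]*$/ { next }
       /^[[:space:]]*[#@]/ { next }
       $1 ~ /^(Defaults|User_Alias|Host_Alias|Cmnd_Alias|Runas_Alias)/ { next }
       { print $1 }' "$1"
}

# Number of NOPASSWD rules; each one deserves a written justification.
nopasswd_rules() {
  grep -c 'NOPASSWD' "$1" || true
}

# Effective PasswordAuthentication value: sshd uses the first occurrence of a
# keyword, and the compiled-in default is "yes" (Match blocks not handled).
ssh_password_auth() {
  awk 'tolower($1) == "passwordauthentication" { print $2; found = 1; exit }
       END { if (!found) print "yes" }' "$1"
}

# Run the whole audit against the samples when executed directly.
exposed_ports "$SAMPLE_DIR/ss.txt"
login_accounts "$SAMPLE_DIR/passwd"
suspicious_accounts "$SAMPLE_DIR/passwd"
sudo_principals "$SAMPLE_DIR/sudoers"
nopasswd_rules "$SAMPLE_DIR/sudoers"
ssh_password_auth "$SAMPLE_DIR/sshd_config"
```

Against the samples the audit reports 22/sshd, 80/apache2 and 6379/redis as exposed (a Redis bound to all interfaces is exactly the kind of surprise the first checklist item is after), four login-capable accounts of which "test" matches the dummy-account pattern, three sudo principals with one NOPASSWD rule, and password authentication still enabled for SSH. On a real host, pipe ss -tlnp into a file and pass the system files directly; run it per server and keep the outputs so a later run can be diffed against them.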

WordPress

  • Comb through the list of users with access and be sure to remove any former employees/admins
  • Check permissions carefully to make sure users have the appropriate access rights
  • Disable file editing in the admin using wp-config.php
  • Run the site under its own user account, isolated from other sites
  • Make .htaccess inaccessible to the site user (but accessible to www-data)
  • Make wp-config.php read-only
  • Remove any unused plugins
  • Check security reports on the remaining plugins for outstanding or frequently recurring issues
  • Check when each plugin was last updated by its author in the repository; old or unmaintained plugins are candidates for replacement or removal
  • Reduce the permissions of the site's DB account to SELECT / UPDATE / INSERT / DELETE (you will need to unlock them temporarily when adding or updating plugins that use custom tables)
  • Set up wp-cli to update plugins automatically every night (wp plugin update --all)
  • Set up the wp-fail2ban plugin and use the wordpress-hard profile.
  • Globally disable access to xmlrpc.php in the Apache config (403; helps prevent brute-force and other quiet attacks), unless it is actually used.
  • Globally disable access to any .log or .git files in the Apache config
  • Consider the Wordfence or Sucuri plugin for file integrity checks / monitoring
  • Set up daily backups of the site
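The file-level items in that list (disable file editing via wp-config.php, read-only wp-config.php, .htaccess closed to the site user, the global xmlrpc.php / .log / .git blocks) can be applied and verified with the script below. It is an added example, not code from this page or from the WordPress project: it builds a throw-away site tree in a temp directory, audits it, hardens it and audits it again. The site path, the "stop editing" marker it keys on (the one shipped in WordPress's wp-config.php) and the www-data group name are assumptions for the demo; changing ownership needs root and is left as a comment.

```shell
#!/bin/sh
# Added example, not from the wiki page: apply and verify the file-level
# WordPress items above on a constructed throw-away site tree. SITE_ROOT and
# the web-server group name are assumptions for the demo; on a real host
# point SITE_ROOT at the WordPress docroot and run as root (chown needs it).

SITE_ROOT="${TMPDIR:-/tmp}/wp_demo.$$"

# Build a constructed, deliberately un-hardened site: wp-config.php with
# WordPress's standard end marker, a minimal .htaccess, both world-readable.
make_demo_site() {
  mkdir -p "$1"
  cat > "$1/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wp_demo' );
define( 'DB_USER', 'wp_demo_user' );
/* That's all, stop editing! Happy publishing. */
require_once ABSPATH . 'wp-settings.php';
EOF
  printf 'RewriteEngine On\n' > "$1/.htaccess"
  chmod 0644 "$1/wp-config.php" "$1/.htaccess"
}

# Symbolic mode string such as "-rw-r--r--" (works with GNU and BSD ls).
file_mode() {
  ls -ld "$1" | cut -c1-10
}

# Disable the theme/plugin editor in wp-admin by defining DISALLOW_FILE_EDIT
# just before the "stop editing" marker. Idempotent: a second run is a no-op.
disable_file_editing() {
  cfg="$1/wp-config.php"
  grep -q 'DISALLOW_FILE_EDIT' "$cfg" && return 0
  line="define( 'DISALLOW_FILE_EDIT', true );"
  awk -v l="$line" '/stop editing/ { print l } { print }' "$cfg" > "$cfg.tmp" \
    && mv "$cfg.tmp" "$cfg"
}

# wp-config.php: owner read-only, nothing for group/other.
# .htaccess: owner + group read-only. Combined with "chown root:www-data
# .htaccess" (needs root, so not done here) the site's own user can neither
# read nor modify it, while Apache running as www-data still can.
lock_down_files() {
  chmod 0400 "$1/wp-config.php"
  chmod 0440 "$1/.htaccess"
}

# One finding per line; empty output means all three checks pass.
audit_site() {
  root="$1"
  grep -q "DISALLOW_FILE_EDIT.*true" "$root/wp-config.php" || echo "file-editing-enabled"
  case "$(file_mode "$root/wp-config.php")" in
    -r--------) ;;
    *) echo "wp-config-not-readonly" ;;
  esac
  case "$(file_mode "$root/.htaccess")" in
    ???????---) ;;                 # no permissions at all for "other"
    *) echo "htaccess-world-accessible" ;;
  esac
}

# Apache 2.4 snippet for the global xmlrpc.php / .log / .git blocks; on a
# Debian/Ubuntu layout save it under conf-available and enable with a2enconf.
apache_deny_snippet() {
  cat <<'EOF'
# Block XML-RPC unless something (Jetpack, mobile apps) really needs it
<Files "xmlrpc.php">
    Require all denied
</Files>
# Never serve log files or Git metadata
<FilesMatch "\.log$">
    Require all denied
</FilesMatch>
<DirectoryMatch "/\.git">
    Require all denied
</DirectoryMatch>
EOF
}

# Demo run: audit, harden, audit again, then print the Apache snippet.
make_demo_site "$SITE_ROOT"
echo "before:"; audit_site "$SITE_ROOT"
disable_file_editing "$SITE_ROOT"
lock_down_files "$SITE_ROOT"
echo "after:";  audit_site "$SITE_ROOT"
apache_deny_snippet
```

The "before" audit lists all three findings and the "after" audit is empty. Note the ordering: disable_file_editing rewrites wp-config.php, so run it before lock_down_files makes the file read-only. The nightly wp-cli update from the list is a plain cron entry, for example 0 3 * * * cd /var/www/site && wp plugin update --all, run as the site user; the DB grant reduction is done in MySQL and is not covered here.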

wiki/server_hardening.txt · Last modified: 2021/06/04 10:49 by antisa

Except where otherwise noted, content on this wiki is licensed under the following license: CC0 1.0 Universal