Changing the SSH port
In order to prevent your SSH connection from being found by crackbots, you should change the default port 22. Go to /etc/ssh and open the sshd_config file. Ports are listed in line 5. Now replace the default with a random value somewhere between 10000 and 65000. Save and reload Apache using /etc/init.d/apache2 reload.
Note: From now on you have to access your server via SSH using ssh -p XXXXX user@IP.
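The port change as a small script, added here as an example and not part of the original post. It rewrites the Port directive in a copy of sshd_config (a commented-out "#Port 22" is activated as well), checks the value against the 10000-65000 range recommended above, and reads it back. The file path and port are parameters; the demonstration uses a constructed temporary file. Note that the new port only becomes active once the SSH daemon itself is reloaded, so the reload command for sshd is shown in a comment at the end.

```shell
#!/bin/sh
# Added example (not from the original post): set the SSH listening port in an
# sshd_config file, validating the value, without touching a live system file.
# Assumptions: the config path and port are passed as arguments; the reload step
# is shown as a comment so the script is safe to run anywhere.

# Accept only an integer in the range recommended above (10000-65000).
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;   # empty or non-numeric
    esac
    [ "$1" -ge 10000 ] && [ "$1" -le 65000 ]
}

# Rewrite (or append) the Port directive in the given sshd_config file.
# A commented-out "#Port 22" line is replaced too, so the directive is active.
set_ssh_port() {
    cfg="$1"; port="$2"
    valid_port "$port" || { echo "port out of range: $port" >&2; return 1; }
    if grep -Eq '^[#[:space:]]*Port[[:space:]]+[0-9]+' "$cfg"; then
        sed -i -E "s/^[#[:space:]]*Port[[:space:]]+[0-9]+.*/Port $port/" "$cfg"
    else
        printf 'Port %s\n' "$port" >> "$cfg"
    fi
}

# Read the effective Port directive back so the change can be checked before reloading.
get_ssh_port() {
    awk 'tolower($1) == "port" { p = $2 } END { print p }' "$1"
}

# Demonstration on a constructed copy; on a real host the file is /etc/ssh/sshd_config.
demo_cfg=$(mktemp)
printf '#Port 22\nPermitRootLogin no\n' > "$demo_cfg"
set_ssh_port "$demo_cfg" 48213
echo "Port now: $(get_ssh_port "$demo_cfg")"
rm -f "$demo_cfg"

# On the real server, test the syntax and reload the SSH daemon (not Apache).
# Keep the current session open until a second login on the new port succeeds:
#   sshd -t && /etc/init.d/ssh reload
```

Run it as root against /etc/ssh/sshd_config only after the demonstration on a copy behaves as expected; the script deliberately does not reload anything itself.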
Apache configuration
Append the following lines to your apache2.conf file:
Options FollowSymLinks
<Directory />
Order Deny,Allow
Deny from all
AllowOverride None
</Directory>
<Directory /var/www/>
Order Deny,Allow
Allow from all
AllowOverride all
</Directory>
Code explanation: Line 1 turns off all Apache options (this prevents directory listing and improves server performance) except FollowSymLinks, which is necessary if you want to use mod_rewrite correctly. (Apache rejects an Options line that mixes None with a +/- entry, so the options to keep are simply listed.) The following lines grant access only to your www folder.
Setting up phpmyadmin
To protect your databases from unwelcome visitors it is advisable to take these two steps:
- Verify that your MySQL users are allowed to access your server only from localhost. Thus your databases can only be used by applications installed on your own server. When creating a new user you will find the field “Host” to adjust it.
- Create a dedicated vhost for your phpmyadmin installation. You can use a subdomain for this purpose. Besides, choose a name as unique as possible.
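A check for the first step, added here as an example and not part of the original post: it lists every MySQL account whose Host is not the local machine. On a real server the account list would come from the query `SELECT user, host FROM mysql.user` (run with `mysql -N -B -e`, which prints one user and host per line); here the list is a constructed sample so the check runs offline.

```shell
#!/bin/sh
# Added example (not from the original post): flag MySQL accounts whose Host
# allows connections from somewhere other than the local machine.
# Assumption: input is "user host" per line, as produced on a real server by
#   mysql -N -B -e "SELECT user, host FROM mysql.user"
# The list below is a constructed sample, not real server data.
SAMPLE_ACCOUNTS='root localhost
app localhost
backup %
dev 192.168.1.%
monitor 127.0.0.1'

# Print "user@host" for every account not restricted to the local machine.
find_remote_accounts() {
    printf '%s\n' "$1" | awk '
        NF >= 2 && $2 != "localhost" && $2 != "127.0.0.1" && $2 != "::1" {
            print $1 "@" $2
        }'
}

# Number of such accounts; zero means the step above is complete.
count_remote_accounts() {
    find_remote_accounts "$1" | grep -c .
}

echo "Accounts reachable from other hosts:"
find_remote_accounts "$SAMPLE_ACCOUNTS"
echo "Total: $(count_remote_accounts "$SAMPLE_ACCOUNTS")"

# To restrict a flagged account in MySQL, rename it to a localhost-only host, e.g.
#   RENAME USER 'dev'@'192.168.1.%' TO 'dev'@'localhost';
```

A Host of % (any host) or a network wildcard such as 192.168.1.% is what the check is looking for; the phpmyadmin front end is the usual place to edit the Host field, as the step above describes.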
Problem with subdomains
When setting up my first subdomain for phpmyadmin, I found that my server duplicated the parent domain content instead of displaying the subdomain. I could finally resolve this problem by adding these two lines to my apache2.conf:
NameVirtualHost *:80
NameVirtualHost *:443

James · April 14, 2010 at 13:51
Also, as far as basic security measures go, look into fail2ban, chkrootkit and rkhunter, all good at various tasks.
Fail2ban can be defined for any service (most are added passively if seen on the system) to add the IP to a deny/block list. The other two are just tools to look up common rootkits. Nothing beats monitoring logs from time to time, but if you're unsure where to find all the logs or don’t have a lot of time, those are better than nothing.
James · April 14, 2010 at 13:47
Another step you can do is set up a custom server alias such as “Admin” that points to a “private” folder somewhere you don’t want prying eyes to ever get to.
You can also use allow/deny to restrict this folder to your own IP or IP range. I do this sometimes if I'm working on my own box/site setup where other users outside my network or only specific friends would be allowed controlled access.