Hi guys, I am newbie to web security and I recently bought a vps for my forum and trying to secure it as much as possible.
- I'm using Nginx server as frontend, apache as backend on Debian 8.
- I'm keeping up to date web servers and distro
- Not using so many 3rd party tools.
- Using cloudflare to harden security:
1) Bought a SSL certifiacate and using it with Cloud Flare's Full strict Security
2) Set security level to High on CloudFlare
3) I'm trying to hide my real ip. So I deleted default A record on DNS page and redirected all of my subdomains to CloudFlare. Deleted MX records(not using mail system at all) You can't get my ip with pinging direct-connect.domain.com etc. But DNS lookups history leaks my ip. Since I'm fully on CloudFlare I will change my ip and as default change mail server ip to prevent leaking real ip by DNS lookups history.
4) I'm using DNSSEC which protects against forged DNS answers
5) I set up the HTTP Strict Transport Security (HSTS)
Even though I hide my IP behind CloudFlare there stil are some ways to get real ip. So I still had to secure my vps in case of the IP leakage.
- I don't want to redirect to http to https since it's vulnerable to lots of attacks. I've added some commands to .htaccess rewrite url path and write a special plugin for my config to create real https url's
- I installed modsecurity for both apache and nginx
- I'll add ipignore list for my vps when I get static IP from my IPS. So only me and cloudflare IP's may have connection to my vps. But there have to be some way to spoof ip, since CloudFlare IP's are public.
- I ran nikto and I got lots of vulnerability. I fixed almost all of them:
X-XSS protection header,
phpmyadmin path etc.
Here how nikto test result looks like now:
I also ran with -C all so nothing to worry about it.
- Added fail2ban to prevent ssh bruteforce
- I'm not using anything to secure FTP but generally I'm trying to use SFTP.
- I didn't do anything about ports but will filter some of the and close the unnecassary ones.
- Using CSRF protection which is implemented using a randomly-generated token.
- I added a sanitization for sensitive data
That's all I've done so far. The subject name is "Could you hack my server" but I'm not claiming that I'm unhackable, No! Evrything is hackable with required skills and effort. But I'm just curious that how would "you" hack my server with given information. What shuold I do to harden my secuirty?
I forgot to say, I have two-factor auth for literally everything, Cloudflare login to Gmail. And every night before sleeping. I check logins for my accounts, logs etc.
Also I have LogDog installed on my phone. And I'm not using anything beside Linux for myself.