There is an Ubuntu server, a home PC. Some sites run on it, plus FTP file storage.

The question is the following: how can the server be secured as much as possible?

  1. Backups are made regularly
  2. Nginx as the front end to Apache.
  3. MySQL is installed; every site connects to it with its own user. phpMyAdmin is installed.
  4. SSH + FTP (proftpd) posted

Questions:

  1. What actions need to be taken to make everything as safe as possible?
  2. What should be read on the topic?
  3. What are some elementary actions worth taking, and where can I read about them? (Along the lines of: do not work as root, use complex passwords, use different passwords everywhere, etc.)
  4. Which console antivirus would you advise?
  5. Which logs need to be checked regularly? What should be read in them, and where?
  6. Any books and related articles are welcome.

    4 answers

    1. do not use default ports (for example, 3306 for MySQL or 22 for ssh)
    2. run Apache under a specially created user with minimal rights
    3. chroot whatever can give access to the system (for example, Apache)
    4. logs usually live in /var/log
    5. use iptables, fail2ban, etc.
    6. here are some antiviruses for linux
    • What else can give access to the system? Is nginx worth checking? proftpd? What else should have its rights cut down? (well, i.e. create a separate user and run it as that user) So far I have this list on the server: ssh, nginx, apache, mysql, php, proftpd, fail2ban, iptables - butteff 1
    1. SELinux
    2. Regular chkrootkit
    3. Disable IPv6 (if not using)
    4. Reread sshd_conf ten times (if a lot of people log in over ssh, read this)

    Use the firewall to close all ports that should not be visible from outside; for example, I doubt that remote connections to mysql occur, so prohibit external connections to that port. phpmyadmin is better served over https, and ideally closed via .htaccess to everyone except those allowed. If not, then https is required.

    ssh: if it is not needed for any external connections, close it off with the firewall; if it is needed by a narrow circle of people, open it to the authorized addresses or at least give access by key, not password. Also set up iptables to log all attempts to connect via ssh if you leave it open to everyone. It is also possible to configure iptables to limit the number of ssh connections from one IP within a certain period of time, which will get rid of brute-forcers.

    As for antivirus, the most popular is probably clamav. It has modules for apache, proftpd and various others, and allows you to scan files for viruses on the fly.

    About the articles:
    setting up secure openssh
    anonymous ftp setup
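
The per-IP limit over a period of time described in the answer above (the idea behind fail2ban and an iptables rate limit), applied to the ssh log as an added example that is not part of the original answers. The log lines are constructed, and the threshold, window, year and function name are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the usual OpenSSH syslog format (not real logs).
SAMPLE_LOG = """\
Mar 10 06:25:01 home sshd[1201]: Failed password for root from 203.0.113.5 port 40112 ssh2
Mar 10 06:25:09 home sshd[1203]: Failed password for invalid user admin from 203.0.113.5 port 40118 ssh2
Mar 10 06:25:20 home sshd[1207]: Failed password for root from 203.0.113.5 port 40131 ssh2
Mar 10 06:25:41 home sshd[1210]: Failed password for invalid user test from 203.0.113.5 port 40140 ssh2
Mar 10 07:02:13 home sshd[1302]: Failed password for alice from 198.51.100.7 port 51514 ssh2
Mar 10 07:02:30 home sshd[1302]: Accepted password for alice from 198.51.100.7 port 51520 ssh2
Mar 10 09:15:00 home sshd[1410]: Failed password for root from 203.0.113.5 port 40200 ssh2
"""

# Timestamp and source address of a failed password login.
FAILED = re.compile(
    r"^(\w{3}\s+\d+ \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?\S+ from (\S+) port \d+"
)


def flag_bruteforce(log_text, max_failures=3,
                    window=timedelta(seconds=60), year=2024):
    """Return {ip: time the limit was first exceeded} for every address with
    more than max_failures failed logins inside one sliding window.
    Syslog lines carry no year, so the caller supplies it (assumption)."""
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful logins and other services
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        hits = recent[m.group(2)]
        hits.append(when)
        while when - hits[0] > window:
            hits.popleft()        # drop failures older than the window
        if len(hits) > max_failures and m.group(2) not in flagged:
            flagged[m.group(2)] = when
    return flagged


if __name__ == "__main__":
    for ip, when in flag_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} exceeded the limit at {when.isoformat()}")
```

On Ubuntu, sshd writes these lines to /var/log/auth.log, which can be passed to the function in place of the sample text.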

      And how about using amazon? Do not use standard ports; access via ssh can be configured via vpn. Do not use passwords; access by keys.