Set up your Drupal 8 server in 15 minutes

Points To Remember before you start

  • Run sudo apt-get update every time you login
  • Install all packages with sudo if you are not a root user
  • This document was created September, 2019, but is updated by Simple Information staff regularly. 
  • If you get stuck, please follow the reference documents and the below IN A JAM section

How to change the SSH port

The default SSH port is 22. This port is scanned continuously by hackers so you’ll want to change it. We suggest using a number between 3,000 and 65,000. For this example, we’ll use port 18678

* SSH is how you are connected to the server so be careful not to lock your self out of the server!

Login to your server in a terminal window. xxx.xxx.xxx.xxx the server's IP address

ssh root@xxx.xxx.xxx.xxx

Once logged in, do nothing: SET THIS TERMINAL ASIDE

Login again using a different terminal

Edit the sshd config file

sudo nano /etc/ssh/sshd_config

Locate the line: Port 22 and uncomment the line

Change the port no. 22 to 18678 (We'll use this port number for this example. You may choose another)

Restart SSH

Sudo service sshd restart

*If your current terminal gets disconnected, use the one you set aside.

From now on you'll need to login using the new port number.

 

ssh -p 18678 root@xxx.xxx.xxx.xxx

 

How to create a sudo user

In this section we will discuss how to create a sudo user, just run the below commands

[note:- change rob with your username]

sudo adduser rob

Set and confirm the new user’s password at the prompt. Use a password of upper case letters, lower case letters, numbers, and is at least 15 characters long.

Set password prompts:
Enter new UNIX password
Retype new UNIX password:
passwd: password updated successfully
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
Type Y and press enter

Use the usermod command to add the user to the sudo group

sudo usermod -aG sudo rob

Now open the etc/sudoers file, 

sudo nano /etc/sudoers

Add following lines under the User privilege specification

rob ALL=(ALL:ALL) ALL

Now save the file, hooray you are now a sudo user!

How to disable the root login

The Root user is the most powerful user in linux so hackers are aiming for it. Let's disable it. 

sudo nano /etc/sshd/sshd_config

Locate the line “PermitRootLogin yes”

Change it to “PermitRootLogin no”

save the file. Now your root login is disabled.

restart ssh server

sudo service sshd restart

Limit the number of login/session attempts

In this section we will show you how to limit logins/sessions for a user

Open the sshd_config file

sudo nano /etc/sshd/sshd_config

Uncomment #MaxAuthTries and #MaxSessions and set the number of tries with an integer number. We suggest 5. 

save the file

sudo service sshd restart

This helps us stop multiple sessions for a user and block hackers from trying multiple login attempts

How to configure ufw firewall

By default, Debian and Ubuntu distributions come with a firewall configuration tool called UFW (Uncomplicated Firewall), is a popular and easy-to-use command line tool for configuring and managing a firewall on Ubuntu and Debian distributions

To check ufw status

sudo ufw status verbose

** BE CAREFUL do not to lock yourself out **

UFW is off by default which means all ports are open. However, once you enable it, it will close all ports except the ports that you allow so it's important to add your new SSH port BEFORE you enable UFW

To allow any port number (now is the time to allow your new SSH port: 18678)

sudo ufw allow 22

To deny any port number

sudo ufw deny 22

To allow Port Ranges

sudo ufw allow 5000:5003

To allow Specific IP address

sudo ufw allow from 192.168.56.1

To allow Specific IP Addresses on a Specific Port

sudo ufw allow from 192.168.56.1 to any port 22

To enable firewall

sudo ufw enable

Please follow the reference docs for more details

References:

https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server

Level 2: High Security: Do you see something suspicious? You might want to step security up a level.

How to install DDoS deflate

(D)DoS Deflate is a lightweight bash shell script designed to assist in the process of blocking a denial of service attack. It utilizes the command below to create a list of IP addresses connected to the server, along with their total number of connections. It is one of the simplest and easiest to install solutions at the software level.

Installation

As root user ( sudo su) execute the following commands:

Install the unzip package

sudo apt-get install unzip
wget https://github.com/jgmdev/ddos-deflate/archive/master.zip -O ddos.zip
unzip ddos.zip
cd ddos-deflate-master
./install.sh

Uninstallation

As root user execute the following commands: from your home directory

cd ddos-deflate-master
./uninstall.sh

References:

https://github.com/jgmdev/ddos-deflate/

How to configure mod-evasive Apache module

Mod_evasive is an Apache module that can be used to protect against various kinds of attacks on the Apache web server including DDoS, DoS and brute force.

To install this module

sudo apt-get update
sudo apt-get install libapache2-mod-evasive

Once mod_evasive is installed, you can verify it with the following command:

apachectl -M | grep evasive

If everything is ok, you should see the following output:

evasive20_module (shared)

Configure mod_evasive

sudo nano /etc/apache2/mods-enabled/evasive.conf

 Add the below text to the file (use your own email)

             
                DOSHashTableSize 3097 
                DOSPageCount 2 
                DOSSiteCount 50 
                DOSPageInterval 1 
                DOSSiteInterval 1 
                DOSBlockingPeriod 10 
                DOSEmailNotify email@yourdomain.com 
                DOSSystemCommand "su - someuser -c '/sbin/... %s ...'" 
                DOSLogDir "/var/log/mod_evasive" 
            

Make a directory to store logs

sudo mkdir /var/log/mod_evasive

change the ownership of the directory

sudo chown -R www-data:www-data /var/log/mod_evasive
sudo service apache2 restart

References:

https://blog.rapid7.com/2017/04/09/how-to-configure-modevasive-with-apache-on-ubuntu-linux/

How to configure the Mod_security Apache module

By default, mod_security is available in the Ubuntu repository. You can simply install it with the following command:

sudo apt-get install libapache2-modsecurity
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
sudo nano /etc/modsecurity/modsecurity.conf

Change the below line:

SecRuleEngine on

Now restart the apache

Sudo service apache2 restart

References:

https://blog.rapid7.com/2017/04/09/how-to-configure-modsecurity-with-apache-on-ubuntu-linux/

JAM

  • Oh no, I'm locked out of my server! In this case check with your hosting provider who should provide a virtual terminal

Did we miss something or not get something right? Contact Us

Our team is happy to answer your sales questions. Fill out the form and we’ll be in touch as soon as possible.

+1-800-712-8823

2901 E Baltimore St, Baltimore, MD 21224