Set up your Drupal 9 server in 15 minutes
Points To Remember before you start
- Run sudo apt-get update every time you login
- Install all packages with sudo if you are not a root user
- This document was created September, 2019, but is updated by Simple Information staff regularly.
- If you get stuck, please follow the reference documents and the below IN A JAM section
How to change the SSH port
The default SSH port is 22. This port is scanned continuously by hackers so you’ll want to change it quickly. We suggest using a number between 3,000 and 65,000 for a new port. For this example, we’ll use port 18678
* SSH is how you are connected to the server so be careful not to lock your self out of the server!
* You're logged in as root so you won't need to use the command sudo yet.
Login to your server in a terminal window. xxx.xxx.xxx.xxx the server's IP address
Once logged in, do nothing: SET THIS TERMINAL ASIDE
Login again using a different terminal
Edit the sshd config file
Locate the line: Port 22 and uncomment the line
Change the port no. 22 to 18678 (We'll use this port number for this example. You may choose another). Save the new configuration. (^X -> Yes)
service sshd restart
*If your current terminal gets disconnected, use the one you set aside.
From now on you'll need to login using the new port number. Log out of the second terminal window and then log back in using the new port number:
ssh -p 18678 email@example.com
*To double check, try to login without specifying the port (default 22), you should get the message:
port 22: Connection refused
How to create a sudo user
In this section we will discuss how to create a sudo user, just run the below commands
[note:- change rob with your username]
sudo adduser rob
Set and confirm the new user’s password at the prompt. Use a password of upper case letters, lower case letters, numbers, and is at least 15 characters long.
Set password prompts: Enter new UNIX password Retype new UNIX password: passwd: password updated successfully Enter the new value, or press ENTER for the default Full Name : Room Number : Work Phone : Home Phone : Other : Is the information correct? [Y/n] Type Y and press enter
Use the usermod command to add the user to the sudo group
sudo usermod -aG sudo rob
Now open the etc/sudoers file,
sudo nano /etc/sudoers
Add following lines under the User privilege specification
rob ALL=(ALL:ALL) ALL
Now save the file, hooray you are now a sudo user!
How to disable the root login
The Root user is the most powerful user in linux so hackers are aiming for it. Let's disable it.
sudo nano /etc/sshd/sshd_config
Locate the line “PermitRootLogin yes”
Change it to “PermitRootLogin no”
save the file. Now your root login is disabled.
restart ssh server
sudo service sshd restart
Limit the number of login/session attempts
In this section we will show you how to limit logins/sessions for a user
Open the sshd_config file
sudo nano /etc/sshd/sshd_config
Uncomment #MaxAuthTries and #MaxSessions and set the number of tries with an integer number. We suggest 5.
save the file
sudo service sshd restart
This helps us stop multiple sessions for a user and block hackers from trying multiple login attempts
How to configure ufw firewall
By default, Debian and Ubuntu distributions come with a firewall configuration tool called UFW (Uncomplicated Firewall), is a popular and easy-to-use command line tool for configuring and managing a firewall on Ubuntu and Debian distributions
To check ufw status
sudo ufw status verbose
** BE CAREFUL do not to lock yourself out **
UFW is off by default which means all ports are open. However, once you enable it, it will close all ports except the ports that you allow so it's important to add your new SSH port BEFORE you enable UFW
To allow any port number (now is the time to allow your new SSH port: 18678)
sudo ufw allow 22
To deny any port number
sudo ufw deny 22
To allow Port Ranges
sudo ufw allow 5000:5003
To allow Specific IP address
sudo ufw allow from 192.168.56.1
To allow Specific IP Addresses on a Specific Port
sudo ufw allow from 192.168.56.1 to any port 22
To enable firewall
sudo ufw enable
Please follow the reference docs for more details
Level 2: High Security: Do you see something suspicious? You might want to step security up a level.
How to install DDoS deflate
(D)DoS Deflate is a lightweight bash shell script designed to assist in the process of blocking a denial of service attack. It utilizes the command below to create a list of IP addresses connected to the server, along with their total number of connections. It is one of the simplest and easiest to install solutions at the software level.
As root user ( sudo su) execute the following commands:
Install the unzip package
sudo apt-get install unzip
wget https://github.com/jgmdev/ddos-deflate/archive/master.zip -O ddos.zip unzip ddos.zip cd ddos-deflate-master ./install.sh
As root user execute the following commands: from your home directory
How to configure mod-evasive Apache module
Mod_evasive is an Apache module that can be used to protect against various kinds of attacks on the Apache web server including DDoS, DoS and brute force.
To install this module
sudo apt-get update
sudo apt-get install libapache2-mod-evasive
Once mod_evasive is installed, you can verify it with the following command:
apachectl -M | grep evasive
If everything is ok, you should see the following output:
sudo nano /etc/apache2/mods-enabled/evasive.conf
Add the below text to the file (use your own email)
DOSHashTableSize 3097 DOSPageCount 2 DOSSiteCount 50 DOSPageInterval 1 DOSSiteInterval 1 DOSBlockingPeriod 10 DOSEmailNotify firstname.lastname@example.org DOSSystemCommand "su - someuser -c '/sbin/... %s ...'" DOSLogDir "/var/log/mod_evasive"
Make a directory to store logs
sudo mkdir /var/log/mod_evasive
change the ownership of the directory
sudo chown -R www-data:www-data /var/log/mod_evasive
sudo service apache2 restart
How to configure the Mod_security Apache module
By default, mod_security is available in the Ubuntu repository. You can simply install it with the following command:
sudo apt-get install libapache2-modsecurity
sudo mv /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
sudo nano /etc/modsecurity/modsecurity.conf
Change the below line:
Now restart the apache
Sudo service apache2 restart
- Oh no, I'm locked out of my server! In this case check with your hosting provider who should provide a virtual terminal
- Did we miss something or not get something right? Contact Us