How To Harden Debian Server
Its not enough to harden just Debain. Its necessary to harden the rest of Apache-MySQL-PHP as well.
Harden MYSQL
sudo mysql_secure_installation
answer Yes to all questions (but no need to change password)
Disabling SSH root login and settings
sudo vi /etc/ssh/sshd_config
change
PermitRootLogin yes
to
PermitRootLogin no
LoginGraceTime 120
to
LoginGraceTime 30
add line
AllowUsers username username username
Consider disabling ChallengeResponse logins in SSH
Restart Apache (any one of these)
sudo service ssh restart
sudo /etc/init.d/ssh restart
sudo apachectl restart
Limiting access to su
sudo chown root:admin /bin/su
sudo chmod 04750 /bin/su
Limiting access to apt-get and aptitude
Remember you’ll have to change this back to 700 everytime you update the system
sudo chmod 000 /usr/bin/apt-get
sudo chmod 000 /usr/bin/aptitude
Install Fail2ban
Install Fail2ban
Fail2ban Wiki
Add rules to iptables
Handy iptables rule for handling w00tw00t attacks that Fail2ban is not best to handle
iptables -I INPUT -p tcp --dport 80 -m string --to 70 --algo bm --string 'GET /w00tw00t.at.ISC.SANS.' -j DROP
http://pierre.linux.edu/2010/06/using-iptables-to-reject-w00tw00t-at-isc-sans-dfind-scanners/
iptables How To & Tips & Tricks
Prevent Apache from displaying index /var/www
add this line
sudo vi /var/www/.htaccess
Options -Indexes
Set permissions and protect .htaccess from tampering
sudo chown username:www-data /var/www/.htaccess
sudo chmod 444 /var/www/.htaccess
Now don’t forget to Harden WordPress
Disable Timestamp
Adversaries can remotely access the current uptime of your machine and the host’s clock-down to millisecond precision. To avoid this information being passed, it is recommended that you disable TCP timestamps on your systems. The less information attackers can get, the higher the security.
sudo vi /etc/sysctl.conf
add line
net.ipv4.tcp_timestamps = 0
sudo sysctl -p