Security setup for EasyEngine


#1

Hi there,

New to EasyEngine but finding it awesome so far :)

What additional security setup is needed after installation on our server – are there any further settings that must be done to further harden our setup of Nginx?

We are running Ubuntu 14.04 as server on Vultr – is there a recommended firewall to use with EasyEngine? Could you offer some advice on which ports etc. to limit access to, specifically with our setup in mind and so that it doesn’t conflict with EasyEngine?

Any help/advice will be greatly appreciated.

Francois Wessels


#2

Hi there!

Check out this info site on which ports should be opened:

You can use ufw as a firewall. Here is some info on it:

It is easy to set up. Simply add the ports from the install link above to the ufw allow list. Also open ports like 443, 80, 993 and 25 etc. as TCP (for the mail server to work). Set the SSH port to limit instead of only allow.

The next thing you could do is change the native SSH port 22 to another secret port. EasyEngine doesn’t rely on 22 as its SSH port, so you can simply change it and make it really difficult for attackers to attack your SSH. Make sure to open the new SSH port in your firewall before reloading SSH. Otherwise you will lock yourself out.

If you want to know how to set up a new SSH port (very easy actually), let me know.

Saskia


#3

Hey Saskia,

Thanks for the reply – I actually did not have the correct ports open for EE on the firewall, but after I fixed that things are running better :)

Are there any suggestions regarding hardening the Nginx that is installed when EE installs? I don’t know if EE has already done most of that work.

Regards, Francois


#4

In addition to changing your SSH port, you could install and configure fail2ban properly.


#5

On top of all this, I would suggest using a two-factor authentication plugin.

You can set this up for SSH, but that can get a bit tricky, so if you’re not very technical then just stick to your site.

If you use WordPress I would suggest using the Duo two-factor plugin. Also install a security monitoring plugin like Sucuri.


#6

My hosting environments are built on the Google Developers Console. It already has a networking module, complete with Firewall Rules and Routes. So, obviously I don’t see a need for an additional firewall, though UFW would likely be my choice if I needed one.

There are several WordPress plugins I’d recommend:

  1. Akismet (https://wordpress.org/plugins/akismet/).
  2. Authy Two-Factor Authentication (https://wordpress.org/plugins/authy-two-factor-authentication/). Yes, there are other options, including some utilizing Google’s own 2FA. I’ve tried many of them, and you just don’t get the features and support you do with Authy. The Authy plugin is dated, but still works great!
  3. Conditional CAPTCHA (https://wordpress.org/plugins/wp-conditional-captcha/) using the reCAPTCHA configuration.
  4. Stop Spammer Registration (https://wordpress.org/plugins/stop-spammer-registrations-plugin/)
  5. WP Password Policy Manager (https://wordpress.org/plugins/wp-password-policy-manager/)

While these plugins provide WordPress with some resemblance of security, I prefer to block what I can at the server level.

  1. fail2ban - seems to be popular and there is an official EE tutorial here: https://easyengine.io/tutorials/nginx/fail2ban/
  2. Nginx’s Limit Req Module - also with an official EE tutorial here: https://easyengine.io/tutorials/nginx/block-wp-login-php-bruteforce-attack/
  3. A while back, I suggested EE should support OSSEC (http://ossec.github.io), but I haven’t seen anything else about it yet.
  4. SSL - this should probably be the first one on the list, and EE now supports Let’s Encrypt (though there may be a minor problem with automatic installation/configuration), which leaves no reason for websites to not deploy SSL. See official EE tutorial here: https://easyengine.io/tutorials/nginx/letsencrypt/
  5. HTTP/2 - has an official EE tutorial here: https://easyengine.io/docs/http2-support/

Additionally, since a server’s logs are a huge source of information, I’d love to see the addition of Graylog (https://www.graylog.org) within the EE admin tools. Graylog is at version 1.3.3 and its Monitor/Alert features are very appealing to me. However, until more than myself want it, it will likely not become part of EE, as with OSSEC.
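As an added example (not from the EasyEngine tutorial or any poster above) of the Nginx limit_req approach named in point 2: the unthrottled wp-login.php location beside a rate-limited one, extended to xmlrpc.php as well. The upstream name `php_upstream` and the placement inside the site’s server block are assumptions; adjust them to the layout EE generated for your site.

```nginx
# Added example: throttle WordPress login endpoints with ngx_http_limit_req_module.
# Assumptions (not from the thread): the PHP-FPM upstream is called "php_upstream"
# and this fragment is included in the http {} context of nginx.conf.

# One shared zone keyed on client IP. 10 MB of state holds roughly 160k
# addresses; each address is allowed an average of 1 request per second.
limit_req_zone $binary_remote_addr zone=wp_login:10m rate=1r/s;
limit_req_status 429;        # tell clients "Too Many Requests" instead of the default 503
limit_req_log_level warn;    # rejected requests show up as "limiting requests" in error.log

server {
    # ... listen / server_name / root as generated by EasyEngine ...

    # Before: every request to wp-login.php is handed straight to PHP-FPM, so a
    # password-guessing client is bounded only by how fast PHP can answer.
    # location = /wp-login.php {
    #     fastcgi_pass php_upstream;
    #     include fastcgi_params;
    # }

    # After: up to 5 requests above the 1 r/s average are accepted (nodelay
    # serves them at once but still counts them); the rest get a 429.
    location = /wp-login.php {
        limit_req zone=wp_login burst=5 nodelay;
        fastcgi_pass php_upstream;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }

    # xmlrpc.php accepts batched authentication attempts (system.multicall),
    # so it shares the same zone; return 403 here instead if the site never
    # uses XML-RPC (Jetpack and the mobile apps do).
    location = /xmlrpc.php {
        limit_req zone=wp_login burst=5 nodelay;
        fastcgi_pass php_upstream;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

Run `nginx -t` before reloading, then confirm a normal login still succeeds and that repeated rapid requests produce 429s and "limiting requests" entries in the error log.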
