Set up your Drupal 9/10 server in 15 minutes

Points to remember before you start

  • Run sudo apt-get update before installing packages so you get current versions and security fixes; on a fresh server follow it with sudo apt-get upgrade
  • Prefix commands with sudo if you are not logged in as root (the first section is done as root, everything after the sudo-user section as your new user)
  • This document was created September, 2019, but is updated by Simple Information staff regularly. 
  • If you get stuck, please follow the reference documents and the In a jam section at the end of this page

How to change the SSH port

The default SSH port is 22. Automated scanners probe port 22 on every public address around the clock, so moving SSH to another port cuts the noise in your logs and sheds the laziest bots. Be clear about what it buys you: this is obscurity, not a security control. A port scan finds the new port in seconds, so the steps that actually matter are the sudo user, disabling root login and the firewall further down. We suggest an unused number between 3000 and 65000 that no other service on the box listens on (sudo ss -tlnp shows current listeners). If your provider puts a security group or network firewall in front of the server, open the new port there first. For this example, we'll use port 18678.

* SSH is how you are connected to the server, so be careful not to lock yourself out!

* You're logged in as root so you won't need to use the command sudo yet. 

Log in to your server in a terminal window (xxx.xxx.xxx.xxx stands for the server's IP address):

ssh root@xxx.xxx.xxx.xxx

Once logged in, do nothing with this session: SET THIS TERMINAL ASIDE. It is your safety net if the new configuration locks you out.

Login again using a different terminal

Edit the sshd config file

nano /etc/ssh/sshd_config

Locate the line #Port 22 and uncomment it (remove the leading #).

Change the port number 22 to 18678 (we'll use this port number for this example; you may choose another). Save the new configuration (^X -> Y -> Enter). Before restarting, run sshd -t: it prints nothing when the file is valid and names the offending line otherwise, which is much better than finding out from a failed restart.

Restart SSH. On Debian and Ubuntu the service unit is named ssh (sshd is accepted as an alias):

systemctl restart ssh

On Ubuntu 22.10 and later, sshd is socket-activated by systemd and the Port line in sshd_config is ignored in favour of the ssh.socket unit. If ss -tln still shows port 22 listening after the restart, turn socket activation off with systemctl disable --now ssh.socket followed by systemctl enable --now ssh.service; sshd then reads the port from sshd_config again.

*If your current terminal gets disconnected, use the one you set aside.

From now on you'll need to log in using the new port number. Log out of the second terminal window and then log back in using the new port number: 

ssh -p 18678 root@xxx.xxx.xxx.xxx

*To double check, try to log in without specifying the port (default 22); you should get a message ending in: 
port 22: Connection refused

How to create a sudo user

In this section we create an ordinary user that can run commands as root through sudo, so that daily work, and after the next section every SSH login, no longer happens directly as root. Run the commands below.

[note: replace rob with your username]

sudo adduser rob

Set and confirm the new user's password at the prompt. Use a password of at least 15 characters that mixes upper case letters, lower case letters and numbers. This is also the password sudo will ask for, so it guards root access.

You will see these prompts:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
The personal details are optional; press Enter through them, then type Y and press Enter.

Use the usermod command to add the user to the sudo group

sudo usermod -aG sudo rob

On Debian and Ubuntu that is all that is needed: /etc/sudoers already grants the sudo group full rights with the line %sudo ALL=(ALL:ALL) ALL. Do not edit /etc/sudoers with nano or another plain editor; a single syntax error disables sudo for every user, and you are about to switch off root login as well. If you want an explicit per-user rule anyway, open the file with visudo, which checks the syntax before it saves:

sudo visudo

and add under the User privilege specification heading:

rob ALL=(ALL:ALL) ALL

Before going further, prove the new account works from a fresh session while your root terminal stays open: log in with ssh -p 18678 rob@xxx.xxx.xxx.xxx and run sudo -v. It asks for rob's password and returns silently on success. Only when that works should you move on to disabling root.

How to disable the root login

The root account exists on every Linux system and has unlimited privileges, so it is the first username every brute-force bot tries. Now that your sudo user works, disable direct root logins over SSH; from here on, administration is done as rob with sudo.

sudo nano /etc/ssh/sshd_config

Locate the PermitRootLogin line. On Debian and Ubuntu it is commented out and reads #PermitRootLogin prohibit-password, which still allows root to log in with an SSH key. Replace it with an active line:

PermitRootLogin no

Save the file. Restart the SSH server, keeping your current session open, and from a second terminal confirm that ssh -p 18678 root@xxx.xxx.xxx.xxx is now refused while logging in as rob still works.

sudo systemctl restart ssh

Limit the number of authentication attempts per connection

MaxAuthTries is the number of authentication attempts (password guesses, or SSH keys offered) that sshd accepts on a single connection before it drops the connection; the default is 6. MaxSessions limits how many shell, command or subsystem sessions can be multiplexed over one connection (default 10). It is not a limit on how many times a user may log in; lowering it mainly affects tools such as Ansible or editor remote plugins that open several sessions over one connection.

Open the sshd_config file

sudo nano /etc/ssh/sshd_config

Uncomment #MaxAuthTries 6 and #MaxSessions 10 and set each to the value you want. We suggest MaxAuthTries 5. Do not go much lower: a client with several keys loaded in its agent spends one attempt per key, and you will start seeing Too many authentication failures on your own logins.

Save the file and restart SSH

sudo systemctl restart ssh

Be realistic about what this achieves. A bot that is dropped after 5 guesses simply opens a new connection, so MaxAuthTries slows password guessing per connection but does not stop it, and the failed attempts still land in /var/log/auth.log. The rate-limited rule in the UFW section (ufw limit) throttles repeated connections from one address, and the Level 2 tools below go further.

How to configure ufw firewall

Ubuntu ships UFW (Uncomplicated Firewall) by default and Debian packages it (sudo apt-get install ufw). It is a front end to the kernel packet filter (iptables/nftables) and the easiest way to manage a host firewall on these distributions. It only filters what reaches this host: if your provider has a security group or network firewall in front of the server, ports must be opened there as well.

To check ufw status

sudo ufw status verbose

** BE CAREFUL not to lock yourself out **

UFW is inactive by default, which means nothing filters incoming traffic and every listening service is reachable from the internet. Once you enable it, the default policy denies all incoming connections except the ports you have allowed, so add your new SSH port BEFORE you enable UFW, and do it from a session you can afford to lose while the one you set aside stays open.

To allow a port (now is the time to allow your new SSH port, 18678 in this example; your web server will also need 80 and 443 allowed the same way):

sudo ufw allow 18678/tcp

If you would rather have the SSH port rate-limited as well, use sudo ufw limit 18678/tcp instead of allow: the port stays open, but a source that opens 6 or more connections within 30 seconds is dropped, which takes the edge off password guessing.

To deny any port number

sudo ufw deny 22

To allow Port Ranges

sudo ufw allow 5000:5003

To allow Specific IP address

sudo ufw allow from 192.168.56.1

To allow a specific IP address on a specific port (a good way to restrict SSH to your office or VPN address, if it is static)

sudo ufw allow from 192.168.56.1 to any port 18678

To enable the firewall. It warns that existing connections may be disrupted; answer y. Your current SSH session survives as long as the allow rule above is in place.

sudo ufw enable

Afterwards run sudo ufw status verbose and confirm your SSH port is listed as ALLOW IN, then open a third terminal and log in once more before you close the one you set aside.
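The SSH sections and the UFW steps above are one procedure with a single failure mode: a typo or a wrong order locks you out. The script below is an added example written for this page, not code from the original article or from Simple Information. It rewrites the sshd_config directives idempotently (a commented or live line is replaced in place, a missing one is inserted, and running it twice changes nothing), asks sshd to validate the result, and emits the ufw commands in an order that cannot lock you out. It assumes a Debian/Ubuntu layout (/etc/ssh/sshd_config, ufw installed) and GNU sed; port 18678 is this page's placeholder SSH port, and ports 80 and 443 are what the Drupal site will need.

```bash
#!/usr/bin/env bash
# harden.sh: sshd_config edits and UFW rules from the sections above, applied
# idempotently and in a lock-out-safe order. Added example, not the original
# page's code. Assumes Debian/Ubuntu paths, GNU sed, ufw installed.
set -euo pipefail

# sshd_set FILE KEY VALUE
# Set "KEY VALUE" in an sshd_config-style file. The first line carrying KEY is
# rewritten whether it is live ("Port 22") or commented ("#Port 22"); sshd
# honours the first occurrence of a keyword, so that is the one that matters.
# If KEY is absent the directive is inserted at the top, never appended: an
# appended line could land inside a trailing "Match" block and apply only there.
# VALUE must not contain sed metacharacters (/ & \); ours are numbers and "no".
sshd_set() {
  local file="$1" key="$2" value="$3"
  local re="^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)"
  if grep -Eq "$re" "$file"; then
    # 0,/re/ restricts the substitution to the first matching line (GNU sed)
    sed -E -i "0,/${re}/s/${re}.*/${key} ${value}/" "$file"
  else
    printf '%s %s\n' "$key" "$value" | cat - "$file" >"$file.tmp" && mv "$file.tmp" "$file"
  fi
}

# harden_sshd FILE PORT: the settings from the SSH sections above.
harden_sshd() {
  local file="$1" port="$2"
  sshd_set "$file" Port "$port"
  sshd_set "$file" PermitRootLogin no
  sshd_set "$file" MaxAuthTries 5
  sshd_set "$file" MaxSessions 5
}

# check_sshd_config FILE: let sshd itself parse FILE before you restart it.
# Needs root on the server (it reads the host keys); skipped if sshd is absent.
check_sshd_config() {
  if ! command -v sshd >/dev/null 2>&1; then
    echo "sshd not installed here, skipping syntax check" >&2
    return 0
  fi
  sshd -t -f "$1"
}

# ufw_rules PORT [DRY_RUN]
# Firewall rules in the order that cannot lock you out: default policy and the
# SSH rule come before "ufw enable". "ufw limit" allows the port but drops a
# source that opens 6 or more connections in 30 seconds, which blunts the
# password guessing that MaxAuthTries alone does not stop. With DRY_RUN=1
# (the default) the commands are printed one per line instead of executed.
ufw_rules() {
  local port="$1" dry="${2:-1}" cmd
  local cmds=(
    "ufw default deny incoming"
    "ufw default allow outgoing"
    "ufw limit ${port}/tcp"
    "ufw allow 80/tcp"
    "ufw allow 443/tcp"
    "ufw --force enable"
  )
  for cmd in "${cmds[@]}"; do
    if [ "$dry" = 1 ]; then
      echo "$cmd"
    else
      $cmd
    fi
  done
}

# Apply for real only when explicitly asked, so sourcing this file or running
# it for the dry run never touches the system:
#   sudo env HARDEN_APPLY=1 DRY_RUN=0 bash harden.sh 18678
if [ "${HARDEN_APPLY:-0}" = 1 ]; then
  harden_sshd /etc/ssh/sshd_config "${1:-18678}"
  check_sshd_config /etc/ssh/sshd_config
  ufw_rules "${1:-18678}" "${DRY_RUN:-1}"
fi
```

Run it once without HARDEN_APPLY to see the ufw plan, then with HARDEN_APPLY=1 from the session you can afford to lose while the terminal you set aside stays open; restart sshd afterwards (systemctl restart ssh) and log in on the new port before closing anything. On Ubuntu 22.10 and later remember the socket-activation note from the SSH port section, which this script does not handle.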

Please follow the reference docs for more details

References:

https://www.digitalocean.com/community/tutorials/how-to-setup-a-firewall-with-ufw-on-an-ubuntu-and-debian-cloud-server

Level 2: High Security: Do you see something suspicious? You might want to step security up a level.

How to install DDoS deflate

(D)DoS Deflate is a lightweight bash script that helps block the simplest kind of denial of service: a flood from one or a few addresses. It periodically lists the IP addresses connected to the server with their connection counts (using netstat) and temporarily bans, with a firewall rule, any address whose count exceeds a configured threshold. It is one of the easiest software-level measures to install, but understand its limits: it does nothing against a distributed flood in which every address stays under the threshold, and nothing at all against a volumetric attack that saturates the network link before packets reach the host; that layer has to be absorbed upstream by your provider or a CDN.

Installation

As root (sudo su) execute the following commands. Note that, as written, this downloads whatever is on the master branch at that moment and runs its install script as root. Prefer a release tag or a specific commit over master, and read install.sh and the ddos.sh it installs before running them.

apt-get install unzip
wget https://github.com/jgmdev/ddos-deflate/archive/master.zip -O ddos.zip
unzip ddos.zip
cd ddos-deflate-master
./install.sh

After installing, review /etc/ddos/ddos.conf (the connection threshold and the ban length) and add your own addresses to /etc/ddos/ignore.ip.list so the script can never ban you.

Uninstallation

As root, from the directory where you unzipped the archive:

cd ddos-deflate-master
./uninstall.sh

References:

https://github.com/jgmdev/ddos-deflate/

How to configure mod-evasive Apache module

mod_evasive is an Apache module that counts requests per client IP address and answers 403 Forbidden to any client that exceeds a threshold, either for one URI or for the whole site, within a short window. It blunts application-layer floods and brute-force attempts that come from a single address. It does nothing against a distributed attack, where each address stays under the threshold, or against a volumetric one. Behind a reverse proxy or CDN it sees the proxy's address for every visitor unless the real client IP is restored (for example with mod_remoteip); otherwise it would block the proxy itself.

To install this module

sudo apt-get update
sudo apt-get install libapache2-mod-evasive

Once mod_evasive is installed, you can verify it with the following command:

apachectl -M | grep evasive

If everything is ok, you should see the following output:

evasive20_module (shared)

Configure mod_evasive

sudo nano /etc/apache2/mods-enabled/evasive.conf

(That path is a symlink to /etc/apache2/mods-available/evasive.conf; the package enables the module for you.) Set the directives below, using your own email address in place of the placeholder:

DOSHashTableSize 3097 
DOSPageCount 2 
DOSSiteCount 50 
DOSPageInterval 1 
DOSSiteInterval 1 
DOSBlockingPeriod 10 
DOSEmailNotify admin@example.com 
#DOSSystemCommand "su - someuser -c '/sbin/... %s ...'" 
DOSLogDir "/var/log/mod_evasive" 

What the numbers mean: DOSPageCount 2 with DOSPageInterval 1 blocks a client that requests the same URI more than 2 times within 1 second; DOSSiteCount 50 with DOSSiteInterval 1 blocks a client that makes more than 50 requests to the whole site within 1 second. A blocked client gets 403 for DOSBlockingPeriod seconds, and every further request during that time restarts the clock. These are the upstream defaults and they are strict: a Drupal page can pull dozens of CSS, JavaScript and image files, so a quick double reload or a proxy that fronts many users can trip the site threshold. Watch /var/log/apache2/access.log for unexpected 403s after enabling, and raise DOSSiteCount or add DOSWhitelist lines for trusted proxies and your own address if real users are hit. DOSEmailNotify needs a working mail command on the server, otherwise it silently does nothing. The DOSSystemCommand line is a template from the upstream documentation (the ... is a placeholder, not a real path); leave it commented out unless you have written a script for it to call, because mod_evasive runs it every time an address is blocked.

Make the directory mod_evasive logs to (it records each block there as a file named dos-<client IP>)

sudo mkdir -p /var/log/mod_evasive

Change the ownership so the Apache user (www-data) can write to it; without this you will see "Couldn't open logfile" errors in the Apache error log

sudo chown -R www-data:www-data /var/log/mod_evasive
sudo service apache2 restart
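A mod_evasive setup that is not actually blocking (a log directory it cannot write to, an address that is whitelisted, a proxy in front of it) looks exactly like a working one until you test it. The script below is an added example written for this page, not code from mod_evasive or from the original article: it fires a burst of requests and reports at which request the 403s begin. It assumes the site answers on http://127.0.0.1/ and that curl is installed on the server; both are assumptions, not something the page states.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): confirm mod_evasive blocks a
# burst of requests. Assumes curl is installed and the site answers locally.
set -euo pipefail

# burst URL COUNT: send COUNT requests back to back on fresh connections and
# print one HTTP status code per line. curl prints 000 when it got no HTTP
# response at all (connection refused, timeout), which we never count as served.
burst() {
  local url="$1" count="$2" i
  for ((i = 0; i < count; i++)); do
    curl -s -o /dev/null -w '%{http_code}\n' --max-time 5 "$url" || true
  done
}

# summarize: read status codes from stdin and report how many requests were
# served (2xx/3xx), how many mod_evasive rejected (403), and the position of
# the first rejection. With DOSPageCount 2 / DOSPageInterval 1 the same URI
# is allowed twice per second, so the 403s should start within the first few.
summarize() {
  awk '
    /^[23]/ { served++ }
    /^403$/ { blocked++; if (!first) first = NR }
    END { printf "served=%d blocked=%d first_block_at=%d\n", served, blocked, first }
  '
}

# Usage on the server, after sourcing this file:
#   burst http://127.0.0.1/ 10 | summarize
```

With the settings above you should see something like served=2 blocked=8 first_block_at=3, and a file named dos-127.0.0.1 appears in /var/log/mod_evasive. Wait longer than DOSBlockingPeriod (10 seconds) and run it again: the first requests are served once more. Only after this works should you add a DOSWhitelist line for the address you test from, or the test will never fail again.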

References:

https://blog.rapid7.com/2017/04/09/how-to-configure-modevasive-with-apache-on-ubuntu-linux/

How to configure the Mod_security Apache module

ModSecurity is a web application firewall engine for Apache: it inspects requests and responses against rules and can log or block what matches. It is packaged in the Debian and Ubuntu repositories as libapache2-mod-security2 (older releases called it libapache2-modsecurity). Install it and activate the recommended base configuration:

sudo apt-get install libapache2-mod-security2
sudo cp /etc/modsecurity/modsecurity.conf-recommended /etc/modsecurity/modsecurity.conf
sudo nano /etc/modsecurity/modsecurity.conf

Find the line SecRuleEngine DetectionOnly and change it to:

SecRuleEngine On

Two things to know before you flip that switch. First, modsecurity.conf on its own contains almost no attack signatures; the engine is only as useful as the rule set you load, and the usual choice is the OWASP Core Rule Set (package modsecurity-crs on Debian and Ubuntu, wired in through /etc/apache2/mods-available/security2.conf). Second, generic rules produce false positives on a CMS: Drupal administrators post raw HTML in body fields and long POSTs for configuration forms, which look like injection attempts to a WAF. Leave SecRuleEngine DetectionOnly for a while as you use the site, review /var/log/apache2/modsec_audit.log, and add exclusions for the rule IDs that fire on legitimate admin traffic before switching to On. Also check SecRequestBodyLimit (13107200 bytes, about 12.5 MB, in the recommended file): uploads larger than that are rejected with 413.

Run sudo apachectl configtest, then restart Apache

sudo service apache2 restart

References:

https://blog.rapid7.com/2017/04/09/how-to-configure-modsecurity-with-apache-on-ubuntu-linux/

In a jam

  • Oh no, I'm locked out of my server! Use the out-of-band console (often called a virtual terminal, VNC or serial console) that most hosting providers offer in their control panel. It does not go through SSH or the firewall, so you can log in, undo the last change (restore the old Port line, or run sudo ufw disable) and try again.
  • Did we miss something or not get something right? Contact Us