HOSTING A WEBSITE AND HARDENING ITS SECURITY

Nov 2023 - Jan 2024

1MB

HOSTING A WEBSITE AND HARDENING ITS SECURITY.pdf

pdf

In 2022, as part of a university project, I undertook a comprehensive task of hosting a website and implementing robust security measures to protect it. This DIY project was executed using a Raspberry Pi, highlighting practical steps and best practices in website security.

Project Overview

The primary goal of this project was to host a basic WordPress website on a local network and apply various security hardening techniques to safeguard it. Below are the key components and steps involved in the project:

1. Setting Up the Server:

   • Installed WordPress on a Raspberry Pi.

   • Configured a VPN server using OpenVPN to secure remote access.

   • Set up firewall rules with UFW to control incoming and outgoing traffic.

2. Securing the Website:

   • Implemented TLS/SSL for secure communications.

   • Applied various WordPress security plugins such as WP Hardening, Wordfence Security, and two-factor authentication.

   • Hardened the wp-config.php file by restricting file permissions and disabling PHP file execution in critical directories.

3. Creating Secure Tunnels:

   • Used Packetriot to create a secure tunnel for encrypted data transmission.

4. Securing phpMyAdmin:

   • Changed the default directory alias for phpMyAdmin to obscure its access point.

   • Implemented Apache authentication and IP-based access restrictions.

   • Customized PHP configurations to enhance security.

5. SSH Security:

   • Disabled root login and password authentication over SSH, requiring key-based authentication for secure access.

6. Apache2 Hardening:

   • Modified Apache2 configuration to hide version details and directory listings.

7. Brute Force Protection:

   • Installed and configured Fail2Ban to protect the server from brute force attacks by monitoring failed login attempts and blocking suspicious IPs.

Key Learnings and Best Practices

• Strong Authentication: Enforced strong password policies and multi-factor authentication for user accounts.

• Secure Communications: Enabled HTTPS with SSL/TLS to encrypt data in transit.

• Regular Backups: Performed regular backups of website data and files, ensuring secure storage and periodic restoration assessments.

• Input Validation: Implemented input validation to prevent vulnerabilities such as SQL injection and XSS.

• User Permissions: Limited user privileges and regularly reviewed and updated permissions.

• Security Headers: Utilized security headers to enhance browser security.

Future Work

My ongoing efforts in security engineering involve exploring additional measures such as:

• Implementing a firewall like PFsense or OpenBSD.

• Setting up Intrusion Detection Systems (IDS) such as Snort or Suricata.

• Integrating OpenLDAP for centralized authentication, potentially connecting to Windows Active Directory.

Security is an evolving field, and continuous learning and adaptation are crucial for maintaining robust defenses against emerging cyber threats.