A long time ago heddha and I decided to invest in a server hosted by a company we trust here in Germany. The main purpose was an XMPP server, a WordPress blog for travel documentation, a web server for hosting stuff like this blog, and also gathering some experience with the Interweb.
Over the course of the past two years we had implemented quite a bit, e.g. a proftpd, mumble and prosody server, to name a few. Sadly, we never really had the feeling of being in control of the security aspects of the different tools. Although we reacted after looking into various apache2 and access log files and noticing crawlers probing like crazy, our efforts seemed basic and unsatisfying.
Yesterday evening it was time for a change.
Cleaning up of permissions
Over the years there had been quite a few problems with groups and owners being set out of sheer frustration, just so that some server or tool would finally work as anticipated. For future reference, after cleaning up for over 4 hours: one does not simply set everything to chown root.
We had to face facts. Installing servers and daemons that do stuff is loads of fun. The configuration of the latter should not be taken lightly, though. We decided to strip everything down to a bare minimum, and uninstalled and purged the lot.
sudo apt-get remove --purge prosody
This not only deletes the entire package but also removes all the configuration files, logs and other folders and files associated with the package.
Let's Encrypt certificates
The EFF wrote a cool tool that took care of the entire installation.
sudo apt-get install certbot python-certbot-apache -t jessie-backports
After the installation a quick
installed everything. The Certbot GitHub repo has some additional information, and in case a different OS or distro is used than Debian, as in our case, the EFF Certbot page is also very helpful. We followed the very detailed and simple-to-follow instructions on the page and are now happily certified website suppliers.
We had been dreading the last task furiously, because we had not understood the implementation and structure of WordPress well enough to serve our holiday pictures and experiences without the fear of being hacked viciously. Sadly, updates and plugin installations had never really worked via the frontend. We thought it was due to our inability to supply valid group and owner permissions within the folder structure of WordPress. It turns out that a one-liner in the config solved our problems instantly.
This line solved all problems with plugins and updates requiring some form of FTP access. Now, magically, everything works perfectly via the web frontend supplied by the WordPress package.
As we had uninstalled almost everything from our server for security reasons, the plan is to reinstall our XMPP server and make sure that no more cleartext transmissions are made. The Let's Encrypt certificate was our first step in that direction.
Also, our access logs have been showing constant probing of the SSH port. Our idea is to use keys in order to log onto our servers, reducing the risk of infiltration over that port. We had already disabled logging on as the root user and set a timeout in the sshd_config. On an important note, it is essential that one uses the sshd_config and not the ssh_config. The latter only handles the client-side configuration.
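The SSH settings described above (root login disabled, key-based logins) can be checked mechanically. The following is an added example, not part of the original post: a small Python audit of sshd_config text, in which the POLICY values, the function names and the sample config are assumptions made for illustration. The timeout is left out because the post does not name the directive.

```python
# Added example: audits sshd_config text for the hardening steps in the post.
# POLICY is an assumed target; SAMPLE is constructed, not a real server file.
POLICY = {
    "permitrootlogin": "no",          # root login disabled
    "passwordauthentication": "no",   # keys only
    "pubkeyauthentication": "yes",
}

SAMPLE = """\
PermitRootLogin no
#PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin yes
Match User backup
    PasswordAuthentication yes
"""

def parse(text):
    """Return (global_settings, match_overrides) from sshd_config text."""
    global_settings, overrides, match = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        parts = line.split(None, 1) + [""]
        keyword, value = parts[0].lower(), parts[1].strip()  # keywords ignore case
        if keyword == "match":
            match = value                 # later lines apply only to this block
        elif match is not None:
            overrides.append((match, keyword, value))
        else:
            global_settings.setdefault(keyword, value)  # sshd keeps the first value
    return global_settings, overrides

def audit(text):
    """Return a list of findings; an empty list means the policy is met."""
    settings, overrides = parse(text)
    findings = []
    for keyword, wanted in POLICY.items():
        actual = settings.get(keyword)
        if actual is None:
            findings.append(f"{keyword}: not set explicitly, version default applies")
        elif actual.lower() != wanted:
            findings.append(f"{keyword}: is '{actual}', wanted '{wanted}'")
    for match, keyword, value in overrides:
        if keyword in POLICY and value.lower() != POLICY[keyword]:
            findings.append(f"Match {match}: {keyword} '{value}' weakens policy")
    return findings

print("\n".join(audit(SAMPLE)))
```

On the server itself, `sudo sshd -T` prints the effective configuration as sshd parsed it, which is the authoritative cross-check for a text audit like this one.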
Thank you for reading.