EE Security Checklist

[rahul286]

v4 update

@mbtamuli please review the following list again as some of it may no longer be relevant to v4.

---

Lets use this issue to add all ideas to secure a server running EE.

• [ ] block unwanted port. EE needs I guess only 22. 80, 443, 3306 and 22222. Rest all can be blocked.
• [x] Some guide suggsts running SSH on other port. I am against this because port scanning doesn't take much time. Please correct me if I am wrong here.
• [ ] inotify watches for ~/.ssh/authorized_keys and other files
• [ ] fail2ban to prevent bruteforce (what about DDoS attach where IP-based filtering fails)?
• [ ] 2-factor authentication for shell users (could be made optional)

[MiteshShah]

• [ ] Disable nginx, php, mysql, hhvm, pagespeed, ssh version, So attacker need some extra work to find right exploit
• [ ] Test nginx-naxsi as this help ee users to prevent Xss & Sql Injection.

[rahul286]

Nice. I guess we should hide EE version too then

• [ ] Hide EE version

[irazasyed]

• [ ] Disable Root Login ? For normal usage it's not really needed. Account creator helper with restricted access would be helpful too (To create accounts, So we can use for day to day standard tasks with no root privileges as well as maybe even give access to a sys admin for a particular site instead of full server access).
• [ ] SSH Port Changing - I don't know about scanning but i always do this and it has been very good as it killed the whole automated attacks/attempts of logins. At least most of the standard automated bot attacks would be killed (Maybe they lack scanning or something, Never had problems after change).
• [ ] Limit Remote Access to MySQL Server - I'm able to easily access the MySQL server remotely from any IP (Although this is good for me, Since i use Sequel Pro but in terms of security it would be better to limit it). Maybe it would be a good idea to whitelist specific IP range and or single IP (Wildcard Supported would be good for Dynamic IPs).
• [ ] Helper to change the default 22222 port to something else of our choice. So if they find out we have EE installed, don't try accessing PMA and or other areas.

Whatever is possible, would be good to see them in next versions!

[MiteshShah]

@irazasyed

SSH Port Changing - I don't know about scanning but i always do this and it has been very good as it killed the whole automated attacks/attempts of logins. At least most of the standard automated bot attacks would be killed (Maybe they lack scanning or something, Never had problems after change).

Most of bot come with option to specify different port other then default, so changing port doesn't help.

Instead of changing port make passwordless ssh login so only authorized people can access the server (Who's key already on server). also we can block port 22 and only be accessible from specified ip address that helps us a lot.

Helper to change the default 22222 port to something else of our choice. So if they find out we have EE installed, don't try accessing PMA and or other areas.

Refer: http://docs.rtcamp.com/easyengine/commands/secure/

[irazasyed]

@MiteshShah

Most of bot come with option to specify different port other then default, so changing port doesn't help. Instead of changing port make passwordless ssh login so only authorized people can access the server (Who's key already on server). also we can block port 22 and only be accessible from specified ip address that helps us a lot.

I see. Isn't that already being done with EE? I thought it disables password login and works using just with the SSH keys that are already authorised. As for the access from specified IP address is concerned, that better be a range or wildcard supported, because for people with Dynamic IP it'll be a problem then.

Refer: http://docs.rtcamp.com/easyengine/commands/secure/

Thanks for the link.

[anantshri]

SSH via public key only, keep it at port 22 but fail2ban in place. port 80 and 443 should have some connect limit per IP to avoid DoS. hide all versions and if possible relocation folders. i.e. /var/www not to be used as webroot.

WP Specific

wp-content not as content container, wp-content/plugin not as plugin's location.

[rahul286]

/var/www not to be used as webroot

I do not think security in obscurity is good idea! Once an attackers gets into server, he can easily figure out webroot location anyway.

[anantshri]

security by obscurity on its own is a very bad idea but added in the mix where we have good standard practices in place makes it a layer and hence enhance the overall posture. However it really depends on if you want it or not.

[w33zy]

Please let's not bother with changing of the webroot and WP directories, lets leave that to WP securities plugin. EE should focus on configure the server environment, not the application.

This is how feature-creep starts.

[anantshri]

fair point by @w33zy i agree lets leave this to wp sec plugin's