Protecting a web server?

Hello everyone,

I'm posting to ask about protecting my Linux web server used to host websites. I have now been asked to take over handling this server, which mainly hosts WordPress sites. My problem is it looks like the plugins etc. have never been updated and now I'm left to pick up the pieces of this server that's falling apart.

I don't know much about operating a server but this is where I ask for your help.

I have read some articles online and done some scanning on the server (which is really slow because of the high CPU usage).

So here's what I can see: I ran top and it seems there are many processes that keep running and using max CPU: /usr/bin/php-cgi -c /var/ww/vhosts/system/domain/etc/php.ini

If someone can point me in the right direction of some useful articles or tips on how to start securing my server that would be great.

There is no "safe" backup of the server and I don't have the option to just re-format and start again.

Thanks in advance,
Kiakeuu

These are either separate instances of PHP for different sites (users), or forks of PHP for one site.

How many actual websites (domains, subdomains) are hosted on the machine? What distribution is the server running?
Do you have access to the WordPress instances? If so, what management system is used? ISPConfig? Webmin? Something like that?

Does the server use apache2 or nginx?

Hi, thanks for the response. The server doesn't have too many sites, ~500. I have access to all of the WordPress instances. It's running CentOS 6.6, and the server is using apache2.

Management system: Plesk.

Sorry in advance for having little understanding of this subject. But I appreciate any and all help.

Well, things to do: update all the packages; check what ports are actually open; remove everything that must not be accessed by users from direct access through the internet (e.g. I have my phpMyAdmin and ISPConfig mapped to 8080 and the port is only available locally, I access it through an SSH tunnel); move SSH from password to pub/priv-key auth; have all the WordPress sites up to date; there are plugins for WordPress that check that, and I guess there is also something that does that server-side (maybe?).

For the amok PHP processes... usually if you restart apache2 (service apache2 restart) they will die and respawn when needed (be careful, as restarting the apache2 service will terminate all HTTP/HTTPS connections). After that the resource-hogging processes should usually be gone.
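An added example, not code from the thread: before the blanket Apache restart, find out which site the runaway php-cgi processes belong to. Since Plesk runs each subscription's php-cgi as its own system user, summing CPU per user from `ps` output points straight at the vhost to inspect. The user names, paths and CPU figures in the sample are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: sum php-cgi CPU per system user so the
# hogging vhost can be found before (or instead of) just restarting apache.
# Live use:  ps -eo user,pcpu,args --no-headers | php_cgi_cpu_by_user

# Reads `user %cpu command...` lines on stdin and prints `user total_cpu count`
# for every user that runs php-cgi, busiest user first.
php_cgi_cpu_by_user() {
    awk '
        $3 ~ /php-cgi$/ { cpu[$1] += $2; n[$1]++ }
        END { for (u in cpu) printf "%s %.1f %d\n", u, cpu[u], n[u] }
    ' | sort -k2,2 -rn
}

# Constructed sample of `ps -eo user,pcpu,args --no-headers` on a Plesk box:
# each subscription runs php-cgi under its own user (site_a, site_b, site_c).
SAMPLE_PS='apache   0.3 /usr/sbin/httpd -k start
site_a  98.7 /usr/bin/php-cgi -c /var/www/vhosts/system/a.example/etc/php.ini
site_a  99.1 /usr/bin/php-cgi -c /var/www/vhosts/system/a.example/etc/php.ini
site_b   1.2 /usr/bin/php-cgi -c /var/www/vhosts/system/b.example/etc/php.ini
site_c   0.0 /usr/bin/php-cgi -c /var/www/vhosts/system/c.example/etc/php.ini
root     0.1 /usr/sbin/sshd'

# The user at the top of the list owns the site to look at first: its
# wp-content/plugins, uploads and cron jobs, not just the processes.
top_php_cgi_user() {
    printf '%s\n' "$SAMPLE_PS" | php_cgi_cpu_by_user | head -n 1 | cut -d' ' -f1
}

top_php_cgi_user
```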

Thanks for the advice, I'll start making these changes/updates now, and I'll get back to let you know if there are any improvements.

Thanks,
kiakeu

For swapping from password to pub/priv key on SSH:

Connect a few sessions with password, then add the public key you want to use, modify the config, then start another SSH session using the pub/priv key.. test that it really, really works, and if there are no other users that "need" password authentication over SSH (SFTP is SSH as well), then deactivate password login over SSH completely.

But check, check and double-check... if you mess SSH up you're locked out! (There are many tutorials on how to do all that, just google "ssh public private key".)
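The procedure above, as an added example that is not from the post: the script refuses to turn off password logins until a public key is actually installed, replaces every copy of each directive so a stray "PasswordAuthentication yes" lower in the file cannot win, and keeps the syntax check separate so it can be run as root on the real /etc/ssh/sshd_config before the restart. File paths are passed as arguments and are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: switch sshd to key-only logins with the
# "check, check and double-check" guard built in. Assumes OpenSSH-style files;
# pass the real paths (/etc/ssh/sshd_config, ~/.ssh/authorized_keys) only
# after a key login has already worked in a second, still-open session.

# Replace every copy of a directive (including commented-out ones) with one
# active line at the end, so no later duplicate can override it.
set_sshd_directive() {  # file key value
    tmp=$(mktemp) || return 1
    awk -v k="$2" -v v="$3" '
        tolower($1) == tolower(k) || tolower($1) == ("#" tolower(k)) { next }
        { print }
        END { print k " " v }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Refuses (exit 1, config untouched) unless a public key is already installed:
# disabling passwords without one is exactly the lock-out the post warns about.
harden_sshd_config() {  # sshd_config authorized_keys
    if ! grep -Eq '^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp[0-9]+) ' "$2" 2>/dev/null; then
        echo "refusing: no public key in $2; add one and test a key login first" >&2
        return 1
    fi
    set_sshd_directive "$1" PubkeyAuthentication yes &&
    set_sshd_directive "$1" PasswordAuthentication no &&
    set_sshd_directive "$1" ChallengeResponseAuthentication no
}

# Run as root on the real file before `service sshd restart`: sshd -t parses
# the config and fails loudly on a typo instead of leaving sshd down.
check_sshd_config() { sshd -t -f "$1"; }
```

Keep the original password session open until a fresh key-only login has succeeded after the restart; only then close it.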

This... very much so.
Was doing a cyber defence competition and forgot this point, and we were screwed.

I got you OP


Thanks again for the help, I have implemented all the suggestions you have provided, so I should be OK now? There is an auto-update feature in Plesk for the WordPress sites. I also noticed they're all running on PHP 5.4.44, which doesn't have OPcache; is it worth me upgrading to 5.6 or even 7?

Is it worth getting an "anti-virus" of any sort? Or are these just a waste of time if you can properly configure your server?

I also wanted to know: is it safe to just yum update? I don't have a "test environment" and a "live environment", so I have no way of checking if anything will break.

Thanks again,
Kiakeu

Locking down SSH with pub/priv key and preferably disabling password auth completely is a great step to mitigate all brute force against SSH. - good point

Having WordPress up to date is essential - though one will never be safe with it. It's widespread, it has quite elaborate rights... and thus is a very great target for crackers.

Well, upgrading PHP usually is a good idea. I just recently moved to the 5.6 line as ownCloud complained about 5.4... which in the aftermath shot my Roundcube webmailer down, but it was a quick fix in the Roundcube config.

I have ClamAV on my server, but that is 99% only because it's a mail server as well and I do content checking on the mail attachments.
AV will always be behind what's out there with malware.
Usually the system should be resilient against most automatic attacks, and the last Linux ransomware that was targeted at Linux servers was deployed manually by the attackers when AV did not yet have a clue it was out there -> ergo.. fucked;

It is safer than not doing it and running age-old versions of the packages... old kernel, old apache2, old libssl, old PHP... everything... yes, of course it can fuck up, but so far I have run into no issues with my Debian server 99% of the time.

Depending on how much data you have on your system... there is a crude but well-working way of "backing" it up.

tar -zcvpf /backups/fullbackup.tar.gz --directory=/ --exclude=proc --exclude=sys --exclude=dev/pts --exclude=backups --exclude=var/backup --exclude=var/backups .

This command generates a tar.gz of the whole server... through and through, except the excluded directories which a) cannot and b) should not be copied ^^

This way, if an update fucks up anything, anywhere on the system... rolling back from the .tar.gz will revert every single change.

For restoring, the .tar.gz is moved into / and then unpacked with: tar -zxvpf /fullbackup.tar.gz

But be aware, the tar.gz will most likely be as big as all the data you have on the server...
even when compression is turned on. (For my 25GB of data on my server it works great.)
With that .tar.gz one can even create a clone of the server inside a virtual machine, which I just recently tried.. so I now have a testing environment XD ... but that is worth a whole new post or even thread XD


A few thoughts: do the single sites hosted run on a separate user/group each? - user separation is essential; does apache2 drop back to a non-root user after startup?
It's a huge topic sadly.. and I am by far not the pro.


Use nmap / zenmap to scan your server and see what ports are really open.. scan all 64000 ports.. then use iptables (I like the ufw frontend) and close all ports that you do not really need!
A pure web server only needs 80, 443 and 22 (or any other port sshd is listening on) open.

Thanks for all the well-explained information,

All the sites are created through subscriptions on Plesk, which shows the sites as running under different users when I use the htop command. I'll check apache2 as soon as I finish what I'm currently doing on the server and then I'll proceed with checking the ports again. So as for my ports, I should only have 80, 443, 22; we also use 8443 for Plesk. Also for IMAP I'm guessing I'll need to keep 143 and 993 enabled.

We're also using Roundcube for webmail, so hopefully I can resolve that issue if it occurs ^^.

It seems it'll be safe for me to upgrade to PHP 7 as all the sites are WP 4.4+.
We also have Magento, but under version 2, which it seems only supports up to 5.6, which shouldn't be a problem.

Thanks again,
Kiakeu

Dunno how much they charge
http://easttechsecuritysd.com/

OK, that's the way it's most safe. Also that tells me that apache2 is dropping its rights, as each instance is running under the user (created through Plesk).

Of course, you need the associated ports for the services you offer; so if it's a mail server too you also need those ports ^^ I assume you also accept mails from other servers, so you'll need port 25 and usually port 587 for your users to submit mail to the server.

My server does mail and HTTP(S), so I have 25, 80, 143, 443, 587 open for normal operations, and SSH on some security-through-obscurity port ^^

OK, my problem was that with PHP 5.6 they introduced certificate checks.. as my mail server back when I swapped (before Let's Encrypt) used self-signed certs to provide IMAP and SMTP with STARTTLS, it would not work unless configured to accept "untrusted" certs.
Which is totally no problem as I configured Roundcube to connect to localhost aka 127.0.0.1, so it's local only.

Give it a try, best at 1am, and if it's not working roll back before 6am ^^ sysadmin life.. it starts at midnight and ends at noon XD
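An added example, not from the thread, that turns the port list worked out above (web, SSH, Plesk, SMTP, IMAP) into a check: it reads `ss -tuln` output and prints every listener reachable from outside that is not on the allowlist, while leaving loopback-only services (the phpMyAdmin-on-8080-via-SSH-tunnel pattern mentioned earlier) alone. The sample socket table is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: compare what actually listens on the box
# with the allowlist from the thread and report outside-reachable extras.
# Live use on the server:  ss -tuln | unexpected_listeners "$ALLOWED_PORTS"

# 80/443 web, 22 SSH, 8443 Plesk, 25/587 SMTP, 143/993 IMAP
ALLOWED_PORTS='22 25 80 143 443 587 993 8443'

# Reads `ss -tuln` output on stdin and prints `proto local_address:port` for
# each non-loopback listener whose port is not in the allowlist. Services bound
# to 127.0.0.1 / ::1 are ignored: they are only reachable through an SSH tunnel.
unexpected_listeners() {  # allowed ports, space separated
    awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 != "tcp" && $1 != "udp" { next }        # header line
        $1 == "tcp" && $2 != "LISTEN" { next }     # tcp: listeners only (udp shows UNCONN)
        {
            m = split($5, f, ":"); port = f[m]
            addr = substr($5, 1, length($5) - length(port) - 1)
            if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") next
            if (!(port in ok)) print $1, $5
        }
    '
}

# Constructed `ss -tuln` sample: MySQL (3306) and rpcbind (111/udp) are exposed
# to the world, phpMyAdmin on 8080 is bound to loopback only.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    *:22               *:*
tcp   LISTEN 0      128    *:80               *:*
tcp   LISTEN 0      128    *:443              *:*
tcp   LISTEN 0      128    *:8443             *:*
tcp   LISTEN 0      50     *:3306             *:*
tcp   LISTEN 0      128    127.0.0.1:8080     *:*
tcp   LISTEN 0      128    :::22              :::*
udp   UNCONN 0      0      *:111              *:*'

printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "$ALLOWED_PORTS"
```

Each line it prints is a service to either bind to 127.0.0.1, stop, or block in iptables (CentOS 6 ships iptables rather than ufw); confirm the result from outside with the nmap scan suggested earlier.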

That's too bleeding edge for me *cringe* XD

Aha, anyway thanks again for your help so far. I'll get on implementing the other suggestions and let you know if I get any problems.

Kind Regards,


If you have access to the networking equipment for this server, if you haven't already, I suggest you put the server on its own VLAN or network segment, separate from the main network. This way, if everything else in your security scheme fails, attackers won't have access to other systems on the network.
