Secure Your Server From Any Hacker

by WillR
22 replies
I read a blog post today by Jonathan Leger that discussed the topic of server hacking. It seems his servers were compromised by hackers and it caused a lot of problems for him and all his sites.

He then discussed the best ways to prevent any future attacks from happening - one of which was to have the host "block all shell (SSH) and FTP access from all IP addresses except my own. So unless the hacker manages to break into the data center where my servers are, or breaks into my house and sits at my desk, even if he has the passwords it won't do him any good."

I have my own dedicated server and think this is a great idea. Prevention is far better than a cure when it comes to hacking. However I want to know how you would implement this on a server?

I was told by someone to just add the following example code to my .htaccess file:

*Code removed (this is the incorrect way to protect a server)

Is that the best way to implement this? And will that prevent the SSH and FTP access also?

Any help would be greatly appreciated. I think this is something we could all benefit from.
#hacker #secure #server
  • CDarklock
    Originally Posted by WillR

    I was told by someone to just add the following example code to my .htaccess file:
    Whoever told you that is an idiot. The .htaccess file ONLY affects web browsing. Adding that code to your .htaccess would effectively turn off your WEB SITE to everyone except your home and work IP addresses.
    Signature
    "The Golden Town is the Golden Town no longer. They have sold their pillars for brass and their temples for money, they have made coins out of their golden doors. It is become a dark town full of trouble, there is no ease in its streets, beauty has left it and the old songs are gone." - Lord Dunsany, The Messengers
    • WillR
      I had a feeling that was the case. I'm not too familiar with all that stuff; however, I know that .htaccess is more to do with controlling who can look at and use your content and sites.

      Well, glad I didn't decide to use that code. So, any ideas how to implement this?
    • Steve Wells
      Originally Posted by CDarklock

      Whoever told you that is an idiot. The .htaccess file ONLY affects web browsing. Adding that code to your .htaccess would effectively turn off your WEB SITE to everyone except your home and work IP addresses.
      So, what is the best way? Just curious, I know you are knowledgeable....
    • theimdude
      Originally Posted by CDarklock

      Whoever told you that is an idiot. The .htaccess file ONLY affects web browsing. Adding that code to your .htaccess would effectively turn off your WEB SITE to everyone except your home and work IP addresses.
      OK I understand now why Australia scored so many goals against Germany.

      All jokes aside. The only way to safeguard against server hacking is to do daily backups, add your server to your own router at home and unplug the telephone cable from the router.
      • WillR
        Originally Posted by theimdude

        OK I understand now why Australia scored so many goals against Germany.
        No no. That's just because we suck at soccer. We can't win EVERYTHING.
        • theimdude
          Originally Posted by WillR

          No no. That's just because we suck at soccer. We can't win EVERYTHING.
          My brother-in-law moved to AU 2 years ago and from his report on your country I give you guys an 11 out of 10.
  • CDarklock
    Call your hosting provider.

    Seriously. Don't even try to do this yourself. It's very easy to hose it up and make your server completely unreachable by anyone... and then, surprise! You can't fix it.
  • WillR
    Ok, I hope I have the right information this time. Just spoke to the guys at my server company and they said you need to ask your hosting company to:

    "Setup ip tables to block ssh and ftp access except for my ip address"

    This should effectively block all ssh and ftp access except from the ip addresses you decide to nominate.

    Only a couple of minutes worth of work but well worth it in the long run.
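
The request quoted above ("block ssh and ftp access except for my ip address"), written out as iptables rules in an added example that is not part of the original post. The address 203.0.113.10 and the function names are constructed for illustration, and the script only prints the rules rather than applying them.

```shell
#!/bin/sh
# Added example, not from the thread: print (do not apply) an
# iptables-restore rule set that admits SSH and FTP only from one address.

# Succeed only for a dotted-quad IPv4 address with octets 0-255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        if [ "${#octet}" -gt 3 ] || [ "$octet" -gt 255 ]; then return 1; fi
    done
}

# $1 = admin address, $2 = SSH port (default 22).
# iptables acts on the first matching rule, so the ACCEPT for the admin
# address must come before the DROP for the same ports. The rules touch
# only port 21 and the SSH port, so web traffic is unaffected (unlike
# the .htaccess idea). Only FTP's control port is covered; data
# connections need the conntrack FTP helper or a passive port range,
# which is not shown here.
gen_rules() {
    admin_ip=$1
    ssh_port=${2:-22}
    valid_ipv4 "$admin_ip" || { echo "bad admin IP: $admin_ip" >&2; return 1; }
    case "$ssh_port" in
        ''|*[!0-9]*) echo "bad port: $ssh_port" >&2; return 1 ;;
    esac
    cat <<EOF
*filter
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $admin_ip -m multiport --dports 21,$ssh_port -j ACCEPT
-A INPUT -p tcp -m multiport --dports 21,$ssh_port -j DROP
COMMIT
EOF
}

# 203.0.113.10 is a constructed documentation address (RFC 5737).
gen_rules 203.0.113.10
```

The output can be checked with `iptables-restore --test` before loading, and `--noflush` keeps existing rules in place. Loading it through `iptables-apply`, which rolls back unless the change is confirmed, guards against locking yourself out.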
  • oldschoolwarrior
    This is really easy. Get your server provider to install CSF. I can't post links yet, so just Google CSF and they are the first result.

    This is the tool I use to prevent hackers from entering my servers on a daily basis.
    Not only will it block the hacking attempts but will notify you of the failed login attempts and the IP address they came from.
  • Andy Fletcher
    OK, I feel the need to be the voice of reason in this thread.

    Just as we tell everyone to "consult a real lawyer" or "consult a real accountant" the same goes for server security. Consult a professional.

    The first approach suggested in this thread (using .htaccess) will turn your website off to anyone except your IP address.

    The second approach will only work if you have a fixed IP address (and believe me when I say that most "fixed" IPs really aren't fixed at all.) If you wake up one morning to find your ISP has had a power outage then you're probably on a new IP and suddenly can't access your server.

    For the love of dog please don't ad hoc apply any of these "security" measures from a marketing forum.

    Andy
  • ~kev~
    Instead of limiting SSH to certain IP addresses - just change the port number. You could change the SSH port number to make it look like an online game server.

    When your home address changes, then you're not going to be able to access the server. With some DSL providers, your IP address changes every 24 hours or so. I have seen one provider that disconnects your service every 4 hours, just to make sure people do not have an idle connection. With that provider, there is a chance you could get a new IP address every 4 hours. Do you really feel like changing the SSH allowed IP addresses every 24 hours?

    Blocking access to SSH is only really needed if you do not have Brute Force protection installed, which locks the account after X number of failed logins. To me, brute force protection is more important than denying access to SSH.

    There is a lot more to securing a server than just FTP or SSH. What about the exploits to the web server (Apache), exploits to the database server, exploits to the content management system you're using, exploits to the add-ons you're using, Zero Day Exploits? If you do not know what a Zero Day Exploit is, go look it up.

    What about having a key logger installed on your home computer? So that when you log into your server, your username and password are recorded, and then sent to the hacker.

    There is a lot more to securing a web server than just denying access to the SSH port.

    To say that blocking SSH access will secure your server is like burying your head in the sand. Because you're ignoring much more important issues.
    • CDarklock
      Originally Posted by ~kev~

      When your home address changes, then you're not going to be able to access the server.
      That's why the MAC module is installed by default on stock iptables.

      Port knocking is the "right" solution to this, but there's minimal support for that on most consumer O/S applications. MAC filtering is a good stopgap.
    • WillR
      I haven't heard great things about Brute Force. I've heard of a number of people being locked out of their own servers even when their static IPs were white-listed. Yet another thing to be wary about.
      • ~kev~
        Originally Posted by WillR

        I haven't heard great things about Brute Force. I've heard of a number of people being locked out of their own servers even when their static IPs were white-listed. Yet another thing to be wary about.
        I got blocked from SFTP (secure FTP) from my server because I forgot my password and kept trying. After about 5 attempts the server locked down. I had to contact the hosting provider, and got them to add my home address to the white list. I have a static IP address so I don't have to worry about it changing.
  • rts2271
    SSH does not need to be disabled. Simply make sure it is using protocol 2 and move the port to something like 21000.

    FTP needs to not be setup for anonymous uploads. Use strong unique passwords on it.

    The biggest issues involve writeable folders or 777's
    Make sure you only have a folder set as 777 if it has to have writeable capabilities. Make sure this folder has a blank index file in it to discourage directory browsing.

    Make sure your dedicated server provider has noexec set for the /tmp folders

    If you have a VPS or manage one run this on the hypervisor
    mount --bind /vz/tmpVEs/$VEID $VE_ROOT/tmp
    mount --bind /vz/tmpVEs/$VEID $VE_ROOT/var/tmp

    If you have WordPress installed, make sure it is up to date weekly. WordPress is where 98% of hosting attacks seem to come in these days.

    Hope this helps. We do security audits for clients for this stuff all the time.
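
Three of the points in the post above (777 folders without an index file, noexec on the temp mounts, SSH protocol 2) turned into checks, as an added example that is not part of the original post. It generalizes "777" to any world-writable directory, and every path and file it inspects is a constructed sample built in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the thread. World-writable (mode o+w) is a
# generalization of the post's "777".

# Print directories under $1 that are world-writable and hold no index file.
writable_without_index() {
    find "$1" -type d -perm -0002 | sort | while IFS= read -r dir; do
        found=no
        for f in "$dir"/index.*; do
            if [ -e "$f" ]; then found=yes; fi
        done
        [ "$found" = yes ] || printf '%s\n' "$dir"
    done
}

# Succeed if mount point $2 has the noexec option in mounts file $1
# (columns as in /proc/mounts: device, mount point, type, options).
# The last matching entry wins, since later mounts shadow earlier ones.
mounted_noexec() {
    awk -v mp="$2" '
        $2 == mp { ok = 0; n = split($4, opt, ",")
                   for (i = 1; i <= n; i++) if (opt[i] == "noexec") ok = 1 }
        END { exit !ok }' "$1"
}

# Succeed unless sshd config $1 enables protocol 1. A missing Protocol
# line passes, assuming a current OpenSSH that only speaks protocol 2.
ssh_protocol_ok() {
    ! grep -Eiq '^[[:space:]]*Protocol[[:space:]]+[0-9,]*1' "$1"
}

# Build a constructed sample (web root, mounts table, sshd_config) and
# print its path. All names here are hypothetical.
make_sample() {
    t=$(mktemp -d)
    mkdir -p "$t/www/uploads" "$t/www/cache"
    chmod 755 "$t/www"
    chmod 777 "$t/www/uploads" "$t/www/cache"
    : > "$t/www/cache/index.html"   # blank index file, as the post advises
    printf '%s\n' 'tmpfs /tmp tmpfs rw,nosuid,noexec 0 0' \
                  '/dev/sda1 /var/tmp ext4 rw,relatime 0 0' > "$t/mounts"
    printf 'Port 21000\nProtocol 2\n' > "$t/sshd_config"
    printf '%s\n' "$t"
}

sample=$(make_sample)
writable_without_index "$sample/www"
mounted_noexec "$sample/mounts" /var/tmp || echo "/var/tmp lacks noexec"
ssh_protocol_ok "$sample/sshd_config" && echo "sshd: protocol 1 not enabled"
rm -rf "$sample"
```

On a real host the same functions would be pointed at the web root, `/proc/mounts` and `/etc/ssh/sshd_config`.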
  • Sleaklight
    I block all IPs except mine from all ports except 80. The way I do this is using a firewall. Not software that goes on your server but a half-U sized firewall. It does the job nicely. A couple of years ago, before I was aware that I could be the next hacked server, someone hacked my server to try to hack into NASA. It was more like port scanning, so I was told by the feds. It wasn't a nice feeling to have my server confiscated by the government.
    • WillR
      Originally Posted by Sleaklight

      I block all IPs except mine from all ports except 80. The way I do this is using a firewall. Not software that goes on your server but a half-U sized firewall. It does the job nicely. A couple of years ago, before I was aware that I could be the next hacked server, someone hacked my server to try to hack into NASA. It was more like port scanning, so I was told by the feds. It wasn't a nice feeling to have my server confiscated by the government.
      How did you set this up, if you don't mind me asking?
  • JayXtreme
    There is no such thing as a secure server

    Seriously.
    Signature

    Bare Murkage.........

  • BBBB
    ixwebhost admins recommended that I put an IP limit on FTP access... so only people from a selected IP range can even access the FTP, no matter whether they know my real password or not. That's kinda cool, but doesn't protect you from most attacks.
  • seasoned
    OK, FIRST of all, FORGET about SSH! Most hackers will not even TRY to touch it! You CAN, if you want, create a private cert for YOUR systems, and disable its ability to use any others. That would be like disabling ******ALL****** IPs from "telnet" access. But YOU would need the CERT to access.

    Once you have ssh enabled, AND WORKING, you can disable TELNET! Likewise, you can enable SFTP and disable FTP!

    Will that get rid of break-in attempts or successes? NOPE! HEY, bigger fish than YOU have been fried. UNIX has a couple of gaping holes (HEY, M/S has a LOT more!), and HTTP/S has holes, etc....

    As for your IP idea? DON'T BOTHER! IP addresses are generally NOT owned, they are leased. AND, if you don't have a FIXED IP address on YOUR side, that lease may be up in MINUTES! BTW Limiting your system to port 80 access works ONLY if you have a non limited VPN or direct access, and even THEN ONLY if you accept only NORMAL non secure HTTP traffic.

    Steve
  • seasoned
    BTW FTP anonymous can be used for a lot of things. TELNET to a user that isn't properly limited can ALSO! That is one reason why many hosts use special shells that limit to directories under the home directory.

    The way MOST people, that don't guess passwords, get in is to use an advertised exploit. That is one reason to update ALL software constantly.

    Steve