Pure-FTPd: install valid SSL certificate / solve untrusted localhost certificate problem on CentOS 7

If you installed Pure-FTPD on your CentOS 7 machine and trying to install SSL certificate on it, chances are that you added your pem file to “/etc/ssl/private/”. I installed valid certificate in this directory and still getting untrusted warning for localhost certificate. Later, I found out that this path is wrong and self signed certificate was being used. Right path on CentOS 7 is “/etc/pki/pure-ftpd/”.

Here is how to do it right on Centos.

  • Create pem certificate that contains your key, crt and intermediate all in one file – pure-ftpd.pem
  • Move this certificate to /etc/pki/pure-ftpd/ as this is the right directory on CentOS.
  • In your pure-ftpd.conf, set TLS to 2.
  • Enable PassivePortRange from 30000 – 65000.
  • Restart pure-ftpd.

It should work.

SFTP: Command failed

If you try to connect via SFTP with some FTP/SFTP client and you are getting error “Command failed”, you’re sftp-server path in sshd_conf is wrong.

Open your sshd_config file and edit sftp-server path accordingly to your OS.

Ubuntu:

Subsystem sftp  /usr/lib/openssh/sftp-server

CentOS:

Subsystem sftp /usr/libexec/openssh/sftp-server

Restart your ssh and it should work.

YUM: Error: Network error: Connection reset by peer

If you get this error message when trying to install packages via yum package manager, than just execute command bellow and it should fix your problem.

yum clean expire-cache

Magento – lock administration to specific country

Brute force attacks on Magenta administration are also very common issue, like with WordPress, well maybe a little less :). If you can’t lock your administrations on specific fixed IP addresses, than you can probably lock administration so that is accessible only from your country. Russia and China for example, are countries from which those kind of attacks are very common. So it is good idea to block them.

For this example, I’m doing this on Apache 2.4 with GeoIP module installed. Before you proceed, you should have installed geoip.

To have Magento administration accessible only from Germany (for example), add code bellow to your apache vhost configuration. This geoip was installed on CentOS 7, you should change path to GeoIP.dat accordingly to your installation. You should also change country code to the one that you want access from.

GeoIPEnable On
GeoIPDBFile /usr/share/GeoIP/GeoIP.dat
RewriteEngine on
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} !^DE$
RewriteCond %{REQUEST_URI} ^/(index.php/)?admin/? [NC]
RewriteRule .* - [R=403,L]

WordPress bruteforce protection with NGINX and limit_req / request limitation

WordPress installations are very common targets of brute force attacks. With this attacks, attacker tries countless username and password variations in order to guess login informations. As you can imagine that such abusive behavior on your WordPress can cause collapse of server. Very common are attacks on wp-login.php and xmlrpc.php. There is a simple way to limit allowed number of requests on specific file with limit_req. This module can limit processing rate of requests coming from a single IP address on your web server.

In order to protect your WordPress administration you can do something like this:

# prevent brute force attacks on wp-login.php
 location = /wp-login.php {
        limit_req zone=one burst=5 nodelay;
        include fastcgi_params;
        fastcgi_pass 127.0.0.1:9000;
 }

This will allow 5 request in 5 second “window”. When there’ll be more than 5 request in 5 seconds, Nginx will return 503 error until request rate slows down:

$ curl -I https://www.yourwebsite.com/wp-login.php 
HTTP/1.1 503 Service Temporarily Unavailable
Server: nginx

Of course, you can use limit_req to protect other systems besides WordPress to.

Ultimate NGINX configuration for WordPress

Most of the sites that I created are based on WordPress. WordPress is great platform for your sites if you take a little care for it. different kind of abusive behavior on Wordpress systems is very common. Weak points are in most cases plugins, themes and outdated code in general. Many times people think, that security of their websites is all about hosting provider, firewalls… It’s true to some point. But one of the most fundamental steps to better WordPress security is up to the end-user. Take care of your site, update it regularly, use only good plugins and themes… It’s so important that you take care for regular updates and fixes. Also, try to use as least plugins as possible. If you are using only one theme, delete the ones that you don’t use. If you’ll  use theme downloaded from internet, only use themes from good providers.

NGINX in combination with good configuration and cache system can make your website lightning fast and super responsive. Memcached, Redis, Opcache are also great for optimizing your site. You definitely want to check into them too. W3 Total Cache plugin is great and easy to configure. More about this another time.

Continue Reading

© 2018 geegkytuts.net
Hosted by Hosterdam


About author