Skip to main content

Posts

How to Harden Vesta Nginx with Let's Encrypt SSL Certificate ?

Nginx 1.17.10 working as a reverse proxy for Vesta Admin Control Panel where it is installed as nginx-vesta. You can check the vesta-nginx version:
# /usr/local/vesta/nginx/sbin/vesta-nginx -v nginx version: nginx/1.12.2 Vesta Nginx Location
# cd /usr/local/vesta/nginx Take Backup vesta-nginx configuration file
# cd /usr/local/vesta/nginx/conf # cp -a nginx.conf nginx.conf-bak 1. Replace the below code 
# vi /usr/local/vesta/nginx/conf/nginx.conf # SSL PCI Compliance ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_ciphers EECDH+AES128:RSA+AES128:EECDH+AES256:RSA+AES256:EECDH+3DES:RSA+3DES:!MD5; ssl_session_cache shared:SSL:10m; ssl_prefer_server_ciphers on;With
# SSL Settings #ssl_protocols TLSv1.3;# Requires nginx >= 1.13.0 else use TLSv1.2 ssl_protocols TLSv1.2; ssl_prefer_server_ciphers on; ssl_dhparam /etc/nginx/dhparam.pem; # openssl dhparam -out /etc/nginx/dhparam.pem 4096 #ssl_ciphers EECDH+AESGCM:EDH+AESGCM; ssl_ciphers ECDHE-RSA-AES256-GC…

How to Harden Nginx with Let's Encrypt SSL Certificate and get A+ Score from Qualys Lab ?

I have written those article previously for CentOS Web Panel for both Nginx + Varnish + Apache + PHP-FPM & Apache server only.
Source Details:
1. Install Letsencrypt SSL Certificate for your Server Hostname/FQDN, 100% Working
2. Install Let'sEncrypt for Admin Panel & User Panel Again, 100% Working
My Certificate Score after SSL hardening:

There are some changes needed for both article that i mentioned above. I will do it later for CentOS Web Panel. Now I have started to like VestaCP which is very lightweight control panel and It has many templates based on nginx for many CMS. I am using Nginx+PHP-FPM on Ubuntu 16.04 L.T.S . I have added 4096 bits Let's Encrypt SSL for VestaCP Admin Panel which is working perfectly and no warning getting from any browser.
Article : How to Configure 4096 bits Let's Encrypt SSL for VestaCP Control (Admin) Panel?

Using a SSL certificate that doesn't mean you are secure. You have to harden(secure) your SSL configuration. My default SSL…

How to Configure 4096 bits Let's Encrypt SSL for VestaCP Control (Admin) Panel?

VestaCP uses self-sign certificates for VestaCP control panel for login url and you will get warning from your browser. We will generate 4096 bits Let's Encrypt SSL VestaCP Control Panel.
It's very easy process to generate the SSL certificate for VestaCP Control Panel.
We will link the SSL certificate for Server FQDN that will use for login to VestaCP Control Panel.
# mv /usr/local/vesta/ssl/certificate.crt /usr/local/vesta/ssl/certificate.crt.old # mv /usr/local/vesta/ssl/certificate.key /usr/local/vesta/ssl/certificate.key.old # ln -s /home/admin/conf/web/ssl.mail.datahead.biz.pem /usr/local/vesta/ssl/certificate.crt # ln -s /home/admin/conf/web/ssl.mail.datahead.biz.key /usr/local/vesta/ssl/certificate.key # reboot

Part 1: VestaCP Basic Configuration after Fresh Installation

We need to change some basic configuration after VestaCP successfully installation. There are four default Packages in vestacp as follow : default, gainsboro, palegreen, slategrey .
1. Change the Name Servers on each packages as per your needs where my name server are ns1.datahead.biz & ns2.datahead.biz
2. Create a package as per your needs
3. Change admin password and set SSH Access to nologin

4. Delete alias for Server FQDN
5. Configure DNS for Server FQDN
6. Delete Default database and user from PhpMyAdmin
7. Configure Authoritative DNS from your domain panel

How to Update & Upgrade APT on Ubuntu 16.04 LTS?

You should first run update, then upgrade. Neither of them automatically runs the other. apt update updates the list of available packages and their versions, but it does not install or upgrade any packages. apt upgrade actually installs newer versions of the packages you have. After updating the lists, the package manager knows about available updates for the software you have installed. This is why you first want to update. Additionally, you can use apt update && apt upgrade to do both steps after each other. # apt update && apt upgrade

CWP : How to Enable PORTFLOOD Protection using CSF firewall?

There is no practical way to actually prevent Dos / DDoS attacks, because your server is connected to the internet. When you are connected to the internet, even with a simple local PC computer you are exposed to remote attacks. The only thing you can do is to mittigate its effects.

When you are under ddos and trying to mitigate the attack, the server will not respond normally, it will get slower than usual, it can often appear down temporary while the attack is decreasing. On large-volume attacks your provider can even null-route the server IP address to avoid from overload their entire network.
Can CSF firewall help me to stop only small / medium attacks? Why not large attacks? Beacuse of the way DDOS works. For very large and distributed attacks, you must use a dedicated firewall, or an specialized antiddos shield that works on network level inside the datacenter where you are hosted, or you can use 3rd party anti-ddos services like Cloudflare, Incapsula or Level3 AntiDDOS services.

CWP : How Configure DDOS Prevention Settings in CSF firewall ?

Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks are common threats that every publicly accessible web server faces. The purpose of such attacks, in simplest terms, is to flood a server with connections, overloading it and preventing from accepting legitimate traffic.
Step #1: SYNflood Protection A SYNflood attack is a DoS attack exploiting the TCP (Transmission Control Protocol) connection process itself. In basic terms, a TCP connection is established using a three-way handshake:
The client (incoming connection) sends a synchronization packet (SYN) to the server.The server responds with a synchronization acknowledgement (SYN/ACK) to the client.The client then responds with an acknowledgement (ACK) back to the server. A SYNflood attack manipulates that three-way handshake by initiating multiple synchronization requests and then refusing to respond with any final acknowledgements. On a Linux server, you can quickly check for SYN packets by running this command o…