Choose a hosting provider

6,186 bytes removed, 9 years ago
/* Mitigation */
===Mitigation===
'''Password management''' is the core of any security strategy. For the dedicated and VPS hosting options, there are several modes of control that an administrator can apply.
<ol>
<li>
Enforce strong passwords - a strong password should contain upper and lower case characters, numbers and special characters and should be long, greater than 20 characters. It is also possible to restrict the reuse of previous passwords. On Linux systems the following PAM line can be used to force complex passwords for users:
<br>
<tt>password required pam_cracklib.so minlen=12 lcredit=1 ucredit=1 dcredit=2 ocredit=1</tt>
<br>
Note that positive credit values, as above, only let characters of that class count towards <tt>minlen</tt>; to make a class mandatory use a negative value, for example <tt>lcredit=-1</tt> requires at least one lower-case letter. For more detail, refer to the guide [http://www.linux-faqs.info/security/force-strong-passwords Force strong passwords].
</li>
<li>Use password aging: the <tt>chage</tt> command on Linux servers allows checking of password age by user and setting of password aging parameters ([http://linoxide.com/linux-command/password-expire-chage-command/ link]).</li>
<li>In some cases it may be prudent to enable account locking for accounts that have been under particularly concerted attack. On Linux systems, the <tt>faillog</tt> command can be used to check failures and to set failure limits. For more details see [http://www.cyberciti.biz/tips/rhel-centos-fedora-linux-log-failed-login.html Faillog]. Great care should be taken when enabling user locking, as an attacker can deny users access to their own services simply by intentionally locking an account. Generally it is better practice to ban the attacker before the need for account locking is encountered.</li>
<li>Use password management software - a tool such as KeePass, or KeePassX for Linux and Mac, allows users to easily generate, store and manage complex, difficult-to-crack passwords. Refer to this guide for details on [https://securityinabox.org/en/keepass_main KeePass].</li>
</ol>
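The password-aging item above is easiest to act on with a quick audit of which accounts still have no maximum password age. The following shell script is an added example, not from the original page or any of the linked guides; it parses an <tt>/etc/shadow</tt>-style file (a constructed sample is embedded, since the real file needs root and differs per host) and lists accounts whose maximum age is unset, left at the 99999 default, or longer than the limit you pass in.

```shell
# Added example (not part of the original page): audit password aging in an
# /etc/shadow-style file. The real /etc/shadow needs root to read and differs
# per host, so a constructed sample is embedded below instead.
#
# /etc/shadow fields, colon-separated:
#   1 login  2 hash  3 last change  4 min age  5 max age  6 warn  7 inactive  8 expire
# An empty or 99999 max-age field means the password never expires; that is
# the field "chage -M <days> <user>" changes.

SAMPLE_SHADOW=$(cat <<'EOF'
root:$6$constructedhash:19000:0:99999:7:::
alice:$6$constructedhash:19000:1:90:14:::
bob:$6$constructedhash:19000:0::7:::
svc_backup:!:19000:0:99999:7:::
deploy:*:19000:0:99999:7:::
EOF
)

# audit_password_aging MAXDAYS   (reads shadow data on stdin)
# Prints the login of every account that has a usable password hash (not "!"
# or "*", which are locked or no-password accounts) and whose maximum password
# age is unset, left at the 99999 default, or longer than MAXDAYS.
audit_password_aging() {
    awk -F: -v maxdays="$1" '
        $2 ~ /^[!*]/ { next }                                  # locked / no password
        $5 == "" || $5 == 99999 || $5 + 0 > maxdays { print $1 }
    '
}

# flagged_accounts MAXDAYS -> space-separated logins flagged in the sample data
flagged_accounts() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_password_aging "$1" | tr '\n' ' ' | sed 's/ $//'
}

# Usage: on a real host run "audit_password_aging 90 < /etc/shadow" as root.
echo "Accounts without a 90-day maximum password age: $(flagged_accounts 90)"
```

The locked (<tt>!</tt>) and no-password (<tt>*</tt>) accounts are skipped deliberately: aging rules are meaningless for them, and reporting them only hides the accounts that matter.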
'''User Management''' on dedicated or VPS systems allows administrators fine-grained control of user login and access permissions.
<ol>
<li>
Root user login should be disabled by default - the <tt>sudo</tt> package should be installed and all superuser actions should be run through it.
</li>
<li>
Secure Shell (SSH) login should be required; telnet and FTP login access should be disabled by default. To upload files to the server securely, users can use Secure FTP (SFTP) clients, which run over SSH.
</li>
<li>
Private keys should be used for SSH login access. The following guide gives details on generating and setting up public/private keys for SSH login, [http://support.suso.com/supki/SSH_Tutorial_for_Linux SSH tutorial]. Once SSH keys have been set up for all relevant users, disabling password-based logins should be considered.
</li>
<li>
File permissions should be restricted for critical files. Users should only be allowed access to files relevant to their work, and execution as root should be restricted. See this discussion of [http://www.linux.com/learn/tutorials/309527-understanding-linux-file-permissions Linux file permissions].
</li>
</ol>
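Items 1 and 3 above both end up as lines in <tt>sshd_config</tt>, and checking them with a plain <tt>grep</tt> is unreliable: sshd takes the first value it reads for each keyword, keywords are case-insensitive, <tt>Keyword=value</tt> is accepted, and anything after a <tt>Match</tt> line applies only to matching connections. The following shell script is an added example, not from the original page or any linked guide; it evaluates the global section the way sshd does and reports whether root login and password authentication are really off. The two sample configurations are constructed.

```shell
# Added example (not from the original page): check whether an sshd_config
# really disables root and password logins. sshd uses the FIRST value it
# reads for each keyword, keywords are case-insensitive, "Keyword=value" is
# accepted, and anything after a "Match" line applies only conditionally.

# effective_value KEYWORD DEFAULT   (reads sshd_config text on stdin)
# Prints the value sshd takes for KEYWORD from the global section, or DEFAULT
# if the keyword is never set there. Output is lower-cased for comparison.
effective_value() {
    awk -v key="$1" -v def="$2" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next          # blank or comment
            split(line, f, "[ \t=]+")
            k = tolower(f[1])
            if (k == "match") exit                       # rest is conditional
            if (k == tolower(key)) { print tolower(f[2]); found = 1; exit }
        }
        END { if (!found) print tolower(def) }
    '
}

# check_sshd_hardening CONFIG_TEXT
# Prints one finding per weak setting; returns 0 only when both are hardened.
# The defaults passed in are OpenSSH's own: PermitRootLogin prohibit-password,
# PasswordAuthentication yes.
check_sshd_hardening() {
    cfg="$1"
    rc=0
    root=$(printf '%s\n' "$cfg" | effective_value PermitRootLogin prohibit-password)
    pass=$(printf '%s\n' "$cfg" | effective_value PasswordAuthentication yes)
    [ "$root" = "no" ] || { echo "PermitRootLogin is '$root', expected no"; rc=1; }
    [ "$pass" = "no" ] || { echo "PasswordAuthentication is '$pass', expected no"; rc=1; }
    return $rc
}

# Constructed sample: looks hardened to grep, but the first PermitRootLogin
# wins and the "no" lines only apply to clients matched by the Match block.
WEAK_CFG='# root allowed everywhere; the Match block below does not change that
PermitRootLogin yes
Port 22
Match Address 10.0.0.0/8
    PermitRootLogin no
    PasswordAuthentication no'

# Constructed sample of a hardened global section (mixed case and the
# "=" form are both valid sshd_config spellings).
HARDENED_CFG='Port 22
permitrootlogin no
PasswordAuthentication=no
PubkeyAuthentication yes'

# Usage (on a real host: check_sshd_hardening "$(cat /etc/ssh/sshd_config)"):
check_sshd_hardening "$WEAK_CFG"     || echo "weak config: not hardened"
check_sshd_hardening "$HARDENED_CFG" && echo "hardened config: ok"
```

Run it before restarting sshd, and keep an existing session open while you do: a mistake here locks you out of the server.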
'''Software Management'''
<ol>
<li>
System software must always be up to date. Critical patches are released by software vendors and operating system providers on a regular basis. Updates frequently contain fixes for potential vulnerabilities and bugs; if your system is not up to date it may be at risk. A recent example of this is the OpenSSL bug [https://heartbleed.com Heartbleed].
</li>
<li>
Minimising installed software is an important step in reducing potential vulnerabilities. The system should have the bare minimum of packages and software installed to support its purpose.
</li>
</ol>
'''System Management'''
<ol>
<li>
A firewall can be enabled via [http://www.netfilter.org/projects/iptables/ iptables]; the guides [http://www.tecmint.com/basic-guide-on-iptables-linux-firewall-tips-commands/ here] and [http://www.cyberciti.biz/faq/category/iptables/ here] describe iptables configuration.
</li>
<li>
To protect the server it is important to audit the open ports on the machine. To check listening ports you can run
<br>
<tt>netstat -tulpn</tt>
</li>
<li>
Logging and auditing are a key aspect of server security. All hacking, brute force, DDoS or other attacks should be captured, monitored and analysed.
<br>
This [http://www.cyberciti.biz/faq/linux-log-files-location-and-how-do-i-view-logs-files/ guide] describes the location and purpose of common Linux log files.
<br>
To ensure that information is not lost or overwritten, and that the logs do not grow without bound, the tool [http://www.thegeekstuff.com/2010/07/logrotate-examples/ Logrotate] can be used.
<br>
Installing a tool like Logwatch allows you to monitor and respond to suspicious activity. The following [https://www.digitalocean.com/community/articles/how-to-install-and-use-logwatch-log-analyzer-and-reporter-on-a-vps guide] describes installing and configuring Logwatch.
</li>
<li>
[http://selinuxproject.org/page/Main_Page Security Enhanced Linux (SELinux)] is a kernel-level security control mechanism which enforces a set of rules and procedures for the system. SELinux provides fine-grained control over access rights and permissions.
<br>
To check if it is enabled run
<br>
<tt>sestatus</tt>
<br>
To switch the running system into enforcing mode run
<br>
<tt>setenforce enforcing</tt>
<br>
This change lasts only until reboot; the persistent mode is set by the <tt>SELINUX=</tt> line in
<br>
<tt>/etc/selinux/config</tt>
</li>
<li>
[http://www.fail2ban.org/wiki/index.php/Main_Page Fail2ban] is an excellent tool that can be used both to combat simple DDoS attacks and to detect and block brute-force login attempts.
</li>
</ol>
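The "open ports" and "logging and auditing" items above both come down to reading command or log output and picking out what needs attention. The following shell script is an added example, not from the original page or any of the tools it links; it runs two audit helpers over constructed sample data (a <tt>netstat -tulpn</tt> listing and a handful of <tt>auth.log</tt> lines using documentation IP addresses), so it works offline. The first flags externally reachable listeners that are not on an allow list; the second counts failed SSH passwords per source, which is the logic Fail2ban automates with a time window and a ban action.

```shell
# Added example (not from the original page): two audit helpers for the
# "open ports" and "logging and auditing" items, run over constructed samples.

# --- 1. Listening ports ---------------------------------------------------
# Constructed sample of "netstat -tulpn" output. udp rows have no State
# column, so the program name is taken from the last field ($NF).
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1033/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1201/apache2
tcp        0      0 0.0.0.0:6379            0.0.0.0:*               LISTEN      1410/redis-server
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           640/dhclient
EOF
)

# unexpected_listeners "PORT PORT ..."   (reads netstat -tulpn output on stdin)
# Prints "proto local-address pid/program" for every socket reachable from
# outside the host (not bound to loopback) on a port missing from the list.
unexpected_listeners() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        $1 !~ /^(tcp|udp)6?$/ { next }                   # header lines
        {
            port = $4; sub(/.*:/, "", port)              # text after the last colon
            addr = $4; sub(/:[^:]*$/, "", addr)          # text before the last colon
            if (addr == "127.0.0.1" || addr == "::1") next   # loopback only
            if (!(port in ok)) print $1, $4, $NF
        }
    '
}

# --- 2. Brute-force sources in the auth log -------------------------------
# Constructed sample auth.log lines (RFC 5737 documentation addresses).
SAMPLE_AUTH_LOG=$(cat <<'EOF'
Mar  3 10:01:12 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51822 ssh2
Mar  3 10:01:15 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.45 port 51830 ssh2
Mar  3 10:01:19 web1 sshd[2203]: Failed password for root from 203.0.113.45 port 51841 ssh2
Mar  3 10:01:22 web1 sshd[2205]: Failed password for root from 203.0.113.45 port 51850 ssh2
Mar  3 10:01:30 web1 sshd[2207]: Failed password for root from 203.0.113.45 port 51861 ssh2
Mar  3 10:02:01 web1 sshd[2210]: Accepted publickey for alice from 198.51.100.7 port 40122 ssh2
Mar  3 10:05:44 web1 sshd[2215]: Failed password for alice from 198.51.100.7 port 40130 ssh2
EOF
)

# brute_force_sources THRESHOLD   (reads auth log lines on stdin)
# Counts sshd "Failed password" events per source address and prints
# "address count" for every source at or above THRESHOLD.
brute_force_sources() {
    awk -v thr="$1" '
        /sshd\[[0-9]+\]: Failed password for / {
            for (i = 1; i < NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        END { for (ip in fails) if (fails[ip] >= thr) print ip, fails[ip] }
    ' | sort
}

# Usage (on a real host: netstat -tulpn | unexpected_listeners "22 80", and
# brute_force_sources 5 < /var/log/auth.log):
echo "Externally reachable listeners not in the allow list (22, 80):"
printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "22 80"
echo "Sources with 5 or more failed SSH passwords:"
printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 5
```

In the sample, MySQL on <tt>127.0.0.1:3306</tt> is not reported because it is bound to loopback only, while Redis on <tt>0.0.0.0:6379</tt> and the DHCP client on UDP 68 are, which is exactly the review the "audit the open ports" item asks for.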
'''Apache hardening'''
As well as considering the physical server and its operating system, users must think in terms of application security, especially for those applications which either contain sensitive data or provide an attacker with access routes to the machine.
Below is a set of guides for Apache webserver hardening.
<ul>
<li>[http://www.tecmint.com/apache-security-tips/ 13 Apache Web Server Security and Hardening Tips]</li>
<li>[http://xianshield.org/guides/apache2.0guide.html Apache 2.0 Hardening Guide]</li>
</ul>
'''Database hardening'''
A key approach discussed elsewhere in protecting data, both at rest (on disk) and in use (in memory), is to encrypt these data stores, either as part of full disk encryption or as individual restricted encrypted mount points.
Below are further guides for specific hardening techniques for the MySQL database system.
<ul>
<li>[http://www.greensql.com/content/mysql-security-best-practices-hardening-mysql-tips MySQL Security Best Practices]</li>
<li>[http://rochakchauhan.com/blog/2013/11/19/security-and-hardening-tips-for-mysql/ Security and Hardening Tips for MySQL]</li>
<li>[http://www.securethelock.com/2014/01/09/12-steps-for-hardening-mysql-from-attackers/ 12 steps for Hardening MySQL from Attackers]</li>
</ul>
</div>