I found the following article and it helped me to clean up my CentOS webserves. The steps in this articles speak for itself. All credits to the author, Danila Vershinin.
Updating mod_pagespeed can be a pain in the @ss
Just a quick reminder to self, since updating mod_pagespeed doesn’t seem to be possible by just running yum update. If you have installed mod_pagespeed by building it from source, as I have, you will probably run into the following issue:
"httpd >= 2.2 is needed by mod-pagespeed"
Here is a quick and dirty solution that has worked for me.
1) Remove the old version with this command:
yum remove mod-pagespeed-stable.x86_64
2) Follow these steps to update mod_pagespeed to the latest version:
cd ~
yum install at
wget https://dl-ssl.google.com/dl/linux/direct/mod-pagespeed-stable_current_x86_64.rpm
rpm -i --nodeps mod-pagespeed-stable_current_x86_64.rpm
Global protection of all wp-login.php files
Here’s another short post about protecting wp-login.php files on your server from Brute Force Attacks, which can drastically increase your server load. Mine was constantly up to 90% making my server completely inaccessible.
.htaccess or not .htaccess
Adding the following code to your .htaccess files is a solution, but if you have tons of sites like me, you don’t want to manually have to upload .htaccess and .htpasswd files. Instead, you want to handle this at once, globally and server-wide. Here’s how I did it:
First of all, you need to find out if your httpd.conf file is an autogenerated file, or if you can manually edit it (without it being regenerated after an update.)
Usually, modifications go into the pre_main_global.conf include file. If this is also the case for you, make sure this is included in your active httpd.conf file.
Edit pre_main_global.conf and add the following code:
<Files ~ "^\.ht">
    Require all denied
</Files>
<Files wp-login.php>
    AuthUserFile /var/htpass/.htpasswd
    AuthName "Private access"
    AuthType Basic
    require user yourloginname
</Files>
Rename “yourloginname” to whatever login name you like.
Create the directory to store your .htpasswd file as follows:
mkdir /var/htpass/
You can generate a .htpasswd file here: http://www.htaccesstools.com/htpasswd-generator/, make sure to use the same login name as chosen before. Any password you want will do, also an empty password if that’s what you want.
Finally, save your .htpasswd file in the previously created directory, in this example we suggested /var/htpass/.
Assuming the pre_main_global.conf gets included as it should, the only thing left is to restart Apache. Use the following command to do so:
service httpd restart
Alternatively, you can restart Apache from DirectAdmin or WHM. Voila, you are now asked for a User Name and Password each time you access your wp-login.php file to login into WordPress.
Installing Fail2ban on CentOS
Here’s a short tutorial for those of you looking to install Fail2ban on an existing CentOS server or VPS.
First of all, you will have to determine which CentOS version you have, with the following command after starting an SSH session using a terminal window:
cat /etc/centos-release
The response will probably be something like this:
CentOS release 6.8 (Final)
Now that we know the CentOS version is 6, we will have to get the latest EPEL yum repository, using the following command:
rpm -Uvh https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
Next step is to install Fail2ban with the following command:
yum install fail2ban
When prompted "Is this ok [y/N]:", type y and then hit enter.
This may take a few minutes, so sit back and relax waiting for the installation to finish.
The reason you might want to protect your server or VPS using Fail2ban is that you are experiencing too many failed login attempts against WordPress, Proftpd, Exim or sshd, for example. To do so you will have to create the following local configuration file, using an editor such as nano:
nano /etc/fail2ban/jail.local
(Don’t have Nano? You can install Nano with the following command: yum install nano.)
Here is how to set-up an sshd jail to catch failed login attempts to SSH:
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/secure
maxretry = 3
findtime = 3600
bantime = 86400
Here is how to set-up an exim jail to catch failed login attempts to Exim:
[exim]
enabled = true
port = smtp,465,submission
filter = exim
logpath = /var/log/exim/mainlog
maxretry = 3
findtime = 86400
bantime = 31536000
Now that we have created these jails and saved our configuration file (ctrl+x), we have to start the Fail2ban service with the following command:
service fail2ban start
If everything went as expected you should get the following response:
Starting fail2ban: [ OK ]
Using Fail2ban to block login attempts to WordPress
If additionally you also would like to protect your server or VPS from failed login attempts to WordPress, you should first create a filter.
Your filters are located here: /etc/fail2ban/filter.d/
Create a new filter named wordpress.conf using Nano as follows: nano /etc/fail2ban/filter.d/wordpress.conf
Copy and paste the following code into the newly created wordpress.conf filter file:
# Fail2Ban filter for wordpress
#

[INCLUDES]
before = common.conf

[Definition]
_daemon = wordpress

failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
            ^%(__prefix_line)sPingback error .* generated from <HOST>$

ignoreregex =

# Author: John Doe
Now that you have created the wordpress.conf filter, you will need to add a new rule to your jail.local file which you have previously created:
[wordpress]
enabled = true
filter = wordpress
logpath = /var/log/secure
maxretry = 3
findtime = 86400
bantime = 31536000
action = iptables-multiport[name=wordpress,port="80,443"]
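To see what the wordpress.conf filter above and the jail's maxretry/findtime settings actually do before you rely on them, here is an added example (not part of the original article) that replays the filter's two failregex lines and the jail's counting logic over a few constructed /var/log/secure-style lines in Python. The PREFIX pattern is a simplified stand-in for fail2ban's %(__prefix_line)s from common.conf, and the sample lines, hostnames and IP addresses are made up.

```python
import re
from datetime import datetime, timedelta

# Simplified stand-in for fail2ban's %(__prefix_line)s (assumption: syslog-style
# lines as CentOS writes them to /var/log/secure: "Mon DD HH:MM:SS host prog[pid]: ").
PREFIX = r"^(?P<ts>\w{3}\s+\d+ \d+:\d+:\d+) \S+ (?:\S+?(?:\[\d+\])?: )?"
# fail2ban substitutes <HOST> with this pattern (IPv4, IPv6 or hostname).
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# The two failregex lines from the wordpress.conf filter on this page.
FAILREGEX = [
    re.compile(PREFIX + r"Authentication failure for .* from " + HOST + "$"),
    re.compile(PREFIX + r"Pingback error .* generated from " + HOST + "$"),
]

def match_line(line):
    """Return (timestamp, host) if the line matches a failregex, else None."""
    for rx in FAILREGEX:
        m = rx.match(line)
        if m:
            # Syslog lines carry no year; assume the current log year (constructed: 2024).
            ts = datetime.strptime("2024 " + m.group("ts"), "%Y %b %d %H:%M:%S")
            return ts, m.group("host")
    return None

def hosts_to_ban(lines, maxretry=3, findtime=86400):
    """Apply the jail's rule: ban a host once it has maxretry matching lines
    whose timestamps all fall inside a findtime window (seconds)."""
    seen, banned = {}, set()
    for line in lines:
        hit = match_line(line)
        if not hit:
            continue
        ts, host = hit
        window = [t for t in seen.get(host, []) if ts - t <= timedelta(seconds=findtime)]
        window.append(ts)
        seen[host] = window
        if len(window) >= maxretry:
            banned.add(host)
    return banned

# Constructed sample log lines (not taken from a real server).
SAMPLE = """\
Mar 10 09:00:01 web1 wordpress(example.com)[2101]: Authentication failure for admin from 203.0.113.5
Mar 10 09:00:04 web1 wordpress(example.com)[2101]: Authentication failure for admin from 203.0.113.5
Mar 10 09:00:09 web1 wordpress(example.com)[2101]: Authentication failure for admin from 203.0.113.5
Mar 10 09:01:00 web1 wordpress(example.com)[2102]: Authentication failure for editor from 198.51.100.7
Mar 10 09:02:00 web1 wordpress(example.com)[2103]: Pingback error 0 generated from 198.51.100.7
Mar 10 09:03:00 web1 sshd[2200]: Accepted publickey for deploy from 192.0.2.9 port 50022 ssh2
""".splitlines()

if __name__ == "__main__":
    print(hosts_to_ban(SAMPLE))  # {'203.0.113.5'}
```

On a live box the equivalent check is fail2ban-regex /var/log/secure /etc/fail2ban/filter.d/wordpress.conf, which reports how many lines the filter matched.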
Finally, you will have to restart Fail2ban using the following command:
service fail2ban restart
If everything went well, this is what the response should look like:
Stopping fail2ban: [ OK ]
Starting fail2ban: [ OK ]
Congratulations, your server or VPS is now protected against scum trying to make your life miserable!