Hardening LAMP Stack

Prerequisites

Ubuntu 22.04, Apache 2.4, MySQL 8 and PHP 8 on a GCP VM.

Ubuntu 22.04

Enabling Ubuntu automatic updates

sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades

Answer Yes at the prompt; this writes /etc/apt/apt.conf.d/20auto-upgrades. By default only security updates are applied automatically (the -updates pocket is commented out under Allowed-Origins in /etc/apt/apt.conf.d/50unattended-upgrades), and kernel updates still need a reboot, which the file /var/run/reboot-required signals.

Change Default SSH Port

You can change the default SSH port from 22 to something else by setting Port in sshd_config and restarting the ssh service. Keep your current SSH session open until a login on the new port has been verified from a second terminal, otherwise you can lock yourself out of the VM. Allow the new port in ufw first, and only then remove the default 22 from the ufw allow list. Moving the port mostly cuts the log noise from automated scanners; it is not a substitute for key-only authentication with PasswordAuthentication disabled. On GCP, ufw is only the guest firewall, so the VPC firewall must also permit the new port; if you use IAP for TCP forwarding, create a rule that allows it from the IAP range:

gcloud compute firewall-rules create allow-ssh-ingress-from-iap \
  --direction=INGRESS \
  --action=allow \
  --rules=tcp:your_new_ssh_port \
  --source-ranges=35.235.240.0/20

After changing the port, the plain SSH button in the Cloud Console still targets 22; choose Open in browser window on custom port from the SSH dropdown and enter the new port.
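The port change described above, written out as a script so that the edit to sshd_config, the syntax check and the ufw rule happen in the right order. This is an added example and not code from the original post; the port 2222 in the usage line and the user@host placeholder are assumptions, and the final removal of the port 22 rule is deliberately left to you.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): move sshd to a new port safely.
# The port 2222 in the usage line and "user@host" are placeholders.
set -eu

# Accept only unprivileged port numbers (1024-65535).
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Rewrite the Port directive in an sshd_config file: drop every existing Port
# line (active or commented out) and put a single "Port N" at the top, so it
# precedes any Include or Match block (sshd rejects Port inside Match).
set_sshd_port() {
  local cfg="$1" port="$2"
  valid_port "$port" || { echo "invalid port: $port" >&2; return 1; }
  { printf 'Port %s\n' "$port"
    sed -E '/^[[:space:]]*#?[[:space:]]*Port[[:space:]]+[0-9]+/d' "$cfg"; } > "$cfg.new"
  cat "$cfg.new" > "$cfg"   # overwrite in place so owner and mode are kept
  rm -f "$cfg.new"
}

# Report the first active Port directive (22 when none is set).
get_sshd_port() {
  local p
  p=$(sed -nE 's/^[[:space:]]*Port[[:space:]]+([0-9]+).*/\1/p' "$1" | head -n1)
  echo "${p:-22}"
}

# The full procedure, to be run as root on the VM. It does NOT remove the
# rule for port 22: do that by hand only after a login on the new port has
# succeeded from a second terminal while this session stays open.
change_ssh_port() {
  local port="$1"
  set_sshd_port /etc/ssh/sshd_config "$port"
  sshd -t                                    # syntax-check before restarting
  ufw allow "$port"/tcp comment 'SSH'        # guest firewall; the VPC rule is separate
  systemctl restart ssh
  echo "Now test from another terminal: ssh -p $port user@host"
  echo "Only after that works: ufw delete allow 22/tcp"
}

# Usage (as root): change_ssh_port 2222
```

On Ubuntu 22.04 the stock sshd_config begins with an Include of /etc/ssh/sshd_config.d/*.conf, so a one-line drop-in there is an equally valid place for the directive; the script edits the main file because that is where the post points.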

Disallow Ping Requests

This is configured in ufw's before.rules, not in Apache itself.

sudo pico /etc/ufw/before.rules
change
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
to
-A ufw-before-input -p icmp --icmp-type echo-request -j DROP
Then reload ufw
sudo ufw reload

This only hides the VM from ICMP ping sweeps; a TCP scan still finds the web server on 80 and 443, and any uptime monitor that relies on ping will report the host as down.

Apache

Disable Apache Signature and ServerTokens

In Apache 2.4 on Ubuntu these two directives live in /etc/apache2/conf-available/security.conf (linked from conf-enabled), where the defaults are ServerTokens OS and ServerSignature On, so the Server header and the default error pages announce the exact Apache version and operating system. Set both as below and restart Apache.

ServerTokens Prod
ServerSignature Off
sudo service apache2 restart

Verify by inspecting the Server response header, for example in the Network tab of Chrome DevTools: it should now read just Apache, with no version or OS string.

Disable Directory Browser Listing

With Indexes enabled, requesting any directory that has no index file (for example /wp-content/uploads/ on a WordPress site) returns a clickable list of everything in it, which hands an attacker upload names, backups and plugin versions for free.

The easiest way to disable directory listing is to remove Indexes from the Options line in the site's virtual host config, i.e. change

<Directory /var/www/live/eharvest/public_html/>
    Options Indexes FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

To

<Directory /var/www/live/eharvest/public_html/>
    Options FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

After reloading Apache, the same request returns 403 Forbidden instead of a listing. Because AllowOverride All is in place, the equivalent per-directory setting is Options -Indexes in an .htaccess file.
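The two checks above (a Server header that still carries a version, and a directory that still lists) are easy to verify from the outside. The following is an added example, not code from the original post: it parses response headers and bodies on stdin so it can be tested offline, and wraps the same checks around curl for a live host. The sample responses are constructed, and example.com in the usage line is a placeholder.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): offline checks for a
# version-bearing Server header and for directory listing. The sample
# responses are constructed; example.com is a placeholder.
set -eu

# Read raw response headers on stdin. Exit 0 if Server or X-Powered-By still
# carries a version or OS (Apache/2.4.52 (Ubuntu), PHP/8.1.2), 1 if clean.
# ServerTokens Prod yields the bare "Apache", which passes.
header_leak() {
  tr -d '\r' | awk '
    tolower($0) ~ /^(server|x-powered-by):/ {
      val = $0; sub(/^[^:]*:[[:space:]]*/, "", val)
      if (val ~ /\/[0-9]/ || val ~ /\(/) leak = 1
    }
    END { exit leak ? 0 : 1 }'
}

# Read a response body on stdin. Exit 0 if it is a mod_autoindex listing
# (its <title> always begins with "Index of"), 1 otherwise.
listing_enabled() {
  grep -qi '<title>Index of '
}

# Live checks (need network). $1 is the site URL, $2 a directory that has no
# index file; /wp-content/uploads/ is assumed as a typical WordPress example.
audit_site() {
  local url="$1" dir="${2:-/wp-content/uploads/}" rc=0
  if curl -sSI --max-time 10 "$url" | header_leak; then
    echo "LEAK  $url exposes version details in Server/X-Powered-By"; rc=1
  fi
  if curl -sS --max-time 10 "$url$dir" | listing_enabled; then
    echo "LEAK  $url$dir serves a directory listing"; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "OK    $url"
  return "$rc"
}

# Constructed samples for the offline demonstration (not captured traffic).
headers_before() { printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.52 (Ubuntu)\r\nX-Powered-By: PHP/8.1.2\r\n\r\n'; }
headers_after()  { printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n'; }
body_listing()   { printf '<html><head><title>Index of /wp-content/uploads</title></head><body>...</body></html>\n'; }
body_forbidden() { printf '<html><head><title>403 Forbidden</title></head><body>Forbidden</body></html>\n'; }

# Usage against a live site: audit_site https://example.com
```

Note that ServerTokens does nothing for the X-Powered-By: PHP/x.y header, which PHP adds on its own; that one goes away with expose_php = Off in php.ini, and the checker above flags it separately.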

Run Apache with a non-privileged user

On Ubuntu the apache2 parent process runs as root only to bind ports 80 and 443; the worker processes that actually handle requests run as the unprivileged www-data user and group, set through APACHE_RUN_USER and APACHE_RUN_GROUP in /etc/apache2/envvars (the User and Group directives in apache2.conf reference those variables rather than a literal name). Verify this first, and only create a dedicated account if workers show up as root or you want the web server separated from other services that use www-data. Do not chown /etc/apache2 to the web server user: the configuration must stay owned by root so that a compromised worker cannot rewrite it.

# Check which user the worker processes run as (expect www-data, never root)
ps -o user= -o comm= -C apache2 | sort | uniq -c

# Create a dedicated system account with no login shell
sudo groupadd --system apache
sudo useradd --system -g apache -s /usr/sbin/nologin apache

# Point Apache at it in /etc/apache2/envvars (apache2.conf reads these variables)
export APACHE_RUN_USER=apache
export APACHE_RUN_GROUP=apache
sudo service apache2 restart

Disable phpMyAdmin

phpMyAdmin is one of the most scanned-for paths on any LAMP host, so keep it disabled unless you are actively using it, and enable it only for the duration of a task.

Disable
sudo a2disconf phpmyadmin.conf
Enable
sudo a2enconf phpmyadmin.conf
Then reload Apache2

Install Fail2Ban

Fail2Ban is an open-source intrusion prevention tool that watches log files and temporarily bans, through the firewall, addresses that keep failing. On a LAMP host it gives you:

  1. Protection against brute force attacks: repeated failed SSH, HTTP-auth or WordPress login attempts from one address get that address banned for a configurable period.
  2. Reduced exposure: automatic bans shrink the window an attacker has to guess credentials or probe for known-vulnerable paths.
  3. Customisable rules: jails and filters are plain configuration, so you can write a regex for any log format your site produces.
  4. Less noise and load: a long brute-force run stops hitting Apache, PHP and MySQL once its source is banned, and the logs stay readable.
  5. Alerting: ban actions can send an e-mail with whois and log excerpts, so you can respond rather than discover the attempt later.

sudo apt-get install fail2ban
sudo systemctl start fail2ban
sudo systemctl enable fail2ban
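One detail ties this section to the SSH port change earlier: the stock sshd jail says port = ssh, which /etc/services resolves to 22, and with fail2ban's default iptables-multiport ban action a ban is applied per port. After moving sshd, a ban would therefore target a port nobody uses. The following added example (not configuration from the original post) renders a jail.local that names the real SSH port and also enables the Apache auth and bad-bot jails; the port 2222, the ban and find times and the retry count are assumptions to adjust.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): generate a fail2ban jail.local
# that bans on the custom SSH port and covers Apache auth/bad-bot log lines.
# Port 2222 (usage line), bantime, findtime and maxretry are assumptions.
set -eu

# Print a jail.local for the given SSH port. The sshd jail must name the port
# explicitly: jail.conf's "port = ssh" resolves via /etc/services to 22, and the
# default iptables-multiport action only blocks the ports listed for the jail.
render_jail_local() {
  local ssh_port="$1"
  case "$ssh_port" in
    ''|*[!0-9]*) echo "invalid port: $ssh_port" >&2; return 1 ;;
  esac
  cat <<EOF
[DEFAULT]
# Loopback is never banned. If you rely on console SSH on GCP, add the IAP
# range 35.235.240.0/20 here so repeated console login failures cannot ban it.
ignoreip = 127.0.0.1/8 ::1
bantime  = 1h
findtime = 10m
maxretry = 5

[sshd]
enabled = true
port    = ${ssh_port}
logpath = %(sshd_log)s

[apache-auth]
enabled = true
port    = http,https
logpath = %(apache_error_log)s

[apache-badbots]
enabled = true
port    = http,https
logpath = %(apache_access_log)s
bantime = 48h
EOF
}

# Extract the "port" value of one jail from a jail.local read on stdin.
# Usage: render_jail_local 2222 | jail_port sshd
jail_port() {
  awk -v jail="[$1]" '
    $0 == jail { f = 1; next }
    /^\[/      { f = 0 }
    f && $1 == "port" { print $3 }'
}

# Write the file and reload fail2ban; run as root on the VM.
install_jail() {
  render_jail_local "$1" > /etc/fail2ban/jail.local
  fail2ban-client -t                 # validate the configuration first
  systemctl restart fail2ban
  fail2ban-client status sshd        # lists the jail's currently banned IPs
}

# Usage (as root): install_jail 2222
```

The %(sshd_log)s and %(apache_*_log)s variables come from fail2ban's own paths-debian.conf, so the log locations follow the distribution defaults; on Ubuntu 22.04 that is /var/log/auth.log for sshd and /var/log/apache2/ for the Apache jails.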

By Ethan
