michaeljoseph01
New Pleskian
- Server operating system version: Ubuntu 20.04.6
- Plesk version and microupdate number: 18.0.51
I have a single domain on a single cloud VPS server running web and mail service. I have 2 IP addresses on the same WAN adapter. The IP that I want all web traffic to flow through is proxied by Cloudflare. The other IP is exposed because I'm running the mail server traffic through it. What would be the best way to block all traffic other than IMAP or SMTP to that one mail server IP address?
I'm using Cloudflare, the local firewall, mod_security Comodo, fail2ban and I just installed Imunify360.
Also - I'm actually surprised at just how much malicious traffic I'm seeing considering that my site is a work in progress and has no traffic yet. I'm seeing tons of /.env, xmlrpc, and readme.html/txt requests along with wp-login snooping, including a lot of poking around by a block of IPs that resolve to a group called The Academy of Internet Research LLC based out of Hawaii that claims on their website they do whitehat security audits. wtf?
I see that mod_security denies some of these with a 403 like any requests for .env but there's just so many of them in the logs, I see requests from Germany, Iran, China, Russia etc. For now I increased the findtime & bantime windows of the mod_security fail2ban jail, then increased the findtime of the recidive jail and upped the bantime of recidive to 2 weeks in an attempt to shut out the bad actors. Like I said I have no users that need to log in so I'm not too worried about false positives for any of these jails.
What parts of the security stack should I be focusing on?
What are people's thoughts on the Comodo ruleset vs OWASP?
My thinking right now is that I should probably put more of my attention on Cloudflare rules to stop as many bad requests as I can at their edge before the requests even come to my server.
Just a little bit overwhelmed, I'm just getting back into the webmaster game after doing something else for 6 years and don't remember having this much activity on a site that isn't really even linked to yet.
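The first question in the post, restricting the second IP to mail protocols only, can be expressed as a small nftables ruleset scoped to that one address so the Cloudflare-proxied web IP is not touched. The script below is an added example, not part of the original post or of Plesk; it assumes the host runs nftables, that the mail IP is passed as the first argument, and that the generated file is loaded separately with `nft -f`. If the Plesk Firewall extension manages the ruleset on the box, the same rules should be added there instead so the extension does not overwrite them.

```shell
#!/bin/sh
# Added example (not from the original post): print an nftables ruleset that
# only admits SMTP/IMAP connections to a dedicated mail IP and drops every other
# inbound packet addressed to that IP. Packets for the web IP never match the
# rules here, so the web side of the server is unaffected.
# Assumptions: nftables is in use; mail IP is given as $1; load with `nft -f`.

# Ports a mail-only IP needs: 25 (SMTP), 465 (SMTPS), 587 (submission),
# 143 (IMAP), 993 (IMAPS). POP3 (110/995) is deliberately not opened.
MAIL_TCP_PORTS="25, 465, 587, 143, 993"

mail_ip_ruleset() {
    mail_ip="$1"
    [ -n "$mail_ip" ] || { echo "usage: mail_ip_ruleset <mail-ip>" >&2; return 1; }
    cat <<EOF
table inet mailonly {
    chain input {
        type filter hook input priority 0; policy accept;

        # Local processes (webmail, Plesk itself) may still reach every port.
        iifname "lo" accept

        # Replies to connections the mail IP opened, and established sessions.
        ip daddr $mail_ip ct state established,related accept

        # ICMP errors needed for path-MTU discovery and sane error reporting.
        ip daddr $mail_ip icmp type { destination-unreachable, time-exceeded, parameter-problem } accept

        # Only new SMTP/IMAP connections are admitted to the mail IP.
        ip daddr $mail_ip tcp dport { $MAIL_TCP_PORTS } ct state new accept

        # Everything else aimed at the mail IP is counted and dropped.
        ip daddr $mail_ip counter drop
    }
}
EOF
}

# Usage: mail_ip_ruleset 203.0.113.25 > /etc/nftables.d/mailonly.nft
```

Check the file with `nft -c -f mailonly.nft` before loading it with `nft -f mailonly.nft`, and watch the `counter` on the final drop rule (`nft list table inet mailonly`) to see how much non-mail traffic the IP is actually receiving. The drop is limited to packets whose destination is the mail IP, so SSH and the Plesk panel remain reachable on the web IP; if they must also be reachable on the mail IP, add those ports to the accept rule explicitly rather than widening the policy.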
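For the second concern, the volume of /.env, xmlrpc, readme and wp-login probes in the logs, a short triage over the access log shows which source addresses are responsible and how often, which is the input a Cloudflare IP access rule, a Plesk firewall rule or a longer recidive ban needs. The snippet below is an added example rather than anything from the post or from Plesk; it assumes Apache/nginx combined log format, and the sample log lines embedded in it are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): count scanner-style requests
# per source IP in a combined-format access log. The path patterns are the ones
# named in the post (/.env, xmlrpc.php, readme.html/txt, wp-login.php).
# Assumptions: combined log format, where field 1 is the client IP and field 7
# is the request path; sample lines below are constructed, not real traffic.

scanner_hits() {
    # Reads log lines on stdin; prints "<count> <ip>" for every IP with at
    # least $1 matching requests (default 1), highest count first.
    min="${1:-1}"
    awk -v min="$min" '
        $7 ~ /^\/(\.env|xmlrpc\.php|readme\.(html|txt)|wp-login\.php)/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= min) printf "%d %s\n", hits[ip], ip }
    ' | sort -rn
}

sample_log() {
    # Constructed log lines using documentation address ranges.
    cat <<'EOF'
203.0.113.10 - - [01/May/2024:10:00:01 +0000] "GET /.env HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.10 - - [01/May/2024:10:00:02 +0000] "GET /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.7 - - [01/May/2024:10:00:03 +0000] "GET /readme.html HTTP/1.1" 404 153 "-" "python-requests/2.31"
203.0.113.10 - - [01/May/2024:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 404 153 "-" "Mozilla/5.0"
192.0.2.44 - - [01/May/2024:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
EOF
}

# Usage on the sample data:      sample_log | scanner_hits
# Usage on a real Plesk vhost log: scanner_hits 5 < /var/www/vhosts/system/example.com/logs/access_log
```

Because the web IP sits behind Cloudflare, the first field of the access log will show Cloudflare edge addresses unless the real client address has been restored (for Apache, mod_remoteip reading the CF-Connecting-IP header); without that, the counts attribute everything to Cloudflare and the list is useless for blocking. With the address restored, the same output can drive a Cloudflare firewall rule on the path patterns themselves, which stops these requests at the edge exactly as the post proposes, so they never reach mod_security or fail2ban at all.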