After clearing out the /var/log directory, I noticed a large file called btmp. A quick Google search shed some light on the nature of this file: it is the log of failed login attempts to the server (console and SSH logins, not HTTP requests to the webserver), and it is read with the lastb command.
There was a total of 1.1 GB of failed login attempts recorded. On inspection, many came from IP ranges all across the world, especially Eastern Europe, and most of them were brute-force attempts against common usernames such as root and admin.
The recommendation from this StackOverflow question was to install a service such as fail2ban or DenyHosts. These tools watch the authentication log and block IP addresses that repeatedly fail to authenticate; fail2ban groups the log filter, the failure threshold and the ban action for one service into a "jail", and bans by adding a temporary firewall rule for the offending address.
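The two steps above, summarising btmp by source address and putting an sshd jail in place, as an added shell example that is not part of the original post. The lastb lines are constructed (addresses from the RFC 5737 documentation ranges); the jail thresholds are example values, and the fail2ban directory is passed in so the file can be previewed somewhere harmless first.

```shell
#!/bin/sh
# Added example, not part of the original post. Two helpers for the btmp
# investigation: summarise `lastb` output by source address, and write a
# minimal fail2ban jail for sshd. Sample input below is constructed.

# Print the N (default 10) most frequent source hosts in lastb output on stdin.
# lastb columns: user, tty, host, timestamp...; with `lastb -i` host is an IP.
# The trailing "btmp begins ..." footer and blank lines are skipped.
top_failed_ips() {
    n="${1:-10}"
    awk 'NF >= 3 && $1 != "btmp" { print $3 }' \
        | sort | uniq -c | sort -rn | head -n "$n"
}

# Write a jail.local that bans an address for 1h after 5 failures within 10m
# (example thresholds). DIR defaults to /etc/fail2ban; pass a scratch
# directory to preview the file. "port = ssh" resolves through /etc/services,
# so if sshd listens on another port put that number here instead, otherwise
# the ban rule is written for the wrong port.
write_sshd_jail() {
    dir="${1:-/etc/fail2ban}"
    cat > "$dir/jail.local" <<'EOF'
[DEFAULT]
bantime  = 1h
findtime = 10m
maxretry = 5
ignoreip = 127.0.0.1/8 ::1

[sshd]
enabled = true
port    = ssh
EOF
}

# Constructed lastb-style lines: two failures from one address, one from another.
SAMPLE_LASTB='root     ssh:notty    203.0.113.5      Mon Jan  1 10:00 - 10:00  (00:00)
admin    ssh:notty    203.0.113.5      Mon Jan  1 10:01 - 10:01  (00:00)
root     ssh:notty    198.51.100.7     Mon Jan  1 10:02 - 10:02  (00:00)

btmp begins Mon Jan  1 00:00:00 2024'

# On a real system: sudo lastb -i | top_failed_ips 10
printf '%s\n' "$SAMPLE_LASTB" | top_failed_ips 5
demo=$(mktemp -d)
write_sshd_jail "$demo" && cat "$demo/jail.local"
```

After installing fail2ban and dropping the file into /etc/fail2ban, restart the service and confirm the jail is active with fail2ban-client status sshd; ignoreip should list any address you administer from, since a typo in your own password is otherwise enough to ban yourself.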
Change SSH Port
Changing the SSH port from the default 22 stops most automated scanners, which only try port 22, from ever reaching the daemon, so the btmp noise drops sharply. It does not stop a targeted attacker, who will find the new port with a port scan, so treat it as noise reduction rather than a substitute for key-based authentication and a tool like fail2ban.
First I had to locate the server's SSH config. The default location on Ubuntu server is:
If it is not at that path, you can use the find command to locate it.
Then edit the file and change the Port directive from 22 to the new value (uncommenting it if it is commented out), and restart the SSH service afterwards so the change takes effect. Pick a port greater than 1024 that nothing else on the server uses; if in doubt, use this site to pick a random port number. Before closing your current session, open the new port in the firewall and confirm you can log in on it from a second terminal, otherwise you can lock yourself out of the server.
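The port change as an added shell example, not the post's own commands. It assumes the config file located in the previous step is passed in as the first argument (/etc/ssh/sshd_config is the usual location on Ubuntu), that ufw is the firewall, and that the Ubuntu service name is ssh; the port number 48213 is only an example value.

```shell
#!/bin/sh
# Added example, not the post's own commands. Changes the sshd listening port
# in the config file found in the previous step and applies it in an order
# that does not lock you out. Assumptions: the config path is passed as $1
# (/etc/ssh/sshd_config is the usual location), ufw is the firewall, and the
# Ubuntu service name is "ssh".

# Rewrite the Port directive of an sshd_config file.  Usage: set_ssh_port FILE PORT
set_ssh_port() {
    cfg="$1"; port="$2"
    case "$port" in
        ''|*[!0-9]*) echo "port must be a number" >&2; return 1 ;;
    esac
    # Below 1024 is privileged and well known; above 65535 does not exist.
    if [ "$port" -le 1024 ] || [ "$port" -gt 65535 ]; then
        echo "choose a port in 1025-65535" >&2; return 1
    fi
    cp -p "$cfg" "$cfg.bak"                      # rollback copy
    # Drop every active or commented Port line and put exactly one at the top:
    # Port is not allowed inside a Match block, so it must precede any Match.
    {
        printf 'Port %s\n' "$port"
        grep -v '^[#[:space:]]*Port[[:space:]]' "$cfg" || true
    } > "$cfg.new"
    cat "$cfg.new" > "$cfg"                      # keeps the file's owner/mode
    rm -f "$cfg.new"
}

# Apply on the live system; run from a session you keep open until verified.
apply_ssh_port() {
    port="$1"
    sshd -t                          # syntax check before touching the daemon
    ufw allow "$port/tcp"            # open the new port; leave 22 open for now
    systemctl daemon-reload          # Ubuntu 22.10+ socket-activates sshd
    systemctl restart ssh.socket 2>/dev/null || true
    systemctl restart ssh
    # Now, from a second terminal: ssh -p "$port" user@host
    # Only once that works: ufw delete allow 22/tcp
}

# Offline demonstration on a constructed config (no daemon is touched).
demo=$(mktemp -d)
printf '#Port 22\nPort 22\nPermitRootLogin no\n' > "$demo/sshd_config"
set_ssh_port "$demo/sshd_config" 48213
cat "$demo/sshd_config"
```

Popular alternatives such as 2222 are scanned almost as often as 22, which is why the function refuses nothing above 1024 but the prose above suggests a random choice. The sshd -t check matters: a typo in sshd_config makes the daemon refuse to restart, and the rollback copy is what you restore from if that happens.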
Using the Nmap tool was really helpful for identifying any unnecessary open ports on the server, which could be used as attack vectors. Scan from outside the server rather than from the server itself, compare the result with what the host reports as listening, and close or firewall anything you cannot account for.
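A way to turn that scan into a list of ports you did not intend to expose, as an added shell example that is not from the original post. It assumes a grepable report produced with nmap -sS -p- -sV -oG scan.gnmap from outside the host; the report line below is constructed, with the MySQL port playing the part of the unintended service.

```shell
#!/bin/sh
# Added example, not from the original post: list open ports in an Nmap
# grepable (-oG) report that are not on an allow-list, so anything you did not
# intend to expose stands out. Assumes a scan such as
#   nmap -sS -p- -sV -oG scan.gnmap <server>
# run from outside the host; the report line below is constructed.

# Usage: unexpected_open_ports "22,80,443" < scan.gnmap
# Prints "host port/proto service" for each open port not in the allow-list.
unexpected_open_ports() {
    awk -v allowed="$1" '
        BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        /^Host:/ && /Ports:/ {
            host = $2
            sub(/.*Ports: /, "")                  # keep only the port list
            sub(/[ \t]*Ignored State.*/, "")
            n = split($0, entry, ", ")
            for (i = 1; i <= n; i++) {
                # entry layout: port/state/proto/owner/service/rpc/version/
                split(entry[i], f, "/")
                if (f[2] == "open" && !(f[1] in ok))
                    print host, f[1] "/" f[3], f[5]
            }
        }'
}

# Constructed -oG line: three open TCP ports, one of them (mysql) unexpected.
SAMPLE_GNMAP=$(printf 'Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 3306/open/tcp//mysql///\tIgnored State: closed (997)')

printf '%s\n' "$SAMPLE_GNMAP" | unexpected_open_ports "22,80"
# Cross-check on the host itself with: ss -tlnp
```

A database reachable from the internet is the classic finding here: bind it to localhost or a private interface, or firewall it, rather than relying on its own authentication. Also remember that after moving SSH, the allow-list should carry the new port and 22 should no longer show up as open.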
Using one of the free tools from this list on the OWASP wiki lets you check the site for known vulnerabilities and CVEs.
Warnings and issues need to be remedied; some are critical, others less urgent, e.g. missing or incorrect HTTP security headers.
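The header findings those scanners report can be reproduced with nothing more than the response headers of one page. The check below is an added shell example, not from the original post or any OWASP tool; the list of headers it expects is my choice of the common ones, the live case assumes curl, and the sample headers are constructed.

```shell
#!/bin/sh
# Added example, not from the original post: a quick check for the HTTP
# security headers those scanners flag, run against the headers of one
# response. Assumes curl for the live case; the headers below are constructed.

# Usage: curl -sI https://example.com/ | check_security_headers
# Prints one "missing: <header>" line per absent header; returns 1 if any.
check_security_headers() {
    hdrs=$(cat)
    status=0
    for h in Strict-Transport-Security Content-Security-Policy \
             X-Content-Type-Options X-Frame-Options Referrer-Policy; do
        # Header names are case-insensitive (RFC 9110), so match ignoring case.
        if ! printf '%s\n' "$hdrs" | grep -qi "^$h:"; then
            echo "missing: $h"
            status=1
        fi
    done
    # A version in the Server header lets attackers match CVEs to your stack.
    if printf '%s\n' "$hdrs" | grep -qi '^Server:.*[0-9]'; then
        echo "info: Server header exposes a version"
    fi
    return $status
}

# Constructed response headers from a typical unhardened default install.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=31536000'

printf '%s\n' "$SAMPLE_HEADERS" | check_security_headers || true
```

Run it against each distinct path that serves a different application (static site, admin panel, API), since headers are often set per location block; treat a missing HSTS header on an HTTPS-only site as more urgent than the Server banner, which is informational.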