As you probably know from my previous posts, this website is hosted on an Apache server.
Although I only host this single website on my server, I still spent the extra effort to create and configure an additional virtual host on Apache. This article goes through the whys and hows.
When you first install the Apache server, a site config file is automatically generated at /etc/apache2/sites-available/000-default.conf. In a lot of online tutorials, people simply edit this file and fill in their domain name, document root directory, etc.
However, I don't think it's a good idea. Instead, I created an additional site config file for this website, and modified the 000-default.conf file to the following:

    <VirtualHost *:80>
        ServerName xxx.xxx.xxx.xxx
        Redirect 403 /
        ErrorDocument 403 "Direct IP access not allowed."
        DocumentRoot /tmp/null
        UseCanonicalName Off
    </VirtualHost>

This way, my server denies any request made directly to its public IP address. Used together with a CDN acting as a web proxy, the two methods combined provide two-way security.
First, if an attacker learns about this website by its domain name, there is no way for them to figure out the IP address of the actual hosting server, because the DNS record points to the CDN server's IP address. Hence, there is no way they could scan the ports on this server and try to find other vulnerabilities to exploit.
Second, if an attacker randomly scans through a wide range of IP addresses and comes across this server, even though they know that port 80 is open, there is no way for them to figure out what content is actually being served, and hence they could not even try to launch their attacks on the hosted website.
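Editing 000-default.conf works as the catch-all because Apache hands a request whose Host header matches no ServerName or ServerAlias to the first virtual host it loaded for that address and port, and wildcard includes such as the sites-enabled directory are read in alphabetical order. The sketch below is an added example, not code from this site: it is a simplified model of that selection, and the address 203.0.113.10, the domain example.com and the file name blog.conf are placeholders.

```python
import fnmatch
import re

# Constructed sample: two site files as they would sit in sites-enabled/.
# 203.0.113.10 (a documentation address) and example.com are placeholders.
SITES = {
    "000-default.conf": """
<VirtualHost *:80>
    ServerName 203.0.113.10
    Redirect 403 /
</VirtualHost>""",
    "blog.conf": """
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com *.example.com
    DocumentRoot /var/www/blog
</VirtualHost>""",
}

def load_vhosts(sites):
    """Return (file, names) per vhost, in the order Apache would read them."""
    vhosts = []
    for fname in sorted(sites):  # wildcard includes expand alphabetically
        blocks = re.findall(r"<VirtualHost[^>]*>(.*?)</VirtualHost>",
                            sites[fname], re.S | re.I)
        for body in blocks:
            names = []
            for _, args in re.findall(
                    r"^\s*(ServerName|ServerAlias)\s+(.+)$", body, re.M | re.I):
                names += args.lower().split()
            vhosts.append((fname, names))
    return vhosts

def select_vhost(vhosts, host_header):
    """Simplified name-based selection: first name match wins, else first vhost."""
    host = host_header.lower().split(":")[0]  # drop an optional :port
    for fname, names in vhosts:
        # ServerAlias may contain wildcards; plain names match only themselves
        if any(fnmatch.fnmatchcase(host, n) for n in names):
            return fname
    return vhosts[0][0]  # no match: the first-listed vhost is the default

if __name__ == "__main__":
    vhosts = load_vhosts(SITES)
    for h in ("203.0.113.10", "example.com", "www.example.com:80",
              "unknown.invalid", ""):
        print(f"Host: {h!r:22} -> {select_vhost(vhosts, h)}")
```

If the deny-all file is renamed so that it no longer sorts first, requests with an unknown Host header fall through to the real site instead, which is why the catch-all belongs in 000-default.conf.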
Of course, these two methods alone won't guarantee 100% safety of your server, and there are numerous tools that provide additional layers of security.
However, the most basic and simple things, such as turning off password access for SSH, as well as what is introduced in this article, must not be neglected either.