
Security Hardening for Laravel Servers

Shane Barron

Laravel Developer & AI Integration Specialist

Defense in Depth

Server security requires multiple layers of protection. Even if one layer is breached, others should prevent complete compromise.

SSH Hardening

# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
AllowUsers deployuser

# Restart SSH (keep the current session open until a new key-based login succeeds)
sudo systemctl restart sshd
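
The settings above only help if they are the values sshd actually uses: sshd keeps the first value it reads for each keyword, so a hardened line placed below a weaker one is ignored. The script below is an added example, not part of the original article. It audits one config file for the four values shown above and assumes whitespace-separated keywords, treats an unset keyword as a failure, and does not follow Include directives; the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit an sshd_config against the four settings shown above.
# sshd keeps the FIRST value it reads for a keyword (keywords are
# case-insensitive), so a hardened line below a weaker one has no effect.

# effective_value FILE KEYWORD: print the first value set before any Match block
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }             # comments and blank lines
        tolower($1) == "match" { exit }     # global section ends here
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# audit_sshd FILE: print one line per setting; exit status = number of failures
audit_sshd() {
    fails=0
    while read -r key expected; do
        actual=$(effective_value "$1" "$key" | tr 'A-Z' 'a-z')
        if [ "$actual" = "$expected" ]; then
            echo "OK   $key $actual"
        else
            echo "FAIL $key: found '${actual:-unset}', expected '$expected'"
            fails=$((fails + 1))
        fi
    done <<'EOF'
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes
maxauthtries 3
EOF
    return "$fails"
}

# Constructed sample (not a real server config): an early "yes", as a drop-in
# or vendor default might set, shadows the hardened line further down.
demo() {
    f=$(mktemp)
    printf '%s\n' '# constructed sample' 'PasswordAuthentication yes' \
        'PermitRootLogin no' 'passwordauthentication no' \
        'PubkeyAuthentication yes' 'MaxAuthTries 3' > "$f"
    audit_sshd "$f"; rc=$?
    rm -f "$f"
    return "$rc"
}

demo || echo "settings not in effect: $?"
```

On a live server, `sudo sshd -T` prints the effective configuration, including any included files, and is the authoritative check.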

Firewall Configuration

# UFW (Ubuntu)
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw allow http
sudo ufw allow https
sudo ufw enable

# Check status
sudo ufw status verbose

Fail2Ban

# /etc/fail2ban/jail.local
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = /var/log/auth.log
maxretry = 3
bantime = 3600

[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /var/log/nginx/error.log

File Permissions

# Laravel directory permissions
find /var/www/app -type f -exec chmod 644 {} \;
find /var/www/app -type d -exec chmod 755 {} \;

# Storage and cache writable
chmod -R 775 /var/www/app/storage
chmod -R 775 /var/www/app/bootstrap/cache

# Owner
chown -R www-data:www-data /var/www/app

Automatic Security Updates

# Enable unattended upgrades
sudo apt install unattended-upgrades
sudo dpkg-reconfigure -plow unattended-upgrades

Environment Security

# Protect .env file
chmod 600 /var/www/app/.env

# Nginx - block sensitive files
# "return" runs in the rewrite phase, before "deny" is evaluated, so clients receive a 404
location ~ /\.(env|git) {
    deny all;
    return 404;
}

location ~ composer\.(json|lock)$ {
    deny all;
}

Regular Audits

  • Review user accounts monthly
  • Check for unauthorized SSH keys
  • Monitor failed login attempts
  • Keep software updated
  • Review firewall rules

Conclusion

Server security is an ongoing process. Harden SSH, configure firewalls, implement intrusion detection, set proper permissions, and audit regularly.
