1. Upgrade everything
apt update && apt upgrade -y
2. Secure ssh
grep -P ^Pass /etc/ssh/sshd_config
PasswordAuthentication no
3. Configure iptables (or ufw, etc.) to permit only ssh and https
apt install -y iptables-persistent
iptables --flush
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 255 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -j REJECT
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
iptables-save > /etc/iptables/rules.v4
ip6tables --flush
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT
ip6tables -A INPUT -j REJECT
ip6tables -A FORWARD -j REJECT
ip6tables-save > /etc/iptables/rules.v6
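A script to verify steps 2 and 3 after applying them, added here as an example and not part of the original list. It takes the paths of a saved iptables dump and an sshd_config as arguments; the sample files it writes are constructed, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original checklist: audit a saved iptables dump
# (step 3) and an sshd_config (step 2). Paths are arguments, so the functions
# also work on /etc/iptables/rules.v4 and /etc/ssh/sshd_config on a real host.

# Sorted, space-separated TCP ports ACCEPTed on INPUT in iptables-save output.
accepted_tcp_ports() {
    grep -E '^-A INPUT .*-p tcp .*--dport [0-9]+ .*-j ACCEPT$' "$1" |
        sed -E 's/.*--dport ([0-9]+).*/\1/' | sort -nu | tr '\n' ' ' | sed 's/ $//'
}

# Succeeds only if INPUT ends in an unconditional REJECT/DROP; without it the
# chain policy (ACCEPT by default) lets everything not listed straight in.
has_input_default_deny() {
    grep -Eq '^-A INPUT -j (REJECT|DROP)( |$)' "$1"
}

# Effective top-level PasswordAuthentication. sshd takes the FIRST uncommented
# value and defaults to "yes", so 'grep ^Pass' in step 2 is fooled by a "no"
# that follows an earlier "yes". Include and Match are not followed here; on a
# live host 'sshd -T' is the authoritative view of the effective configuration.
password_auth_setting() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "passwordauthentication" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }' "$1"
}

# Constructed sample files (not captured from a real host).
tmp=$(mktemp -d)
cat > "$tmp/rules.v4" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
EOF
cat > "$tmp/sshd_good" <<'EOF'
PasswordAuthentication no
EOF
cat > "$tmp/sshd_bad" <<'EOF'
PasswordAuthentication yes
# 'grep ^Pass' prints the next line too, but sshd never reaches it:
PasswordAuthentication no
EOF
echo "open tcp ports: $(accepted_tcp_ports "$tmp/rules.v4")"
has_input_default_deny "$tmp/rules.v4" && echo "INPUT default deny: ok"
echo "sshd_good: PasswordAuthentication $(password_auth_setting "$tmp/sshd_good")"
echo "sshd_bad:  PasswordAuthentication $(password_auth_setting "$tmp/sshd_bad")"
```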
4. Either prevent apache from running scripts (PHP, etc.) or make sure your code is good.
5. Use off-site air-gapped backups, layered security, intrusion detection systems, full disk encryption, and computers isolated by task.
6. Use static analysis
- https://www.ssllabs.com/ssltest/
- https://securityheaders.com/
- https://developers.google.com/web/tools/lighthouse/
- https://jigsaw.w3.org/css-validator/
- https://github.com/exakat/php-static-analysis-tools
- etc
7. Educate yourself...
- https://arstechnica.com/author/dan-goodin/
- https://www.youtube.com/watch?v=jmgsgjPn1vs&list=PLhixgUqwRTjx2BmNF5-GddyqZcizwLLGP
- https://www.youtube.com/user/BlackHatOfficialYT
- https://tools.ietf.org/html/
- https://www.w3schools.com/
- etc