1. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2016
    Lakewood, WA
    Rep Power

    Securing an Internet facing application server

    OS: CentOS v.7
    Web Server: Apache
    Scripting: Python, PHP, Perl

    All packages up-to-date, OS patches up-to-date.

    In addition to fairly tight FirewallD rules for an Internet facing web server (IP restricted access to SSH and DB, no telnet or other un-used services running / installed, only HTTPS allowed, unused ports blocked) and Fail2Ban, what other configuration security should I be looking at? I'm using exclusively open source products, this is part of the specification for the project.

    What else can I do?
    Last edited by Arty Zifferelli; July 30th, 2017 at 09:31 PM.
  2. #2
  3. Wiser? Not exactly.
    Devshed God 2nd Plane (6000 - 6499 posts)

    Join Date
    May 2001
    Bonita Springs, FL
    Rep Power
    I generally configure SSH so that it can only be accessed using public key authentication and not using a password. Limiting by IP isn't practical for me so instead I limit to devices/people via keys and as a bonus it enables easy access by not needing a password at every connection.

    I also generally do not permit remote connections to the database directly, instead they have to be made via a SSH tunnel. Mysql Workbench has built-in support for this which is nice, but it's easy enough to tunnel with any SSH client.

    I'll also generally move SSH off to an alternate port just to cut down on automated scans. Doesn't really improve security much but cuts down on the log noise quite a bit.

    Just keep up with patches and you should be good. I check logs periodically for anything unusual as well.
    If I helped you out, show some love with some reputation, or tip with Bitcoins to 1N645HfYf63UbcvxajLKiSKpYHAq2Zxud

IMN logo majestic logo threadwatch logo seochat tools logo