99.999% secure installation?


I want to build a totally secure webserver and WordPress installation (or as near as possible) using an EasyEngine install. The additional modules and services I am planning to use are …

Install and configure Firewall - ufw
Secure shared memory - fstab
SSH - Key based login, disable root login and change port
Apache SSL - Disable SSL v3 support
Protect su by limiting access only to admin group
Harden network with sysctl settings
Disable Open DNS Recursion and Remove Version Info - Bind9 DNS
Prevent IP Spoofing
Harden PHP for security
Restrict Apache Information Leakage
Install and configure Apache application firewall - ModSecurity
Protect from DDoS (Denial of Service) attacks with ModEvasive
Scan logs and ban suspicious hosts - DenyHosts and Fail2Ban
Intrusion Detection - PSAD
Check for RootKits - RKHunter and CHKRootKit
Scan open Ports - Nmap
Analyse system LOG files - LogWatch
SELinux - AppArmor
Audit your system security - Tiger and Tripwire

Did I miss something? Is this overkill?

Please let me know your ideas.


For security your setup seems good, but are you planning to use Apache with Nginx as a reverse proxy? Because EE only uses Nginx.


Yes, sorry if that wasn't clear, but that was the original plan. I had originally thought that EasyEngine did that as a selectable option, but then found it doesn't, but that ServerPilot does it as their default option. What I am trying to figure out now is which of those additional O/S modules are applicable to the EasyEngine Nginx install of WordPress with LetsEncrypt.


You can remove everything about Apache, but for the other security settings it’s good. For the Nginx security, all the settings are already properly set with EE.
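Added example, not code from this thread, from EasyEngine or from any of the tools named above: a small POSIX shell audit script that checks config files for a few of the non-Apache items in the original list (SSH key-only and non-root login on a non-default port, /dev/shm mounted nodev,nosuid,noexec, the sysctl anti-spoofing keys, and Nginx server_tokens off). It inspects files rather than changing anything. The live paths mentioned in the comments are assumed Debian/Ubuntu defaults; the files it writes into a temp directory are constructed samples so that it runs offline and shows one passing and one failing case per check.

```shell
#!/bin/sh
# Added example (not from the thread or EasyEngine): audit a few of the
# non-Apache hardening items against config files. Live paths such as
# /etc/ssh/sshd_config, /etc/fstab, /etc/sysctl.conf and
# /etc/nginx/nginx.conf are ASSUMED Debian/Ubuntu defaults; the sample
# files written below are CONSTRUCTED so the script runs offline.

# Return 0 if an uncommented line in file $1 matches the extended regex $2.
has_line() {
  grep -Eiq "^[[:space:]]*$2" "$1"
}

# SSH: no root login, no password login, and a port other than the default 22.
check_ssh() {
  has_line "$1" 'PermitRootLogin[[:space:]]+no([[:space:]]|$)' || return 1
  has_line "$1" 'PasswordAuthentication[[:space:]]+no([[:space:]]|$)' || return 1
  # An absent Port directive means 22, so require an explicit non-22 port.
  has_line "$1" 'Port[[:space:]]+[0-9]+' || return 1
  ! has_line "$1" 'Port[[:space:]]+22([[:space:]]|$)'
}

# Shared memory: /dev/shm listed in fstab with nodev, nosuid and noexec.
check_shm() {
  awk '$1 !~ /^#/ && $2 == "/dev/shm" &&
       $4 ~ /nodev/ && $4 ~ /nosuid/ && $4 ~ /noexec/ { found = 1 }
       END { exit !found }' "$1"
}

# sysctl: reverse-path filtering (anti-spoofing), no source routing, SYN cookies.
sysctl_is() {  # sysctl_is <file> <key> <expected value>
  key=$(printf '%s' "$2" | sed 's/\./\\./g')
  grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*$3[[:space:]]*$" "$1"
}
check_sysctl() {
  sysctl_is "$1" net.ipv4.conf.all.rp_filter 1 || return 1
  sysctl_is "$1" net.ipv4.conf.default.rp_filter 1 || return 1
  sysctl_is "$1" net.ipv4.conf.all.accept_source_route 0 || return 1
  sysctl_is "$1" net.ipv4.tcp_syncookies 1
}

# Nginx (the web server EasyEngine installs): hide the version string.
check_nginx() {
  has_line "$1" 'server_tokens[[:space:]]+off[[:space:]]*;'
}

# --- CONSTRUCTED sample configs: one passing and one failing per check ---
WORK=$(mktemp -d)
cat > "$WORK/sshd_good" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
cat > "$WORK/sshd_bad" <<'EOF'
#PermitRootLogin no
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$WORK/fstab_good" <<'EOF'
/dev/sda1 / ext4 errors=remount-ro 0 1
tmpfs /dev/shm tmpfs defaults,noexec,nosuid,nodev 0 0
EOF
cat > "$WORK/fstab_bad" <<'EOF'
tmpfs /dev/shm tmpfs defaults 0 0
EOF
cat > "$WORK/sysctl_good" <<'EOF'
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.tcp_syncookies = 1
EOF
cat > "$WORK/sysctl_bad" <<'EOF'
net.ipv4.conf.all.rp_filter = 0
net.ipv4.tcp_syncookies = 1
EOF
cat > "$WORK/nginx_good" <<'EOF'
http {
    server_tokens off;
}
EOF
cat > "$WORK/nginx_bad" <<'EOF'
http {
    # server_tokens off;
}
EOF

report() {  # report <label> <check function> <file>
  if "$2" "$3"; then echo "PASS  $1 ($3)"; else echo "FAIL  $1 ($3)"; fi
}
for v in good bad; do
  report "ssh"    check_ssh    "$WORK/sshd_$v"
  report "shm"    check_shm    "$WORK/fstab_$v"
  report "sysctl" check_sysctl "$WORK/sysctl_$v"
  report "nginx"  check_nginx  "$WORK/nginx_$v"
done
```

To run it against a real host, call the check functions on the live files instead of the samples (for example `check_ssh /etc/ssh/sshd_config` and `check_nginx /etc/nginx/nginx.conf`), and remove the temp directory in `$WORK` afterwards. The checks only read the main files, so a directive that lives in an included file such as `/etc/ssh/sshd_config.d/*.conf` or `/etc/sysctl.d/*.conf` will be reported as missing; comparing against `sysctl -n <key>` and `sshd -T` output is the more reliable way to confirm what is actually in effect.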


OK, thanks. That’s helpful.