99.999% secure installation?


#1

I want to build a totally secure webserver and WordPress installation (or as near as possible) using an EasyEngine install. The additional modules and services I am planning to use are …

Install and configure Firewall - ufw
Secure shared memory - fstab
SSH - Key based login, disable root login and change port
Apache SSL - Disable SSL v3 support
Protect su by limiting access only to admin group
Harden network with sysctl settings
Disable Open DNS Recursion and Remove Version Info - Bind9 DNS
Prevent IP Spoofing
Harden PHP for security
Restrict Apache Information Leakage
Install and configure Apache application firewall - ModSecurity
Protect from DDOS (Denial of Service) attacks with ModEvasive
Scan logs and ban suspicious hosts - DenyHosts and Fail2Ban
Intrusion Detection - PSAD
Check for RootKits - RKHunter and CHKRootKit
Scan open Ports - Nmap
Analyse system LOG files - LogWatch
SELinux - Apparmor
Audit your system security - Tiger and Tripwire

Did I miss something? Is this overkill?

Please let me know your ideas.
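As an added example (not from this thread or from EasyEngine), here is a small POSIX sh audit for the SSH item on the checklist above: key-based login, root login disabled, non-default port. It honours sshd's rule that the first uncommented occurrence of a keyword wins and applies the sshd_config(5) defaults when a keyword is absent; the two sample configs are constructed, and on a real host you would point it at /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the thread: audit an sshd_config against the
# "SSH - Key based login, disable root login and change port" checklist item.

# sshd_value FILE KEYWORD -> first effective value (sshd keywords are case-insensitive,
# and sshd uses the FIRST uncommented match, so we stop at the first hit)
sshd_value() {
    awk -v k="$2" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# audit_sshd FILE -> prints one line per check, returns the number of failed checks
audit_sshd() {
    fails=0
    port=$(sshd_value "$1" Port)
    root=$(sshd_value "$1" PermitRootLogin)
    pw=$(sshd_value "$1" PasswordAuthentication)
    pubkey=$(sshd_value "$1" PubkeyAuthentication)
    # Defaults from sshd_config(5) when the keyword is not set at all
    port=${port:-22}; root=${root:-prohibit-password}; pw=${pw:-yes}; pubkey=${pubkey:-yes}

    if [ "$port" = 22 ]; then echo "FAIL Port: default 22"; fails=$((fails+1)); else echo "OK   Port: $port"; fi
    if [ "$root" = no ]; then echo "OK   PermitRootLogin: no"; else echo "FAIL PermitRootLogin: $root"; fails=$((fails+1)); fi
    if [ "$pw" = no ]; then echo "OK   PasswordAuthentication: no"; else echo "FAIL PasswordAuthentication: $pw"; fails=$((fails+1)); fi
    if [ "$pubkey" = yes ]; then echo "OK   PubkeyAuthentication: yes"; else echo "FAIL PubkeyAuthentication: $pubkey"; fails=$((fails+1)); fi
    return $fails
}

# Constructed sample configs so the script runs offline.
WEAK_SSHD_CONFIG='# constructed: stock-looking config, Port and PubkeyAuthentication left at defaults
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
'
HARDENED_SSHD_CONFIG='# constructed: checklist applied
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
'

# write_sample CONTENT -> path of a temp file holding it
write_sample() { f=$(mktemp); printf '%s' "$1" > "$f"; echo "$f"; }

if [ "$#" -gt 0 ]; then
    audit_sshd "$1"          # audit the file given on the command line, e.g. /etc/ssh/sshd_config
else
    for cfg in "$WEAK_SSHD_CONFIG" "$HARDENED_SSHD_CONFIG"; do
        f=$(write_sample "$cfg"); rc=0; audit_sshd "$f" || rc=$?
        echo "-- $rc failing check(s)"; rm -f "$f"
    done
fi
```

Run without arguments it audits the two constructed samples; pass a path to audit a real sshd_config.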


#2

For the security your setup seems good, but are you planning to use Apache with Nginx as reverse proxy? Because EE only uses Nginx.


#3

Yes, sorry if that wasn’t clear, but that was the original plan. I had originally thought that EasyEngine did that as a selectable option, but then found it doesn’t, but that ServerPilot does it as their default option. What I am trying to figure out now is which of those additional O/S modules are applicable to the EasyEngine Nginx install of WordPress with LetsEncrypt.


#4

You can remove everything about Apache, but for the other security settings it’s good. For the Nginx security, all the settings are already properly set with EE.


#5

OK, thanks. That’s helpful.
