If you want to set up a fresh, secure web server, use this list:
- never upload data, files or images classified as “secret” to the web server
- set up a daily full backup with cron
- review the system logs daily: auth, www, errors, …
- set up a local firewall with as few open ports as possible (80, 25, …)
- set up daily automatic updates by cron
- reduce the number of users who can log in
- do not use predictable usernames
- enforce long passwords by policy (minimum 15 characters)
- set up a daily load monitor that logs the output of “uptime”
- set up a real-time network monitor with “iftop”
- use “nmap” as a local port scan to test your settings
- remove unneeded software packages and services; less is more
- force monthly password changes by policy
- upload only via encrypted SFTP and use login keys
- copy your logs from /var/log hourly to another external location (scp/rsync) by cron
- use ECC RAM to protect memory against RAM attacks
- use two HDDs as RAID 1 and set up root’s mail so failure reports reach your mailbox
- mount the web server’s root file system read-only so that no one can modify /etc
- don’t use Java, PHP, Tomcat or other admin panels unless you really need them!
I hope these rules help you protect your server.
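Three of the items above (few login users, key-only SFTP/SSH, read-only root) can be checked with small audit functions; this is an added example, not code from the original post, and the passwd, sshd_config and /proc/mounts contents below are constructed samples. Each function reads the file contents on stdin, so on a live host you would run e.g. `count_login_users < /etc/passwd`.

```shell
#!/bin/sh
# Audit helpers for a few checklist items. POSIX sh + awk only.

# "reduce the number of users who can log in": count accounts whose
# login shell is something other than nologin/false.
count_login_users() {
    awk -F: '$7 !~ /(nologin|false)$/ { n++ } END { print n+0 }'
}

# "use login keys": print "ok" when sshd_config turns password logins
# off and leaves public-key auth enabled (OpenSSH default when unset),
# otherwise "weak". Note: per-user "Match" blocks are not evaluated here.
check_sshd_keys_only() {
    awk '
        tolower($1) == "passwordauthentication" { pw = tolower($2) }
        tolower($1) == "pubkeyauthentication"   { pk = tolower($2) }
        END { if (pw == "no" && (pk == "" || pk == "yes")) print "ok"; else print "weak" }'
}

# "mount the root file system read-only": given /proc/mounts, print "ro"
# or "rw" for the entry mounted on "/".
rootfs_mode() {
    awk '$2 == "/" { m = ($4 ~ /(^|,)ro(,|$)/) ? "ro" : "rw"; print m; exit }'
}

# Constructed sample inputs (not taken from a real host).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
deploy:x:1000:1000::/home/deploy:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/false'
SAMPLE_SSHD='# weak: passwords still allowed
PasswordAuthentication yes
PubkeyAuthentication yes'
SAMPLE_MOUNTS='/dev/sda1 / ext4 ro,relatime 0 0
/dev/sda2 /var ext4 rw,relatime 0 0'

# Run the checks against the samples when executed directly.
printf 'login-capable users: %s\n' "$(printf '%s\n' "$SAMPLE_PASSWD" | count_login_users)"
printf 'sshd key-only:       %s\n' "$(printf '%s\n' "$SAMPLE_SSHD" | check_sshd_keys_only)"
printf 'root fs mode:        %s\n' "$(printf '%s\n' "$SAMPLE_MOUNTS" | rootfs_mode)"
```

A cron entry can run these against the live files and mail the result to root alongside the daily log review.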