Securing A Web Server

Hello Everyone,

Good day!

Can you please share your best practices in securing a Rocky web server?

I am considering the following

  1. Process for regular server updates and patch management
  2. Securing SSH
  3. Implementation of firewalld and fail2ban
  4. Offsite backup
  5. Maybe DDOS Deflate?
  6. CloudFlare
  7. Utilization of server monitoring

Thank you in advance!

Hi,

  1. If it’s accessible via the internet, update it regularly.
  2. SSH should be secure enough with the default configuration. Some additional things to do are disable password authentication and use SSH keys instead. Even better, use firewalld to close port 22 and only allow your IP addresses to connect to the server. If the port isn’t open for anyone else, nobody can attempt to abuse it.
  3. FirewallD is installed by default. There are plenty of howto’s on the internet on how to configure this. Same for fail2ban.
  4. Yes, backups are important and definitely don’t store them on the same server.
  5. DDOS Deflate? Can’t say I have heard of that. DDOS yes, Deflate yes as a module for Apache but not together.
  6. Cloudflare is OK providing your content is just standard HTML/CSS/JS. Do not attempt to serve downloads via Cloudflare, else they can ban/block you for overloading their network. They don’t see downloads as normal website content - use a CDN for that and ensure it’s not redirected via Cloudflare. Cloudflare will help to protect your origin server, when the DNS entries are proxied via Cloudflare.
  7. Yes, monitoring is a good idea. There are plenty of solutions out there which can be found with Google.
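
Point 2 of the reply above (key-only SSH, with port 22 reachable only from your own addresses) written out as a script; this is an added example, not part of the thread. It assumes Rocky 9 with the `/etc/ssh/sshd_config.d/` drop-in directory and a default firewalld zone that currently allows the `ssh` service; the function names, the file name `00-key-only.conf` and the addresses (documentation ranges) are placeholders.

```shell
#!/bin/sh
# Added example. Assumes Rocky 9 (sshd reads /etc/ssh/sshd_config.d/*.conf)
# and that the default firewalld zone currently allows the "ssh" service.
# Dry run by default: commands are printed (without shell quoting), not run.
# As root, APPLY=1 executes them.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else printf '%s\n' "$*"; fi
}

# Key-only login. sshd keeps the first value it reads for a keyword, so the
# file name is chosen to sort ahead of the other drop-ins.
write_sshd_dropin() {
    cat > "$1/00-key-only.conf" <<'EOF'
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
EOF
}

# Allow SSH from each listed address, then close it for everyone else.
restrict_ssh_to() {
    for ip in "$@"; do
        case $ip in *:*) fam=ipv6 ;; *) fam=ipv4 ;; esac
        run firewall-cmd --permanent --add-rich-rule="rule family=\"$fam\" source address=\"$ip\" service name=\"ssh\" accept"
    done
    run firewall-cmd --permanent --remove-service=ssh
    run firewall-cmd --reload
}

# Usage: ./harden-ssh.sh 203.0.113.10 2001:db8::10   (placeholder addresses)
if [ "$#" -gt 0 ]; then
    if [ "${APPLY:-0}" = "1" ]; then write_sshd_dropin /etc/ssh/sshd_config.d; fi
    run sshd -t || exit 1            # stop here on a config error
    run systemctl reload sshd
    restrict_ssh_to "$@"
fi
```

Keep the current session open until a second, key-based login from an allowed address succeeds; `sshd -T | grep -i passwordauthentication` shows the value sshd is actually using.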

Hello @iwalker, thanks a lot for the feedback. Yes, it's going to be publicly available through the internet and will mostly host WordPress websites.