Hi everyone, I'm somewhat new to server administration, but I am very interested in it. For the past few months, I've been renting a VPS to start learning how to manage a server (I learn better by doing). I think I have a pretty good grip on things now but wanted to ask you all if there is anything I can do to strengthen security. Here's what I have so far: keep everything up to date (obviously), disabled root login, use only SSH keys for login (with all keys password protected), changed the SSH port, set up a firewall, set up fail2ban, used mysql_secure_installation, removed the nginx version number header, set up headers to prevent XSS, clickjacking, and MIME sniffing, and set up SSL for the entire site (with the Mozilla recommended cipher suite, a longer dhparam, etc.). I think that's everything. If anyone has any suggestions to improve my setup, let me know.
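A way to confirm that the SSH items in the list above are actually in effect, as an added example that is not the poster's configuration: a small POSIX sh audit of an sshd_config. The sample config is constructed, the fallback defaults come from sshd_config(5), and the directive names are the standard OpenSSH ones.

```shell
#!/bin/sh
# Added example, not the poster's setup: audit an sshd_config for the SSH items
# in the post (root login off, keys only, non-default port). sshd honours the
# FIRST uncommented occurrence of a directive and ignores later duplicates, so a
# hardening line placed below a permissive one silently does nothing.

# Effective global value of a directive (case-insensitive), empty if unset.
# Stops at the first Match block, whose settings are conditional.
sshd_get() {
  awk -v key="$2" '
    /^[[:space:]]*#/ { next }                 # comment line
    tolower($1) == "match" { exit }           # rest applies only inside Match
    tolower($1) == tolower(key) { print $2; exit }
  ' "$1"
}
# $1=file $2=directive $3=default when unset (sshd_config(5)) $4=wanted value
sshd_check() {
  v=$(sshd_get "$1" "$2"); eff="${v:-$3}"
  if [ "$eff" = "$4" ]; then echo "ok   $2=$eff"; return 0; fi
  echo "FAIL $2=$eff (want $4)"; return 1
}

# Prints one line per item; the return value is the number of failures.
sshd_audit() {
  n=0
  sshd_check "$1" PermitRootLogin prohibit-password no || n=$((n+1))
  sshd_check "$1" PasswordAuthentication yes no || n=$((n+1))
  # keyboard-interactive (PAM) can still accept passwords when this is left on
  sshd_check "$1" ChallengeResponseAuthentication yes no || n=$((n+1))
  sshd_check "$1" PubkeyAuthentication yes yes || n=$((n+1))
  p=$(sshd_get "$1" Port)
  if [ "${p:-22}" = "22" ]; then echo "FAIL Port=22 (default)"; n=$((n+1)); else echo "ok   Port=$p"; fi
  return "$n"
}

# Constructed sample that looks hardened at a glance but fails two checks:
# the first PasswordAuthentication wins, and ChallengeResponse is never set.
write_sample() {
  cat > "$1" <<'EOF'
Port 2222
PasswordAuthentication yes
PermitRootLogin no
# PasswordAuthentication no   <- commented out, so the "yes" above stays
PasswordAuthentication no
Match User deploy
    PermitRootLogin yes
EOF
}
if [ -n "${1:-}" ]; then sshd_audit "$1"; fi
```

Run it as `sh audit.sh /etc/ssh/sshd_config`; `sshd -T` prints the fully resolved configuration and is the authoritative cross-check on a live host.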
You need to have ModSecurity installed and integrated with nginx. Also install maldet on the server to actively scan for malware being uploaded.
Here's an interesting post from WiredTree where they look at some of the things they do to keep their VPS servers safe. Some nice tips. https://www.wiredtree.com/blog/four-ways-wiredtree-keeps-your-servers-safe/
I highly recommend the CSF firewall. It is the most powerful open-source iptables configuration software I have ever used. It blocks brute-force attacks, can detect SYN flood attacks, handles blocklists, and more. I also suggest that you look into nginx-naxsi; it is a WAF for nginx with some powerful rule sets built in.
Thank you for the advice. I was actually already looking into naxsi before writing the original post. I put it aside as I was working on something else at the moment, but I'll look into it again. As for CSF, I have actually heard of it before. Upon looking into it, it seems like a better system than my current ufw+fail2ban setup, so I'll look into integrating it into my server. Thanks for the advice. As I said above, I am looking into using naxsi, which is an alternative to ModSecurity. As for a malware scanner, that idea totally slipped my mind. Thanks for pointing it out. I'll definitely look into using one going forward. Thanks for the article. There is some pretty good advice in there.