LinuxQuestions.org

Forum: Linux - Security (https://www.linuxquestions.org/questions/linux-security-4/)
Thread: Can firewall offer advantages for web server? (https://www.linuxquestions.org/questions/linux-security-4/can-firewall-offer-advantages-for-web-server-790948/)

rblampain 02-23-2010 02:51 AM

Can firewall offer advantages for web server?
 
I intend to set up a web site on a dedicated web server in colocation (containing nothing else except the server OS).

Is it sufficient to make all files read-only and use Apache mod_security, or can a firewall offer extra necessary protection?

Thank you for your help.

win32sux 02-23-2010 03:36 AM

Quote:

Originally Posted by rblampain (Post 3873545)
I intend to set up a web site on a dedicated web server in colocation (containing nothing else except the server OS).

Is it sufficient to make all files read-only and use Apache mod_security, or can a firewall offer extra necessary protection?

Thank you for your help.

A firewall can most certainly offer you valuable protection. For example, in many cases a firewall will keep your box from being used to attack other boxes when it gets cracked. It's good that you're thinking about security measures before deploying them (it's important to know whether a security measure will in fact reduce the risk you're interested in). That said, a firewall is an extremely basic tool (as in, it provides functionality considered essential by most system/network administrators) and therefore it's probably more difficult to come up with reasons NOT to have one.

Still, whether it's necessary for you is impossible for us to know at this point, since we have no idea what your requirements are or what your risk assessment looks like. Security measures can't be determined to be necessary out of the blue. Have you gone through unSpawn's Security references thread? I suggest you do, even if only to get an idea of the types of security tools (and the vulnerabilities they try to mitigate) which are out there.

FWIW, I'll say this much: If I were forced to host a Web site on a server in which the only security measures were file permissions and mod_security, I'd be more than a bit concerned.

deadeyes 02-23-2010 02:33 PM

Quote:

Originally Posted by rblampain (Post 3873545)
I intend to set up a web site on a dedicated web server in colocation (containing nothing else except the server OS).

Is it sufficient to make all files read-only and use Apache mod_security, or can a firewall offer extra necessary protection?

Thank you for your help.

You certainly should enable it.
Block everything except port 22 (SSH) and ports 80 and 443 for HTTP and HTTPS.

Then set up login with RSA keys, and disable password login and login as root. Put yourself in the wheel group.

That would be a good basis :)

chrism01 02-23-2010 07:40 PM

I wouldn't add yourself to the wheel group. No need to give yourself that group in case your account gets cracked. Instead, log in as yourself, then 'su -' to do root stuff. That would require a cracker to guess both your password and root's to get in.

deadeyes 02-25-2010 04:10 AM

Quote:

Originally Posted by chrism01 (Post 3874451)
I wouldn't add yourself to wheel group. No need to give yourself that group in case your acct gets cracked. Instead, login as yourself then 'su -' to do root stuff. Would require a cracker to guess both your passwd and root's to get in.

I never said to log in as root directly.
You first log in as a normal user, then do su.

What does this have to do with the wheel group?
In some OSes you need to be part of the wheel group to use su.
There is no difference when your account gets cracked. You still need the su password.

chrism01 02-25-2010 09:47 PM

Well, if you need the wheel group to use su, I guess it's OK. I haven't usually needed it to su.
No point in adding privileges if you don't need them.
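An audit of the login settings this exchange is about (key-only SSH, no root login over SSH, and su restricted to the wheel group through pam_wheel), as an added example that is not from any poster. The sample sshd_config and /etc/pam.d/su stanza are constructed here for the script to run offline, and the list of directives checked is the example's own choice.

```shell
#!/bin/sh
# Audits the login settings discussed above: key-only SSH, no root login
# over SSH, and su restricted to the wheel group via pam_wheel.

# Value of the first uncommented occurrence of a directive in sshd_config.
# sshd uses the first value it finds for each keyword; directives inside a
# "Match" block apply only to matching connections, so we stop there.
effective_value() {
    awk -v k="$2" '
        tolower($1) == "match"     { exit }
        tolower($1) == tolower(k)  { print tolower($2); exit }
    ' "$1"
}

# Checks each DIRECTIVE=wanted pair; an unset directive counts as a failure
# because the defaults (root login allowed, passwords allowed) are the weak ones.
check_ssh() {
    cfg=$1; rc=0
    for pair in PermitRootLogin=no PasswordAuthentication=no \
                PubkeyAuthentication=yes ChallengeResponseAuthentication=no; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(effective_value "$cfg" "$key")
        if [ "$got" = "$want" ]; then
            echo "ok   $key $got"
        else
            echo "FAIL $key is '${got:-unset}', want $want"
            rc=1
        fi
    done
    return $rc
}

# True if the su PAM file has an active pam_wheel line, i.e. only wheel members may su.
check_su_pam() {
    grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"
}

# Constructed sample files (not copied from any real host) so the audit runs offline.
sshd_sample=$(mktemp); su_sample=$(mktemp)
cat >"$sshd_sample" <<'EOF'
# a stock config where only root login was turned off
Port 22
#PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
cat >"$su_sample" <<'EOF'
#%PAM-1.0
auth    sufficient  pam_rootok.so
auth    required    pam_wheel.so use_uid
auth    include     system-auth
EOF

check_ssh "$sshd_sample" || echo "sshd_config still allows password logins"
if check_su_pam "$su_sample"; then echo "ok   su is restricted to wheel"
else echo "INFO su is open to every user (no pam_wheel line)"; fi
rm -f "$sshd_sample" "$su_sample"
```

Two things the audit flags that are easy to miss: `PasswordAuthentication no` on its own is not enough when `UsePAM yes` and `ChallengeResponseAuthentication` (called `KbdInteractiveAuthentication` in newer OpenSSH) are left at their defaults, because keyboard-interactive login then still accepts the account password; and a directive set only inside a `Match` block does not change the global default. On the BSDs su is limited to wheel out of the box; on Linux it depends on whether the `pam_wheel.so` line in /etc/pam.d/su is enabled, which is what decides whether deadeyes' wheel membership is needed at all.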

stickman 02-28-2010 11:08 AM

Defense in depth is always a good thing. A local host-based firewall is a good complement to other local security measures and the network firewall if one exists. Keep your network environment in mind. Are your servers on a large subnet with other unrelated servers? Do other admin groups have access to your subnet? Do you trust everything on your subnet?

