Quote:
Originally Posted by jsbali
What is the purpose of the box (before you answer count services first)?
The box would just be used as a dedicated webserver.
OK. The first thing to question would be distro choice. RHEL and RHEL-alikes like CentOS are more geared towards stable production environment use with a longer support cycle compared to FC. Next, since its sole purpose is "webserver", there's a lot you can strip post-install or by choosing a custom install. Less SW means a smaller footprint wrt vulns and less maintenance, which in turn means more stability and (hopefully) less downtime.
Quote:
Originally Posted by jsbali
Will the network location of the box be secured and isolated during the build phase?
Not really
You could restrict access (firewall) to your management IP (ranges) during the install/configuration/test phases.
Quote:
Originally Posted by jsbali
2. Update firewall rules to close all outgoing communication from the webserver except related/established. Only allow TCP connections (reject everything except communication on ports 80/443). I'm not sure about what else I'll be doing with the firewall rules. These are a few things that I have in my mind at a very high level.
Filtering should be both inbound and outbound, minimally discard private ranges (bogons) and could contain limiting rules if you make the webserver face the network directly. Adding logging rules helps troubleshooting and auditing.
Quote:
Originally Posted by jsbali
5. Use some decent Intrusion Detection System and keep checking its log on a time-to-time basis so that I'm aware of any unwanted intrusion that occurred even after making my webserver secure through the aforementioned steps.
It really depends on the context the webserver is placed in, and you have to remember successfully securing a box depends on applying multiple layers of protection and adjusting when necessary (no "fire and forget"). O.S.-wise you have access to SELinux, which can improve O.S. and service level security by for instance denying the Apache user access to D/L tools like wget. Service-wise you have for instance mod_security (O'Reilly link), and wrt network a (reverse) proxy also is an option to help restrict access. Next to those, deploying an IDS is always a good choice. Don't forget the system-side of things and do load a filesystem integrity checker (Aide, Samhain). I'm sure I haven't touched all of it, so do check out the LQ FAQ: Security references if you can.
HTH
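As an added illustration (not part of the original post or jsbali's setup) of the firewall advice above, here is an iptables script for a dedicated webserver: default deny in both directions, established/related allowed, private (bogon) source ranges dropped on the public interface, a ceiling on new HTTP/HTTPS connections per source, and logging of what gets dropped. The interface name eth0, the management range 192.0.2.0/24 and the outbound DNS/update allowances are assumptions to adjust.

```shell
#!/bin/sh
# Example iptables policy for a dedicated webserver (added example, not from the post).
# Assumed placeholders: WAN interface eth0, management range 192.0.2.0/24.
# Set IPT=echo to print the rules instead of applying them.
IPT="${IPT:-iptables}"
WAN="${WAN:-eth0}"
MGMT="${MGMT:-192.0.2.0/24}"

webserver_rules() {
    $IPT -F
    $IPT -X
    # Default deny inbound and outbound; a webserver never forwards.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    # Loopback and flows that are already established or related.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Bogons: private/reserved sources cannot legitimately arrive on the WAN side.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 \
               169.254.0.0/16 0.0.0.0/8 224.0.0.0/4; do
        $IPT -A INPUT -i "$WAN" -s "$net" -j DROP
    done
    # Management (SSH) only from the admin range.
    $IPT -A INPUT -p tcp -s "$MGMT" --dport 22 -m state --state NEW -j ACCEPT
    # Web traffic: limit new connections per source, then accept the rest.
    $IPT -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW \
         -m hashlimit --hashlimit-name http --hashlimit-mode srcip \
         --hashlimit-above 50/sec -j DROP
    $IPT -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    # Outbound: only what the box needs itself (assumed: DNS and package updates).
    $IPT -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT
    # Log (rate-limited) whatever falls through to the DROP policies.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-IN-DROP: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-OUT-DROP: "
}

# Apply only when explicitly asked: ./webserver-fw.sh apply
case "${1:-}" in
    apply) webserver_rules ;;
esac
```

Run with IPT=echo first to review the generated rule set before applying it as root.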