by Bucephalus355 2753 days ago
We have a couple of servers we can’t move to the cloud for a variety of reasons. In addition, they are running some super legacy applications.

Because of this, we’ve really had to focus on OS level security to protect the application (OS is surprisingly Ubuntu 16).

Good Linux Security Software:

- ModSecurity V3...tough to figure out but so worth it. An incredible L7 Firewall. Immediately provides benefits.

- UFW...utterly saves you from IPTABLES. Also has some neat brute force protection (ufw limit ssh).

- ModEvasive...Apache Module which is great for preventing automated vuln scanners like Burp Suite

- ClamAV...antivirus, who knows how effective but is popular

- RKHunter...rootkit hunter, hard to tune but can be worth it

Biggest benefit we got though was from setting all HTTPS Headers on the web server (there are 7 of them now I think you can set). The latest headers like “Feature-Policy” which can disable JavaScript’s access to webcam, microphone, and more have been very useful.

3 comments

I find that UFW is more of a pain than it's worth when it comes to simple rules everybody needs like "block everything, allow this handful of ports", mostly because the syntax is too English-like and so it's easier to get confused about how you're supposed to write the rule.

It also spews a bunch of chains all over iptables, making it harder to understand when you actually need to use it directly for something more advanced like mangling.

Yeah, the documentation isn't great. However,

> block everything, allow this handful of ports

This is trivial.

  ufw default deny incoming
  ufw allow 22

I wonder though, is a rootkit even detectable? Perhaps most are.

Which headers are you talking about?

Not OP but I have to assume they are referring to Content Security Policy headers: https://content-security-policy.com/
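
An added example, not part of the thread: a small audit of a raw HTTP response for the response headers discussed above, including whether Feature-Policy actually denies the camera and microphone. The thread names only Feature-Policy and Content Security Policy, so the `EXPECTED` list, the function names and the sample response are assumptions constructed for illustration.

```python
# Added example: audit one HTTP response head for security headers.
# EXPECTED is an assumed list; the thread does not enumerate the headers.
EXPECTED = ("Strict-Transport-Security", "Content-Security-Policy",
            "X-Frame-Options", "X-Content-Type-Options",
            "Referrer-Policy", "Feature-Policy")
SENSITIVE_FEATURES = ("camera", "microphone")  # features the post mentions

def parse_headers(raw):
    """Return {lowercased-name: value} from a raw HTTP response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def parse_feature_policy(value):
    """Map each feature to its allowlist, e.g. {"camera": ["'none'"]}."""
    policy = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def audit(raw):
    """Return a list of findings: missing headers first, then weak values."""
    headers = parse_headers(raw)
    findings = [f"missing: {h}" for h in EXPECTED if h.lower() not in headers]
    if "feature-policy" in headers:
        policy = parse_feature_policy(headers["feature-policy"])
        for feature in SENSITIVE_FEATURES:
            if policy.get(feature) != ["'none'"]:
                findings.append(f"feature-policy: {feature} not set to 'none'")
    csp = headers.get("content-security-policy", "")
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("content-security-policy: allows unsafe-inline/unsafe-eval")
    return findings

# Constructed sample response (not captured from a real server).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Feature-Policy: camera 'none'; microphone 'self'\r\n"
    "\r\n<html></html>"
)
```

Feature-Policy has since been renamed Permissions-Policy, which uses a different value syntax, so a current deployment would check that header as well.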