Greetings. Basically, I would advise following some simple guidelines (back to basics):
-> Don't run stuff with more permissions than needed (ergo, create a user for the services, lock them down, etc)
-> Make sure you can check the logs to monitor for weird stuff (really, this is important, if you can react quickly you can mitigate many issues before they become serious)
-> Don't run unnecessary services (do a cleanup on the host)
-> As best as possible use repository stuff; much easier to be up-to-date (security patches and so on)
-> Prepare an "emergency lockdown" script. Imagine something you can run that will lock nearly everything and put up a nice page for the users, stating "We are performing some super-duper maintenance, blah, blah"; don't scare the hell out of them, but allow yourself to carefully check what is happening without worrying about extra leakage. This can allow you to change passwords, block some suspicious IPs, etc. (bonus points if you prepare a script to block IPs).
-> Encrypt passwords and salt them. Really. This is a must, respect your customers.
-> Extra bonus for a system that emails you as soon as there is a login in the system.
Just common sense, I would say. Oh, and DO change passwords every 90 days, at least.

PS: There is a script for MySQL that does some security check-ups. Google for mysql_secure_installation.

Best regards and best of luck.
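The "salt them" point above is the one most often done wrong, so here is an added worked example (not code from either poster) of what storing a salted, iterated password hash looks like in practice: a fresh random salt per user, a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library, chosen here as an assumption; the post names no algorithm), a self-describing stored record so the work factor can be raised later, and a constant-time comparison on verify. The iteration count and record format are this example's own choices.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example; raise ITERATIONS as hardware allows.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a stored record of the form algo$iterations$salt_b64$digest_b64.

    A new random salt is generated for every call unless one is supplied, so
    two users with the same password get different records and a precomputed
    table is useless against the whole user base.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def _parse_record(record: str):
    """Split a stored record; return None for anything malformed."""
    try:
        algo, iters, salt_b64, digest_b64 = record.split("$")
        if algo != ALGORITHM:
            return None
        return int(iters), base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    except ValueError:          # wrong field count, bad int, bad base64
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time.

    A malformed or tampered record verifies as False rather than raising, so a
    corrupted row in the user table never turns into an open door.
    """
    parsed = _parse_record(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with fewer iterations than current policy.

    Call this after a successful login and re-store the password with
    hash_password() so old accounts migrate to the stronger setting.
    """
    parsed = _parse_record(record)
    return parsed is None or parsed[0] < iterations


if __name__ == "__main__":
    # Constructed sample user table, as an application would persist it.
    users = {"alice": hash_password("correct horse battery staple")}
    print("good password:", verify_password("correct horse battery staple", users["alice"]))
    print("bad password: ", verify_password("Tr0ub4dor&3", users["alice"]))
    print("needs rehash: ", needs_rehash(users["alice"]))
```

Note that the record carries its own iteration count: when you later decide 200,000 iterations is too few, change the constant, and `needs_rehash` tells you which accounts to upgrade at their next successful login without forcing a password reset on everyone.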
Everything else miaumiua lists is great. I'd throw in a few random things I think of off the top of my head... mod_security, csf, mount tmp as noexec, LYNIS, phpsuexec, linux maldet.