Because of this, we’ve really had to focus on OS level security to protect the application (OS is surprisingly Ubuntu 16).
Good Linux Security Software:
- ModSecurity V3...tough to figure out but so worth it. An incredible L7 Firewall. Immediately provides benefits
- UFW...utterly saves you from IPTABLES. Also has some neat brute force protection (ufw limit ssh).
- ModEvasive...Apache Module which is great for preventing automated vuln scanners like Burp Suite
- ClamAV...antivirus, who knows how effective but is popular
- RKHunter...rootkit hunter, hard to tune but can be worth it
It also spews a bunch of chains all over iptables, making it harder to understand when you actually need to use it directly for something more advanced like mangling.
> block everything, allow this handful of ports
This is trivial.
ufw default deny incoming
ufw allow 22
I'm not a network guy but I was tasked with setting up some servers at a co-lo, including a box to act as the router. FireHOL was a godsend for helping me to setup the rules.
I haven't tried FireQOS yet, but I really want to play with it.