I'm looking to make a "bare minimum" checklist for securing a public-facing Unix web server. Assume it's a LAMP stack (or similar). This list should be the minimums you would implement. Obviously requirements would go up for high-traffic sites (DDoS protection, high availability, etc.), but I'm not concerned with that. Just looking for a list of bare minimums for hosting a single web server that is running Apache or NGINX and has a basic on-server MySQL or MariaDB database and a simple PHP application. Assume it's running on AWS, DigitalOcean, etc. Some ideas include:
- Blacklisting/whitelisting IP ranges by country
- Disable remote login by root
- Enable fail2ban (disables IPs after so many failed login attempts)
- Configure the firewall to only allow relevant ports inbound (e.g. ssh, sftp, https)
- Only allow HTTPS, and then test the validity of the certificate and server configuration using the Qualys SSL Labs testing tool (https://www.ssllabs.com/ssltest/)
- Enable multi-factor authentication everywhere that is public facing, such as your Amazon/DigitalOcean/etc. account, your credentials to the server, etc.
- Change the root password to a minimum of 16 characters, alphanumeric with special characters.
- What else?
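The "disable remote login by root" and "fail2ban" items above both turn on what `sshd_config` actually enforces, and that file is easy to get wrong (the first matching directive wins, and a directive left commented out silently falls back to the OpenSSH default). The script below is an added example, not part of the question above or of any project: it audits an `sshd_config` for root login disabled and password authentication off, and demonstrates it on two constructed sample files (a stock-looking one and a hardened one). The function names, the sample configs and the choice of checks are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): audit an sshd_config against
# the "no remote root login, keys only" part of the checklist.
# Assumptions: file path is passed in; the sample configs below are constructed.

# Print the effective value of KEY in FILE, following sshd's own rules:
# keywords are case-insensitive, the FIRST occurrence wins, and anything after
# the first "Match" line is conditional, so it is not considered here.
sshd_effective_value() {
    file="$1"
    key=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    sed -e 's/#.*//' "$file" | awk -v k="$key" '
        tolower($1) == "match"        { exit }           # stop at conditional blocks
        NF >= 2 && tolower($1) == k   { print $2; exit } # first match wins
    '
}

# Return 0 if FILE meets the baseline, 1 otherwise; one finding per line on stdout.
check_sshd_config() {
    file="$1"; rc=0

    v=$(sshd_effective_value "$file" PermitRootLogin)
    # OpenSSH 7.0+ defaults to "prohibit-password"; the checklist wants "no".
    if [ "${v:-prohibit-password}" != "no" ]; then
        echo "PermitRootLogin is '${v:-prohibit-password (default)}', expected 'no'"; rc=1
    fi

    v=$(sshd_effective_value "$file" PasswordAuthentication)
    # Default is "yes". fail2ban only rate-limits guessing; keys remove the attack.
    if [ "${v:-yes}" != "no" ]; then
        echo "PasswordAuthentication is '${v:-yes (default)}', expected 'no'"; rc=1
    fi

    v=$(sshd_effective_value "$file" PubkeyAuthentication)
    # Default is "yes"; turning it off together with passwords locks everyone out.
    if [ "${v:-yes}" = "no" ]; then
        echo "PubkeyAuthentication is 'no'; key-based login would be impossible"; rc=1
    fi
    return "$rc"
}

# Constructed sample configs (not real server files), written to a temp file.
# write_sample hardened|stock -> prints the temp file path
write_sample() {
    f=$(mktemp)
    if [ "$1" = hardened ]; then
        printf '%s\n' \
            '# hardened sample' \
            'Port 22' \
            'PermitRootLogin no' \
            'PasswordAuthentication no' \
            'PubkeyAuthentication yes' \
            'Match User deploy' \
            '    PasswordAuthentication yes   # conditional: ignored by the audit' \
            > "$f"
    else
        printf '%s\n' \
            '# stock sample: directives left commented out, so defaults apply' \
            '#PermitRootLogin prohibit-password' \
            '#PasswordAuthentication yes' \
            > "$f"
    fi
    printf '%s\n' "$f"
}

# Stand-alone demo: the stock sample should fail, the hardened one should pass.
demo() {
    for kind in stock hardened; do
        f=$(write_sample "$kind")
        echo "== $kind sample =="
        check_sshd_config "$f" && echo "OK: meets baseline"
        rm -f "$f"
    done
}
demo
```

Run it against a real host with `check_sshd_config /etc/ssh/sshd_config`, and after any change validate with `sshd -t` and keep your existing session open until a second key-based login succeeds. Note that the audit deliberately ignores `Match` blocks; if you use them (for example to allow passwords for one deploy user from one address), review those by hand.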