We have a couple of servers we can’t move to the cloud for a variety of reasons. In addition, they are running some <i>super</i> legacy applications.<p>Because of this, we’ve really had to focus on OS-level security to protect the application (OS is surprisingly Ubuntu 16).<p>Good Linux Security Software:<p>- ModSecurity V3...tough to figure out but so worth it. An incredible L7 Firewall. Immediately provides benefits.<p>- UFW...utterly saves you from IPTABLES. Also has some neat brute-force protection (ufw limit ssh).<p>- ModEvasive...Apache Module which is great for preventing automated vuln scanners like Burp Suite<p>- ClamAV...antivirus, who knows how effective but is popular<p>- RKHunter...rootkit hunter, hard to tune but can be worth it<p>The biggest benefit we got, though, was from setting all HTTPS Headers on the web server (there are 7 of them now I think you can set). The latest headers like “Feature-Policy”, which can disable JavaScript’s access to webcam, microphone, and more, have been very useful.
I'm mobile, but has this been updated? I used this in college back in '08 and it was much better than iptables, but I don't know if it's kept up with the times.
Nice to see it posted here. I've been a happy user of FireHOL for a decade, if not more. For a while I was worried it was going to be abandoned; I'm really glad it wasn't.<p>I'm not a network guy but I was tasked with setting up some servers at a co-lo, including a box to act as the router. FireHOL was a godsend for helping me to set up the rules.<p>I haven't tried FireQOS yet, but I really want to play with it.
I have used their iplists in pfblocker-ng for 3 years. It's incredibly useful, like "let's block all traffic from Tor exit nodes that appeared online in the last 30 days".