If you've been wading through vpsBible's security guides, then your server should already be pretty secure. You might even be tempted to skip the Defense in Depth guides.
… Hackers, you can be sure, hope you will.
For those of us with got-root responsibility, maybe on a VPS or dedicated box, the reality is that all we've enabled so far is a zero-day waiting to happen.
To give our sites and servers the best chance of surviving an unforeseen attack, we need to implement a multi-faceted protective solution.
Basically, we need to cover the angles.
Layered server security for defense in depth
Welcome to security's deep end. Fortunately, we've got life rafts:
- grsecurity culls exploits, restricts users & hardens the kernel
- OSSEC’s Host-based Intrusion Detection System (HIDS) checks system and file changes, finds rootkits, blocks attacks, and manages log files
- Snort’s Network Intrusion Detection System (NIDS) disables bad packets
- chkrootkit & Rootkit Hunter stalk rootkits, backdoors and other slyware
- mod_evasive stems (Distributed) Denial of Service ((D)DoS) onslaughts
- ModSecurity's Web Application Firewall (WAF) blocks malicious queries
There's still no guarantee but, tell you what, this total solution bankrupts the efforts of all but the most skilled hackers out there.
Here's the run-down of wpCop's advanced server security guides …
Final thought on server security
By the time you've understood this section you'll need another whiskey. Good plan.
Quite a head spin, some of this stuff, yes, but at least it was downhill from grsecurity. The reality, though, is that the work isn't just in installing these things, nor even in understanding them. The real work is in honing the configurations and rulesets, so do. That's the key.