percona mysqld

CentOS:
yum install https://repo.percona.com/yum/percona-release-latest.noarch.rpm -y
percona-release setup ps80
yum install -y percona-server-server
cat > /root/.my.cnf << EOF
[client]
user=root
EOF
echo password=`grep password /var/log/mysqld.log|cut -d "@" -f 2-|cut -d " " -f2- ` >> /root/.my.cnf
mysql_secure_installation -p

Debian:
wget https://repo.percona.com/apt/percona-release_latest.$(lsb_release -sc)_all.deb
dpkg -i percona-release_latest.$(lsb_release -sc)_all.deb
percona-release setup ps80
apt-get install percona-server-server -y
echo -> Add twice...
sql

apache2buddy.pl

This is a nice check-and-recommend script for your Apache configuration. Download the current version of apache2buddy.pl via GitHub; see the author's documentation.
http

ModSecurity

See the Wikipedia article: ModSecurity, sometimes called Modsec, is an open-source web application firewall (WAF). Originally designed as a module for the Apache HTTP Server, it has evolved to provide an array of Hypertext Transfer Protocol request and response filtering capabilities along with other security features across a number of different platforms including Apache HTTP Server,...
waf

apache headers

See https://securityheaders.com/?q=blog.fresel.at&hide=on&followRedirects=on

Strict-Transport-Security: max-age=15768000; preload
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src https: 'self' blog.fresel.at public-api.wordpress.com s0.wp.com s01.wp.com s2.wp.com; script-src 'self' 'unsafe-eval' c0.wp.com c01.wp.com s0.wp.com s1.wp.com s2.wp.com stats.wp.com blog.fresel.at 'unsafe-inline'; img-src * 'self' data:; style-src 'self' 'unsafe-inline' c0.wp.com c1.wp.com s0.wp.com s1.wp.com s2.wp.com fonts.googleapis.com; font-src 'self' 'unsafe-inline' data: fonts.gstatic.com c0.wp.com c1.wp.com s0.wp.com s1.wp.com
Referrer-Policy: same-origin
Feature-Policy: microphone 'none'; payment 'none';...
http

WP fail2ban

Install the module, then:
echo "define('WP_FAIL2BAN_AUTH_LOG', LOG_AUTH);" >> /var/www/html/wordpress/wp-config.php
cp /var/www/html/wordpress/wp-content/plugins/wp-fail2ban/filters.d/wordpress-* /etc/fail2ban/filter.d/
cat > /etc/fail2ban/jail.d/wordpress.conf << EOF
[wordpress-hard]
enabled = true
filter = wordpress-hard
logpath = /var/log/messages
maxretry = 1
port = http,https
bantime = 90

[wordpress-soft]
enabled = true
filter = wordpress-soft
logpath = /var/log/messages
maxretry = 3
port = http,https
bantime = 90
EOF
fail2ban-client reload
centos http

BSI: TLS-Standards

Roundup: Use either TLS 1.2 or 1.3. In either case use PFS (Perfect Forward Secrecy).

BSI Minimum Standard under § 8 Para. 1 Sentence 1 BSIG for the use of Transport Layer Security (TLS), Version 2.0. Date: 09.04.2019. This minimum standard contains minimum security requirements for the use of TLS in the federal administration. It sets requirements for ensuring confidentiality, authenticity...
tls

TLS 1.0/1.1 EOL in 2020

Apple: "Therefore, we are deprecating support for TLS 1.0 and 1.1. Complete support will be removed from Safari in updates to Apple iOS and macOS beginning in March 2020." https://webkit.org/blog/8462/deprecation-of-legacy-tls-1-0-and-1-1-versions/

Google: "TLS 1.0 and 1.1 will be disabled altogether in Chrome 81. This will affect users on early release channels starting January 2020." https://security.googleblog.com/2018/10/modernizing-transport-security.html

Microsoft: "Today, we’re announcing our...
tls

certbot – debian

yum install httpd mod_ssl python-certbot-apache -y
firewall-cmd --add-service=http --permanent
firewall-cmd --add-service=https --permanent
systemctl restart firewalld
systemctl enable httpd
cat > /etc/letsencrypt/cli.ini << EOF
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
email = letsencrypt@DOMAIN
domains = blog.DOMAIN
must-staple = True
staple-ocsp = True
agree-tos = True
debug = True
EOF
certbot certonly --apache --config /etc/letsencrypt/cli.ini

/etc/letsencrypt/options-ssl-apache.conf:
SSLEngine on
SSLHonorCipherOrder on...
http tls

defaults

usermod -p ! root
yum clean all
yum install https://dl.fedoraproject.org/pub/epel/epel-release-latest-7.noarch.rpm -y
yum install fail2ban -y
systemctl enable firewalld
systemctl restart firewalld
echo "[sshd]" > /etc/fail2ban/jail.d/sshd.local
echo "enabled = true" >> /etc/fail2ban/jail.d/sshd.local
echo "port = ssh" >> /etc/fail2ban/jail.d/sshd.local
echo "logpath = %(sshd_log)s" >> /etc/fail2ban/jail.d/sshd.local
echo "maxretry = 1" >> /etc/fail2ban/jail.d/sshd.local
echo "bantime = 90" >> /etc/fail2ban/jail.d/sshd.local
...
centos

apache compression

<ifModule mod_gzip.c>
  mod_gzip_on Yes
  mod_gzip_dechunk Yes
  mod_gzip_item_include file .(html?|txt|css|js|php|pl)$
  mod_gzip_item_include handler ^cgi-script$
  mod_gzip_item_include mime ^text/.*
  mod_gzip_item_include mime ^application/x-javascript.*
  mod_gzip_item_include mime ^application/font*
  mod_gzip_item_exclude mime ^image/.*
  mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</ifModule>
<IfModule mod_deflate.c>
  AddOutputFilterByType DEFLATE text/plain
  AddOutputFilterByType DEFLATE text/html
  AddOutputFilterByType DEFLATE text/xml
  AddOutputFilterByType DEFLATE text/css
  AddOutputFilterByType DEFLATE application/xml
  AddOutputFilterByType DEFLATE application/xhtml+xml
  AddOutputFilterByType DEFLATE application/rss+xml
  AddOutputFilterByType DEFLATE application/javascript
  AddOutputFilterByType...
http tls