We have gained enormous experience with security hardening since 2003.
After cleaning up hundreds of compromised servers, we have found the best (in our opinion) way to maximize the security of a web server without losing performance and stability.
Any server on the network is a potential target and victim of attacks of all kinds (DDoS, brute force, etc.). The aim of these attacks may be to take the server out of service temporarily, to use the server as an intermediary for further break-ins, or to gain access to the internal structure of the servers.
In any case, a successful attack damages business and reputation. In the best case, the server is used as an intermediary for subsequent attacks (spam, trojans, fake antivirus and other malicious software); in this situation, Google removes the server from its search results and marks the domain's resources as harmful, causing a loss of search-engine traffic (most antivirus programs use Google's database to filter the list of domains that are undesirable to visit, so the loss may include not only search-engine visitors but most traffic altogether). In the worst case, the content on the server can be removed completely, which leads to longer downtime and large financial losses.
Each of our servers is configured on the principle of the 'CIA' security triangle, for a specific task and a specific load. Thus, we achieve a balance between security and performance/stability.
We fully understand the meaning of the CIA triangle, and therefore we know exactly when we must harden security policies and when we need to enhance server performance/stability.
All our servers have the maximum security possible without sacrificing the performance, stability and availability of the resources hosted on the server.
We know exactly how to restrict access to content and how to assign the necessary access rights to users. We use a chroot environment to run web scripts, which minimizes the possibility of other domains being contaminated if one domain on the server is broken into. It also allows a security hole to be found and fixed quickly.
We have developed and implemented a system to verify the integrity of content (for some mission-critical servers, we use a version control system), and we use different backup solutions (custom, or public ones such as Amazon Storage) for backups.
All of these security measures are vital, but they should not affect the availability of sites (and other resources) on the server, because in that case the domain will not bring the server owner the necessary financial results. We know exactly when server performance needs to be improved by relaxing the security policy without increasing the likelihood of a break-in.