@bes1002t
Last active January 5, 2018 19:36
How to harden your server environment
Linux
1. Disable root SSH login in sshd_config.
2. Create a new user and do not use a default account such as the 'pi' user on Raspbian.
3. Follow these steps: https://www.cyberciti.biz/tips/linux-security.html
- for me the following sections were helpful (mostly because of my special software and hardware configuration): #1, #5, #8, #12, #13, #16, #17, #20, #23, #24, #25, #26, #27 already using keepass, #29 already done but please check major tools whether all information is logged, #30, #32, #33, #36, #37, #39
4. Run nginx and php-fpm as an unprivileged user, e.g. 'nginx', instead of root. (You can use systemd for that; example service files are in my gists.)
Nginx
1. Generate the SSL CSR with a 2048-bit key and SHA-512.
2. Serve your applications over HTTPS only; do not serve them over plain HTTP.
3. Only allow TLS 1.2.
4. Only allow strong ssl_ciphers, recommended: "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
5. Use a chain certificate.
6. Generate unique DH parameters (dhparam) with openssl.
7. Set server_tokens off so the server does not leak its version in responses.
8. Prevent browsers from opening the application in frames or iframes (https://geekflare.com/add-x-frame-options-nginx/).
9. Set the X-XSS-Protection header.
10. Consider running the Wapiti security audit tool to check for common security issues.
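As an added example that is not part of the gist, the POSIX shell script below turns Linux item 1 and Nginx items 2 to 9 into something you can check after applying them. It writes constructed sample files (a hardened nginx server block that follows the list above, a weak one left at defaults, and two sshd_config fragments) into a temporary directory, then audits them with plain grep. The hostname example.invalid and the certificate paths are placeholders, not real systems.

```shell
#!/bin/sh
# Added example (not from the gist): post-hardening audit of sshd_config and an
# nginx server block. All sample files are constructed here; paths are placeholders.
set -u

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: a server block that follows Nginx items 2-9 above.
cat >"$WORK/hardened.conf" <<'EOF'
server {
    listen 80;
    server_name example.invalid;              # placeholder hostname
    return 301 https://$host$request_uri;     # item 2: never serve the app over HTTP
}

server {
    listen 443 ssl;
    server_name example.invalid;

    ssl_certificate     /etc/ssl/example/fullchain.pem;   # item 5: chain certificate (placeholder path)
    ssl_certificate_key /etc/ssl/example/privkey.pem;
    ssl_dhparam         /etc/ssl/example/dhparam.pem;     # item 6: generated with openssl dhparam

    ssl_protocols TLSv1.2;                                # item 3
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA HIGH !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";

    server_tokens off;                                    # item 7
    add_header X-Frame-Options SAMEORIGIN always;         # item 8
    add_header X-XSS-Protection "1; mode=block" always;   # item 9
}
EOF

# Constructed sample: a server block left at common defaults (fails every check).
cat >"$WORK/weak.conf" <<'EOF'
server {
    listen 80;
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_certificate     /etc/ssl/example/cert.pem;
    ssl_certificate_key /etc/ssl/example/privkey.pem;
}
EOF

# Constructed sshd_config fragments for Linux item 1.
printf 'PermitRootLogin no\nPasswordAuthentication no\n' >"$WORK/sshd_good"
printf 'PermitRootLogin yes\n' >"$WORK/sshd_bad"

# has_directive FILE REGEX: succeeds if an uncommented line of FILE matches REGEX.
has_directive() {
    grep -Eq "^[[:space:]]*$2" "$1"
}

# check_sshd FILE: prints each finding; the return value is the number of findings.
check_sshd() {
    n=0
    has_directive "$1" 'PermitRootLogin[[:space:]]+no([[:space:]]|$)' \
        || { echo "sshd: PermitRootLogin is not 'no' (Linux item 1)"; n=$((n+1)); }
    return $n
}

# check_nginx FILE: one finding per missing hardening directive; returns the count.
check_nginx() {
    f="$1"; n=0
    has_directive "$f" 'return[[:space:]]+301[[:space:]]+https://' \
        || { echo "nginx: HTTP is not redirected to HTTPS (item 2)"; n=$((n+1)); }
    has_directive "$f" 'ssl_protocols[[:space:]]+TLSv1\.2[[:space:]]*;' \
        || { echo "nginx: ssl_protocols is not exactly TLSv1.2 (item 3)"; n=$((n+1)); }
    has_directive "$f" 'ssl_ciphers[[:space:]]+".*!RC4.*!MD5' \
        || { echo "nginx: no restrictive ssl_ciphers string (item 4)"; n=$((n+1)); }
    has_directive "$f" 'ssl_certificate[[:space:]]+.*(fullchain|chain)' \
        || { echo "nginx: ssl_certificate does not look like a chain file (item 5)"; n=$((n+1)); }
    has_directive "$f" 'ssl_dhparam[[:space:]]' \
        || { echo "nginx: no ssl_dhparam (item 6)"; n=$((n+1)); }
    has_directive "$f" 'server_tokens[[:space:]]+off' \
        || { echo "nginx: server_tokens is not off (item 7)"; n=$((n+1)); }
    has_directive "$f" 'add_header[[:space:]]+X-Frame-Options' \
        || { echo "nginx: X-Frame-Options header missing (item 8)"; n=$((n+1)); }
    has_directive "$f" 'add_header[[:space:]]+X-XSS-Protection' \
        || { echo "nginx: X-XSS-Protection header missing (item 9)"; n=$((n+1)); }
    return $n
}

# Run the audit over the constructed samples; each printed line is a finding.
for f in "$WORK/sshd_good" "$WORK/sshd_bad"; do
    echo "== $f"; check_sshd "$f" || true
done
for f in "$WORK/hardened.conf" "$WORK/weak.conf"; do
    echo "== $f"; check_nginx "$f" || true
done
```

The checks are deliberately literal: a directive counts only when it appears uncommented and, for ssl_protocols, only when TLSv1.2 is the sole value, so a config that still lists TLSv1 or TLSv1.1 is reported. Point the two functions at /etc/ssh/sshd_config and your real site file to use them on a live host; `nginx -t` should still be run afterwards, because this script only checks that the directives are present, not that nginx accepts the file.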
Php
1. Follow these steps: https://www.cyberciti.biz/tips/php-security-best-practices-tutorial.html
- for me the following sections were helpful: #1, #2, #3, #4, #5, #7 (check this whether it makes sense), #8 (check whether it makes sense and your tools still work after these changes), #10 (check the default values), #11 (check whether it makes sense), #12, #13 (use php-fpm but check whether redirect makes sense), #15, #16, #18, #19 (check whether this makes sense), #20 (check SELinux protection for nginx), #21 (check whether this makes sense).