Further security for server

Discussion in 'ISPConfig 3 Priority Support' started by Derpo, Feb 24, 2018.

  1. Derpo

    Derpo New Member

    Hello all, I recently subscribed to get the ISPConfig book. It's quite nice, but I got it because I wanted to read the security considerations. I'll be running a few e-commerce websites, so I'd like to get nice security for it. I'm already using ufw and Let's Encrypt for SSL on the whole server (config panel, mail, ftp...), giving the clients secure passwords, and so on. Any tips on adding more security? Btw, I'm currently using Apache but will probably move to nginx, as I've got more personal experience with nginx. Does ISPConfig work equally with them, or does it support more features on Apache? Thanks.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    What you might do is harden the SSL settings (SSL cipher suite etc.). The SSL cipher suite is not set by ISPConfig; it uses the one that is globally set in the Apache config, and you might want to check the one that ships with the OS and replace it with a stricter one from here: https://mozilla.github.io/server-side-tls/ssl-config-generator/

    Then you should consider hardening the PHP settings (e.g. disable some unused functions), but do that only in the php.ini file for php-fpm, mod_php and cgi php but not in the cli (commandline PHP) php.ini file.

    The functionality is quite equal, just webdav is not available on nginx servers. But I guess webdav is not used frequently anyway.
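
The PHP advice in the reply above, as an added example (not part of the original posts and not ISPConfig code): a shell audit that reports `disable_functions` for each PHP SAPI and flags a web SAPI without a list or a cli php.ini that has been restricted. It assumes the Debian/Ubuntu layout `/etc/php/<version>/<sapi>/php.ini`; the function names `get_disabled`, `check_ini` and `audit_php_ini` are made up for this example.

```shell
#!/bin/sh
# Added example: audit disable_functions per PHP SAPI.
# Assumption: Debian/Ubuntu layout <root>/<version>/<sapi>/php.ini,
# e.g. /etc/php/7.0/fpm/php.ini. Pass another root as the first argument.

# Print the effective (last uncommented) disable_functions value of one php.ini.
get_disabled() {
    sed -n 's/^[[:space:]]*disable_functions[[:space:]]*=[[:space:]]*//p' "$1" \
        | tail -n 1 | tr -d '"[:space:]'
}

# Classify one php.ini: web SAPIs should carry a list, cli should not.
check_ini() {
    ini=$1
    sapi=$(basename "$(dirname "$ini")")
    value=$(get_disabled "$ini")
    case "$sapi" in
        fpm|apache2|cgi)
            if [ -n "$value" ]; then
                echo "OK    $ini: $value"
            else
                echo "WARN  $ini: web SAPI has no disable_functions"
            fi ;;
        cli)
            if [ -z "$value" ]; then
                echo "OK    $ini: cli left unrestricted"
            else
                echo "WARN  $ini: cli is restricted: $value"
            fi ;;
        *)
            echo "SKIP  $ini: unknown SAPI '$sapi'" ;;
    esac
}

# Walk every <version>/<sapi>/php.ini below the given root.
audit_php_ini() {
    root=${1:-/etc/php}
    for ini in "$root"/*/*/php.ini; do
        [ -f "$ini" ] || continue
        check_ini "$ini"
    done
}

audit_php_ini "$@"
```

After changing a web SAPI's php.ini, reload php-fpm or Apache so the new `disable_functions` value takes effect.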
     
