This is basic steps to secure your apache based web server. We are working with CentOS 7 vm in this particular tutorial.

Change ssh default port number
Open ssh configuration file and change default port number 22 to 222 or any other port that is available.

vi /etc/ssh/sshd_conf
Port 222

Install fail2ban
Install epel-release

yum install epel-release

Install fail2ban

yum install fail2ban

Enable fail2ban

systemctl enable fail2ban

Edit jail.conf and change ssh port number to 222 which is the one we are using for ssh connections.

vi /etc/fail2ban/jail.local
[sshd]
enabled = true
port = 222
#action = firewallcmd-ipset
logpath = %(sshd_log)s
maxretry = 5
bantime = 86400

Start the service

systemctl enable fail2ban
systemctl start fail2ban 

Run command below to see all ban IP address.

fail2ban-client status sshd

OSSEC Host Intrusion Detection system installation
Lets install OSSEC in local mode. Meaning you running only one OSSEC system and don’t have dedicated servers to run it.

firewall-cmd --permanent --zone=public --add-port=1514/udp
 firewall-cmd --reload
yum install mysql-devel postgresql-devel gcc
wget -U ossec https://bintray.com/artifact/download/ossec/ossec-hids/ossec-hids-2.8.3.tar.gz 
tar -zxvf ossec-hids-2.8.3.tar.gz 
cd ossec-hids-2.8.3 cd ossec-hids-2.8.3 
./install.sh

We pretty much allow all defaults, and when asked what type of installation choose local unless you run dedicated ossec server

 What kind of installation do you want (server, agent, local, hybrid or help)? server 

We will now add our web root directory so it can be scanned for changes. We assuming our webroot is located under /var/www/html. Please note you will need same amount of space or more for ossec to create all diff. files.

vi /var/ossec/etc/ossec.conf

Please follow this link to add webroot to ossec scan

Firewalld configuration
We will need to open ports for http and https traffic and also allow access via alternative ssh port as well as access for nagios monitoring and ossec.

firewall-cmd --zone=public --permanent --add-service=http\udp
firewall-cmd --zone=public --permanent --add-port=https\udp
firewall-cmd --zone=public --permanent --add-port=1514\udp
firewall-cmd --zone=public --permanent --add-port=5666\tcp
firewall-cmd --zone=public --permanent --add-port=222\tcp
firewall-cmd --reload

Securing /tmp directory
In order to secure tmp directory we created separate partition during install 1GB size.

fdisk -l
Disk /dev/mapper/centos-tmp: 1048 MB, 1048576000 bytes, 2048000 sectors
Units = sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

We will be mounting /tmp partiiotn with noexec, nosuid and nodev options from fstab

cat /etc/fstab
/dev/mapper/centos-tmp  /tmp                    xfs     rw,loop,noexec,nosuid,nodev        0 0

Secure web permissions
Assuming our webroot will be under /var/html/mysite. We will assigh following users and permissions to web root directory

chown -R apache.apache /var/www/html/mysite/
chmod -R 755 /var/www/html/mysite

Install rkhunter

yum install rkhunter
rkhunter --checkall