We use PfSense running HA Proxy (which is a plugin available natively to PfSense), which acts as our TLS termination for the public certificates (internal servers have internal certs) as well as our load balancer. TLS certs are managed with the ACME plugin for Let's Encrypt, and the Intel processor is using AES-NI to speed up the TLS.
Overall, for security, just using a static service for serving the content solves most attack vectors, as there aren't any CGI or related scriptlets running server side.
Cut off public SSH (if required, some advocate alternate ports, but this isn't so much intrusion prevention as preventing lockouts caused by spam bots). SSH should be using key-based authentication.
For ciphers and modes for TLS / SSH etc, I recommend checking out cipherli.st and the Mozilla TLS guidelines. Cipherli.st has an up-to-date set of configs for most software TLS/SSH settings, and the Mozilla guide has better explanations of how these modes work and what they do.
For PfSense I allow our management pages externally since they also run our VPN (users can download a client), but if you don't need that I would cut off external access to PfSense.
I set up a rule to allow ports 80, 443 and 873 to HAProxy (via PfSense, set to allow to a single host, which is the IP HAProxy is listening on). For HAProxy it does a simple TCP socket check for 873, since rsync isn't a supported mode in HAProxy, so if the socket is open it just balances between the servers.
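An HAProxy configuration matching the setup described in the post, added here as an example and not the poster's actual config (pfSense's HAProxy package normally generates this from its GUI). The backend addresses, the certificate path and the cipher list are assumed placeholders.

```haproxy
defaults
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Example TLS policy for the public bind; pick the actual list from
# cipherli.st / the Mozilla guidelines as the post suggests (placeholder)
global
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

# Port 80: nothing served in the clear, only a redirect to HTTPS
frontend http_in
    mode http
    bind *:80
    http-request redirect scheme https code 301

# Port 443: TLS termination with the Let's Encrypt cert (path is a placeholder)
frontend https_in
    mode http
    bind *:443 ssl crt /var/etc/haproxy/example.org.pem alpn h2,http/1.1
    http-response set-header Strict-Transport-Security "max-age=31536000; includeSubDomains"
    default_backend static_web

# Static content servers; internal certs are not needed on this hop, plain HTTP
backend static_web
    mode http
    balance roundrobin
    option httpchk GET /
    server web1 10.0.0.11:80 check   # placeholder address
    server web2 10.0.0.12:80 check   # placeholder address

# Port 873: rsync is not HTTP, so HAProxy runs it in TCP mode with a
# plain socket health check and balances whichever backends accept a connection
listen rsync
    mode tcp
    bind *:873
    balance roundrobin
    option tcp-check
    server rsync1 10.0.0.11:873 check   # placeholder address
    server rsync2 10.0.0.12:873 check   # placeholder address
```

The pfSense firewall rule from the post would then permit 80, 443 and 873 only to the address HAProxy binds, so backends are never reachable from outside.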