I’d give your simple setup a score of 3.5 based on how you described it. Without testing the code of the actual site you’ll never really know how secure it really is. If you have bad devs that don’t do security best practices then yeah, your site is probably a 0.
Security Tools
Wazuh
Nexus
Proxy and VM
Personally it isn’t best practice to have your proxy sit directly on your firewall. It is best to set this up on a VM. With that being said, you also need to make sure your proxy is in a DMZ so that, in case the proxy VM is compromised, it cannot move laterally in our network. Take precautions on the VM hosting your cat site with adequate firewall rules to make sure that, if compromised, it cannot move laterally on your network.
I would suggest setting up AppArmor or SELinux to help protect your VMs from being compromised.
Firewall and Third Party
Try to scope down inbound traffic to your site to the IPs you want accessing it.
Might be worth installing CrowdSec with bouncers to help mitigate known threats from IP addresses and shut down brute force attacks.
Data At Rest
What about data? Where does it sit? Is it encrypted? Do you have snapshots?
There is a lot to consider when dealing with security on that front as well.
Thank you for all this help. It is a lot to think about/implement.
I have Snort installed in pfSense; I need to learn how to use it/implement it.
I had CrowdSec installed in pfSense, from Tom’s tutorial on installing it in pfSense. I am unsure if it was a reboot or an update, but it is not showing up in pfSense. I am going to figure it out and get it working again.
The site, a temp page, is just the default Nginx page with the HTML changed to display a few lines of text—no pictures or anything else.
Everything is self-contained in the VM. I do have it set for snapshots and backups. It is not encrypted.
Could a DMZ zone be a VLAN that only has rules that let it talk to the WAN, and nothing else on the one interface?
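
An added example (not from either poster, and not pfSense's own code) of the DMZ isolation discussed in both posts: a first-match rule evaluator that reports which private (RFC 1918) destinations a compromised DMZ VM could still reach under a given ruleset. The subnets, rule lists, probe targets and function names are constructed assumptions.

```python
import ipaddress

# Constructed addressing: DMZ VLAN 10.0.50.0/24, LAN 192.168.1.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def rule(action, dst, port=None):
    """One rule on the DMZ interface: action, destination network, optional port."""
    return {"action": action, "dst": ipaddress.ip_network(dst), "port": port}

def evaluate(rules, dst_ip, port):
    """First matching rule wins; no match at all means default deny."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if ip in r["dst"] and r["port"] in (None, port):
            return r["action"]
    return "block"

def lateral_paths(rules, probes):
    """Return the probes aimed at private addresses that the ruleset would pass."""
    return [(ip, port) for ip, port in probes
            if any(ipaddress.ip_address(ip) in n for n in RFC1918)
            and evaluate(rules, ip, port) == "pass"]

# Weak: a single "allow to any" rule also covers every internal subnet.
weak = [rule("pass", "0.0.0.0/0")]

# Corrected: block the private ranges first, then allow the rest (the internet).
isolated = [rule("block", str(n)) for n in RFC1918] + [rule("pass", "0.0.0.0/0")]

# Constructed probes: LAN host SSH, firewall web UI on the LAN,
# firewall address inside the DMZ, and a public DNS resolver.
PROBES = [("192.168.1.10", 22), ("192.168.1.1", 443),
          ("10.0.50.1", 443), ("1.1.1.1", 53)]

if __name__ == "__main__":
    for name, rs in (("weak", weak), ("isolated", isolated)):
        print(name, "lateral paths:", lateral_paths(rs, PROBES))
        print(name, "public DNS:", evaluate(rs, "1.1.1.1", 53))
```

Blocking all private ranges also blocks the firewall's own address on the DMZ, so a pass rule for any service the VM needs from it (DNS, for example) has to sit above the block rules.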