The task regarding securing applications on the backup server is wrong at its core, as it potentially builds the wrong habits. The task is to open a port for nginx and block one for apache.
The problem here is that it gives the impression that it's enough to close the port for one known app. This is wrong at the core. It would be much more appropriate to block all ports except for the few that are in use - in this case it would mean:
- Block all incoming traffic
- Open traffic from all IPs on the Nginx port
- Open the SSH port from the jump host
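
The default-deny policy listed above, written out as an added example that is not part of the original post or the task. It assumes iptables; the Nginx port (8080), the SSH port (22) and the jump host address (192.0.2.10) are placeholders, and `build_ruleset` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example: print a default-deny INPUT ruleset in iptables-restore format.
# Ports and the jump host address are constructed placeholders, not from the task.

valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {
    # Only digits and dots, no trailing dot, exactly four octets of 0-255.
    case "$1" in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
}

# build_ruleset NGINX_PORT JUMP_HOST [SSH_PORT]
build_ruleset() {
    nginx_port=$1 jump_host=$2 ssh_port=${3:-22}
    valid_port "$nginx_port" || { echo "bad nginx port: $nginx_port" >&2; return 1; }
    valid_port "$ssh_port"   || { echo "bad ssh port: $ssh_port" >&2; return 1; }
    valid_ipv4 "$jump_host"  || { echo "bad jump host: $jump_host" >&2; return 1; }
    # Policy DROP blocks everything; each -A line below is an explicit exception.
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport $nginx_port -j ACCEPT
-A INPUT -s $jump_host/32 -p tcp --dport $ssh_port -j ACCEPT
COMMIT
EOF
}

# Print the ruleset; pipe it to `iptables-restore --test` to validate before loading.
build_ruleset 8080 192.0.2.10
```

This covers IPv4 only; IPv6 traffic is filtered separately by ip6tables and needs an equivalent ruleset.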