last updated: 2019-11-14
Note: CentOS, Fedora and RHEL ship SELinux; Ubuntu and Debian ship AppArmor.
- Change root password
- Create non-superuser account
- Disable remote root SSH login
- Set up UFW / iptables / nftables
- (Optional) Set up Cockpit
  - Web server manager
- (Optional) Use VPS provider firewall instead of UFW
  - VPS provider uses hardware-based firewall
- (Optional) Use Cloudflare
  - DDoS mitigation
  - DNS
- (Optional) Limit listening address on every running service
  - e.g. SSH, private website/services on nginx
- (Optional) Install screen/tmux
- Disable password login
- (Optional) Implement Ed25519 SSH keys
  - RSA can be used, but ed25519/ecdsa are great.
- Implement multi-factor authentication
  - libpam-google-authenticator
- (Optional) Disable IPv6
  - Only if you access your server via IPv4
- Change SSH port
- Limit SSH listening address
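The SSH items in this list can be checked against an existing sshd_config. The script below is an added example, not part of the original notes: it parses the global section of an sshd_config (first-occurrence-wins, stopping at the first Match block) and reports whether root login and password login are disabled, the port is changed, ListenAddress is restricted, and keyboard-interactive auth (what libpam-google-authenticator needs) is enabled. The sample config is constructed.

```python
import re

# Constructed sample, not from the page: a stock-looking sshd_config before hardening.
SAMPLE_SSHD_CONFIG = """\
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
"""

def parse_sshd_config(text):
    """Map lowercase keyword -> list of values from the global section of an sshd_config.

    Comments and blank lines are skipped, 'Key value' and 'Key=value' forms are accepted,
    and parsing stops at the first Match block (its settings are conditional)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z]+)\s*=?\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        settings.setdefault(key, []).append(value)
    return settings

def first(settings, key, default):
    """sshd keeps the first occurrence of a keyword, so later duplicates are ignored.
    When the keyword is absent, the caller's default is returned (treated as not hardened)."""
    return settings[key][0].lower() if key in settings else default

def audit_sshd_config(text):
    """Return {checklist item: True/False} for the SSH items in the hardening list above."""
    s = parse_sshd_config(text)
    return {
        "disable remote root login": first(s, "permitrootlogin", "yes") in ("no", "prohibit-password"),
        "disable password login": first(s, "passwordauthentication", "yes") == "no",
        "change ssh port": first(s, "port", "22") != "22",
        # ListenAddress accumulates; a wildcard (0.0.0.0 or ::) anywhere means it is not limited.
        "limit ssh listening address": "listenaddress" in s
            and not any(v.split(":")[0] in ("0.0.0.0", "") for v in s["listenaddress"]),
        # PAM-based MFA needs keyboard-interactive auth (older name: ChallengeResponseAuthentication).
        "multi-factor authentication": "yes" in (
            first(s, "kbdinteractiveauthentication", "no"),
            first(s, "challengeresponseauthentication", "no")),
    }

if __name__ == "__main__":
    for item, ok in audit_sshd_config(SAMPLE_SSHD_CONFIG).items():
        print(f"{'OK  ' if ok else 'FAIL'} {item}")
```

Run it against the live file with `python3 audit.py` after replacing SAMPLE_SSHD_CONFIG with the contents of /etc/ssh/sshd_config; an absent keyword is reported as FAIL because the checklist wants each setting made explicit.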
- Snort
- Fail2Ban (both IDS and SSH)
- DenyHosts
- Unattended upgrades
  - automatic security updates
- Remove unused network-facing services
- Set up cloud firewall
  - Disable ufw
  - Set up minimal iptables
  - (see META: Cloudflare, VPS provider firewall)
- nginx redirection of http -> https
- Let's Encrypt
- verdaccio - local npm proxy registry
- pm2
- Logwatch - daily mail
- Ansible automation
- Prometheus
  - monitor server (metrics)
https://www.digitalocean.com/community/questions/what-is-your-server-security-check-list
https://www.digitalocean.com/community/tutorials/how-to-install-prometheus-on-ubuntu-16-04
https://github.com/n1trux/awesome-sysadmin
https://github.com/sbilly/awesome-security
https://github.com/awesome-selfhosted/awesome-selfhosted