1. Initial Setup
- Change Default Passwords: Replace all default admin/root passwords with strong, unique credentials.
- Create a Non-Root User: For daily tasks, use a regular user account with sudo privileges instead of root.
- Update the System: Apply all available OS and software updates/patches immediately after deployment.
2. Network Security
- Configure a Firewall: Use tools like
ufw,firewalld, oriptablesto restrict open ports to only what’s necessary. - Disable Unused Services and Ports: Shut down all services and close ports that you don’t actively need.
- Use SSH Keys: Disable password-based SSH logins; only allow authentication via SSH keys.
- Change Default SSH Port: Consider moving SSH from port 22 to a non-standard port to reduce automated attacks.
- Enable Fail2ban: Install Fail2ban or similar tools to block IPs after repeated failed login attempts.
3. Software & System Hardening
- Remove Unnecessary Packages: Uninstall software you don’t use to minimize vulnerabilities.
- Install Security Updates Automatically: Set up automatic security updates if possible, or schedule regular manual checks.
- Use Secure Protocols: Ensure services like FTP or HTTP are upgraded to SFTP/FTPS and HTTPS.
- Run a Malware Scanner: Deploy tools (like ClamAV, rkhunter, or chkrootkit) for regular scans.
4. Account and Access Control
- Audit User Accounts: Regularly review user accounts and permissions; disable or remove old/unused accounts.
- Implement Strong Password Policies: Require complex passwords and regular password changes.
- Limit sudo Access: Grant administrative privileges only to users who absolutely need them.
5. Monitoring & Logging
- Enable System Logging: Make sure syslog or journald is active and storing logs.
- Monitor Logs: Use tools like Logwatch or set up log monitoring/alerting for suspicious activity.
- Set Up Intrusion Detection: Consider tools like AIDE or OSSEC for file integrity monitoring.
6. Backups & Disaster Recovery
- Schedule Regular Backups: Back up data and configs regularly, and store copies off-site or in the cloud.
- Test Restores: Periodically test your backups to ensure they’re working and restorable.
7. Physical Security
- Restrict Physical Access: If you manage the server hardware, make sure it’s in a secure, access-controlled environment.
8. Ongoing Maintenance
- Review Security Policies: Update your security policies as threats evolve.
- Train Staff: Make sure anyone with access understands security best practices.
Pro tip: Security isn’t a “set it and forget it” deal—it’s an ongoing process. Scheduling regular maintenance and reviews is just as important as the initial setup.
