@SimplGy
Last active June 15, 2020 16:59
# Update the system's packages
apt-get update
apt-get upgrade
# Set up the `deploy` user
useradd deploy
mkdir /home/deploy
mkdir /home/deploy/.ssh
chmod 700 /home/deploy/.ssh
usermod -s /bin/bash deploy
# Set up ssh key access for `deploy` user
touch /home/deploy/.ssh/authorized_keys
# MANUAL STEP: edit `/home/deploy/.ssh/authorized_keys` to contain the public key you'd like to use for logging `deploy` in
chmod 400 /home/deploy/.ssh/authorized_keys
chown -R deploy:deploy /home/deploy
# MANUAL STEP: `passwd deploy` to configure a password for this user
# MANUAL STEP: `visudo` and add these lines:
# root ALL=(ALL) ALL
# %sudo ALL=(ALL:ALL) ALL
# Add `deploy` to the `sudo` group
usermod -aG sudo deploy
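# Configure ssh
vim /etc/ssh/sshd_config
# MANUAL STEP: set these options in the file:
# PermitRootLogin no
# PasswordAuthentication no
# AllowUsers deploy@(your-VPN-or-static-IP)
# AddressFamily inet
# MANUAL STEP: check the file with `sshd -t` and restart the ssh service to apply it;
# keep the current session open until a new login as `deploy` works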
# Set up a firewall
apt-get install ufw
sudo ufw allow 22
sudo ufw allow 80
sudo ufw allow 443
# Restart ufw so the rules above are active
sudo ufw disable
sudo ufw enable
# Auto upgrades
apt-get install unattended-upgrades
vim /etc/apt/apt.conf.d/10periodic
# MANUAL STEP: Update this file to match this:
# APT::Periodic::Update-Package-Lists "1";
# APT::Periodic::Download-Upgradeable-Packages "1";
# APT::Periodic::AutocleanInterval "7";
# APT::Periodic::Unattended-Upgrade "1";
vim /etc/apt/apt.conf.d/50unattended-upgrades
# MANUAL STEP: Update this file to match this:
# fail2ban
apt-get install fail2ban
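# 2-factor auth
apt-get install libpam-google-authenticator
# Run the interactive setup as `deploy` (a bare `su deploy` would open a shell and run the setup as root after it exits)
su - deploy -c google-authenticator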
# Logwatch
apt-get install logwatch
# Node
curl -sL https://deb.nodesource.com/setup_4.x | sudo -E bash -
sudo apt-get install -y nodejs
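
The `Configure ssh` step above is edited by hand, so a setting can end up commented out or shadowed by an earlier line. The check below is an added example, not part of the original gist; the function names and the sample address 203.0.113.10 are constructed for illustration.

```shell
# Added example (not from the gist). sshd keeps the FIRST value of most keywords
# (keywords are case-insensitive), but AllowUsers lines accumulate. Include files
# and Match blocks are not evaluated; `sshd -T` reports the effective config.

# Print the first active value of keyword $2 in file $1 (empty if unset).
sshd_first_value() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }     # skip comments and blank lines
        tolower($1) == tolower(key) { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Print every value of keyword $2, one per line, across repeated lines.
sshd_all_values() {
    awk -v key="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == tolower(key) { for (i = 2; i <= NF; i++) print $i }
    ' "$1"
}

# Compare keyword $2 in file $1 with the expected value $3.
sshd_expect() {
    actual=$(sshd_first_value "$1" "$2")
    [ "$actual" = "$3" ] && return 0
    echo "FAIL $2: expected '$3', found '${actual:-unset}'"
    return 1
}

# Return the number of findings; 0 means the file matches the checklist.
audit_sshd_config() {
    file=$1; fails=0
    sshd_expect "$file" PermitRootLogin no        || fails=$((fails + 1))
    sshd_expect "$file" PasswordAuthentication no || fails=$((fails + 1))
    sshd_expect "$file" AddressFamily inet        || fails=$((fails + 1))
    users=$(sshd_all_values "$file" AllowUsers)
    # Every entry must be deploy@<host>; the host may not start with a wildcard.
    bad=$(printf '%s\n' "$users" | grep -v '^deploy@[^*?]' || true)
    if [ -z "$users" ]; then
        echo "FAIL AllowUsers: not set"; fails=$((fails + 1))
    elif [ -n "$bad" ]; then
        echo "FAIL AllowUsers: not deploy@<host>: $bad"; fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample: line 1 is commented out, the second PermitRootLogin is ignored.
sample=$(mktemp)
printf '%s\n' '#PasswordAuthentication no' 'PermitRootLogin no' \
    'permitrootlogin yes' 'AllowUsers deploy@203.0.113.10 backup' >"$sample"
audit_sshd_config "$sample" || echo "$? finding(s)"
rm -f "$sample"
```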