A few things to do on a new linux box to secure it.
Change the root password to something long and complex. You won’t need to remember it, just store it somewhere secure - this password will only be needed if you lose the ability to log in over ssh or lose your sudo password.
passwd
apt-get update
apt-get upgrade
useradd NEWNAMEHERE
mkdir /home/NEWNAMEHERE
mkdir /home/NEWNAMEHERE/.ssh
chmod 700 /home/NEWNAMEHERE/.ssh
vim /home/deploy/.ssh/authorized_keys
Add the contents of the id_rsa.pub on your local machine and any other public keys that you want to have access to this server to this file.
chmod 400 /home/NEWNAMEHERE/.ssh/authorized_keys
chown deploy:deploy /home/NEWNAMEHERE -R
Now test your new account logging into your new server with the new user (keep the terminal window with the root login open). If you’re successful, switch back to the terminal with the root user active and set a sudo
password for your login user:
passwd NEWNAMEHERE
Set a complex password - you can either store it somewhere secure or make it something memorable to the team. This is the password you’ll use to sudo.
visudo
Comment all existing user/group grant lines and add:
root ALL=(ALL) ALL
NEWNAMEHERE ALL=(ALL) ALL
vim /etc/ssh/sshd_config
Ensure permit root login is disabled.
PermitRootLogin no
Restart ssh
service ssh restart
ufw allow 22
ufw allow 80
ufw allow 443
ufw enable
apt-get install unattended-upgrades
This file:
vim /etc/apt/apt.conf.d/10periodic
Should have this in it:
APT::Periodic::Update-Package-Lists "1"; APT::Periodic::Download-Upgradeable-Packages "1"; APT::Periodic::AutocleanInterval "7"; APT::Periodic::Unattended-Upgrade "1";
Open:
vim /etc/apt/apt.conf.d/50unattended-upgrades
Make sure this is in there:
Unattended-Upgrade::Allowed-Origins { "Ubuntu lucid-security"; // "Ubuntu lucid-updates"; };
Took my preferred bits from: https://plusbryan.com/my-first-5-minutes-on-a-server-or-essential-security-for-linux-servers