@lexffe
Last active November 23, 2019 02:48
A checklist for securing your freshly started VPS.

Server checklist

last updated: 2019-11-14

META

Note: CentOS, Fedora and RHEL use SELinux; Ubuntu and Debian use AppArmor.

  • Change root password
  • Create non-superuser account
  • Disable remote root ssh login
  • Set up UFW / iptables / nftables
  • (Optional) Set up Cockpit
    • Web server manager
  • (Optional) Use VPS provider firewall instead of UFW
    • VPS provider uses hardware-based firewall
  • (Optional) Use Cloudflare
    • DDoS mitigation
    • DNS
  • (Optional) Limit listening address on every service running
    • e.g. SSH, private website/services on nginx
  • (Optional) Install screen/tmux

SSH

  • Disable Password login
  • (Optional) Use Ed25519 keys for SSH authentication
    • RSA can be used, but ed25519/ecdsa are great.
  • Implement Multi-factor authentication
    • libpam-google-authenticator
  • (Optional) Disable IPv6
    • Only if you access your server via IPv4
  • Change SSH port
  • Limit SSH listening address
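
The root-login item from META and the password, port and listening-address items above can be checked against an `sshd_config` file. The following is an added example, not part of the original gist; the function names, finding strings and both sample configs are constructed, and it assumes ports are set with `Port` and that `Include` files and `Match` blocks are reviewed separately.

```python
MULTI = {"port", "listenaddress"}   # keywords sshd accepts more than once

def parse_sshd_config(text):
    """Collect global directives from sshd_config text (keywords are case-insensitive)."""
    conf = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                        # conditional blocks are not audited here
        if key in MULTI:
            conf.setdefault(key, []).append(value)
        else:
            conf.setdefault(key, value)  # sshd uses the first value it reads
    return conf

def listen_host(addr):
    """Strip an optional port from 'host', 'host:port' or '[v6]:port'."""
    addr = addr.split()[0]
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    return addr.split(":")[0] if addr.count(":") == 1 else addr

def audit(text):
    """Return the checklist items this config does not satisfy."""
    conf = parse_sshd_config(text)
    findings = []
    # Fallback values are OpenSSH's defaults when a keyword is absent.
    if conf.get("permitrootlogin", "prohibit-password").lower() != "no":
        findings.append("root login not disabled")
    if conf.get("passwordauthentication", "yes").lower() != "no":
        findings.append("password login enabled")
    if "22" in conf.get("port", ["22"]):   # assumes ports are set with Port
        findings.append("default SSH port")
    hosts = [listen_host(a) for a in conf.get("listenaddress", [])]
    if not hosts or any(h in ("0.0.0.0", "::") for h in hosts):
        findings.append("listening on all addresses")
    return findings

# Constructed samples, not taken from a real server.
WEAK = "#Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = ("Port 2222\nListenAddress 10.8.0.1\nPermitRootLogin no\n"
            "PasswordAuthentication no\nPasswordAuthentication yes\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "OK")
```

The second `PasswordAuthentication` line in the hardened sample is ignored because sshd keeps the first value it reads; `sshd -T` prints the effective configuration on a live host.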

Intrusion Detection System

  • Snort
  • Fail2Ban (both IDS and SSH)
  • DenyHosts

Others

  • Unattended upgrades
    • automatic security updates
  • Remove unused network-facing services
  • Set up Cloud Firewall
    • Disable ufw
    • Set up minimal iptables
    • (see META: cloudflare, vps provider firewall)
  • nginx redirection of http -> https
    • Let's Encrypt

Misc

  • verdaccio - local npm proxy registry
  • pm2
  • Logwatch - Daily mail
  • Ansible Automation
  • Prometheus
    • monitor server (metrics)
