- Login via SSH keys only
- `apt-get update && apt-get upgrade`
- Create normal user for logins
- Set up configuration management
- Ensure IPv6 is up and running
- Set up `iptables` rules and boot scripts
- Set up NS records
- Define A- and AAAA-records for `@`
- Point CNAMEs as necessary
- Set up MX records
- Set up SPF record
- Generate 2048-bit key and CSR
- Purchase SSL certificate with provided key and CSR
- Install certificate under `/etc/<webserver>/ssl` or under `/etc/ssl` if multiple daemons
- `chmod 600` certificate and key
- Set up cipher and protocol suites based on Mozilla SSL/TLS guidelines. Modern if possible, intermediate otherwise.
- Test configuration against the Qualys SSL Labs test
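
The key/CSR and `chmod 600` steps above, sketched as shell functions. This is an added example, not part of the original checklist; the function names, the `.key`/`.crt`/`.pem` file naming and the CN-only subject are assumptions, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: helper names and file layout are assumptions, not from the checklist.

# make_key_and_csr <hostname> <dir>
# Generate a 2048-bit RSA key and a CSR for <hostname> inside <dir>.
# Runs in a subshell so the restrictive umask does not leak to the caller.
make_key_and_csr() (
    cn="$1"; dir="$2"
    umask 077                      # key is never group/world-readable, even briefly
    mkdir -p "$dir" &&
    openssl genrsa -out "$dir/$cn.key" 2048 2>/dev/null &&
    openssl req -new -sha256 -key "$dir/$cn.key" \
        -subj "/CN=$cn" -out "$dir/$cn.csr"
)

# csr_key_bits <csr>
# Print the public key size recorded in the CSR, to confirm it before
# sending the CSR to the certificate vendor.
csr_key_bits() {
    openssl req -in "$1" -noout -text |
        sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# audit_tls_perms <dir>
# Print every key or certificate file in <dir> whose mode is not 600.
# Exit status is 1 if any such file was found, 0 otherwise.
audit_tls_perms() (
    bad=0
    for f in "$1"/*.key "$1"/*.crt "$1"/*.pem; do
        [ -e "$f" ] || continue    # glob matched nothing
        mode=$(stat -c '%a' "$f")
        if [ "$mode" != "600" ]; then
            echo "$f: mode $mode, expected 600"
            bad=1
        fi
    done
    exit "$bad"
)
```

Running `audit_tls_perms /etc/ssl` from the configuration management run or a cron job catches permissions that drift after a certificate renewal.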