Not as hard as I thought, at least to cover the essentials. This has recently come up twice for me: first DHH talked about Linux security as locking the front door, then in this guide on setting up a production-ready VPS (A+ guide, BTW). Similar steps were mentioned in both, but I’ll review the latter since it’s my current use case.
For fresh installs, start by creating a new user account with sudo permissions. Copy my public SSH key from my local laptop to the remote server. Then lock down SSH access to non-root users and disable password authentication, so only key-based authentication is allowed.
Then configure the firewall: block all incoming traffic, allow all outgoing traffic to the public internet, allow incoming SSH traffic (the OpenSSH profile), and, since I’m running a web service, allow incoming traffic to port 80.
adduser igor # Add igor user
usermod -aG sudo igor # Add igor to the group sudo
ssh-copy-id igor@1.2.3.4 # From laptop copy key to server
vi /etc/ssh/sshd_config # Modify OpenSSH config
→ PasswordAuthentication no
→ PermitRootLogin no
→ UsePAM no
vi /etc/ssh/sshd_config.d/50-cloud-init.conf # Modify OpenSSH config
→ PasswordAuthentication no
systemctl restart ssh # Restart SSH service
sudo ufw default deny incoming # Block all incoming traffic
sudo ufw default allow outgoing # Allow all outgoing traffic to the public internet
sudo ufw allow OpenSSH # Allow incoming SSH (OpenSSH app profile)
sudo ufw allow http # Allow access to port 80
sudo ufw enable
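The SSH settings above are edited in two files because a drop-in such as 50-cloud-init.conf can still leave passwords enabled after sshd_config says "no". This added example (not from the original post or the guide) checks the effective values as printed by `sshd -T`; the function name `audit_sshd` and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit effective sshd settings.
# The three expected values are the ones set in the steps above.
EXPECTED="passwordauthentication=no permitrootlogin=no usepam=no"

# Reads `sshd -T`-style lines ("keyword value") on stdin, prints one line per
# problem, and succeeds only if every expected value is in effect.
audit_sshd() (
    rc=0
    dump=$(cat)
    for want in $EXPECTED; do
        key=${want%%=*}
        val=${want#*=}
        # sshd -T prints keywords in lowercase; use the first match.
        got=$(printf '%s\n' "$dump" |
            awk -v k="$key" 'tolower($1) == k { print tolower($2); exit }')
        if [ -z "$got" ]; then
            echo "MISSING $key (expected $val)"; rc=1
        elif [ "$got" != "$val" ]; then
            echo "FAIL $key is '$got' (expected $val)"; rc=1
        fi
    done
    exit "$rc"
)

# Constructed sample: a drop-in file still enables passwords even though
# sshd_config was edited to say "no".
SAMPLE_OVERRIDDEN='port 22
permitrootlogin no
passwordauthentication yes
usepam no'

# Constructed sample: all three settings are in effect.
SAMPLE_HARDENED='port 22
permitrootlogin no
passwordauthentication no
usepam no'

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_OVERRIDDEN" | audit_sshd || echo "=> not hardened as intended"
printf '%s\n' "$SAMPLE_HARDENED" | audit_sshd && echo "=> effective config matches"

# On the server itself (as root): sshd -T | audit_sshd
```

Run the real check after `systemctl restart ssh` and before closing the current session, so a mistake in either file does not lock you out.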
Optional extras are to enable automatic updates and protect against automated attacks using Fail2Ban.
sudo apt install unattended-upgrades
sudo dpkg-reconfigure --priority=low unattended-upgrades