What is your server security check list?

I usually recommend people to follow “CIS Security Benchmarks”, for example for Ubuntu 14.04

Related to security in an after-the-fact sort of way: Backups…lots of backups. Regular backups of your web-folders and databases in different folders for different times. Have those backups initiated from a different server that ssh’s into the droplet and backs up things then disconnects.

Also: a snapshot of your droplet in a working state.

If your server is compromised, or crashes …you can spin-up a droplet from that image and then restore your web-folder and databases from the most recent backup.

1. Password-less logins.
2. Change SSH port – no need for fail2ban then.
3. Close all ports by default, and then manually open individual ports that are needed.
4. Related to #3 limit access to open ports (by source/destination) wherever possible.
5. Remove all unnecessary packages/services that came preinstalled.
6. Update all packages, restart the entire server (assuming some of them may need it).

Those are the basics I always run.

1. Password-less logins.
2. Change SSH port – no need for fail2ban then.
3. Close all ports by default, and then manually open individual ports that are needed.
4. Related to #3 limit access to open ports (by source/destination) wherever possible.
5. Remove all unnecessary packages/services that came preinstalled.
6. Update all packages, restart the entire server (assuming some of them may need it).

Those are the basics I always run.

1. Password-less logins.
2. Change SSH port – no need for fail2ban then.
3. Close all ports by default, and then manually open individual ports that are needed.
4. Related to #3 limit access to open ports (by source/destination) wherever possible.
5. Remove all unnecessary packages/services that came preinstalled.
6. Update all packages, restart the entire server (assuming some of them may need it).

Those are the basics I always run.

1. Password-less logins.
2. Change SSH port – no need for fail2ban then.
3. Close all ports by default, and then manually open individual ports that are needed.
4. Related to #3 limit access to open ports (by source/destination) wherever possible.
5. Remove all unnecessary packages/services that came preinstalled.
6. Update all packages, restart the entire server (assuming some of them may need it).

Those are the basics I always run.

@asb hi bro, i was just thinking, this tutorials could be used with ubuntu 16.04 without any issue or not? https://www.digitalocean.com/community/tutorials/how-to-protect-ssh-with-fail2ban-on-ubuntu-14-04

While they might not be the first things that come to mind when thinking about security, monitoring and logging can play an important in role. Often no one notices when a system is initially compromised. The Linux Auditing System is one powerful tool that provides an audit trail for actions that occur on a server allowing you to notice when something out of the ordinary happens. Other useful software for monitoring your servers include Nagios and Prometheus. Both can alert you when resource usage like bandwidth is abnormal. As your infrastructure becomes more complex, setting up centralized logging allows you to search and visualize your logs all in one place. The ELK Stack (Elasticsearch, Logstash, and Kibana) is a popular solution for this.