When setting up droplets on DigitalOcean it is encouraged to set up some basic security and monitoring. I have read around quite a lot recently on best practices for hardening a new Ubuntu server.
Below are the steps I have compiled.
Does the community have any suggestions for tweaks to this list including additions or removals?
- Create a non-root user
- Add non-root to the sudoers group
- Add public ssh key to non-root user
- Deny all inbound traffic with ufw firewall
- Open required ports within the ufw firewall
- Update SSH config – Password-less logins
- Update SSH config – Disable root login
- Update SSH config – Change ssh port
- Unattended upgrades
- Postfix for emails
- Logwatch to send daily summary emails
- Set the timezone to UTC and install NTP
- Secure shared memory
- Add a security login banner
- Harden the networking layer
- Prevent IP spoofing
You definitely need to think about these steps and get it in your mind; it's basic for an Administrator.
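
An added example, not part of the original thread: a shell check for the three "Update SSH config" items in the checklist above, run against an sshd_config file. The function names `sshd_value` and `audit_sshd` and the sample config are constructed for illustration.

```shell
#!/bin/sh
# sshd takes the FIRST value it reads for most keywords, keywords are
# case-insensitive, and lines after "Match" are conditional, so only the
# global part of the file decides the defaults checked here.

# sshd_value FILE KEYWORD DEFAULT -> effective global value, lowercased
sshd_value() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == key { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE -> one line per failed item; exit status = number of failures
audit_sshd() {
    fails=0
    [ "$(sshd_value "$1" PasswordAuthentication yes)" = "no" ] ||
        { echo "FAIL: password logins still allowed"; fails=$((fails + 1)); }
    [ "$(sshd_value "$1" PermitRootLogin prohibit-password)" = "no" ] ||
        { echo "FAIL: root login not disabled"; fails=$((fails + 1)); }
    # Port may be listed several times; every listed port is a listener.
    ports=$(awk '/^[ \t]*#/ { next } tolower($1) == "match" { exit }
                 tolower($1) == "port" { print $2 }' "$1")
    case " $(echo ${ports:-22}) " in
        *" 22 "*) echo "FAIL: SSH still listens on port 22"; fails=$((fails + 1)) ;;
    esac
    return "$fails"
}

# Constructed sample: the hardened line is present, but a weaker one comes first.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
PermitRootLogin no
passwordauthentication yes
PasswordAuthentication no
EOF
audit_sshd "$sample" || echo "$? item(s) need attention"
rm -f "$sample"
```

On a live server, `sshd -T` prints the effective configuration, including files pulled in with `Include`, which this check does not follow.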