Best practices for hardening new sever in 2017

When setting up droplets on Digital Ocean it is encouraged to setup some basic security and monitoring. I have read around quite a lot recently on best practices for hardening a new Ubuntu server.
Below are the steps I have compiled.
Does the community have any suggestions for tweaks to this list including additions or removals?

  1. Create a non-root user
  2. Add non-root to the sudoers group
  3. Add public ssh key to non-root user
  4. Deny all inbound traffic with ufw firewall
  5. Open required ports within the ufw firewall
  6. Update SSH config – Password-less logins
  7. Update SSH config – Disable root login
  8. Update SSH config – Change ssh port
  9. Unattended upgrades
  10. Postfix for emails
  11. Logswatch to send daily summary emails
  12. Fail2ban
  13. Set the timezone to UTC and install NTP
  14. Secure shared memory
  15. Add a security login banner
  16. Harden the networking layer
  17. Prevent IP spoofing

You definitely need to think about this steps and get it in your mind its basic for a Administrator.

This entry was posted in Linux, Security+. Bookmark the permalink.