I often see questions on /r/selfhosted on how to secure a server. Here is a quick checklist of things you might want to look into.
Follow best practices for the basics
- Verify your install images using gpg and sha256
- Use strong passwords, and definitely think about using a password manager like KeePass
- Don't use the same password for root and the regular user.
- Don't run scripts/applications using sudo/su where possible.
- Learn Linux permissions to avoid using sudo/su where possible.
- Use SSH Public Keys
- Regularly Update
Lock down the Server
- Disable root login via SSH
- Close all unused incoming ports via UFW/iptables
- Limit outgoing ports as well as incoming using UFW/iptables
- Watch for credential stuffing/brute force attacks with Fail2ban
Backup your configs/files
- Securely encrypted backup via Duplicity
- External Backup to external drive.
- Remote backup, either via a regularly swapped out external drive or via the cloud
Set up monitoring services to let you know when something goes wrong
- Send email on syslog message
- Set up notifications for when updates are available
- Monitor system critical files with Tripwire
- Set up ssh login notifications with gotify
- Set up Graylog or a similar system log aggregator in order to do log analysis
Here are a few extra things you can do to bolster your ssh security
- Use a non-standard port; this stops like 80% of the dumb bots
- Enable geo-blocking on your SSH port; this is easy to do in pfSense using the pfBlockerNG package, or with iptables
- Close your SSH port based on the time of day. Will you ever really need to SSH in at 3am? Possibly
- Add 2FA using google-authenticator-libpam; this should stop 99% of brute force attacks
- Use something like fwknop for encrypted port knocking - best to avoid unencrypted port knocking using knockd
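To check the SSH items above against an actual config, here is an added example (not part of the original checklist) that audits the global section of an sshd_config. The function names, finding labels and sample config are made up for illustration, and treating enabled password authentication as a finding is an assumption that follows from "Use SSH Public Keys". It does not follow Include files or evaluate Match blocks.

```python
# Added example: audit the global part of an sshd_config against the checklist.
# sshd uses the FIRST value it reads for a keyword, so a later duplicate line
# does not override an earlier one. Port is the exception: every Port line adds
# a listener.

# OpenSSH defaults that apply when a keyword is absent.
DEFAULTS = {"permitrootlogin": "prohibit-password",
            "passwordauthentication": "yes",
            "pubkeyauthentication": "yes"}

def parse_global(text):
    """Return (effective global settings, list of listening ports)."""
    first, ports = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().strip('"')
        if key == "match":      # conditional overrides start here, not global
            break
        if key == "port":
            ports.append(value)
        else:
            first.setdefault(key, value.lower())
    return {**DEFAULTS, **first}, ports or ["22"]

def audit(text):
    """Return hypothetical finding labels for checklist items not met."""
    cfg, ports = parse_global(text)
    findings = []
    if cfg["permitrootlogin"] != "no":          # prohibit-password still allows keys
        findings.append("root-login-enabled")
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("pubkey-auth-disabled")
    if cfg["passwordauthentication"] != "no":   # assumption: keys only
        findings.append("password-auth-enabled")
    if "22" in ports:
        findings.append("standard-port")
    return findings

# Constructed sample config, not taken from a real host.
SAMPLE = """\
Port 2222
PermitRootLogin no
PermitRootLogin yes
PubkeyAuthentication yes
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

On a live host, `sshd -T` prints the effective configuration after includes and defaults are resolved, which is the authoritative source to compare against.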