Immediately After Deployment
- Update all packages:
apt update && apt upgrade -y
- Change the root password
- Create a non-root user with sudo access
- Set up SSH key authentication
- Disable root password login via SSH
Firewall
- Install and enable UFW
- Only open ports you actually need (SSH, HTTP, HTTPS)
- Default policy: deny incoming, allow outgoing
SSH Hardening
- Use key-based authentication only
- Change the default SSH port (reduces scan noise)
- Limit login attempts with MaxAuthTries
- Install and configure Fail2Ban
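One way to check the SSH items in this checklist against a config file, as an added example that is not part of the original checklist. The function names, the FAIL/WARN output format and the MaxAuthTries threshold of 3 are this example's assumptions; the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the original checklist): audit an sshd_config-style
# file against the SSH items above. For most keywords sshd keeps the FIRST
# value it reads, and keywords are case-insensitive; the lookup mirrors that.

# effective_value FILE KEYWORD DEFAULT -> first global value, else DEFAULT
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ { next }               # skip comment lines
        tolower($1) == "match" { exit }         # Match blocks are conditional
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd FILE -> prints findings; returns 1 if any FAIL, else 0
audit_sshd() {
    rc=0
    # The defaults passed here are the built-in OpenSSH defaults.
    root=$(effective_value "$1" PermitRootLogin prohibit-password)
    pass=$(effective_value "$1" PasswordAuthentication yes)
    tries=$(effective_value "$1" MaxAuthTries 6)
    port=$(effective_value "$1" Port 22)   # Port may repeat; first one only
    if [ "$root" = "yes" ]; then
        echo "FAIL PermitRootLogin=$root (root password login allowed)"; rc=1
    fi
    if [ "$pass" != "no" ]; then
        echo "FAIL PasswordAuthentication=$pass (not key-only)"; rc=1
    fi
    if [ "$tries" -gt 3 ]; then   # 3 is this example's threshold (assumption)
        echo "FAIL MaxAuthTries=$tries (limit is loose)"; rc=1
    fi
    if [ "$port" = "22" ]; then
        echo "WARN Port=22 (default port, expect scan noise)"
    fi
    return "$rc"
}

# Constructed sample input: a weak config with a later, ignored override.
sample=$(mktemp)
printf '%s\n' '# constructed sample' 'permitrootlogin yes' \
    'PasswordAuthentication yes' 'PasswordAuthentication no' \
    'Match User backup' '    MaxAuthTries 2' > "$sample"
audit_sshd "$sample" || echo "sample config needs hardening"
```

This script does not follow Include drop-in files. On a live server, the output of sudo sshd -T (the effective configuration, one keyword and value per line) can be saved to a file and audited instead.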
System Maintenance
- Enable automatic security updates
- Set up log rotation
- Configure NTP for accurate time
Monitoring
- Set up disk space alerts
- Monitor service uptime
- Review auth logs regularly:
sudo tail /var/log/auth.log
Backups
- Configure daily automated backups
- Store backups offsite (not on the same server)
- Test backup restoration periodically