I'm going back to my roots...
Linux security checklist:
- Secure SSH.
- Disable root.
- Separate network services. One network service per system/vm. It's worth considering containers (with an adequate level of security).
- Disable IPv6 (if not in use).
- Make backup, backup, backup copies... and test them.
- Use encrypted protocols for communication (SCP, SSH, RSYNC, SFTP, SSL (VPN, WWW)) and encrypt data on disks.
- Check listening ports and disable any that are not required.
- Enable blocking after three failed attempts.
- Run fail2ban.
- Enable audit log.
- Manage SELinux.
- Create separate partitions for /usr, /home, /var, /var/tmp and /tmp, and also for services and apps (WWW, FTP).
- Use built-in kernel options to secure your system.
- Control the number of users with admin privileges and disable those privileges when not required.
- Use a central system to manage Kerberos.
- Physical security for servers: disable access to USB/DVD/FireWire/Thunderbolt from the OS and BIOS, and provide flood and fire protection.
- Run redundant links and power supplies.
- Disable and remove unused services.
- Disable and remove unused applications.
- Disable autostart of services, applications and containers that are not required.
- Audit and apply security.
- Implement honeypots.
- Externally scan your server for vulnerabilities.
- Regularly update your system and apps.
- Run a kernel audit and secure the kernel.
- Block all ports except those necessary in your firewall.
- Make sure that there are no users on the server without passwords.
- Set the system to use login keys and a strong password.
- Force a password change every 30 days and enable password history.
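
Three of the items above (no users without passwords, the 30-day password change, root login over SSH) written as checks, in an added shell example that is not part of the original checklist. The function names and the sample shadow and sshd_config contents are constructed for illustration; Match blocks and Include files in sshd_config are not followed.

```shell
#!/bin/sh
# Offline checks; pass in paths to copies of /etc/shadow and sshd_config.
# Accounts with an empty password field (field 2 of a shadow-format file).
empty_password_users() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# Accounts with a usable password whose maximum age (field 5) is unset or
# longer than the limit in days. Locked entries ("!" or "*" prefix) are skipped.
max_age_violations() {
    awk -F: -v max="$2" '
        $2 == "" || $2 ~ /^[!*]/ { next }
        $5 == "" || $5 + 0 > max + 0 { print $1 }' "$1"
}

# Value of an sshd_config keyword. sshd uses the first value it reads, so stop
# at the first match. Keywords are case-insensitive. Match blocks and Include
# files are not followed (simplification made for this example).
sshd_setting() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Constructed sample files (not real accounts or hashes).
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/shadow" <<'EOF'
root:!:19700:0:99999:7:::
alice:$6$constructed$hash:19700:0:30:7:::
bob::19700:0:30:7:::
carol:$6$constructed$hash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
EOF
    cat > "$dir/sshd_config" <<'EOF'
# PermitRootLogin yes
PermitRootLogin no
PasswordAuthentication yes
PubkeyAuthentication yes
EOF
    echo "$dir"
}

samples=$(make_samples)
echo "no password:   $(empty_password_users "$samples/shadow")"
echo "age > 30 days: $(max_age_violations "$samples/shadow" 30)"
echo "root login:    $(sshd_setting "$samples/sshd_config" PermitRootLogin)"
echo "password auth: $(sshd_setting "$samples/sshd_config" PasswordAuthentication)"
```

Against a live system the same functions take /etc/shadow (readable by root only) and /etc/ssh/sshd_config as arguments.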