Linux server principles

This is a list, in no particular order, of principles to adhere to when running a secure Linux server.

  1. SSH — Never allow direct SSH root access (set PermitRootLogin no).
  2. SSH — Do not use SSH keys without a passphrase.
  3. SSH — If possible, do not run SSH on a public IP interface (preferably use a management VLAN).
  4. SSH/SSL — Use strong SSH ciphers and MAC algorithms (check with https://testssl.sh/).
  5. Never run anything as root (use sudo).
  6. Use a deny-all, allow-only firewall principle: block everything by default and only open what’s needed.
  7. Configure the mail daemon to use a smarthost (unless it’s a mail server).
  8. Always run a timeserver daemon to keep the server’s clock in sync (ntp).
  9. Always use a package manager and apply updates at least once a month (apt, yum, etc.).
  10. Have backups in place and regularly test the restores.
  11. Do not just back up raw database files. Dump databases and back up those dumps (mysqldump, pg_dump).
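Principles 1 and 4 are the two that can be checked mechanically in sshd_config. The script below is an added example, not part of the original post: it reads an sshd_config file, resolves each keyword the way sshd does (the first non-comment occurrence wins), and reports root login that is not fully disabled and any explicitly configured cipher or MAC from a list of known-weak algorithms. The sample config it audits is constructed for the example; the function names and the weak-algorithm lists are the example's own choices, not anything from the post.

```shell
#!/bin/sh
# Added example: audit an sshd_config against principle 1 (PermitRootLogin no)
# and principle 4 (no weak ciphers/MACs). Needs only POSIX sh, grep, awk, mktemp.

# sshd_get KEYWORD FILE
# Print the effective value of KEYWORD, lowercased, or nothing if unset.
# sshd keeps the FIRST value it reads for a keyword, so later duplicates are
# ignored. Only the "Keyword value" form and the global section are handled;
# Match blocks are not evaluated.
sshd_get() {
    grep -i -E "^[[:space:]]*$1[[:space:]]+" "$2" | head -n 1 | awk '{ print tolower($2) }'
}

# audit_sshd_config FILE
# Findings go to stderr; the number of findings goes to stdout so a caller can
# capture it with n=$(audit_sshd_config /etc/ssh/sshd_config).
audit_sshd_config() {
    file=$1
    findings=0
    # Example's own lists of algorithms to reject (CBC ciphers, RC4, MD5/SHA-1
    # MACs and truncated-tag MACs). Matched as whole tokens, so the *-etm
    # variants of sha2 MACs are not caught by accident.
    weak_ciphers='3des-cbc|arcfour|arcfour128|arcfour256|blowfish-cbc|cast128-cbc|aes128-cbc|aes192-cbc|aes256-cbc'
    weak_macs='hmac-md5|hmac-md5-96|hmac-sha1|hmac-sha1-96|umac-64@openssh.com'

    # Principle 1: root must not log in over SSH at all. The OpenSSH default
    # (prohibit-password) still lets root in with a key, so only "no" passes.
    v=$(sshd_get PermitRootLogin "$file")
    if [ "$v" != "no" ]; then
        echo "FAIL PermitRootLogin is '${v:-unset, default prohibit-password}', want 'no'" >&2
        findings=$((findings + 1))
    fi

    # Principle 4: reject weak entries in an explicit Ciphers/MACs list. An unset
    # list means the OpenSSH build defaults apply; verify those from outside.
    v=$(sshd_get Ciphers "$file")
    if [ -n "$v" ] && echo "$v" | tr ',' '\n' | grep -q -E "^($weak_ciphers)\$"; then
        echo "FAIL Ciphers contains a weak algorithm: $v" >&2
        findings=$((findings + 1))
    fi
    v=$(sshd_get MACs "$file")
    if [ -n "$v" ] && echo "$v" | tr ',' '\n' | grep -q -E "^($weak_macs)\$"; then
        echo "FAIL MACs contains a weak algorithm: $v" >&2
        findings=$((findings + 1))
    fi

    echo "$findings"
}

# write_sample_config PATH
# Constructed sshd_config excerpt (not from any real server) with two problems:
# root login enabled and 3des-cbc in the cipher list. The second
# PermitRootLogin line is deliberately ignored by sshd's first-value rule.
write_sample_config() {
    cat > "$1" <<'EOF'
# constructed sample for the audit example
Port 22
PermitRootLogin yes
PermitRootLogin no
Ciphers aes256-gcm@openssh.com,3des-cbc
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256
EOF
}

# Stand-alone run: audit the constructed sample and report the count (2).
SAMPLE=$(mktemp)
write_sample_config "$SAMPLE"
n=$(audit_sshd_config "$SAMPLE")
echo "$n finding(s) in sample config"
rm -f "$SAMPLE"
```

Run it against a live host with `n=$(audit_sshd_config /etc/ssh/sshd_config)` after sourcing the functions; a non-zero count is the signal to fix the config. Principle 2 (key passphrases) lives on the client side and is not visible in sshd_config, so it is out of scope here.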

Originally published at Jan van den Berg.