Linux server principles

This is a list, in no particular order, of principles to adhere when running a secure Linux server.

1. SSH – Never allow direct SSH root access (set PermitRootLogin No).
2. SSH – Do not use SSH keys without a passphrase.
3. SSH – If possible, do not run SSH on a public IP interface (preferably use a management VLAN).
4. SSH/SSL – Use strong SSH ciphers and MAC algorithms (Check with https://testssl.sh/).
5. Never run anything as root (use sudo).
6. Use deny all, allow only firewall principle. Block everything by default, only open what’s needed.
7. Configure the mail daemon to use a smarthost (unless it’s a mailserver).
8. Always use a timeserver daemon to keep server in sync (ntp).
9. Always use a package manager and apply, at least once a month, updates (apt, yum etc.)
10. Have backups in place and regularly test the restores.
11. Do not just backup raw database data. Dump databases and backup those dumps (mysqldump, pg_dump).