Don’t allow root ssh access, you could also change the ssh port to one that’s not 22. Also you could disallow ssh password login and allow key-based authentication only.

Below a couple of ideas, some building on what has already been stated. It’s all detailed here:

• https://gofoss.net/server-hardening-basics/
• https://gofoss.net/server-hardening-advanced/

Feedback really welcomed, as there’s always something to be learned in server security :)

–

General hardening:

• set up a firewall (ufw)
• make sure your system time is correct (ntp)
• enable unattended upgrades
• limit privileged access (sudo)
• hide process information (/proc)
• enforce strict password policy (pam, login.defs)
• enforce stricter permissions (umask)
• close all unused ports (check with nmap)
• install a malware scanner (lmd)
• install an antivirus (clamav)
• disable core dumps
• disable unused kernel modules
• add legal banner

SSH:

• change the port
• limit the nb of login attempts
• limit access to admin users
• enable access logs
• forbid remote access to root
• use auth keys with instead of password auth
• disconnect after inactivity period
• remove short encryption keys

MySQL (if applicable):

• run a hardening script
• disable remote access
• prevent unauthorised access to local files
• create separate users with limited privileges for each app

Apache (if applicable):

• enable security modules
• hide http headers
• set up modsecurity, a web app firewall

PHP (if applicable):

• hide php version in headers
• disable remote code execution
• disable potentially harmful functions
• limit script runtime & memory allocation

Network security (sysctl):

• ip spoofing protection
• ignore icmp broadcasts & redirects
• disable source paket routing
• block syn attacks
• log martians
• ignore pings