✅ Initial Setup
- [ ] Change the default root password (or lock the root account with `passwd -l root` once a sudo user works)
- [ ] Create a sudo user and disable root login over SSH (`PermitRootLogin no`)
- [ ] Set up SSH key authentication and disable password login (`PasswordAuthentication no` and `KbdInteractiveAuthentication no`; with only the first, PAM can still prompt for a password)
- [ ] Change the default SSH port (optional; it cuts log noise from scanners but is not a security control on its own)
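The items above are only done once the running sshd agrees. The script below is an added example, not part of the original checklist: it reads an sshd_config and reports any of those settings still left permissive. The helper names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original checklist): audit an sshd_config for the
# settings the items above turn off. Helper names are hypothetical.

# Print the effective value of KEY in FILE. sshd honours the first occurrence of
# a keyword, and lines under "Match" apply only conditionally, so stop there.
sshd_value() {
  awk -v key="$1" '
    /^[ \t]*#/ { next }
    tolower($1) == "match" { exit }
    tolower($1) == tolower(key) { print tolower($2); exit }
  ' "$2"
}

# audit_sshd_config FILE: print one finding per weak setting;
# return 1 if any were found, 0 if the file is clean.
audit_sshd_config() {
  cfg="$1"
  findings=0

  v=$(sshd_value PermitRootLogin "$cfg")
  if [ "$v" != "no" ]; then
    echo "PermitRootLogin is '${v:-unset}', expected 'no'"
    findings=$((findings + 1))
  fi

  v=$(sshd_value PasswordAuthentication "$cfg")
  if [ "$v" != "no" ]; then
    echo "PasswordAuthentication is '${v:-unset}' (default yes), expected 'no'"
    findings=$((findings + 1))
  fi

  # Keyboard-interactive authentication lets PAM prompt for a password even when
  # PasswordAuthentication is off; ChallengeResponseAuthentication is the old name.
  v=$(sshd_value KbdInteractiveAuthentication "$cfg")
  [ -n "$v" ] || v=$(sshd_value ChallengeResponseAuthentication "$cfg")
  if [ "$v" != "no" ]; then
    echo "KbdInteractiveAuthentication is '${v:-unset}' (default yes), expected 'no'"
    findings=$((findings + 1))
  fi

  v=$(sshd_value PubkeyAuthentication "$cfg")
  if [ "$v" = "no" ]; then
    echo "PubkeyAuthentication is 'no'; key logins would be refused"
    findings=$((findings + 1))
  fi

  [ "$findings" -eq 0 ]
}

# Usage: sh audit-sshd.sh /etc/ssh/sshd_config
# Distributions that split the config into /etc/ssh/sshd_config.d/ need the
# merged view instead:  sshd -T > /tmp/effective && sh audit-sshd.sh /tmp/effective
if [ -n "${1:-}" ]; then
  audit_sshd_config "$1"
fi
```

Run it again after `systemctl restart sshd`, from a second terminal, before closing the session you hardened from: a typo in sshd_config that locks you out is the classic failure mode of this step.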
✅ Firewall & Access Control
- [ ] Enable a host firewall (UFW, or nftables/iptables directly) with a default-deny inbound policy
- [ ] Allow only necessary ports (e.g. 80, 443 and the SSH port); add the SSH rule before enabling the firewall so the current session is not cut off
- [ ] Install and configure Fail2ban with the sshd jail enabled (set its `port` to match if SSH was moved)
- [ ] Set up rate limiting for SSH (`ufw limit <port>/tcp`)
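The four items above form one procedure, and the order matters. The script below is an added example, not part of the original checklist: it applies them with UFW, supports a dry run so the plan can be reviewed, and checks that the SSH rule precedes the enable step. Helper names are hypothetical; SSH_PORT is assumed to default to 22.

```shell
#!/bin/sh
# Added example (not from the original checklist): apply the firewall items in a
# safe order. The rule admitting SSH goes in before "ufw enable", so the session
# this runs from is not cut off. Helper names are hypothetical; SSH_PORT
# defaults to 22 and must match the port chosen during initial setup.

# Execute a command, or print it when DRY_RUN=1 so the plan can be reviewed first.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Default-deny inbound, allow outbound, rate-limit SSH, open web ports, enable.
harden_firewall() {
  ssh_port="${SSH_PORT:-22}"
  run ufw default deny incoming
  run ufw default allow outgoing
  # "limit" allows the port but drops a source that opens 6 or more new
  # connections within 30 seconds; this is the SSH rate limit from the list.
  run ufw limit "${ssh_port}/tcp"
  run ufw allow 80/tcp
  run ufw allow 443/tcp
  run ufw --force enable
  run ufw status verbose
}

# Check the dry-run plan: the SSH rule must come before the enable step.
plan_is_safe() {
  plan=$(DRY_RUN=1 harden_firewall)
  ssh_line=$(printf '%s\n' "$plan" | grep -n 'ufw limit' | cut -d: -f1)
  enable_line=$(printf '%s\n' "$plan" | grep -n 'ufw --force enable' | cut -d: -f1)
  [ -n "$ssh_line" ] && [ -n "$enable_line" ] && [ "$ssh_line" -lt "$enable_line" ]
}

# Usage: DRY_RUN=1 SSH_PORT=22 sh firewall.sh apply   (review the plan)
#        sudo SSH_PORT=22 sh firewall.sh apply         (apply it)
if [ "${1:-}" = "apply" ]; then
  plan_is_safe && harden_firewall
fi
```

Fail2ban is configured separately: enable the `[sshd]` jail in /etc/fail2ban/jail.local and set its `port` to the same value as SSH_PORT, otherwise the jail watches port 22 while logins arrive elsewhere.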
✅ Monitoring & Auditing
- [ ] Install Lynis and run a security audit (`lynis audit system`)
- [ ] Set up file integrity monitoring (AIDE); initialise its database after hardening and update it after each legitimate change, or every package update becomes an alert
- [ ] Configure auditd for system call tracking (at minimum, watch writes to /etc/passwd, /etc/shadow, /etc/sudoers and the SSH configuration)
- [ ] Enable login alerts via email (e.g. a pam_exec hook on session open)
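For the login-alert item, the script below is an added example, not part of the original checklist: a pam_exec hook that mails a notice whenever an SSH session opens. The script path, the PAM line and the ALERT_TO variable are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original checklist): a pam_exec hook that mails a
# notice when a session opens. Names are hypothetical; ALERT_TO defaults to root.
# Install as /usr/local/sbin/login-alert.sh (root-owned, mode 0755) and add to
# /etc/pam.d/sshd:
#   session optional pam_exec.so seteuid /usr/local/sbin/login-alert.sh
# pam_exec exports PAM_TYPE, PAM_USER, PAM_RHOST, PAM_SERVICE and PAM_TTY.

# Build the alert text from pam_exec's environment. Prints nothing and returns 1
# unless this is a session opening, so logouts do not generate mail.
login_alert_message() {
  [ "${PAM_TYPE:-}" = "open_session" ] || return 1
  printf 'Login on %s: user=%s from=%s service=%s tty=%s at %s\n' \
    "$(uname -n)" "${PAM_USER:-?}" "${PAM_RHOST:-local}" "${PAM_SERVICE:-?}" \
    "${PAM_TTY:-?}" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
}

# Send the alert in the background so a slow mail relay cannot delay the login.
# Always returns 0: a failure in an alert hook must never block a session.
send_login_alert() {
  msg=$(login_alert_message) || return 0
  printf '%s\n' "$msg" | mail -s "Login: ${PAM_USER:-?}@$(uname -n)" "${ALERT_TO:-root}" &
  return 0
}

# Entry point when run by pam_exec (PAM_TYPE is only set in that context).
if [ -n "${PAM_TYPE:-}" ]; then
  send_login_alert
fi
```

`mail` comes from the mailutils or bsd-mailx package and needs a working local MTA or relay; send a test message by hand before relying on the hook. The matching auditd rules for the item above are one line each in a file under /etc/audit/rules.d/, for example `-w /etc/shadow -p wa -k identity`.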
✅ Malware Protection
- [ ] Install ClamAV, keep its signatures current with freshclam, and schedule weekly scans
- [ ] Install rkhunter for rootkit detection (run `rkhunter --propupd` after legitimate updates so changed system binaries are not reported as infections)
- [ ] Set up ModSecurity with the OWASP Core Rule Set for web applications; start in DetectionOnly mode and review the log before switching to blocking
✅ Updates & Maintenance
- [ ] Enable automatic security updates (unattended-upgrades on Debian/Ubuntu, dnf-automatic on RHEL-family systems)
- [ ] Regularly check installed package versions against published CVEs (the distribution's security tracker or a vulnerability scanner)
- [ ] Schedule weekly security reports
- [ ] Rotate SSH keys every 6 months, and remove keys of departed users immediately
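For the automatic-updates item on Debian/Ubuntu, the fragment below is an added example, not part of the original checklist: it restricts unattended-upgrades to the security pocket and schedules the reboot that kernel and libc updates need. The reboot time is an assumption; pick a quiet hour for the service.

```conf
# /etc/apt/apt.conf.d/20auto-upgrades  (refresh package lists and upgrade daily)
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

# /etc/apt/apt.conf.d/50unattended-upgrades  (security pocket only; reboot when an
# update requires it, at a fixed quiet hour)
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-Time "03:30";
```

`unattended-upgrade --dry-run --debug` shows which packages the configuration would install without changing anything, which is the quickest way to confirm the origin pattern matches your release.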
✅ Hardening
- [ ] Remove unnecessary packages and services (list what is listening with `ss -tulpn`)
- [ ] Disable unused kernel modules (`install <module> /bin/false` in /etc/modprobe.d, which also blocks explicit loading; `blacklist` alone only stops automatic loading)
- [ ] Set proper file permissions (e.g. /etc/passwd 0644, /etc/shadow readable only by root and the shadow group, /etc/sudoers 0440)
- [ ] Use AppArmor or SELinux in enforcing mode
- [ ] Disable directory browsing (Apache `Options -Indexes`, nginx `autoindex off`)
- [ ] Hide server/PHP versions (Apache `ServerTokens Prod` and `ServerSignature Off`, nginx `server_tokens off`, php.ini `expose_php = Off`)
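For the file-permission item, the script below is an added example, not part of the original checklist: it checks sensitive files against an expected owner, group and maximum mode and reports anything looser. The expectation table is constructed for this example using Debian/Ubuntu conventions; helper names are hypothetical and Linux `stat -c` is assumed.

```shell
#!/bin/sh
# Added example (not from the original checklist): check sensitive files against
# the owner, group and maximum mode they should have, using Linux stat(1).
# The table is constructed for this example with Debian/Ubuntu conventions
# (the shadow group); RHEL-family systems ship /etc/shadow as root:root 0000.
# The 600 for sshd_config is tighter than the shipped 644; adjust to taste.
PERM_EXPECTATIONS='
/etc/passwd root:root 644
/etc/group root:root 644
/etc/shadow root:shadow 640
/etc/gshadow root:shadow 640
/etc/sudoers root:root 440
/etc/ssh/sshd_config root:root 600
'

# check_perms [TABLE]: one "path owner:group maxmode" entry per line. A mode is a
# finding when it grants any bit the maximum does not (600 passes a 644 entry,
# 664 does not). Prints one finding per line; returns 1 if anything was found.
check_perms() {
  findings=0
  while read -r path owner maxmode; do
    [ -n "$path" ] || continue
    if [ ! -e "$path" ]; then
      echo "$path: does not exist"
      findings=$((findings + 1))
      continue
    fi
    actual=$(stat -c '%U:%G %a' "$path")
    actual_owner=${actual% *}
    actual_mode=${actual#* }
    if [ "$actual_owner" != "$owner" ]; then
      echo "$path: owner $actual_owner, expected $owner"
      findings=$((findings + 1))
    fi
    # Octal arithmetic: any bit set in the actual mode but clear in the maximum is excess.
    if [ $(( 0$actual_mode & ~0$maxmode )) -ne 0 ]; then
      echo "$path: mode $actual_mode exceeds $maxmode"
      findings=$((findings + 1))
    fi
  done <<EOF
${1:-$PERM_EXPECTATIONS}
EOF
  [ "$findings" -eq 0 ]
}

# Usage: sudo sh check-perms.sh run   (exit status 1 means something needs fixing)
if [ "${1:-}" = "run" ]; then
  check_perms
fi
```

Running this from the weekly report job catches permissions that a package upgrade or a hurried `chmod 777` has loosened since the last review.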
✅ Backups
- [ ] Automate daily backups to storage the server itself cannot overwrite or delete (offline or append-only), so a compromise cannot take the backups with it
- [ ] Encrypt backup files, and keep the key separate from the backup destination
- [ ] Test the restore procedure monthly (restore into a scratch directory and compare checksums against the source)
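The three backup items together, as an added example that is not part of the original checklist: an encrypted tar backup plus a restore test that proves the archive decrypts and matches the source. Helper names and paths are hypothetical, and `openssl enc` with PBKDF2 (OpenSSL 1.1.1 or later) is assumed.

```shell
#!/bin/sh
# Added example (not from the original checklist): back up a directory to an
# encrypted archive and prove that it restores. Helper names are hypothetical.
# The passphrase is read from a root-only file so it never appears in argv or
# shell history; keep that file somewhere other than the backup destination.

# backup_encrypted SRC_DIR OUT_FILE KEYFILE
# tar | gzip | AES-256-CBC with a PBKDF2-derived key (flags need OpenSSL 1.1.1+).
backup_encrypted() {
  tar -C "$1" -czf - . | openssl enc -aes-256-cbc -pbkdf2 -iter 200000 \
    -pass "file:$3" -out "$2"
}

# restore_encrypted IN_FILE DEST_DIR KEYFILE
restore_encrypted() {
  mkdir -p "$2" &&
  openssl enc -d -aes-256-cbc -pbkdf2 -iter 200000 -pass "file:$3" -in "$1" \
    | tar -C "$2" -xzf -
}

# Sorted SHA-256 list of every regular file under DIR, paths relative to DIR.
tree_digest() {
  (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort)
}

# verify_restore SRC_DIR BACKUP KEYFILE: restore into a scratch directory and
# compare every file's hash with the source. This is the monthly restore test;
# returns 0 only when the restored tree is identical to the source.
verify_restore() {
  scratch=$(mktemp -d) || return 1
  if restore_encrypted "$2" "$scratch" "$3" &&
     [ "$(tree_digest "$1")" = "$(tree_digest "$scratch")" ]; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$scratch"
  return $rc
}

# Usage (paths assumed):
#   backup_encrypted /srv/app /backup/app-$(date +%F).tgz.enc /root/backup.key
#   verify_restore   /srv/app /backup/app-<date>.tgz.enc /root/backup.key && echo "restore OK"
```

`openssl enc` provides confidentiality only; CBC mode does not detect tampering, so the digest comparison above is also what tells you the archive is intact. For backups that sit on third-party storage, sign the digest list or use an authenticated tool such as age or gpg instead.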
Complete this checklist quarterly or after major changes.