Disclaimer: this is not a complete list and should only be used as a starting point to sanity-check new Virtual Server deployments.
- Change your default SSH port
- Disable root SSH login
- Disable SSH password authentication
- Enable iptables/nftables
- Configure iptables
- Enable two-factor authentication in PAM
- Properly set up sudo
- Set up a YubiKey and/or google-authenticator
- Disable TLSv1, SSLv2, and SSLv3 on all of your services
- Enforce decent crypto algorithms
- Enable auditd
- Enable and configure SELinux
- Configure services to listen only on private addresses (127.0.0.1, 192.168/16, 10/8)
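As an added example (not part of the original checklist), a small POSIX sh script that checks three of the SSH items above against an sshd_config and flags services bound to all interfaces from saved `ss -ltnH` output. The sample config files and socket listings are constructed for demonstration; point the functions at /etc/ssh/sshd_config and a real `ss -ltnH` capture on a new host.

```shell
#!/bin/sh
# Added example: sanity-check two checklist items above. (1) sshd_config has a
# non-default port, no root login, no password auth; (2) nothing listens on all
# interfaces (sshd itself is expected to; databases and caches should not).
# Effective value of an sshd_config directive: last uncommented occurrence wins.
sshd_value() { awk -v k="$2" 'tolower($1)==tolower(k){v=$2} END{print tolower(v)}' "$1"; }

check_sshd_config() {
    rc=0
    port=$(sshd_value "$1" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "FAIL: Port is the default (22)"; rc=1
    fi
    root=$(sshd_value "$1" PermitRootLogin)
    [ "$root" = "no" ] || { echo "FAIL: PermitRootLogin=${root:-default}, want no"; rc=1; }
    pw=$(sshd_value "$1" PasswordAuthentication)
    [ "$pw" = "no" ] || { echo "FAIL: PasswordAuthentication=${pw:-default}, want no"; rc=1; }
    return $rc
}

# Input: output of `ss -ltnH` saved to a file (field 4 is the local addr:port).
check_public_listeners() {
    bad=$(awk '{ n=split($4,a,":"); addr=substr($4,1,length($4)-length(a[n])-1)
                 if (addr=="0.0.0.0" || addr=="*" || addr=="[::]") print $4 }' "$1")
    [ -z "$bad" ] && return 0
    printf 'FAIL: bound to all interfaces: %s\n' "$bad"; return 1
}
# Constructed sample inputs (not captured from a real host).
WEAK_CFG=$(mktemp); cat > "$WEAK_CFG" <<'EOF'
#Port 22
PermitRootLogin yes
PasswordAuthentication yes
EOF
HARDENED_CFG=$(mktemp); cat > "$HARDENED_CFG" <<'EOF'
Port 2222
PermitRootLogin no
PasswordAuthentication no
EOF
PUBLIC_SS=$(mktemp); cat > "$PUBLIC_SS" <<'EOF'
LISTEN 0 80  0.0.0.0:3306    0.0.0.0:*
LISTEN 0 511 127.0.0.1:6379  0.0.0.0:*
EOF
PRIVATE_SS=$(mktemp); cat > "$PRIVATE_SS" <<'EOF'
LISTEN 0 80  10.0.0.5:3306   0.0.0.0:*
LISTEN 0 511 127.0.0.1:6379  0.0.0.0:*
EOF
```

Run `check_sshd_config "$WEAK_CFG"` to see the three findings, and `check_public_listeners "$PUBLIC_SS"` to see the MySQL socket on 0.0.0.0 flagged while the Redis socket on 127.0.0.1 passes.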