Comment by jeroenhd

3 years ago

Apparently there's a comment size limit, who knew! Anyway, continued:

- Did I mention updating? You'd better update! Did you update? Good, then you're probably fine!

- Install a firewall. The Internet may tell you that you need to learn nftables but in practice tools like `ufw` will protect you just fine. Work in whitelist mode for incoming traffic. Work in whitelist mode for outgoing traffic if you want to spend an hour every week debugging why your server went down again.

- Pick good passwords, or even better, don't use passwords at all. Use key-based authentication for SSH, use WebAuthn/U2F/whatever for admin panels, make it as hard as possible to brute force your way in. Don't reuse passwords! You don't want to get hacked because your password showed up.

- Keep an eye on risky software. For example, WordPress itself is quite secure, but many of its plugins have been plagued with vulnerabilities.

- Make maintenance/updating your services easy. Sometimes that means you need to spend more time setting everything up. Sometimes that means configuring your system in a suboptimal way, or even disabling other security features. Locking everything down can make it impossible to properly update your software and software you don't update is just waiting to get exploited by a bot.

- Not a security measure per se, but useful to reduce log spam: change the SSH port from 22 to literally anything else.

- When serving anything UDP (DNS/SSDP/whatever) make sure to check if there's a DDoS potential and see if you can mitigate it. If you can't, see if you can whitelist destination/source IPs in your firewall.

- HTTPS is free and quite easy. Why not enable it? If you turn it on, you can use "outdated" security mechanisms like HTTP Basic Auth without hesitation!

- Make sure to migrate in time when a software package gets out of date. Ubuntu 18.04 will receive updates for years to come, but you should probably plan to migrate two years before the end date. The longer you wait, the more difficult migration will be, the longer you'll put it off and the more likely you'll run vulnerable, outdated software.

- Hack yourself. Run port scans against your own servers; you might just find that you forgot that Docker will bypass your firewall. That's how I found out! I've accidentally had stuff running publicly that should've been private for months because I didn't port scan after installing new software. Other tools include stuff like WordPress security scanners, OWASP ZAP, etc.

- Sometimes you'll find yourself in a tricky situation: one of your services is vulnerable but no update is out for your platform yet. Consider temporarily disabling the service if it's not _that_ important or restrict your firewall to accept only certain IP addresses if you can't live without it.

- If you're only going to use the service yourself, you might not need to expose it to the internet. Maybe you can use a VPN to only allow trusted devices to connect. Maybe you can use Tor to make a service available (from behind NAT, even!). Never fully disable authentication and such on trusted networks unless you don't care about getting hacked, though.

- If you feel like the software you're running may be a common target, read your web server logs. See if you're getting flooded with weird requests and Google the URLs to see if you might be vulnerable.

- Periodically check if software you've installed is no longer necessary. Removing unnecessary attack surface not only makes your server more secure, it'll also help you keep down the amount of maintenance you need to do!

- Install security updates. Really, that's maybe the most important part, after picking good passwords. An updated server is a happy server. In most cases, an updated server is an unhackable server!

- Don't fall for emails like "I found a vulnerability in your server, do you provide a bug bounty".

- If you write your own software, regularly update dependencies and run vulnerability scanners (preferably automated). Stuff like https://owasp.org/www-project-dependency-check/ isn't hard to integrate into your workflow and might warn you of vulnerable libraries you didn't even know you used!

- Terms to throw into Google if you're interested: WAF (Web Application Firewall), Fail2ban, Tarpit (networking), cgroups, systemd hardening, Snort, Suricata

Finally, for your personal devices: use a password manager with a Really Good master password and enable 2FA. For most services a good password is a password you don't know. Use software that's as convenient to use as possible without sacrificing security (i.e. use a password manager that integrates with your phone's/browser's autofill). Stuff like WebAuthn/U2F/FIDO2 can make 2FA very usable without having to copy a bunch of numbers every time you log in and they're available on more devices than you might think. You can go ultra secure (I, for one, enabled 2FA on SSH at some point) but the harder you make it for yourself, the less likely it is that you'll find yourself using your fancy security.

Some people will probably disagree with me on some points. Some of them are overkill, some of them are not strict enough. There's no one true answer for any of this, because every server is different and has different security requirements.

In case you feel overwhelmed: what I just typed out isn't followed by (way too) many companies. If you work outside a tech company I doubt the IT departments/people even know what company secrets are on what server. Companies will silently or unknowingly run vulnerable software for years without getting hacked! Your home server may be more secure than a critical application server that some Fortune 500 company relies on, simply because you can run updates and they're stuck with some outdated OS/software/hardware/network/configuration that they can't move away from without spending millions!
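The "read your web server logs" advice above, as an added example that is not part of the comment: a small Python script that parses nginx/Apache-style access log lines, counts which client IPs keep requesting paths that don't exist on your server, and lists those paths so you can look them up. The log line format and the sample lines are constructed for the example.

```python
import re
from collections import Counter

# Common/combined access log format as written by nginx/Apache (pattern is an assumption).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines, not taken from any real server (documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.5 - - [10/May/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 1024
203.0.113.5 - - [10/May/2023:10:00:02 +0000] "GET /blog/ HTTP/1.1" 200 4096
198.51.100.7 - - [10/May/2023:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 404 153
198.51.100.7 - - [10/May/2023:10:00:03 +0000] "GET /xmlrpc.php HTTP/1.1" 404 153
198.51.100.7 - - [10/May/2023:10:00:04 +0000] "GET /wp-content/plugins/ HTTP/1.1" 404 153
198.51.100.7 - - [10/May/2023:10:00:04 +0000] "GET /.env HTTP/1.1" 404 153
192.0.2.9 - - [10/May/2023:10:00:05 +0000] "POST /contact HTTP/1.1" 200 88
"""


def parse(log_text):
    """Yield one dict per line that matches the access log pattern; skip the rest."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def probe_report(log_text, min_misses=3):
    """Return (noisy_ips, missing_paths).

    noisy_ips: {ip: count} for clients with at least min_misses 404 responses,
    i.e. clients walking through paths your server does not serve.
    missing_paths: Counter of the 404'd paths, so you can look them up.
    """
    misses = Counter()
    paths = Counter()
    for rec in parse(log_text):
        if rec["status"] == "404":
            misses[rec["ip"]] += 1
            paths[rec["path"]] += 1
    noisy = {ip: n for ip, n in misses.items() if n >= min_misses}
    return noisy, paths


if __name__ == "__main__":
    noisy_ips, missing = probe_report(SAMPLE_LOG)
    for ip, n in noisy_ips.items():
        print(f"{ip}: {n} requests for paths that do not exist here")
    for path, n in missing.most_common():
        print(f"  {n:3d}  {path}")
```

Point it at your real access log (`probe_report(open(path).read())`) and the listed paths are what you'd search for; if they are all for software you don't run, it's just scanner noise, and if they match something you do run, that's the package to check for updates first.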