New Server Checklist

From Paritybit.ca Wiki

Below is a list of basic things I do when setting up a new physical server or virtual machine (VM).

Copy ssh public key to server with ssh-copy-id
Disable ssh password authentication and root login
Set ssh port to 56022
Remove commented and deb-src entries from /etc/apt/sources.list
Set a static IP in /etc/network/interfaces (see #Static IP Example)
Run the following:

sudo apt update && sudo apt -y upgrade && sudo apt install \
    tmux htop vim postfix qemu-guest-agent unattended-upgrades nftables \
    && sudo apt --purge autoremove vim-tiny nano iptables

Configure unattended upgrades with "origin=*", remove unused dependencies, automatic reboot at 02:00
Configure nftables firewall (see #Base nftables Configuration)
Reboot

Static IP Example

allow-hotplug <interface>
iface <interface> inet static
        address 10.0.0.{2..254}
        netmask 255.255.255.0
        gateway 10.0.0.1

Base nftables Configuration

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
	chain INPUT {
		type filter hook input priority 0; policy drop;
		ct state { established, related } accept
		ct state invalid drop
		iif "lo" accept
		tcp dport {56022} accept
		ip protocol icmp limit rate 1/second accept
		counter packets 0 bytes 0 drop
	}
	chain OUTPUT {
		type filter hook output priority 0; policy accept;
		counter packets 0 bytes 0 accept
	}
	chain FORWARD {
		type filter hook forward priority 0; policy drop;
		counter packets 0 bytes 0 drop
	}
}