A freshly deployed server is not secure by default. The following hardening checklist covers what needs to be done.
1. Disable SSH Root Login
# /etc/ssh/sshd_config
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
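To check that the settings from step 1 are in effect, this added example (not part of the original checklist) audits an sshd_config file offline. It assumes upstream OpenSSH defaults for unset keywords, reads global scope only (no Include files, no Match blocks), and its function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original page): offline audit of the three
# sshd_config directives from step 1. Two properties of sshd matter here:
# keywords are case-insensitive, and the FIRST value read for a keyword wins,
# so a "PermitRootLogin no" appended below an earlier "yes" has no effect.

# effective_value FILE KEYWORD: print the first global value for KEYWORD.
effective_value() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        { sub(/#.*/, "") }                      # drop comments
        tolower($1) == "match" { exit }         # global scope only
        tolower($1) == want { print $2; exit }
    ' "$1"
}

# audit_sshd_config FILE: one line per directive; returns 1 on any mismatch.
audit_sshd_config() {
    file=$1
    rc=0
    # keyword:expected:upstream OpenSSH default used when the keyword is unset
    for spec in PermitRootLogin:no:prohibit-password \
                PasswordAuthentication:no:yes \
                PubkeyAuthentication:yes:yes; do
        key=${spec%%:*}; rest=${spec#*:}
        want=${rest%%:*}; default=${rest#*:}
        got=$(effective_value "$file" "$key")
        [ -n "$got" ] || got=$default
        if [ "$got" = "$want" ]; then
            echo "OK   $key $got"
        else
            echo "FAIL $key is '$got', expected '$want'"
            rc=1
        fi
    done
    return "$rc"
}

# With a path argument, audit that file; otherwise audit a constructed sample.
if [ $# -gt 0 ]; then
    audit_sshd_config "$1"
else
    sample=$(mktemp)
    printf '%s\n' 'PermitRootLogin yes' 'passwordauthentication no' \
        'PermitRootLogin no' > "$sample"       # constructed input
    audit_sshd_config "$sample" || true
    rm -f "$sample"
fi
```

On a live server, `sshd -T` prints the effective configuration with Include files resolved, and sshd must be reloaded before an edit takes effect.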
2. Use SSH Keys, Not Passwords
# Generate a key pair (on the local machine)
ssh-keygen -t ed25519 -C "your@email.com"
# Copy the public key to the server
ssh-copy-id user@server-ip
3. Setup Firewall (UFW)
ufw default deny incoming
ufw default allow outgoing
ufw allow 22/tcp # SSH
ufw allow 80/tcp # HTTP
ufw allow 443/tcp # HTTPS
ufw enable
4. Fail2Ban for Brute-Force Protection
apt install fail2ban
# Configure it to ban an IP after several failed login attempts
5. Regular Updates
# Setup automatic security updates
apt install unattended-upgrades
dpkg-reconfigure unattended-upgrades
6. Minimal Running Services
Disable every service that is not needed:
systemctl disable bluetooth
systemctl disable cups
systemctl disable avahi-daemon
7. Log Monitoring
# Watch login attempts
tail -f /var/log/auth.log
# Use a tool such as logwatch
apt install logwatch