2009-02-01, 21:02 #5
pkallberg21 (not online)
Member
Registered: Jul 2007
Posts: 134
I have put together a few points on this. Hope it helps.

-Install only necessary software; delete or disable everything else.
-Keep all system and application software up-to-date. Subscribe to software and operating system mailing lists to receive updates. Updating Debian: apt-get update and apt-get -u update. Debian mailing lists: http://www.debian.org/mailinglists/subscribe.
-Delete or disable unnecessary user accounts. Check /etc/passwd and comment out any unnecessary entries. If in doubt, use find / -user yard -print to find the directories owned by the account. Then use ls -lu directory to gain more information. Check the number of files and when they were last accessed.
-Don't needlessly grant shell access.
-Allow each service to be publicly accessible only by design, never by default.
-Run each publicly accessible service in a chrooted filesystem (i.e., a subset of /). Processes should be run with as low a set of privileges as possible or run in a chroot jail.
-Don't leave any executable file needlessly set to run with superuser privileges, i.e. with its SUID bit set (unless owned by a sufficiently nonprivileged user).
-If your system has multiple administrators, delegate root's authority.
-Configure logging and check logs regularly.
-Configure each host as its own firewall; i.e. bastion hosts should have their own packet filters and access controls in addition to (but not instead of) the firewall's.
-Check your work now and then with a security scanner, especially after patches and upgrades.
-Understand and use the security features supported by your operating system and applications, especially when they add redundancy to your security fabric.
-After hardening a bastion host, document its configuration so it may be used as a baseline for similar systems and so you can rebuild it quickly after a system compromise or failure.
-Utilize SSH, not clear-text transfer protocols such as telnet.
-Use SFTP and SCP for encrypted file transfers.
-Edit ssh_config and sshd_config to control the behaviour of the SSH client and server. These can usually be found in /etc.

Edit: The list comes from the Linux Server Security book.
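Three of the items in the list above (unnecessary accounts in /etc/passwd, needless SUID binaries, and the sshd_config settings) as an added shell example. This is not code from the post or from the Linux Server Security book. The passwd file, the two sshd_config fragments and the directory containing a set-uid file are constructed samples written into a temporary directory so the script runs offline; on a real host the same functions are pointed at /etc/passwd, /etc/ssh/sshd_config and /.

```shell
#!/bin/sh
# Hardening audit helpers (added example, not from the book or the post).
# Every function takes a path argument so it can be run against a real file
# or against the constructed samples created further down.

# 1. Accounts that still have an interactive login shell.
#    Real use: login_shell_accounts /etc/passwd
login_shell_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "$1"
}

# 2. sshd_config directives a hardened host should not have enabled.
#    Prints "Directive value" per weak setting; exit status 1 if any found.
#    Keywords are case-insensitive in sshd_config, hence tolower().
#    Real use: weak_sshd_settings /etc/ssh/sshd_config
weak_sshd_settings() {
    awk '
        BEGIN { bad = 0 }
        /^[[:space:]]*#/ || NF < 2 { next }
        { key = tolower($1); val = tolower($2) }
        key == "permitrootlogin"        && val == "yes" { print $1, $2; bad = 1 }
        key == "passwordauthentication" && val == "yes" { print $1, $2; bad = 1 }
        key == "permitemptypasswords"   && val == "yes" { print $1, $2; bad = 1 }
        key == "protocol"               && val ~ /1/   { print $1, $2; bad = 1 }
        END { exit bad }
    ' "$1"
}

# 3. Set-uid / set-gid files below a directory. -xdev keeps find on one
#    filesystem so /proc and network mounts are not walked.
#    Real use: suid_files /
suid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# --- constructed sample inputs; not copied from any real host ---
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

cat > "$work/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
yard:x:1001:1001:old contractor account:/home/yard:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/false
EOF

cat > "$work/sshd_config.weak" <<'EOF'
# sample with the settings the checklist says to avoid
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
EOF

cat > "$work/sshd_config.hardened" <<'EOF'
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
EOF

mkdir -p "$work/bin"
: > "$work/bin/normal";  chmod 755  "$work/bin/normal"
: > "$work/bin/setuid";  chmod 4755 "$work/bin/setuid"

# Run the three checks against the samples.
echo "accounts with a login shell:";  login_shell_accounts "$work/passwd"
echo "weak sshd settings:";           weak_sshd_settings "$work/sshd_config.weak" || true
echo "set-uid/set-gid files:";        suid_files "$work/bin"
```

The sshd check only reads top-level directives; settings inside a Match block can override them, so read those by hand. A set-uid file is not a finding by itself (passwd, su and sudo need the bit); compare the list against the baseline documented for the host and strip the bit from anything that is not on it.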