I have been looking at hardening *nix servers for my lab and maybe carrying some of that over to work. CIS benchmarks are something I like doing, but that's barely scratching the surface. What do you do for your servers?
I have Lynis, systemd-analyze, and kernel self-protection in mind, but I'd love to hear your thoughts. Bonus points for the most paranoid setups!
Is this for internal-facing servers? Not much more than CIS and the usual best practices (no root for SSH, etc.)
For a DMZ node, minimal software (i.e. Arch) and automated defenses like fail2ban, key authentication, etc.
Firewalls with Geo-IP blocking also help, but that’s not technically what you’re asking for.
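Added example (not from anyone in this thread): a small POSIX sh audit for the two SSH points raised above, root login disabled and key-only authentication. It reads sshd_config the way sshd does (first occurrence of a directive wins) and runs against two constructed sample files; the directive names are real OpenSSH ones, the sample files are made up.

```shell
#!/bin/sh
# Audit an sshd_config for "no root for SSH" and "key authentication only".
# Caveat: only global directives are checked; Match blocks are not parsed.
# On a live host, `sshd -T` prints the effective configuration and is authoritative.

# sshd_value FILE DIRECTIVE -> lowercased value of the first (winning) occurrence,
# comments stripped; prints nothing if the directive is unset.
sshd_value() {
    awk -v key="$2" '
        { sub(/#.*/, "") }                                   # drop comments
        tolower($1) == tolower(key) && !found { print tolower($2); found = 1 }
    ' "$1"
}

# sshd_expect FILE DIRECTIVE WANT DEFAULT -> PASS/FAIL line, exit 0 on pass.
# DEFAULT is the value sshd uses when the directive is absent.
sshd_expect() {
    actual=$(sshd_value "$1" "$2"); note=""
    [ -z "$actual" ] && { actual="$4"; note=" (unset, sshd default)"; }
    if [ "$actual" = "$3" ]; then
        echo "PASS $2 = $actual$note"
    else
        echo "FAIL $2 = $actual$note (want $3)"; return 1
    fi
}

# check_sshd_config FILE -> exit 0 only if every directive passes.
check_sshd_config() {
    rc=0
    sshd_expect "$1" PermitRootLogin no prohibit-password || rc=1
    sshd_expect "$1" PasswordAuthentication no yes || rc=1
    sshd_expect "$1" PubkeyAuthentication yes yes || rc=1
    sshd_expect "$1" ChallengeResponseAuthentication no yes || rc=1
    return $rc
}

# Constructed samples: a weak config and its hardened counterpart.
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
Port 22
PermitRootLogin yes
#PasswordAuthentication no   # commented out, so the default (yes) applies
EOF
cat > "$HARD_CFG" <<'EOF'
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ChallengeResponseAuthentication no
EOF
check_sshd_config "$WEAK_CFG"; echo "---"; check_sshd_config "$HARD_CFG"
```

The weak file fails on PermitRootLogin and on the two password-style directives that silently fall back to "yes", which is the usual way a "key-only" server turns out to still accept passwords.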