- Change the default SSH port to a non-standard one, such as 27765, which is difficult to guess
- Disable Root Login
- Use SSH keys (public key authentication) instead of SSH passwords to prevent network packet sniffing attacks
- Enable a firewall and allow only the required incoming ports (80/443/SSH) and only the outgoing ports that are actually in use
- Use SFTP only
- Install the ClamAV antivirus and set it to update with cron
- Install a malware scanner and run it with cron on a daily basis
- Disable IPv6
- Disable DNS recursion
- Enable brute-force prevention with Fail2ban
- Some services can also be installed in a Docker container; database systems, for example, can run in a container
- Use rkhunter, a well-known tool for checking for vulnerabilities, rootkits, backdoors, and possible local exploits on a server
- If possible, use a VPN via OpenVPN
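
As an added example (not part of the original list), the script below checks sshd_config text against the list's three SSH items: a non-default port, root login disabled, and password authentication turned off. The function names, the sample configurations and the upstream OpenSSH defaults it falls back to are assumptions.

```bash
# Added example: check sshd_config text against the checklist's SSH items.
# Assumptions: upstream OpenSSH defaults, whitespace-separated "Keyword value"
# lines, and only the global section (parsing stops at the first Match block).

# sshd_value <config text> <keyword> <default>: print the effective value.
# sshd keeps the first occurrence of a keyword; keywords are case-insensitive.
sshd_value() {
    printf '%s\n' "$1" | awk -v key="$2" -v def="$3" '
        tolower($1) == "match"      { exit }   # global section ends here
        /^[ \t]*#/ || NF < 2        { next }   # comments, blanks, bare words
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }'
}

# result <ok|weak> <message>: print one line and count weak settings.
result() {
    [ "$1" = ok ] || fails=$((fails + 1))
    echo "$1: $2"
}

# audit_sshd <config text>: return status is the number of weak settings.
audit_sshd() {
    fails=0
    port=$(sshd_value "$1" Port 22)
    root=$(sshd_value "$1" PermitRootLogin prohibit-password)
    pass=$(sshd_value "$1" PasswordAuthentication yes)
    if [ "$port" = 22 ]; then result weak "Port 22 (default)"; else result ok "Port $port"; fi
    if [ "$root" = no ]; then result ok "PermitRootLogin no"; else result weak "PermitRootLogin $root"; fi
    if [ "$pass" = no ]; then result ok "PasswordAuthentication no"; else result weak "PasswordAuthentication $pass"; fi
    return "$fails"
}

# Constructed sample configurations (not taken from a real host).
WEAK_CONFIG='Port 22
PermitRootLogin yes
#PasswordAuthentication no'
HARDENED_CONFIG='Port 27765
PermitRootLogin no
PasswordAuthentication no'

audit_sshd "$WEAK_CONFIG" || echo "weak settings: $?"
audit_sshd "$HARDENED_CONFIG" && echo "all three SSH items pass"
```

On a server, pass it the real file with `audit_sshd "$(cat /etc/ssh/sshd_config)"`; the output of `sshd -T` works as well and also reflects included files.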