Copy from The Digital Life Blog

Optimize your deployments to lower the attack surface, especially when you’re running administrative web interfaces and Docker Containers.

SECURITY IS NOT A SIMPLE CHECK-LIST

First, I want to emphasize how important it is that you develop your own security strategy. When you search the web for “How to protect Linux” or “Harden your Linux Server”, you’ll find tons of articles. People are just throwing out their “best practices” (just like this article here :). And you might be tempted to just grab some commands, run them on your server, and then assume you’re done! Fine, you don’t need to worry about security anymore!

Well, that’s probably the worst thing you could do, because cybersecurity is much more complicated than a simple checklist. It’s not enough to copy and paste some commands. There are so many aspects of server security that you need to consider, and even after you’ve gone through all the recommendations, you might still miss something or face edge cases you haven’t thought about. That’s of course very challenging!

But it’s still a great idea to have a solid setup that’s protected from the most common and critical threats on the web. So, my biggest wish is that you carefully think about it and develop your own security strategy, because some recommendations in this article might apply to your scenario, while others might not. However, I still want to give you some ideas, tips, and of course practical examples of how I plan a security strategy on my servers. Let’s go!

ALWAYS UPDATE YOUR SOFTWARE

This is the most basic and simple thing you should always do! It’s also the most effective way to protect your Linux server, because for most security vulnerabilities a patch is already available by the time they are disclosed. So, you should upgrade your software as soon as a new security patch is available.

On my Ubuntu servers, I use the “unattended-upgrades” package, which should already be installed. You can configure it with these two commands.

sudo apt install unattended-upgrades

sudo dpkg-reconfigure --priority=low unattended-upgrades
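After running dpkg-reconfigure it is worth verifying that automatic upgrades are really switched on. The following is an added example (not code from the original post): it reads an APT periodic config file in the format Ubuntu writes to /etc/apt/apt.conf.d/20auto-upgrades and checks that both package-list updates and unattended upgrades are enabled, using constructed sample files so it runs anywhere.

```shell
#!/bin/sh
# Added example, not part of the original post: check that unattended-upgrades
# is enabled by reading the APT::Periodic keys from a config file in the
# 20auto-upgrades format.

# Print the numeric value of one APT::Periodic key, e.g. the line
#   APT::Periodic::Unattended-Upgrade "1";
# yields 1. Prints nothing when the key is absent.
apt_periodic_value() {
  # $1 = config file, $2 = key name after "APT::Periodic::"
  sed -n "s/^[[:space:]]*APT::Periodic::$2[[:space:]]*\"\([0-9]*\)\";.*/\1/p" "$1" | tail -n 1
}

# Return 0 when both Update-Package-Lists and Unattended-Upgrade are >= 1,
# 1 otherwise (including when the file is missing or unreadable).
auto_upgrades_enabled() {
  cfg="${1:-/etc/apt/apt.conf.d/20auto-upgrades}"
  [ -r "$cfg" ] || return 1
  lists=$(apt_periodic_value "$cfg" "Update-Package-Lists")
  upgrade=$(apt_periodic_value "$cfg" "Unattended-Upgrade")
  [ "${lists:-0}" -ge 1 ] && [ "${upgrade:-0}" -ge 1 ]
}

# Constructed sample files for a stand-alone run (not real host configs).
tmpdir=$(mktemp -d)
cat > "$tmpdir/enabled.conf" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
cat > "$tmpdir/disabled.conf" <<'EOF'
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "0";
EOF

if auto_upgrades_enabled "$tmpdir/enabled.conf"; then
  echo "enabled.conf: automatic upgrades are on"
fi
if ! auto_upgrades_enabled "$tmpdir/disabled.conf"; then
  echo "disabled.conf: unattended upgrades are OFF, fix it"
fi
```

On a real host, call auto_upgrades_enabled with no argument to check the live 20auto-upgrades file.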

DON’T FORGET TO UPDATE YOUR DOCKER CONTAINERS

Another important point that most tutorials forget is to update your Docker containers as well, because Docker containers don’t store or download any updates automatically. The correct way to upgrade them is to destroy the container and redeploy it with a new image.

Of course, I don’t want to do this manually all the time, so I’m using a tool called Watchtower. I’ve made a separate tutorial on Watchtower and how to configure it, here.
