The Reluctant Sysadmin's Guide to Securing a Linux Server ( pboyd.io )
It scratches the surface of the most obvious stuff. I’d only add running apps in isolation (docker or adduser) and maybe fail2ban.
![](https://kbin.pithyphrase.net/media/cache/resolve/entry_thumb/0a/f7/0af755c37ff9cac991fd78ab5ecca0c5dff2cf0377550847d907449c74bbfcba.png)
It scratches the surface of the most obvious stuff. I’d only add running apps in isolation (docker or adduser) and maybe fail2ban.