1. Vulnerability scan your servers often
2. Test new patches
3. Patch your servers often and based on criticality
4. Create strong, unique login and sudo passwords (randomly generated)
5. Limit user accounts and their access to only what is necessary
6. Avoid root login and instead use sudo when possible
7. Use a trusted Password/Key vault
8. Do not reuse passwords anywhere
9. Apply full-disk encryption
10. Ensure it’s safely behind a firewall, and open ports to the public only when it’s unavoidable
11. Ensure service accounts are limited to only perform tasks they are intended to perform
12. Back up the servers regularly and store the backups in multiple locations. Consider offline backups for the most important servers. Test the backups
13. Make sure the servers are part of your disaster recovery plan
14. Lock down SSH: ensure root login is disabled, password login is disabled, and only key-pair authentication is used for SSH access
15. Only allow SSH to and from trusted internal IPs
16. Make sure you have endpoint protection installed
17. Use intrusion prevention software like fail2ban
18. Monitor server health with trusted software
19. Forward your Linux logs, or have them collected remotely, for security monitoring in your SIEM
20. If possible, have a third party audit your security
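Items 6, 14 and 15 are the ones most often left half-done, so here is an added example (not part of the original checklist) of a POSIX sh script that audits the global section of an sshd_config against them. It assumes directives are written as "Keyword value", that there are no Include directives, and it uses 10.0.0.0/8 as a stand-in for "trusted internal IPs"; the two sample configs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original checklist: audit the global
# section of an sshd_config against items 6, 14 and 15.
# Assumptions: "Keyword value" syntax (no "Keyword=value"), no Include
# directives, and 10.0.0.0/8 stands in for "trusted internal IPs".

# Print the effective global value of KEY ($1) for the sshd_config text on
# stdin. sshd uses the FIRST occurrence of a keyword, and everything after a
# "Match" line is conditional, so reading stops there.
sshd_value() {
    awk -v key="$1" '
        /^[ \t]*(#|$)/              { next }            # comment or blank
        tolower($1) == "match"      { exit }            # end of global section
        tolower($1) == tolower(key) { print $2; exit }  # first one wins
    '
}

# expect_directive CONFIG KEY WANT DEFAULT
# Prints a finding and returns 1 when the effective value (falling back to
# sshd's compiled-in DEFAULT when the key is absent) is not WANT.
expect_directive() {
    cfg=$1; key=$2; want=$3; dflt=$4
    got=$(printf '%s\n' "$cfg" | sshd_value "$key")
    got=${got:-$dflt}
    [ "$got" = "$want" ] && return 0
    echo "FINDING: $key is '$got' (want '$want')"
    return 1
}

# Read sshd_config text from stdin, print one line per finding, and return
# 0 when every checked item is met, 1 otherwise.
audit_sshd_config() {
    text=$(cat)
    n=0
    # Items 6/14: no root over SSH. The default "prohibit-password" still
    # lets root in with a key, so it has to be set to "no" explicitly.
    expect_directive "$text" PermitRootLogin no prohibit-password || n=$((n+1))
    # Item 14: passwords off, keys on. Keyboard-interactive auth (PAM) can
    # still show a password prompt, so it must be off as well (before
    # OpenSSH 8.7 it is spelled ChallengeResponseAuthentication).
    expect_directive "$text" PasswordAuthentication no yes || n=$((n+1))
    expect_directive "$text" KbdInteractiveAuthentication no yes || n=$((n+1))
    expect_directive "$text" PubkeyAuthentication yes yes || n=$((n+1))
    # Item 15: restrict who may connect and from where. The host firewall is
    # the primary control; inside sshd, AllowUsers user@network patterns do it.
    allow=$(printf '%s\n' "$text" | sshd_value AllowUsers)
    if [ -z "$allow" ]; then
        echo "FINDING: AllowUsers not set (want user@trusted-network entries)"
        n=$((n+1))
    fi
    [ "$n" -eq 0 ]
}

# Constructed sample: a stock-looking config that fails several items.
WEAK_CONF='Port 22
PermitRootLogin yes
#PasswordAuthentication no
X11Forwarding no'

# Constructed sample: the same host after applying items 6, 14 and 15.
# The trailing Match block is ignored by the audit, as it is conditional.
HARDENED_CONF='Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
AllowUsers deploy@10.0.0.0/8 ops@10.0.0.0/8
X11Forwarding no
Match Address 10.0.0.0/8
    MaxAuthTries 3'

# Stand-alone run over both samples. On a real host you would run
#   audit_sshd_config < /etc/ssh/sshd_config
echo "== weak sample =="
printf '%s\n' "$WEAK_CONF" | audit_sshd_config || echo "result: NOT hardened"
echo "== hardened sample =="
printf '%s\n' "$HARDENED_CONF" | audit_sshd_config && echo "result: hardened"
```

The audit reads the configuration rather than probing the daemon, so it runs the same way on a live host, on a golden image, or in CI against the file you are about to deploy. The one thing it deliberately does not model is Match blocks: anything after the first Match line is conditional, so a `PasswordAuthentication yes` inside one would go unnoticed, and you should review those blocks by hand.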