Security
Create (or update) an iptables file with the following. This will block all inbound traffic except HTTP/S, SSH, and ping; all outbound traffic is allowed.
/etc/network/iptables
*filter
# Allow all loopback (lo) traffic and reject all traffic to 127/8 that
# doesn't use lo
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic
-A OUTPUT -j ACCEPT
# Allow HTTP and HTTPS connections from anywhere
-A INPUT -p tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
# Allow SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# Log iptables denied calls
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound (default deny)
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
Create a start script to load your iptables config.
/etc/network/if-pre-up.d/iptables
#!/bin/sh
/sbin/iptables-restore < /etc/network/iptables
And make it executable.
chmod 755 /etc/network/if-pre-up.d/iptables
Load iptables now.
iptables-restore < /etc/network/iptables
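A check that can be run before loading the file, or after any later edit, given here as an added example rather than part of the original guide: it parses the rules file and confirms that the only inbound TCP ports accepted are the intended ones and that the INPUT chain still ends in a catch-all reject. The function names are made up for this example.

```shell
#!/bin/sh
# Added example: audit an iptables-restore rules file before loading it.
# Handles the single "--dport N" form used in the rules above; multiport
# matches and port ranges are outside what this parser understands.

# Print the TCP ports that INPUT rules ACCEPT, sorted, on one line.
open_tcp_ports() {
    awk '$1 == "-A" && $2 == "INPUT" && /-p tcp/ && /-j ACCEPT/ {
            for (i = 1; i < NF; i++)
                if ($i == "--dport") print $(i + 1)
        }' "$1" | sort -n | paste -s -d ' ' -
}

# Succeed only if the last INPUT rule is an unconditional REJECT or DROP.
ends_with_default_deny() {
    last=$(grep '^-A INPUT' "$1" | tail -n 1)
    case "$last" in
        "-A INPUT -j REJECT" | "-A INPUT -j DROP") return 0 ;;
        *) return 1 ;;
    esac
}

# audit_rules FILE "EXPECTED PORTS": fail if the file opens anything else.
audit_rules() {
    file=$1
    expected=$2
    actual=$(open_tcp_ports "$file")
    if [ "$actual" != "$expected" ]; then
        echo "open TCP ports are '$actual', expected '$expected'" >&2
        return 1
    fi
    if ! ends_with_default_deny "$file"; then
        echo "INPUT chain does not end with a catch-all REJECT/DROP" >&2
        return 1
    fi
    echo "ok: inbound TCP limited to $expected, default deny in place"
}

# Usage: audit_rules /etc/network/iptables "22 80 443"
```

For a syntax check by iptables itself, `iptables-restore --test < /etc/network/iptables` parses the file without committing it.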
Install fail2ban. This program will scan your server logs and temporarily ban malicious IPs, e.g. an IP repeatedly trying and failing to log in. The default configuration is OK, but you might want to read up on its documentation at a later time and make adjustments.
apt install fail2ban