I once wrote a list of topics to remember when securing a webserver. I planned to write it into an article, but I haven't gotten that far yet. I have tried to add (?) to some of them, as these are also questions to myself about whether it's even possible.
Here are the topics; maybe you can use them as guidelines:
Things you should always do
- Don’t run unnecessary services
- Improve security with SUDO
- Get emails for every security update
- Firewall (iptables)
- SSH key and forced SSH password
- Protect your passwords (1Password, never use twice)
- Only provide source control deploy keys for the server
How to further enhance security
- Private networked database server
- Encrypt critical files
- Private networked backup
Increase security even more
- VPS SSH tunnel
- 2 factor SSH authentication (?)
Files outside the server
- Encrypt your local workspaces
- Trust your third party services (source control)
- Never commit passwords to source control
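One concrete check for the SSH item in that list, added here as an example that is not part of the original post: a POSIX shell audit of an sshd_config that reads keywords the way sshd does (the first occurrence of a keyword wins) and flags password login or root login being left enabled. The sample config files are constructed, and the script assumes the file uses "Keyword value" lines with no Match or Include directives.

```shell
#!/bin/sh
# Added example: audit an sshd_config for key-only login.
# Assumption: no Match blocks (reading stops at the first one) and no Include.

# effective_value FILE KEYWORD: print the value sshd would use for KEYWORD.
# sshd takes the FIRST occurrence of a keyword, so a hardening line appended
# at the bottom of the file does nothing if a weaker line precedes it.
effective_value() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*(#|$)/ { next }                 # skip comments and blank lines
    tolower($1) == "match" { exit }               # stop at the first Match block
    tolower($1) == key { print tolower($2); exit } # first occurrence wins
  ' "$1"
}

# audit_sshd_config FILE: returns 0 when every check passes, 1 otherwise.
# Values used when a keyword is absent are the OpenSSH defaults:
# PasswordAuthentication yes, PubkeyAuthentication yes, PermitRootLogin prohibit-password.
audit_sshd_config() {
  rc=0
  pa=$(effective_value "$1" PasswordAuthentication); pa=${pa:-yes}
  pk=$(effective_value "$1" PubkeyAuthentication);   pk=${pk:-yes}
  rl=$(effective_value "$1" PermitRootLogin);        rl=${rl:-prohibit-password}
  [ "$pa" = no ]  || { echo "FAIL: PasswordAuthentication is $pa (want no)"; rc=1; }
  [ "$pk" = yes ] || { echo "FAIL: PubkeyAuthentication is $pk (want yes)"; rc=1; }
  [ "$rl" = no ]  || { echo "FAIL: PermitRootLogin is $rl (want no)"; rc=1; }
  return $rc
}

# Constructed sample configs: one weak, one hardened.
SAMPLE_DIR=$(mktemp -d)
WEAK_CONF="$SAMPLE_DIR/sshd_config.weak"
HARDENED_CONF="$SAMPLE_DIR/sshd_config.hardened"
cat >"$WEAK_CONF" <<'EOF'
# Password login left on; the "no" further down is ignored (first value wins)
PasswordAuthentication yes
PermitRootLogin yes
PasswordAuthentication no
EOF
cat >"$HARDENED_CONF" <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
PermitRootLogin no
EOF
for f in "$WEAK_CONF" "$HARDENED_CONF"; do
  if audit_sshd_config "$f"; then echo "PASS: $f"; fi
done
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config`; `sshd -T` prints the fully resolved configuration if you need to confirm what the daemon actually loaded.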