I wouldn't arue with your overall sentiments but a couple of responses to your points.
- Enable the firewall.
Good suggestion, although this is not such an issue with EC2 appliances. AWS has a firewall built-in. So there is no need to enable IPtables in any appliances launched from the Hub.
- Disable ssh access for root.
Whilst it definately applies to Linux desktop systems, IMO it's not so relevant in a server setup. All applications that are running should be running in non-priveleged accounts already so the root account is only used for admin. And a hacked sudo user account is no less dangerous to your server than a hacked root account. More often that not you will be wanting to do lots of stuff that requires root (or sudo) when logged in anyway, so while it doesn't really give you any more security, it does mean extra typing.
- Install security patches regularly.
Whilst TKL auto installs Ubuntu security updates, you are right that the apps installed from upstream aren't and must be manually updated (if the app itself doesn't have some update mechanism). It's also worth keeping in mind that apps installed from the universe repo don't automatically get any updates (even if if they relate to security).
I strongly suggest that Turnkey releases a "System Hardening" document...
Yeah that'd be cool. Perhaps someone could start one on the community docs wiki?
A couple of things...
I wouldn't arue with your overall sentiments but a couple of responses to your points.
Good suggestion, although this is not such an issue with EC2 appliances. AWS has a firewall built-in. So there is no need to enable IPtables in any appliances launched from the Hub.
Whilst it definately applies to Linux desktop systems, IMO it's not so relevant in a server setup. All applications that are running should be running in non-priveleged accounts already so the root account is only used for admin. And a hacked sudo user account is no less dangerous to your server than a hacked root account. More often that not you will be wanting to do lots of stuff that requires root (or sudo) when logged in anyway, so while it doesn't really give you any more security, it does mean extra typing.
Whilst TKL auto installs Ubuntu security updates, you are right that the apps installed from upstream aren't and must be manually updated (if the app itself doesn't have some update mechanism). It's also worth keeping in mind that apps installed from the universe repo don't automatically get any updates (even if if they relate to security).
Yeah that'd be cool. Perhaps someone could start one on the community docs wiki?