Great question, it keeps on popping up here and there. You reminded me that I have setup an Ansible role for all my new server and I should hurry up and write a tutorial for that... Basically, here are the very minimal tasks I execute on all the new ubuntu LTS servers:
- Run apt-get upgrade
- Install & configure fail2ban
- Disallow root SSH access (I believe this is the default for DreamCompute instances but better be explicit)
- Disallow password authentication (same as above, already default but double-checking)
- Install unattended-upgrades
- Adjust APT update intervals (daily)
- Make sure unattended-upgrades only installs from $ubuntu_release-security
Additional steps would be setup the ufw firewall, add the server logs to the log aggregator (if you have one) and add it to the monitoring server. This should cover the very basic... "Safe web server" is a whole different story though: security is a process, you don't buy it off the shelf. Let's say that if you run stock software, keeping it up to date to the latest supported security update should provide you at least some peace of mind.
By the way, I don't see why you shouldn't be able to change the default SSH port on a DreamCompute server. If you move it though remember to update the Security Groups accordingly.