the base

Keep the system up to date. Unattended upgrades is not new debian but more often used by ubuntu users. But from time to time you need the system check done by hand. Security leaks by misconfiguration or baseconfig update is not fixed by unattended upgrades!

apt -y update
apt -y upgrade
apt -y dist-upgrade

the user

No need to operate as root. Root can do

rm -Rf /*

the user can't - try it - you will do it only once! Second argument is that the most common attack brute force vector tries first to access as root. Disallow ssh root access combined with iptables ( ufw ) and fail2ban saves you a lot of headaches.

apt install sudo
adduser m0r4k
Adding user `m0r4k' ...
Adding new group `m0r4k' (1001) ...
Adding new user `m0r4k' (1001) with group `m0r4k' ...
Creating home directory `/home/m0r4k' ...
Copying files from `/etc/skel' ...
New password: 
Retype new password: 
passwd: password updated successfully
Changing the user information for m0r4k
Enter the new value, or press ENTER for the default
	Full Name []: 
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n] 
adduser m0r4k sudo

the kick in

The most important part of base setup is the reconfiguration of the sshd. Restrict the ssh login and turn on the firewall. After installing fail2ban we've build a good base for headless OS.

ATTENTION - before you restrict the ssh daemon you need to login as user [ m0r4k ] and try [ sudo su ]. If this doesn't work you won't get su privileges anymore and you are locked out as superuser!

ssh config
cat /etc/group | grep sudo # check user is in sudo group
sed 's/PermitRootLogin yes/PermitRootLogin no/g' -i /etc/ssh/sshd_config
sed 's/\#StrictModes yes/StrictModes yes/g' -i /etc/ssh/sshd_config
systemctl restart sshd
fil2ban & ufw
apt -y install fail2ban ufw
ufw default allow outgoing
ufw default deny incoming
ufw allow ssh/tcp
ufw allow http/tcp
ufw allow https/tcp
ufw limit ssh/tcp
ufw logging on
ufw enable