Hello!

I am starting to self-host a number of small services on a commercial VPS. I’m looking for guidance on how to lock it down, and on security best practices in general. I’ve found some resources online, but any advice from others would go a long way. For reference, I have almost no web management or web services background, but I am very comfortable with *nix/CLI etc.

My current structure is this:

  • stock Debian, fully updated
  • nginx for webserving and reverse proxy (not the reverse proxy standalone tool, just regular nginx installed as a service)
  • various services built and deployed through docker-compose
  • services are proxied to subdomains
  • SSL certs for everything with LetsEncrypt

I’ve done things like disabling root SSH login, disabling SSH passwords (only key pairs allowed), setting ufw to allow only HTTP, HTTPS and SSH, and setting up HTTPS for everything to the best of my ability.

What best practices should I be following? How often should I restart/update services? Is using ‘latest’ through docker-compose sufficient?

What else should I do to harden nginx? Any admin tools to use for monitoring, whitelisting or blacklisting?

Lots of newbie questions here - I appreciate any help or guidance the community has. Thank you!
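As an added example (not part of the post or any project mentioned in it), here is a read-only self-audit script covering two of the items described above: the sshd settings and whether the docker-compose images float on `latest`. File paths, the sample sshd_config and the sample compose file are all constructed here so the script runs offline; point the functions at /etc/ssh/sshd_config and your own compose file to audit a real host.

```bash
#!/usr/bin/env bash
# Added example (not from the post): audits the sshd hardening and the compose
# image tags described in the post. Paths are passed in, so the same functions
# run against the constructed samples below or against real files.
# Assumption: only the single sshd_config file is read (Include directives are not followed).

# Effective value of an sshd_config keyword: the first uncommented occurrence wins, as in sshd.
sshd_value() {
  grep -Ei "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print tolower($2)}'
}

# Returns 0 when root login and password auth are both explicitly off.
# An absent keyword counts as a failure because the sshd default is the permissive one.
check_sshd() {
  local cfg="$1" ok=0
  [ "$(sshd_value "$cfg" PermitRootLogin)" = "no" ] || { echo "sshd: set 'PermitRootLogin no'"; ok=1; }
  [ "$(sshd_value "$cfg" PasswordAuthentication)" = "no" ] || { echo "sshd: set 'PasswordAuthentication no'"; ok=1; }
  return "$ok"
}

# Prints every compose image that floats: tagged :latest or carrying no tag at all.
# Digest-pinned images (name@sha256:...) are accepted as pinned.
unpinned_images() {
  local img base tag
  grep -E '^[[:space:]]*image:' "$1" | sed -E "s/^[[:space:]]*image:[[:space:]]*//; s/[\"']//g" |
  while read -r img; do
    case "$img" in *@sha256:*) continue ;; esac
    base="${img##*/}"   # drop registry host/namespace so a ':5000' port is not mistaken for a tag
    tag="${base#*:}"    # equals $base when there is no colon, i.e. no tag at all
    if [ "$tag" = "$base" ] || [ "$tag" = "latest" ]; then echo "$img"; fi
  done
}

# Constructed sample inputs (not the poster's real files) so the block runs stand-alone.
make_samples() {
  local d; d="$(mktemp -d)"
  printf '%s\n' '#PermitRootLogin prohibit-password' 'PermitRootLogin no' \
                'PasswordAuthentication no' > "$d/sshd_config"
  printf '%s\n' 'services:' '  web:' '    image: nginx:1.25.3' '  app:' \
                '    image: "ghcr.io/example/app:latest"' '  db:' '    image: postgres' > "$d/docker-compose.yml"
  echo "$d"
}

# Runs both checks against a directory holding sshd_config and docker-compose.yml.
run_audit() {
  check_sshd "$1/sshd_config" && echo "sshd: ok"
  echo "compose images to pin:"; unpinned_images "$1/docker-compose.yml"
}

run_audit "$(make_samples)"
```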