Hi,
In terms of security, each server is secure. It’s just different users may have different security best practices. It’s an issue on how far you go with the security best practices.
The first part is to secure the host (the VPS itself).
For example, some VPS providers allow password authentication. It is a best practice to disable password authentication.
Having said that, we are not touching the host configuration here because it is dealt with elsewhere.
Each container by default is not directly accessible by the Internet (due to the NAT networking). If, however, you setup macvlan or bridge networking, you may decide to expose a container (or more) to the Internet. In this case, the Ubuntu container images have sane defaults (no password authentication).
The guide that you reference,
- says to set a password for the
root. For me, that’s a no-no because we do not do password authentication. The idea is that you SSH to a user account (public-key authentication only), and thensudoto root. Later on in the post, they say to enable fullsudoaccess to the non-root account which would make the root password superfluous. - says to add a non-root user to the host. The instructions are missing the
chownof~nonrootuser/.sshto the accountnonrootuser. Regarding containers, the Ubuntu container images already have a non-root account calledubuntu. - The Ubuntu container already have
unattended-upgradesinstalled, and by default the perform the upgrades for the security packages. - Setting up
fail2banon SSH is probably not be needed since you have disallowed password authentication. - 2FA is generally not needed for services not facing directly the Internet. Therefore, while you may setup for the host, I do not think it is require for the containers.
- You may install
logwatchfor some containers. Note that you would need to figure out how to send emails. That is, most providers block outgoing connections towards port 25 as a way to fight spam. Normally you would create a third-party mail provider account.