There are a few things that need to be done to your system to be secure. This script will do it all for you.
sudo su -
apt install apparmor -y
systemctl enable apparmor
systemctl start apparmor
sed -i 's/GRUB_CMDLINE_LINUX=""/GRUB_CMDLINE_LINUX="apparmor=1"/g' /etc/default/grub
update-grub
aa-enforce /etc/apparmor.d/*
apt autoremove -y
apt autoclean -y
apt install sudo -y
chown root:root /etc/crontab
chmod og-rwx /etc/crontab
chown root:root /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly
chmod og-rwx /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly
chown root:root /etc/grub/menu.lst
chmod 0400 /etc/grub/menu.lst
echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >> /etc/sysctl.d/99-sysctl.conf
echo "net.ipv4.icmp_ignore_bogus_error_responses=1" >> /etc/sysctl.d/99-sysctl.conf
echo "net.ipv4.conf.all.rp_filter=0\nnet.ipv4.conf.default.rp_filter=0" >> /etc/sysctl.d/99-sysctl.conf
echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.d/99-sysctl.conf
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -s 127.0.0.0/8 -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables-save > /etc/iptables.rules
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp ! --tcp-flags ALL ACK,RST,SYN,FIN -m congestion --cngset 0x1/0x1 -j DROP
iptables -N port-scanning
iptables -A port-scanning -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s --limit-burst 2 -j RETURN
iptables -A port-scanning -j DROP
iptables -N syn_floodiptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROPiptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPTiptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
iptables -A INPUT -p icmp -j DROPiptables -A OUTPUT -p icmp -j ACCEPT
sed -i 's/^PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
sed -i 's/^PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
sed -i 's/^LogLevel INFO/LogLevel VERBOSE/g' /etc/ssh/sshd_config
sed -i 's/^MaxAuthTries 6/MaxAuthTries 3/g' /etc/ssh/sshd_config
sed -i 's/^LoginGraceTime 120/LoginGraceTime 30/g' /etc/ssh/sshd_config
chmod 600 /etc/ssh/ssh_host_*
chmod 600 /etc/ssh/ssh_*_key
systemctl disable apt-daily.service apt-daily-upgrade.service apt-daily-upgrade.timer apt-daily.timer
echo "Storage=none\nProcessSizeMax=0" >> /etc/systemd/coredump.conf
echo "net.ipv4.conf.all.accept_redirects=0\nnet.ipv4.conf.default.send_redirects = 0" >> /etc/sysctl.d/99-sysctl.conf
echo "net.ipv4.conf.all.accept_source_route=0\nnet.ipv4.conf.default.accept_source_route=0" >> /etc/sysctl.d/99-sysctl.conf
echo "fs.suid_dumpable = 0" >> /etc/sysctl.d/99-sysctl.conf