This is a brain dump of my task list when bringing up a new server. (For my purposes, a linode running some version of Ubuntu.)

1. Create a user account.
   1. Add user to wheel.
   2. Set up sudo for wheel.
   3. Set up ssh authorized-ids.
   4. Change shell to zsh.
   5. Copy dot-files.
2. SSH config file tweaks.
   1. Disable SSH root logins.
   2. Disable SSH password logins (key only).
   3. Disable access for non-ssh-group users.
   4. Disable DNS lookups (UseDNS no).
   5. Other?
3. Move sshd listening port to nonstandard high port. Test that logins still work! (I'm not convinced this buys much -- see firewall & fail2ban at number 8 below.)
4. Change root password.
5. Set the hostname.
6. Set up DNS entry(-ies) (forward & reverse).
7. Download OS updates. (Configure repos / mirrors as needed first.)
8. Activate firewall (ufw).
   • Add rule for SSH.
   • Install fail2ban and configure to work with ufw.
9. Set the time zone (dpkg-reconfigure tzdata).
10. Set up an offsite backup. (rsnapshot or other)
11. Set locale.
12. Reboot -- make sure ssh logins work after rebooting, etc. (Easier to fix problems now than when you need to log in at some later time.)
13. Install packages for whatever purpose the machine is going to be used. (Apache, git, etc.)
14. Portscan the server (externally is preferred) to make sure there are no leaks.

I'll come back to this list occasionally to revise it. Please leave a comment if you think something important is missing...