mdmglr | 2 years ago
This script doesn't harden sshd to the level I'd call safe. Disabling root login is the minimum. I'd have a port change, timeouts, fail2ban, and OTP via PAM all configured. Only allow specific IP ranges and users to SSH. I'd use Ansible to properly configure it instead of this script.
In the case of httpd, I'd run it in Docker or a chroot. Again fail2ban, OTP; I'd probably put it on a different port, have it proxied via Cloudflare, and have httpd only allow Cloudflare IPs.
All this that are difficult to learn.
Source: I run my family's infrastructure, which spans multiple servers, routers, switches across 7 houses in 3 countries. I also change my own oil.
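An added audit script (not from the comment author or the script under discussion) that checks an sshd_config against the items listed above: root login disabled, non-default port, idle timeout, password auth off, and access limited to named users from specific address ranges. The config text is constructed for the example; directives inside a Match block are deliberately not counted as global settings.

```python
"""Audit an sshd_config against a small hardening checklist."""

# Constructed sample config (not from a real host): only partly hardened.
SAMPLE_CONFIG = """
# /etc/ssh/sshd_config (constructed example)
Port 22
PermitRootLogin prohibit-password
PasswordAuthentication yes
ClientAliveInterval 0
AllowUsers alice@192.0.2.0/24 bob@198.51.100.7
Match Address 192.0.2.0/24
    PasswordAuthentication no
"""


def parse_sshd_config(text):
    """Return global directives as {lowercase key: [values]} and the list of
    Match criteria. Anything after a Match line belongs to that block, so it
    must not be mistaken for a global setting."""
    globals_, matches, in_match = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            matches.append(value)
            in_match = True
            continue
        if not in_match:
            globals_.setdefault(key, []).append(value)
    return globals_, matches


def audit(text):
    """Map each checklist item to True (passes) or False (still weak)."""
    g, _matches = parse_sshd_config(text)
    first = lambda k, default: g.get(k, [default])[0]
    users = first("allowusers", "").split()
    return {
        "root_login_disabled": first("permitrootlogin", "yes").lower() == "no",
        "non_default_port": first("port", "22") != "22",
        "idle_timeout_set": int(first("clientaliveinterval", "0")) > 0,
        "password_auth_disabled": first("passwordauthentication", "yes").lower() == "no",
        "users_restricted": bool(users) or "allowgroups" in g,
        # AllowUsers user@host entries limit each user to a source address/CIDR
        "source_restricted": bool(users) and all("@" in u for u in users),
    }


if __name__ == "__main__":
    for check, ok in audit(SAMPLE_CONFIG).items():
        print(f"{'PASS' if ok else 'FAIL'}  {check}")
```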
bombcar | 2 years ago