It scratches the surface of the most obvious stuff. I’d only add running apps in isolation (docker or adduser) and maybe fail2ban.
It scratches the surface of the most obvious stuff. I’d only add running apps in isolation (docker or adduser) and maybe fail2ban.
This is definitely good advice - and an interesting point on removing ‘‘sudo’’
I would add a clarification: moving SSH to cert only prevents password guessing, but also - if possible - only allow specific IPs to access it. This could be down to the country level if roaming a lot. Also use >1 IP so that you don’t lock yourself out!
Yes! Geo ip filtering got rid of so much brute forcing for me.