I spin up new Linux instances often enough that I’ve been meaning to develop my own baseline template, and never do… Whether this winds up being an Ansible playbook or something else, I’m not sure, but I need it often enough that I really should just kick it off and iterate on it over time.
Or, you know, more likely I’ll hyperfocus and knock it out if I do it at all :D
Goals:
- Alter base sshd
  - custom port
  - disable root login completely
  - key-only access for users
    - SSH certs would be better…
  - Allow specific user(s) only
    - Maybe group-based?
- firewall
  - nftables? ufw?
- SELinux
- kernel hardening
- Full sudo logging
  - auditd?
  - Need to capture anything done via sudo su - not just sudo
- fail2ban
- aide?
- unattended upgrades?
- rootkit scanners
- OpenSCAP?
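The sshd items on that list are the ones a baseline can check mechanically, so here is an added example (my own code, not part of the original note or any tool it mentions) that audits an sshd_config against them: custom port, root login disabled, password and keyboard-interactive auth off, public keys on, and access restricted to one group. The port (2222) and group name (sshusers) are assumptions; swap in your own. It runs offline against three constructed sample configs, including one that shows the caveat that bites people hardening sshd: for each keyword sshd uses the first value it sees, so a later `PermitRootLogin no` does not override an earlier `yes` (and on distros whose stock file starts with `Include /etc/ssh/sshd_config.d/*.conf`, a drop-in wins over the main file).

```shell
#!/bin/sh
# Added example: audit an sshd_config file against the hardening goals above.
# Assumptions (not from the original note): SSH listens on 2222 and the only
# group allowed to log in is "sshusers".

# sshd_value FILE KEYWORD: print the effective value of KEYWORD in the global
# section of FILE. sshd keeps the FIRST occurrence of a keyword, so this stops
# at the first hit; it also stops at the first "Match" block, which only
# applies conditionally. Keywords are case-insensitive. (The "Keyword=value"
# spelling sshd also accepts is not handled here.)
sshd_value() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments, blank lines
        tolower($1) == "match" { exit }                 # end of global section
        tolower($1) == tolower(key) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, "")  # drop the keyword
            sub(/[[:space:]]+$/, "")
            print; exit
        }
    ' "$1"
}

# expect FILE KEYWORD WANT DEFAULT: compare the effective value (or sshd's
# compiled-in DEFAULT when the keyword is absent) with WANT. Details go to
# stderr; stdout gets 0 (ok) or 1 (fail) so callers can add it up.
expect() {
    got=$(sshd_value "$1" "$2")
    [ -n "$got" ] || got=$4
    if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$3" ]; then
        printf 'ok    %-30s %s\n' "$2" "$got" >&2; echo 0
    else
        printf 'FAIL  %-30s %s (want %s)\n' "$2" "$got" "$3" >&2; echo 1
    fi
}

# check_sshd_baseline FILE [PORT] [GROUP]: echo the number of failed checks.
check_sshd_baseline() {
    f=$1; port=${2:-2222}; group=${3:-sshusers}; fails=0
    fails=$((fails + $(expect "$f" Port "$port" 22)))
    fails=$((fails + $(expect "$f" PermitRootLogin no prohibit-password)))
    fails=$((fails + $(expect "$f" PasswordAuthentication no yes)))
    # Key-only access also needs this off; OpenSSH < 8.7 calls it
    # ChallengeResponseAuthentication.
    fails=$((fails + $(expect "$f" KbdInteractiveAuthentication no yes)))
    fails=$((fails + $(expect "$f" PubkeyAuthentication yes yes)))
    groups=$(sshd_value "$f" AllowGroups)
    case " $groups " in
        *" $group "*) printf 'ok    %-30s %s\n' AllowGroups "$groups" >&2 ;;
        *) printf 'FAIL  %-30s %s (want %s)\n' AllowGroups "${groups:-(unset)}" "$group" >&2
           fails=$((fails + 1)) ;;
    esac
    echo "$fails"
}

# Constructed sample configs (not taken from any real host).
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
WEAK_CONF=$TMP/weak.conf; HARDENED_CONF=$TMP/hardened.conf; DUP_CONF=$TMP/dup.conf
cat > "$WEAK_CONF" <<'EOF'
# stock-looking file: everything still commented out, so defaults apply
#Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
X11Forwarding yes
EOF
cat > "$HARDENED_CONF" <<'EOF'
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowGroups sshusers
Match Group sshusers
    X11Forwarding no
EOF
cat > "$DUP_CONF" <<'EOF'
# an earlier line (think: an Include'd drop-in) already set PermitRootLogin;
# sshd keeps the first value, so the "no" below is silently ignored
PermitRootLogin yes
Port 2222
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
AllowGroups sshusers
EOF

for c in "$WEAK_CONF" "$HARDENED_CONF" "$DUP_CONF"; do
    echo "== $c"
    echo "failures: $(check_sshd_baseline "$c" 2222 sshusers)"
done
```

On a live host, point `check_sshd_baseline` at `sshd -T` output (which prints the fully resolved configuration, drop-ins included, one lowercase keyword per line) rather than at the raw file, and the first-occurrence and Include pitfalls disappear because sshd has already resolved them for you.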