https://pimylifeup.com/raspberry-pi-security/

**Firewall**
sudo apt install ufw

Now block brute forcing of SSH and VNC:
sudo ufw limit 22/tcp
sudo ufw limit 5900/tcp

Open http and https ports for nginx, apache, filebrowser, etc:
sudo ufw allow 80
sudo ufw allow 443
sudo ufw allow 8080

sudo ufw enable

sudo ufw status verbose (check status)
sudo ufw app list (shows list of allowed apps)

**Auto Updates**
sudo apt update && sudo apt upgrade -y
sudo apt install unattended-upgrades
sudo systemctl enable --now unattended-upgrades

To configure auto updates:
->Blacklisting packages
Add them under "Unattended-Upgrade::Package-Blacklist"

->Notifications to mail
sudo apt install mailutils
Add mail in "Unattended-Upgrade::Mail "user@domain.com"

->Setting time for auto reboot
Unattended-Upgrade::Automatic-Reboot "true";
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
Unattended-Upgrade::Automatic-Reboot-Time "16:00";

For more info: https://www.starline.de/en/magazine/technical-articles/enabling-automatic-security-updates-on-linux
**

**2FA for ssh**
https://pimylifeup.com/setup-2fa-ssh/
sudo apt install libpam-google-authenticator
google-authenticator

Answer all the questions as required. Select "no" only for Time compensation question.

sudo nano/etc/pam.d/sshd
auth required pam_google_authenticator.so		(add to bottom)
sudo nano /etc/ssh/sshd_config

Change "ChallengeResponseAuthentication" to yes
sudo systemctl restart sshd

For ssh keys:
sudo nano /etc/pam.d/sshd
Comment out "@include common-auth"
sudo nano/etc/ssh/sshd_config
AuthenticationMethods publickey,keyboard-interactive	(add to bottom)
sudo systemctl restart sshd