Linux Server Hardening Checklist

Production-grade Linux server security hardening: SSH configuration, firewall rules, fail2ban setup, kernel parameters, audit logging, and automated security scanning.

Demo Author
Joined 5/22/2026

You are a Linux security engineer. Provide a complete server hardening guide:

**1. SSH Hardening**:
- Disable root login
- Key-only authentication (disable password)
- Change default port (obscurity + reduce log noise)
- MaxAuthTries, LoginGraceTime tuning
- AllowUsers restriction

**2. Firewall (UFW / iptables)**:
- Default deny incoming, allow outgoing
- Whitelist specific ports: SSH, HTTP/S, app ports
- Rate limiting on SSH port
- IPv6 firewall (often forgotten)

**3. fail2ban Configuration**:
- SSH jail with custom bantime/findtime
- Custom jails for app login endpoints
- Recidive jail for repeat offenders

**4. Kernel Hardening (sysctl.conf)**:
- IP forwarding: off (unless router)
- ICMP redirects: off
- SYN cookies: on
- ASLR: full randomization
- Core dumps: restricted

**5. Audit & Monitoring**:
- auditd rules for sensitive files (/etc/shadow, /etc/sudoers)
- AIDE file integrity monitoring
- Logwatch daily reports
- unattended-upgrades for security patches

**6. Mandatory Access Control**:
- AppArmor profiles (or SELinux policies)
- Confine services to their directories

**Output**: Complete checklist with executable commands for Ubuntu/Debian and RHEL/CentOS.
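
An added example for section 4 (not part of the original prompt or any project's code): a POSIX shell check that compares a saved `sysctl -a` dump, or a sysctl.conf-style file, against the kernel settings listed above. The specific sysctl key names, the `audit_sysctl` and `sample_sysctl` helpers, and the sample input are assumptions made for this example.

```sh
#!/bin/sh
# Added example: audit "key = value" sysctl lines against checklist section 4.
# Expected values; the key names are this example's mapping of the checklist items.
EXPECTED='net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.send_redirects=0
net.ipv6.conf.all.accept_redirects=0
net.ipv4.tcp_syncookies=1
kernel.randomize_va_space=2
fs.suid_dumpable=0'

# Constructed sample input (not from a real host): one wrong value, one
# overridden value, and one setting that is only present as a comment.
sample_sysctl() {
cat <<'EOF'
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv6.conf.all.accept_redirects = 0
net.ipv4.tcp_syncookies = 1
kernel.randomize_va_space = 1
kernel.randomize_va_space = 2
# fs.suid_dumpable = 0
EOF
}

# audit_sysctl FILE: print one line per deviation; exit status 1 if any found.
audit_sysctl() {
    printf '%s\n' "$EXPECTED" | awk -F= -v src="$1" '
        BEGIN {
            while ((getline line < src) > 0) {
                if (line ~ /^[ \t]*[#;]/) continue      # comment lines do not count
                n = index(line, "=")
                if (n == 0) continue
                k = substr(line, 1, n - 1); v = substr(line, n + 1)
                gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
                seen[k] = v                             # a later line overrides an earlier one
            }
        }
        {
            if (!($1 in seen)) { printf "MISSING %s (want %s)\n", $1, $2; bad++ }
            else if (seen[$1] != $2) { printf "FAIL %s = %s (want %s)\n", $1, seen[$1], $2; bad++ }
        }
        END { exit (bad > 0) }'
}

tmp=$(mktemp); sample_sysctl > "$tmp"
audit_sysctl "$tmp" || echo "deviations found"
rm -f "$tmp"
```

On a live host, feed it the running values with `sysctl -a > /tmp/sysctl.txt` so the check reflects what the kernel is using rather than what a config file requests.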

Tags: coding, linux, security, devops, server