
I've set up a different port than the default to access a remote server via SSH and also disabled password login (pubkey enabled); in /etc/hosts.deny I enabled ALL: PARANOID. Anything more to increase security, or is this enough?

@y0x3y
Seems like it, although I edited everything I need in sshd for additional options such as number of attempts, timeout etc. Fail2ban might be useful for the Apache server, thanks for the suggestion.

@michel_slm
This seems good, but difficult to set up at first glance. I will try it when I have more time; for now pubkey auth will do the trick.
@y0x3y

@michel_slm
Quite good hardening would be the /etc/hosts.allow file set only to the specific IP addresses that I use. I have one question though: is it possible for me to access my remote Apache server with SSH tunneling? Or can any attacker access my Apache server over HTTP if he knows my IP address, since the router points to my Raspberry server?
@y0x3y

@nikolal 1) Wazuh HIDS, 2) block traffic from Greensnow IP blacklist; some would also say VPN but if it's just one host I see no point

@nikolal @m10q I have a nice set-up where SSH is only available on the WireGuard interface, via an authenticated Tor hidden service, or using port knocking.

I usually use the WireGuard one; the other two are failsafes.
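The set-up described in this thread (SSH bound to the WireGuard interface only, keys instead of passwords, a tightened attempt limit and timeout, TCP-wrappers allow/deny lists, and an SSH tunnel to reach Apache bound to loopback) can be written down as one sshd_config fragment. The script below is an added example by the editor, not a configuration posted by anyone in the thread: it writes a hardened sshd_config and matching hosts.allow/hosts.deny into a scratch directory, writes a deliberately weak config beside it for comparison, and runs a small audit over both. The WireGuard address 10.0.0.1, the peer address 10.0.0.2, port 2222 and the user name `admin` are assumptions for illustration.

```shell
#!/bin/sh
# Added example (editor's, not from the thread). Writes a hardened sshd_config plus
# TCP-wrappers files, then audits them against the weak settings people usually ship.
set -eu

WG_ADDR="${WG_ADDR:-10.0.0.1}"    # assumed: the server's address on the WireGuard interface
ADMIN_IP="${ADMIN_IP:-10.0.0.2}"  # assumed: the WireGuard peer you administer from
SSH_PORT="${SSH_PORT:-2222}"      # assumed: the non-default port from the first post

write_sshd_config() {  # $1 = output path
    cat > "$1" <<EOF
# Listen only on the WireGuard address: nothing on the public interface answers on any port.
ListenAddress $WG_ADDR:$SSH_PORT
Port $SSH_PORT
# Keys only: no passwords and no keyboard-interactive fallback.
PasswordAuthentication no
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
PermitEmptyPasswords no
# Cap attempts per connection and how long an unauthenticated connection may linger.
MaxAuthTries 3
LoginGraceTime 20
MaxStartups 3:50:10
# Keep local forwarding so "ssh -L 8080:127.0.0.1:80" reaches Apache bound to loopback only.
AllowTcpForwarding local
X11Forwarding no
AllowUsers admin
EOF
}

write_tcp_wrappers() {  # $1 = directory receiving hosts.allow and hosts.deny
    printf 'sshd: %s\n' "$ADMIN_IP" > "$1/hosts.allow"
    # PARANOID = reject clients whose reverse and forward DNS disagree; then deny sshd to everyone else.
    printf 'ALL: PARANOID\nsshd: ALL\n' > "$1/hosts.deny"
}

write_weak_config() {  # $1 = output path; the "before" picture for the audit
    cat > "$1" <<'EOF'
# Reachable on every interface, passwords accepted, root allowed, six guesses per connection.
Port 22
PasswordAuthentication yes
PermitRootLogin yes
MaxAuthTries 6
EOF
}

# Effective value of a keyword. sshd takes the FIRST occurrence, so we stop at the first match.
sshd_opt() {  # $1 = config file, $2 = keyword (case-insensitive)
    awk -v k="$2" 'NF == 0 || $1 ~ /^#/ { next }
                   tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# Prints one line per finding; exit status is the number of findings (0 = clean).
audit_sshd_config() {  # $1 = config file
    n=0
    [ "$(sshd_opt "$1" PasswordAuthentication)" = "no" ] || { echo "FAIL: PasswordAuthentication must be no"; n=$((n+1)); }
    [ "$(sshd_opt "$1" PermitRootLogin)" = "no" ] || { echo "FAIL: PermitRootLogin must be no"; n=$((n+1)); }
    case "$(sshd_opt "$1" ListenAddress)" in
        ""|0.0.0.0*|"[::]"*|"::"*) echo "FAIL: sshd listens on all interfaces; bind ListenAddress to the WireGuard address"; n=$((n+1)) ;;
    esac
    tries="$(sshd_opt "$1" MaxAuthTries)"
    [ -n "$tries" ] && [ "$tries" -le 3 ] || { echo "FAIL: MaxAuthTries should be 3 or fewer"; n=$((n+1)); }
    return "$n"
}

main() {
    dir="$(mktemp -d)"
    write_sshd_config "$dir/sshd_config"
    write_tcp_wrappers "$dir"
    write_weak_config "$dir/weak_sshd_config"
    echo "== hardened =="; audit_sshd_config "$dir/sshd_config" && echo "OK: no findings"
    echo "== weak ==";     audit_sshd_config "$dir/weak_sshd_config" || echo "findings: $?"
    # On the real host: validate with "sshd -t -f /etc/ssh/sshd_config" before reloading, and reach
    # Apache (bound to 127.0.0.1:80) with: ssh -p $SSH_PORT -L 8080:127.0.0.1:80 admin@$WG_ADDR
    rm -rf "$dir"
}
main "$@"
```

Two caveats a practitioner should check before relying on this. First, binding sshd to the WireGuard address means a WireGuard outage also locks you out, which is why the post above keeps two fallbacks. Second, /etc/hosts.allow and /etc/hosts.deny only take effect if sshd is linked against libwrap; portable OpenSSH dropped TCP-wrappers support in 6.7 and several distributions ship it that way, so run `ldd "$(command -v sshd)" | grep libwrap` and, if nothing prints, use `Match Address` blocks in sshd_config or a firewall rule instead.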

@rysiek
That seems advanced for me, although I'm using WireGuard with a VPN provider. Very cool stuff.
@m10q

@rysiek @nikolal @m10q I ended up exposing SSH on the Yggdrasil network interface only; Tor is anonymous, which is not what I need for SSH logins, while Yggdrasil is distributed and encrypted but not anonymous.

@kravietz @nikolal @m10q Tor is anonymous unless we're talking about Authenticated Tor Hidden Services. Which is what I was talking about. ;)

@rysiek @nikolal @m10q Turns out Tor HidServAuth is basically a connection from an anonymous client authenticated by a static "security cookie".

@kravietz @nikolal @m10q correct, but the "security cookie" is basically a pre-shared key. I.e. only the Tor client explicitly configured to have that particular "cookie" (it's Tor-client-level, not browser-level) will have it.

Mastodon 🔐 privacytools.io