I saved it as script.sh, gave it chmod u+x script.sh executable permissions and ran it as root ./script.sh, although I know that scripts should be run from sudo for security. But I know what I’m doing and why. Everything is described with comments in English. User was created during installation of the system, hence the change. I use sudo and user on a daily basis. Here it is a quick solution. These commands can be executed equally well using sudo.
#!/bin/bash
# Create a group admins
groupadd admins
# Add user user to group admins
usermod -a -G admins user
# Check which groups user has assigned
id user
# Remove user from group wheel
gpasswd -d user wheel
# Check which groups user has assigned
id user
# Create directory .ssh
mkdir -p /home/user/.ssh
# Create a file authorized_keys
touch /home/user/.ssh/authorized_keys
# Change permissions for .ssh directory
chmod 700 /home/user/.ssh
# Generate RSA key and put it into authorized_keys
echo "ssh-rsa A....." >> /home/user/.ssh/authorized_keys
# Change permissions for authorized_keys
chmod 600 /home/user/.ssh/authorized_keys
# Change the owner to user for the whole /home/user directory
chown -R user:user /home/user
# Create hosts.allow and hosts.deny . Skip these steps if you are using a dynamic IP assigned by your ISO from DHCP
touch /etc/hosts.{allow,deny}
# Deny the ssh access for all
echo "sshd: ALL" >> /etc/hosts.deny
# Allow ssh access only from the specific IP address Replace XXX.XXX.XXX.XX with your public, static IP address
echo "sshd: XXX.XXX.XXX.XX" >> /etc/hosts.allow
#Change default wheel group to admins
sed -i 's/%wheel/%admins/g' /etc/sudoers
# This enforces the use of key-based authentication instead of the use of passwords
# for logging in as root and reduces risks by preventing brute-force attacks.
sed -i 's/PermitRootLogin yes/PermitRootLogin prohibit-password/g' /etc/ssh/sshd_config
# Disable password authentication
sed -i 's/PasswordAuthentication yes/PasswordAuthentication no/g' /etc/ssh/sshd_config
# Disable empty passwords
sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/g' /etc/ssh/sshd_config
# Change default port 22 to higher for ssh 22222 is to obvious - it is an example
sed -i 's/#Port 22/Port 22222/g' /etc/ssh/sshd_config
# Enable SELinux rule for a defined port
semanage port -a -t ssh_port_t -p tcp 22222
# Add a firewalld rule to allow traffic on a defined port
firewall-cmd --add-port 22222/tcp
# remove ssh firewalld rule
firewall-cmd --permanent --remove-service=ssh
# remove cockpit firewalld rule
firewall-cmd --permanent --remove-service=cockpit
# set rules to be permanent
firewall-cmd --runtime-to-permanent
# reload firewalld rules - changes will take effect
firewall-cmd --reload
# list firewalld rules
firewall-cmd --list-all
# Restricting access to specific group
echo "AllowGroups admins" >> /etc/ssh/sshd_config
# restart ssh daemon
systemctl restart sshd
# Now we have a secured ssh on a very basic level that should be sufficient.
# set timezone to Warsaw. Use timedatectl list-timezones to check the proper zone.
timedatectl set-timezone Europe/Warsaw
# remove cockpit from the system. Pardon, but web-based server management is not secure. No matter how it will be written. Pure CLI rulez.
systemctl stop cockpit
systemctl disable cockpit
dnf remove cockpit -y
rm -f /etc/issue.d/cockpit.issue
rpm -e subscription-manager-cockpit
rpm -e cockpit-storaged
rpm -e cockpit-system
rpm -e cockpit-podman
rpm -e cockpit-packagekit
rpm -e cockpit-bridge
rpm -e cockpit-ws
rm -R -f /run/cockpit
rm -R -f /etc/cockpit
rm -R -f /usr/share/cockpit
rm -R -f /var/lib/selinux/targeted/active/modules/100/cockpit
rm -R -f /usr/share/selinux/targeted/default/active/modules/100/cockpit
## ****** Additionall steps if needed ******
# adding insights from Red Hat https://red.ht/insights-dashboard Of course only if needed
insights-client --register
# install epel release to be able to install additional tools
dnf -y install https://dl.fedoraproject.org/.../epel-release-latest-8...
# install additional tools
# https://www.tecmint.com/view-multiple-files-in-linux/
dnf install multitail -y
# https://linuxize.com/post/how-to-use-linux-screen/
dnf install screen -y
# https://www.linux-magazine.com/.../2017/196/Tutorials-lnav
dnf install lnav -y
# Disable splash screen during boot. Splash screen is not very informative to be honest. I prefer to see what is going on during the boot.
sed -i 's/rhgb quiet//g' /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg