[SECURITY] Pi hardening: firewall, fail2ban, SSH keys

## 🛡️ Raspberry Pi Security Hardening

**Parent:** #1

### Current State
- Password-based SSH authentication
- No firewall configured
- No brute-force protection
- Default user `enviropi` with known password

### Tasks
- [ ] Enable UFW firewall (allow SSH 22, deny all inbound)
- [ ] Install and configure fail2ban for SSH
- [ ] Generate SSH key pair and disable password auth
- [ ] Change default user password
- [ ] Disable root SSH login
- [ ] Set up automatic security updates (`unattended-upgrades`)
- [ ] Configure logwatch for daily security summaries
- [ ] Restrict GPIO/serial access to service user only

### UFW Rules
```bash
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow ssh
sudo ufw enable
```

### fail2ban Config
```ini
[sshd]
enabled = true
port = ssh
filter = sshd
maxretry = 5
bantime = 3600
```

---
*Ref: #1 Roadmap — Security & Infrastructure*

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[SECURITY] Pi hardening: firewall, fail2ban, SSH keys #3

🛡️ Raspberry Pi Security Hardening

Current State

Tasks

UFW Rules

fail2ban Config

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

[SECURITY] Pi hardening: firewall, fail2ban, SSH keys #3

Description

🛡️ Raspberry Pi Security Hardening

Current State

Tasks

UFW Rules

fail2ban Config

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions