Firewall & Attack Surface Reduction

Firewall

• Default deny incoming — only SSH, HTTP, and HTTPS traffic is allowed
• Intrusion prevention integrated with firewall for immediate banned-IP drops
• Previously unnecessary open ports now blocked

Attack Surface Reduction

• Removed unused container runtime and related packages
• All internal services bind to localhost only — nginx handles all external traffic