A practical setup for SSH + web apps, modern nftables/systemd defaults, and a debugging checklist to prove bans actually work.