Security Baseline “13+2”

1. SFTP locked to user chroot
2. Fail2Ban basic jail(s)
3. UFW deny‑by‑default; allow SSH mgt only
4. TLS hardening (OQS/OpenSSL config)
5. Docs — capture configs and evidence

+2. Key/cert rotation playbook; Backups with test restore