post-install hardening phase of the ages
As a System Administrator & shared hosting provider, I would like an optional 'hardening phase' added to the WHM installation finale, so as to launch the environment in a more secure fashion, particularly when considering default TCP settings for critical services.
#################################
This may be a resurrection of about three to nine posts here & abroad asking for the SSHD mod, but still, it likely requires mentioning.
**Delicious options! YES, just options.**
1) alter SSHD to a sane non-standard port, disable root logins, set up keys or users
2) alter Exim to non-standard port, suggest adding RBLs
3) enable DKIM/SPF, etc., server-wide
4) wipe all unnecessary local default accounts (userdel)
5) ask to add additional networking monitoring tools (tcptrack, tcpdump)
6) as per above, verify/execute all local iptables/firewalling mods, reverify
7) probably a few things to consider for mysqld & safe accessibility
8) set up tcp-wrapper controls for whm/sshd if you really, really want to
9) ask to set up basic controls/rulesets for mod_security & mod_evasive
10)
11)
################################
The goal is to not make it severely daunting or hugely frightening. For myself, or anyone.
I'm sure there are more filesystem-level things to do, but you're already handling everything I can think of, at least, before people start uploading things. All the things.
Any additional ideas would be super rad & helpful. This might be too heavy-handed.
But then again, it's 2018. :|
Thanks for your time!
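
An added example, not part of the original post and not cPanel/WHM code: a check a hardening phase could run for item 1, reading the global section of an `sshd_config` and reporting what is still at a weak setting. The function name `audit_sshd`, the pass/fail policy (no port 22, root login `no`, password logins off in favour of keys) and the sample config are assumptions; `Include` files and `ListenAddress host:port` entries are not examined.

```sh
#!/bin/sh
# audit_sshd FILE: print findings for the global section of an sshd_config.
# Exit status is the number of findings (0 means the assumed policy is met).
audit_sshd() {
    awk '
        function get(k, d) { return (k in seen) ? seen[k] : d }
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comments, blank lines
        { sub(/=/, " "); key = tolower($1); val = tolower($2) }
        key == "match" { exit }                       # conditional blocks are not global
        key == "port"  { ports[val] = 1; n++; next }  # Port may be given several times
        !(key in seen) { seen[key] = val }            # otherwise the first value wins
        END {
            if (n == 0) ports["22"] = 1               # OpenSSH default when Port is unset
            root = get("permitrootlogin", "unset")
            pw   = get("passwordauthentication", "yes")
            if ("22" in ports) { print "FAIL Port: still listening on 22"; bad++ }
            if (root != "no")  { print "FAIL PermitRootLogin: " root; bad++ }
            if (pw != "no")    { print "FAIL PasswordAuthentication: " pw; bad++ }
            if (!bad) print "OK"
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample config, for illustration only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Port 2222
port 22
PermitRootLogin no
permitrootlogin yes
Match User backup
    PasswordAuthentication no
EOF
audit_sshd "$sample" || echo "findings: $?"
rm -f "$sample"
```

The sample trips two findings: the second `Port` line keeps 22 open, and the `PasswordAuthentication no` inside the `Match` block does not apply globally. Where `sshd` is installed, `sshd -T` prints the effective configuration and is the authoritative source.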