diff --git a/cloud-init/swarm-manager.yml b/cloud-init/swarm-manager.yml
index b27d58d..22dbc2e 100644
--- a/cloud-init/swarm-manager.yml
+++ b/cloud-init/swarm-manager.yml
@@ -12,6 +12,7 @@ packages:
   - curl
   - gnupg
   - lsb-release
+  - fail2ban
 
 write_files:
   - path: /etc/iptables/rules.v4
@@ -47,7 +48,24 @@ write_files:
       -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp6-port-unreachable
       COMMIT
 
+
 runcmd:
+  - 'iptables-restore < /etc/iptables/rules.v4'
+  - 'ip6tables-restore < /etc/iptables/rules.v6'
+
+  - [systemctl, enable, --now, fail2ban]
+
+  - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/ssh/etc/ssh/sshd_config, --output, /etc/ssh/sshd_config.d/99-hardening.conf]
+  - [systemctl, restart, ssh]
+
+  - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-network-filesystems.conf, --output, /etc/modprobe.d/disable-network-filesystems.conf]
+  - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-filesystems.conf, --output, /etc/modprobe.d/disable-rare-filesystems.conf]
+  - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-rare-protocols.conf, --output, /etc/modprobe.d/disable-rare-protocols.conf]
+  - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/modprobe/etc/modprobe.d/disable-vivid.conf, --output, /etc/modprobe.d/disable-vivid.conf]
+
+  - [curl, https://gitea.it/Unitoo/dot-files/raw/branch/master/sysctl/etc/sysctl.conf, --output, /etc/sysctl.d/99-hardening.conf]
+  - [sysctl, -p]
+
   - [mkdir, -p, /usr/local/apt-keys]
   - [gpg, --fetch-keys, https://neilalexander.s3.dualstack.eu-west-2.amazonaws.com/deb/key.txt]
   - 'gpg --export 569130E8CA20FBC4CB3FDE555898470A764B32C9 | tee /usr/local/apt-keys/yggdrasil-keyring.gpg > /dev/null'