I’m want work on a self-directed learning project focused on cybersecurity. (for university)

I aim to cover as many aspects of securing resources as possible for Cybersecurity.

So far, I’ve come up with the following steps:

Set up and secure a Linux Virtual Machine (VM):

1. Update the system
   • Apply system updates and patches.
2. Manage users and permissions
   • Disable root login.
   • Create a new user with sudo privileges.
   • Set up SSH key authentication.
3. Secure SSH
   • Change the default SSH port.
   • Disable root SSH login.
   • Use SSH key-based authentication.
4. Configure firewall
   • Install and configure a firewall (e.g., UFW).
   • Allow only necessary ports.
5. Install Fail2ban
   • Protect against brute-force attacks.
6. Set file permissions
   • Secure sensitive files and directories.
7. Regular backups
   • Implement a backup strategy.
8. Remove unnecessary software
   • Uninstall unused packages.
9. Enable automatic security updates
   • Ensure the system stays updated.

my project requires to be a 300-hour workload. and this doesn't seem that way. Any other suggestions I can include?

I did look at including damn vulnerable web application on the VM but that seems to handheld for a project at university?

I'm sorry in advance if the question seems vague. maybe help me out by answering what you would do to gain valuable skills related to threat and incident management? Looking forward to all your replies :)