put fail2ban on mysqld with 3 retries

Useless. By default, it is only open at 127.0.0.1. And if you change this behavior, then change it back.

for each site

1 server - 1 site. So much more convenient and safer.

prohibited the execution of scripts in folders where files are uploaded

Superfluous. Without a specially left hole, executable files will not get there.

I encrypt customer data, such as email and password.

It makes no sense. If there is access to the server, then they will be able to decrypt it.

Can I sleep peacefully now or am I missing something?

Firewall? It is not particularly needed, but just in case, they put it with just a couple of commands.
To make sure only whitelisted ports are open.
In addition, the main mistake now is a logical application-level error, when the rights to certain actions are not always checked.

You can turn off the server.

Use containers. Create a separate container with all the software for each site separately. In the root system, leave only the basic software and the firewall. Throw in only 80/443 ports. Well, sskh by key in the root. Even if one of the sites is hacked, it will be problematic to get into the neighboring container. In order not to configure each container with handles - use chef / ansible or whatever you like. And every new site is a new container with mysqld/php/nginx and everything else. Even if you accidentally install something that is not protected from the software, it is problematic to get access to it outside.
Create a separate container with nginx to which the firewall will redirect 80/443 ports. And it already proxies requests to the necessary containers. Store both SSL certificates and keys in it. So that they would not be stolen during a break-in.
And of course ossec or analogues + notifications from it. They'll tell you about the invasion at that very moment. put in each container.

server:
- denied login from under the root via SSH
never on thousands of servers, my root was not broken for 10 years
- changed the SSH
port, you can just scan your new port, it also makes no sense
- hung fail2ban on mysqld, ssh with the number of attempts 3
never they didn’t pick up my password for muscle or ssx on thousands of servers for 10 years, use long generated passwords and sleep peacefully, it won’t save you from a real threat if you blew the password
- for each site I created mysql user
oh my god, but what about happens to another? they even create shit panels like this
- they forbade going above /var/www via SSH, without sudo su
at all, why should anyone be allowed to go there
use authorization by keys and not by passwords for ssx

It is also necessary to prohibit all incoming traffic on ports except 22, 80, 443.

Is MD5 + salt reliable?

password_hash is long overdue

I've written here minimally about the protection of the site , who are interested - Welcome!

- weekly backup - IMHO too rare, at least daily
- after updates, do not forget to restart services that need to pick up new libs. You can see what needs to be restarted with needrestart -rl
- the web application can close the WAF. There is modsecurity, there is naxsi (only for nginx). But this requires a significant amount of time to set up and maintain
- you can install HIDS, such as ossec. After proper configuration, it catches suspicious activity, we must not forget to regularly review reports
- you can install NIDS: snort, suricata
- you can read PCI DSS and implement your favorite moments

added fail2ban to mysqld

You need to close external access to MySQL:
You need not only a separate MySQL user, but also a user at the OS level - this is even more important.

SSH login with key only. Not by password.
Isolate applications in separate containers. All applications. Usually 1 application 1 container. Well, in extreme cases - chroot to each site.
Open only the necessary ports on the firewall (usually 22, 80, 443 and all).
but if you have a fluid site engine, then everything is bad.
update regularly.
think again how to set the rights to the directories.
backups daily.

Let's put everything together:
1.ssh - prohibition of root, entry by key.
2.firewall - prohibit everything except what you need.
3.Containers for each application.
4.prohibit mysql look at the gun.
5.change the md5 hash to a more modern algorithm.

I looked at this post and remembered how I set up my monster before ng. I read a lot of unnecessary information on the topic of security. What I advise you to do and not to do.
As a result, he spat: a long password for
SSH + fail2ban
Virtualization on XEN, each service has its own virtual machine. 2 virtual machines with http/mysql. Between two mysql replication.
All virtual machines are backed up daily
Well, since I am far from system administration and a lazy shopper:
When you enter via ssh from outside >> sms to the phone
And a couple of scripts with speaking names and run through the telegram bot:
Sausage sausage - swap virtual machines http
mayday - completion of virtual machines, backup, transfer to disk and encrypt the entire disk with a random key. On my test, this is done in 15 seconds.
Ass - close all ports.
PS: Mysql is looking out, it needs it. Passwords are always long. But I myself use phpmyadmin, which weighs on the domain registered in hosts on my machine. No domain - no access. Very comfortably.
I also changed the fail2ban settings. So that the ban was not 15 minutes, but immediately a day. Few people break SSH, 2-3 bans a day. But on SIP ports, the ban list per day exceeds 300 rules.