Vish/homelab-optimized
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sanitized mirror from private repository - 2026-04-18 10:57:41 UTC
Some checks failed
Documentation / Build Docusaurus (push) Failing after 5m2s
Details
Documentation / Deploy to GitHub Pages (push) Has been skipped
Details

Browse Source
This commit is contained in:
Gitea Mirror Bot
2026-04-18 10:57:41 +00:00
commit 4c8d376e9b
1418 changed files with 359979 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

112
docs/security/SECURITY_HARDENING_SUMMARY.md Normal file
View File

@@ -0,0 +1,112 @@
# Security Hardening Summary - seattle-vm
## Overview
Comprehensive security hardening completed for seattle-vm (Contabo VPS) running multiple web services while preserving Tailscale and direct IP access.
## Services Identified
- **Nginx**: Reverse proxy for web services
- **Obsidian**: Note-taking application (obs.vish.gg) - Public
- **Wallabag**: Read-later service (wb.vish.gg) - Public
- **PufferPanel**: Game server management (pp.vish.gg) - Restricted to Tailscale
- **MinIO**: Object storage - Restricted to Tailscale
- **Revolt**: Chat services - Restricted to Tailscale
- **Nextcloud**: File sharing - Restricted to Tailscale
## Security Measures Implemented
### 1. Firewall Configuration (UFW)
- **Status**: Active and properly configured
- **Public Access**: Only ports 22 (SSH), 80 (HTTP), 443 (HTTPS)
- **Tailscale Restricted**: Sensitive services (PufferPanel, MinIO, Revolt) restricted to 100.64.0.0/10
- **SSH**: Configured for key-based authentication only
### 2. Intrusion Prevention (fail2ban)
- **Status**: Active with enhanced configuration
- **Jails**: SSH, Nginx, PufferPanel monitoring
- **Custom Filter**: Created PufferPanel authentication monitoring
- **Monitoring**: 2587 failed login attempts detected in last 7 days
### 3. Web Server Hardening (Nginx)
- **Security Headers**: Implemented comprehensive security headers
- X-Frame-Options: SAMEORIGIN
- X-Content-Type-Options: nosniff
- X-XSS-Protection: 1; mode=block
- Content Security Policy
- Referrer Policy
- Permissions Policy
- **Rate Limiting**: 10 requests/second general, 1 request/second for login
- **Connection Limiting**: 20 connections per IP
- **SSL/TLS**: Strong cipher suites, TLS 1.2+ only
- **Server Tokens**: Hidden nginx version information
### 4. Automatic Updates
- **unattended-upgrades**: Configured for automatic security updates
- **apt-listchanges**: Email notifications for package changes
- **Status**: 0 security updates currently pending
### 5. System Monitoring
- **logwatch**: Daily system monitoring reports
- **Custom Script**: Weekly security maintenance checks
- **Cron Schedule**: Sundays at 2:00 AM
- **Monitoring Includes**:
- Failed login attempts
- fail2ban status
- Security updates
- SSL certificate expiration
- Disk usage
- Memory usage
- Network connections
- Container security status
### 6. Container Security
- **Docker Containers**: 3 running (obsidian, wallabag, minio)
- **User Context**: All running as root (acceptable for isolated containers)
- **Network Security**: Access controlled via UFW rules
- **Status**: Monitored via security maintenance script
## Current Security Status
### ✅ Strengths
- Strong firewall configuration with service-specific restrictions
- Active intrusion prevention with custom monitoring
- Comprehensive web server security headers
- Automatic security updates enabled
- Regular security monitoring and reporting
- SSL certificates valid until 2041
- Low resource usage (6.4% memory, 24% disk)
### ⚠️ Areas of Note
- High number of failed login attempts (2587 in 7 days) - being monitored
- Docker containers running as root (mitigated by network isolation)
- Some SSL certificates lack OCSP stapling (warnings only)
### 🔧 Maintenance
- **Automated**: Security updates, daily logwatch reports, weekly security checks
- **Manual**: SSL certificate renewal (not needed until 2041)
- **Monitoring**: Security maintenance script logs to `/var/log/security-maintenance.log`
## Access Preservation
- **Tailscale**: All existing Tailscale access preserved
- **Direct IP**: SSH and public web services accessible via direct IP
- **Service Restrictions**: Sensitive services (PufferPanel, MinIO, Revolt) restricted to Tailscale network only
## Next Steps
1. Monitor security maintenance logs weekly
2. Review fail2ban logs for persistent attackers
3. Consider implementing additional container security measures if needed
4. Regular review of UFW rules as services change
## Files Modified
- `/etc/ufw/` - Firewall rules
- `/etc/fail2ban/jail.local` - Enhanced fail2ban configuration
- `/etc/fail2ban/filter.d/pufferpanel.conf` - Custom PufferPanel filter
- `/etc/nginx/nginx.conf` - Rate limiting zones
- `/etc/nginx/snippets/security-headers.conf` - Security headers
- `/etc/nginx/sites-enabled/obsidian` - Added security headers
- `/etc/nginx/sites-enabled/wallabag` - Added security headers
- `/root/scripts/security-maintenance.sh` - Weekly security check script
## Security Maintenance Schedule
- **Daily**: logwatch reports
- **Weekly**: Comprehensive security maintenance check (Sundays 2:00 AM)
- **Automatic**: Security updates via unattended-upgrades