Sanitized mirror from private repository - 2026-04-19 08:15:48 UTC

docs/security/SERVER_HARDENING.md

@@ -0,0 +1,105 @@
+# Server Hardening Summary
+
+## 🛡️ Security Measures Implemented
+
+### SSH Security
+- **Primary SSH (Port 22)**: Key-based authentication only, password authentication disabled
+- **Backup SSH (Port 2222)**: Emergency access when Tailscale is down
+  - Restricted to authorized IP addresses
+  - Same security settings as primary SSH
+  - Currently authorized IP: YOUR_WAN_IP
+- **SSH Hardening**: Disabled root password login, reduced login grace time, limited auth tries
+
+### Firewall Configuration
+- **UFW Firewall**: Active with default deny incoming policy
+- **Rate Limiting**: SSH and HTTP connections rate-limited to prevent brute force
+- **Service-Specific Rules**:
+  - SSH: Ports 22 and 2222 (rate limited)
+  - HTTP/HTTPS: Ports 80 and 443 (rate limited)
+  - Gaming Services: Minecraft (25565), Garry's Mod (27015), PufferPanel (8080)
+  - Revolt Chat: Ports 3000, 5000, 9000
+- **Tailscale Integration**: Tailscale network (100.64.0.0/10) trusted
+
+### Intrusion Prevention
+- **Fail2ban**: Active with 6 jails protecting:
+  - SSH (both ports 22 and 2222)
+  - Nginx HTTP authentication
+  - Currently 34 IPs banned on SSH
+- **Ban Settings**: 1-hour bans after 3 failed attempts within 10 minutes
+
+### Web Server Security
+- **Nginx Hardening**:
+  - Modern TLS protocols only (TLS 1.2+)
+  - Secure cipher suites
+  - Security headers (HSTS, X-Frame-Options, etc.)
+  - Server tokens hidden
+
+### System Security
+- **Automatic Updates**: Security updates configured for automatic installation
+- **User Account Security**: Non-essential accounts secured
+- **System Monitoring**: 
+  - Security check script: `/root/scripts/security-check.sh`
+  - Logwatch installed for system monitoring
+  - Backup access manager: `/root/scripts/backup-access-manager.sh`
+
+## 🔧 Management Tools
+
+### Backup SSH Access Manager
+Location: `/root/scripts/backup-access-manager.sh`
+
+Commands:
+- `./backup-access-manager.sh status` - Show current status
+- `./backup-access-manager.sh add-ip <IP>` - Add IP to backup access
+- `./backup-access-manager.sh remove-ip <IP>` - Remove IP from backup access
+- `./backup-access-manager.sh connect-info` - Show connection instructions
+
+### Security Monitoring
+Location: `/root/scripts/security-check.sh`
+- Run manually or via cron for security status checks
+- Monitors fail2ban, firewall, SSH, and system updates
+
+## 🚨 Emergency Access Procedures
+
+### When Tailscale is Down
+1. Ensure your current IP is authorized for backup SSH access
+2. Connect using: `ssh -p 2222 root@YOUR_SERVER_IP`
+3. Use the backup access manager to add/remove authorized IPs as needed
+
+### Current Backup Access
+- **Port**: 2222
+- **Authorized IP**: YOUR_WAN_IP
+- **Authentication**: SSH keys only (no passwords)
+
+## 📊 Current Security Status
+
+### Active Protections
+- ✅ SSH hardened (key-based auth only)
+- ✅ Firewall active with rate limiting
+- ✅ Fail2ban protecting SSH and web services
+- ✅ Nginx with modern TLS configuration
+- ✅ Automatic security updates enabled
+- ✅ Backup SSH access configured
+- ✅ System monitoring in place
+
+### Services Protected
+- SSH (ports 22, 2222)
+- Nginx web server
+- Gaming services (Minecraft, Garry's Mod)
+- PufferPanel management interface
+- Revolt chat services
+
+## 🔄 Maintenance Recommendations
+
+1. **Regular Updates**: System will auto-update security patches
+2. **Monitor Logs**: Check `/var/log/auth.log` and fail2ban logs regularly
+3. **Review Access**: Periodically review authorized IPs for backup SSH
+4. **Backup Keys**: Ensure SSH keys are backed up securely
+5. **Test Access**: Periodically test backup SSH access method
+
+## 📞 Support Commands
+
+- Check firewall status: `ufw status verbose`
+- Check fail2ban status: `fail2ban-client status`
+- Check SSH configuration: `sshd -T`
+- View security logs: `tail -f /var/log/auth.log`
+- Run security check: `/root/scripts/security-check.sh`