homelab-optimized/docs/security/SERVER_HARDENING.md
Gitea Mirror Bot a9d56ad772
Sanitized mirror from private repository - 2026-03-11 10:39:42 UTC
2026-03-11 10:39:42 +00:00

Server Hardening Summary

🛡️ Security Measures Implemented

SSH Security

  • Primary SSH (Port 22): Key-based authentication only, password authentication disabled
  • Backup SSH (Port 2222): Emergency access when Tailscale is down
    • Restricted to authorized IP addresses
    • Same security settings as primary SSH
    • Currently authorized IP: YOUR_WAN_IP
  • SSH Hardening: Disabled root password login, reduced login grace time, limited auth tries

Firewall Configuration

  • UFW Firewall: Active with default deny incoming policy
  • Rate Limiting: SSH and HTTP connections rate-limited to prevent brute force
  • Service-Specific Rules:
    • SSH: Ports 22 and 2222 (rate limited)
    • HTTP/HTTPS: Ports 80 and 443 (rate limited)
    • Gaming Services: Minecraft (25565), Garry's Mod (27015), PufferPanel (8080)
    • Revolt Chat: Ports 3000, 5000, 9000
  • Tailscale Integration: Tailscale network (100.64.0.0/10) trusted

Intrusion Prevention

  • Fail2ban: Active with 6 jails protecting:
    • SSH (both ports 22 and 2222)
    • Nginx HTTP authentication
  • Current Bans: 34 IPs banned on SSH
  • Ban Settings: 1-hour bans after 3 failed attempts within 10 minutes

Web Server Security

  • Nginx Hardening:
    • Modern TLS protocols only (TLS 1.2+)
    • Secure cipher suites
    • Security headers (HSTS, X-Frame-Options, etc.)
    • Server tokens hidden

System Security

  • Automatic Updates: Security updates configured for automatic installation
  • User Account Security: Non-essential accounts secured
  • System Monitoring:
    • Security check script: /root/scripts/security-check.sh
    • Logwatch installed for system monitoring
    • Backup access manager: /root/scripts/backup-access-manager.sh

🔧 Management Tools

Backup SSH Access Manager

Location: /root/scripts/backup-access-manager.sh

Commands:

  • ./backup-access-manager.sh status - Show current status
  • ./backup-access-manager.sh add-ip <IP> - Add IP to backup access
  • ./backup-access-manager.sh remove-ip <IP> - Remove IP from backup access
  • ./backup-access-manager.sh connect-info - Show connection instructions

Security Monitoring

Location: /root/scripts/security-check.sh

  • Run manually or via cron for security status checks
  • Monitors fail2ban, firewall, SSH, and system updates
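The SSH part of such a status check, as an added example that is not the repository's own security-check.sh: it audits the effective sshd settings listed in this document (key-only auth, root password login disabled, reduced grace time, limited auth tries, both listeners) from the output of sshd -T. The sample sshd -T output is constructed for offline use; it assumes both ports are served by the same sshd instance.

```shell
#!/bin/sh
# Constructed sample of `sshd -T` output (not from a real server).
# On the server, pipe the real thing instead:  sshd -T | audit_sshd_settings
SAMPLE_SSHD_T='port 22
port 2222
passwordauthentication no
permitrootlogin prohibit-password
pubkeyauthentication yes
logingracetime 30
maxauthtries 3'

# Reads `sshd -T` output on stdin, prints one FAIL line per deviation
# and returns the number of deviations (0 = compliant with this document).
audit_sshd_settings() {
    input=$(cat)
    fails=0
    get() { printf '%s\n' "$input" | awk -v k="$1" '$1 == k { print $2 }'; }
    require() {      # require <key> <expected-value>
        actual=$(get "$1")
        [ "$actual" = "$2" ] || { echo "FAIL: $1 is '${actual:-unset}', expected '$2'"; fails=$((fails + 1)); }
    }
    require_max() {  # require_max <key> <maximum>
        actual=$(get "$1")
        { [ -n "$actual" ] && [ "$actual" -le "$2" ]; } 2>/dev/null \
            || { echo "FAIL: $1 is '${actual:-unset}', expected <= $2"; fails=$((fails + 1)); }
    }
    require passwordauthentication no       # key-based auth only
    require pubkeyauthentication yes
    require_max maxauthtries 3              # limited auth tries
    require_max logingracetime 30           # reduced login grace time (seconds)
    case "$(get permitrootlogin)" in        # root may not log in with a password
        no|prohibit-password|without-password) ;;
        *) echo "FAIL: permitrootlogin permits root password login"; fails=$((fails + 1)) ;;
    esac
    for p in 22 2222; do                    # primary and backup listeners
        printf '%s\n' "$input" | grep -qx "port $p" \
            || { echo "FAIL: port $p is not configured"; fails=$((fails + 1)); }
    done
    return "$fails"
}
```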

🚨 Emergency Access Procedures

When Tailscale is Down

  1. Ensure your current IP is authorized for backup SSH access
  2. Connect using: ssh -p 2222 root@YOUR_SERVER_IP
  3. Use the backup access manager to add/remove authorized IPs as needed

Current Backup Access

  • Port: 2222
  • Authorized IP: YOUR_WAN_IP
  • Authentication: SSH keys only (no passwords)

📊 Current Security Status

Active Protections

  • SSH hardened (key-based auth only)
  • Firewall active with rate limiting
  • Fail2ban protecting SSH and web services
  • Nginx with modern TLS configuration
  • Automatic security updates enabled
  • Backup SSH access configured
  • System monitoring in place

Services Protected

  • SSH (ports 22, 2222)
  • Nginx web server
  • Gaming services (Minecraft, Garry's Mod)
  • PufferPanel management interface
  • Revolt chat services

🔄 Maintenance Recommendations

  1. Regular Updates: System will auto-update security patches
  2. Monitor Logs: Check /var/log/auth.log and fail2ban logs regularly
  3. Review Access: Periodically review authorized IPs for backup SSH
  4. Backup Keys: Ensure SSH keys are backed up securely
  5. Test Access: Periodically test backup SSH access method

📞 Support Commands

  • Check firewall status: ufw status verbose
  • Check fail2ban status: fail2ban-client status
  • Check SSH configuration: sshd -T
  • View security logs: tail -f /var/log/auth.log
  • Run security check: /root/scripts/security-check.sh