Vish/homelab-optimized
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
32385fc4dbfa911e9475e53aeca2200434c0281b
homelab-optimized/docs/security/SECURITY_HARDENING_SUMMARY.md
Gitea Mirror Bot 32385fc4db
Some checks failed
Documentation / Deploy to GitHub Pages (push) Has been cancelled
Details
Documentation / Build Docusaurus (push) Has been cancelled
Details
Sanitized mirror from private repository - 2026-03-19 08:47:21 UTC
2026-03-19 08:47:21 +00:00

4.6 KiB
Raw Blame History

Security Hardening Summary - seattle-vm

Overview

Comprehensive security hardening completed for seattle-vm (Contabo VPS) running multiple web services while preserving Tailscale and direct IP access.

Services Identified

  • Nginx: Reverse proxy for web services
  • Obsidian: Note-taking application (obs.vish.gg) - Public
  • Wallabag: Read-later service (wb.vish.gg) - Public
  • PufferPanel: Game server management (pp.vish.gg) - Restricted to Tailscale
  • MinIO: Object storage - Restricted to Tailscale
  • Revolt: Chat services - Restricted to Tailscale
  • Nextcloud: File sharing - Restricted to Tailscale

Security Measures Implemented

1. Firewall Configuration (UFW)

  • Status: Active and properly configured
  • Public Access: Only ports 22 (SSH), 80 (HTTP), 443 (HTTPS)
  • Tailscale Restricted: Sensitive services (PufferPanel, MinIO, Revolt) restricted to 100.64.0.0/10
  • SSH: Configured for key-based authentication only

2. Intrusion Prevention (fail2ban)

  • Status: Active with enhanced configuration
  • Jails: SSH, Nginx, PufferPanel monitoring
  • Custom Filter: Created PufferPanel authentication monitoring
  • Monitoring: 2587 failed login attempts detected in last 7 days

3. Web Server Hardening (Nginx)

  • Security Headers: Implemented comprehensive security headers
    • X-Frame-Options: SAMEORIGIN
    • X-Content-Type-Options: nosniff
    • X-XSS-Protection: 1; mode=block
    • Content Security Policy
    • Referrer Policy
    • Permissions Policy
  • Rate Limiting: 10 requests/second general, 1 request/second for login
  • Connection Limiting: 20 connections per IP
  • SSL/TLS: Strong cipher suites, TLS 1.2+ only
  • Server Tokens: Hidden nginx version information

4. Automatic Updates

  • unattended-upgrades: Configured for automatic security updates
  • apt-listchanges: Email notifications for package changes
  • Status: 0 security updates currently pending

5. System Monitoring

  • logwatch: Daily system monitoring reports
  • Custom Script: Weekly security maintenance checks
  • Cron Schedule: Sundays at 2:00 AM
  • Monitoring Includes:
    • Failed login attempts
    • fail2ban status
    • Security updates
    • SSL certificate expiration
    • Disk usage
    • Memory usage
    • Network connections
    • Container security status

6. Container Security

  • Docker Containers: 3 running (obsidian, wallabag, minio)
  • User Context: All running as root (acceptable for isolated containers)
  • Network Security: Access controlled via UFW rules
  • Status: Monitored via security maintenance script

Current Security Status

Strengths

  • Strong firewall configuration with service-specific restrictions
  • Active intrusion prevention with custom monitoring
  • Comprehensive web server security headers
  • Automatic security updates enabled
  • Regular security monitoring and reporting
  • SSL certificates valid until 2041
  • Low resource usage (6.4% memory, 24% disk)

⚠️ Areas of Note

  • High number of failed login attempts (2587 in 7 days) - being monitored
  • Docker containers running as root (mitigated by network isolation)
  • Some SSL certificates lack OCSP stapling (warnings only)

🔧 Maintenance

  • Automated: Security updates, daily logwatch reports, weekly security checks
  • Manual: SSL certificate renewal (not needed until 2041)
  • Monitoring: Security maintenance script logs to /var/log/security-maintenance.log

Access Preservation

  • Tailscale: All existing Tailscale access preserved
  • Direct IP: SSH and public web services accessible via direct IP
  • Service Restrictions: Sensitive services (PufferPanel, MinIO, Revolt) restricted to Tailscale network only

Next Steps

  1. Monitor security maintenance logs weekly
  2. Review fail2ban logs for persistent attackers
  3. Consider implementing additional container security measures if needed
  4. Regular review of UFW rules as services change

Files Modified

  • /etc/ufw/ - Firewall rules
  • /etc/fail2ban/jail.local - Enhanced fail2ban configuration
  • /etc/fail2ban/filter.d/pufferpanel.conf - Custom PufferPanel filter
  • /etc/nginx/nginx.conf - Rate limiting zones
  • /etc/nginx/snippets/security-headers.conf - Security headers
  • /etc/nginx/sites-enabled/obsidian - Added security headers
  • /etc/nginx/sites-enabled/wallabag - Added security headers
  • /root/scripts/security-maintenance.sh - Weekly security check script

Security Maintenance Schedule

  • Daily: logwatch reports
  • Weekly: Comprehensive security maintenance check (Sundays 2:00 AM)
  • Automatic: Security updates via unattended-upgrades
Reference in New Issue View Git Blame Copy Permalink