homelab-optimized/docs/security/SERVER_HARDENING.md
Gitea Mirror Bot 4622707153
Sanitized mirror from private repository - 2026-04-05 11:58:57 UTC
# Server Hardening Summary
## 🛡️ Security Measures Implemented
### SSH Security
- **Primary SSH (Port 22)**: Key-based authentication only, password authentication disabled
- **Backup SSH (Port 2222)**: Emergency access when Tailscale is down
  - Restricted to authorized IP addresses
  - Same security settings as primary SSH
  - Currently authorized IP: YOUR_WAN_IP
- **SSH Hardening**: Disabled root password login, reduced login grace time, limited auth tries
### Firewall Configuration
- **UFW Firewall**: Active with default deny incoming policy
- **Rate Limiting**: SSH and HTTP connections rate-limited to slow brute-force attempts
- **Service-Specific Rules**:
  - SSH: Ports 22 and 2222 (rate limited)
  - HTTP/HTTPS: Ports 80 and 443 (rate limited)
  - Gaming Services: Minecraft (25565), Garry's Mod (27015), PufferPanel (8080)
  - Revolt Chat: Ports 3000, 5000, 9000
- **Tailscale Integration**: Tailscale network (100.64.0.0/10) trusted
### Intrusion Prevention
- **Fail2ban**: Active with 6 jails protecting:
  - SSH (both ports 22 and 2222)
  - Nginx HTTP authentication
  - Currently 34 IPs banned on SSH
- **Ban Settings**: 1-hour bans after 3 failed attempts within 10 minutes
### Web Server Security
- **Nginx Hardening**:
  - Modern TLS protocols only (TLS 1.2+)
  - Secure cipher suites
  - Security headers (HSTS, X-Frame-Options, etc.)
  - Server tokens hidden
### System Security
- **Automatic Updates**: Security updates configured for automatic installation
- **User Account Security**: Non-essential accounts secured
- **System Monitoring**:
  - Security check script: `/root/scripts/security-check.sh`
  - Logwatch installed for system monitoring
  - Backup access manager: `/root/scripts/backup-access-manager.sh`
## 🔧 Management Tools
### Backup SSH Access Manager
Location: `/root/scripts/backup-access-manager.sh`
Commands:
- `./backup-access-manager.sh status` - Show current status
- `./backup-access-manager.sh add-ip <IP>` - Add IP to backup access
- `./backup-access-manager.sh remove-ip <IP>` - Remove IP from backup access
- `./backup-access-manager.sh connect-info` - Show connection instructions
### Security Monitoring
Location: `/root/scripts/security-check.sh`
- Run manually or via cron for security status checks
- Monitors fail2ban, firewall, SSH, and system updates
## 🚨 Emergency Access Procedures
### When Tailscale is Down
1. Ensure your current IP is authorized for backup SSH access
2. Connect using: `ssh -p 2222 root@YOUR_SERVER_IP`
3. Use the backup access manager to add/remove authorized IPs as needed
### Current Backup Access
- **Port**: 2222
- **Authorized IP**: YOUR_WAN_IP
- **Authentication**: SSH keys only (no passwords)
## 📊 Current Security Status
### Active Protections
- ✅ SSH hardened (key-based auth only)
- ✅ Firewall active with rate limiting
- ✅ Fail2ban protecting SSH and web services
- ✅ Nginx with modern TLS configuration
- ✅ Automatic security updates enabled
- ✅ Backup SSH access configured
- ✅ System monitoring in place
### Services Protected
- SSH (ports 22, 2222)
- Nginx web server
- Gaming services (Minecraft, Garry's Mod)
- PufferPanel management interface
- Revolt chat services
## 🔄 Maintenance Recommendations
1. **Regular Updates**: The system installs security patches automatically
2. **Monitor Logs**: Check `/var/log/auth.log` and fail2ban logs regularly
3. **Review Access**: Periodically review authorized IPs for backup SSH
4. **Backup Keys**: Ensure SSH keys are backed up securely
5. **Test Access**: Periodically test backup SSH access method
## 📞 Support Commands
- Check firewall status: `ufw status verbose`
- Check fail2ban status: `fail2ban-client status`
- Check SSH configuration: `sshd -T`
- View security logs: `tail -f /var/log/auth.log`
- Run security check: `/root/scripts/security-check.sh`
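As an added check that is not one of the repository's own scripts, the following shell script reads the `sshd -T` output listed above and verifies the claims made in the SSH Security section. The limits for `logingracetime` (30 seconds) and `maxauthtries` (3) are assumptions, since this page only says they were reduced.

```shell
#!/bin/sh
# Added example (not a script from this repository): compare the effective sshd
# configuration printed by `sshd -T` with the hardening described in this document.

# check_sshd_file FILE: FILE holds `sshd -T` output (one lowercase "key value"
# per line). Prints one line per violated expectation; returns 1 if any, else 0.
check_sshd_file() {
  _file=$1
  _bad=0
  while read -r _key _want; do
    _have=$(awk -v k="$_key" '$1 == k { print $2; exit }' "$_file")
    # Older OpenSSH releases print the alias "without-password".
    if [ "$_key" = permitrootlogin ] && [ "$_have" = without-password ]; then
      _have=prohibit-password
    fi
    case $_want in
      *[!0-9]*)  # non-numeric expectation: require an exact match
        if [ "$_have" != "$_want" ]; then
          echo "FAIL: $_key is '${_have:-unset}', expected '$_want'"; _bad=1
        fi ;;
      *)         # numeric expectation: the effective value must not exceed it
        if [ -z "$_have" ] || [ "$_have" -gt "$_want" ]; then
          echo "FAIL: $_key is '${_have:-unset}', expected <= $_want"; _bad=1
        fi ;;
    esac
  done <<EOF
passwordauthentication no
pubkeyauthentication yes
permitrootlogin prohibit-password
logingracetime 30
maxauthtries 3
EOF
  return $_bad
}

# write_sample FILE hardened|default: constructed `sshd -T` excerpts for a
# demonstration run (not captured from any real host).
write_sample() {
  if [ "$2" = hardened ]; then
    printf '%s\n' 'port 22' 'port 2222' 'passwordauthentication no' \
      'pubkeyauthentication yes' 'permitrootlogin prohibit-password' \
      'logingracetime 20' 'maxauthtries 3' > "$1"
  else
    printf '%s\n' 'port 22' 'passwordauthentication yes' 'pubkeyauthentication yes' \
      'permitrootlogin without-password' 'logingracetime 120' 'maxauthtries 6' > "$1"
  fi
}

# Usage on the server: sshd -T > /tmp/sshd-effective.txt && sh this-script.sh /tmp/sshd-effective.txt
if [ $# -eq 1 ]; then check_sshd_file "$1"; fi
```

Run it after every sshd change, or from `security-check.sh` via cron, so that a regressed setting is reported rather than discovered during the next incident.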