Add comprehensive security documentation

- docs/ssh-honeypot-setup.md: Complete SSH honeypot installation and monitoring guide
- docs/ssh-intrusion-monitoring.md: SSH attack detection and analysis procedures
- docs/security-configurations.md: Updated catalog of all security configuration files
- Includes installation procedures, monitoring commands, and troubleshooting guides

docs/security-configurations.md

@@ -0,0 +1,240 @@
+# Security Configuration Files
+
+## Overview
+
+This document catalogs all security-related configuration files in the homelab repository and their deployment locations.
+
+## SSH Security Configurations
+
+### SSH Honeypot
+- **Config File**: `config/systemd/ssh-honeypot.service`
+- **Deploy To**: `/etc/systemd/system/ssh-honeypot.service`  
+- **Purpose**: Systemd service for SSH honeypot on port 22
+- **Dependencies**: `config/honeypot/response.sh`
+
+- **Config File**: `config/honeypot/response.sh`
+- **Deploy To**: `/opt/honeypot/response.sh`
+- **Purpose**: Response script for honeypot connections
+- **Log File**: `/var/log/honeypot.log`
+
+### SSH Service Hardening
+- **System File**: `/etc/ssh/sshd_config`
+- **Key Settings**:
+  - `Port 2222` (moved from default port 22)
+  - `PermitRootLogin no`
+  - `PasswordAuthentication no`  
+  - `PubkeyAuthentication yes`
+
+## Network Security
+
+### Nginx Security Headers
+- **Config File**: `config/nginx/homelab.conf`
+- **Deploy To**: `/etc/nginx/sites-available/homelab`
+- **Security Features**:
+  - SSL/TLS configuration
+  - Security headers (HSTS, CSP, etc.)
+  - Rate limiting
+  - Access controls
+
+### NetworkManager Security
+- **Config File**: `config/networkmanager/01-homelab.conf`
+- **Deploy To**: `/etc/NetworkManager/conf.d/01-homelab.conf`
+- **Purpose**: Static IP and interface security settings
+
+## Service-Specific Security
+
+### Gitea Security
+- **Config File**: `config/docker/gitea/docker-compose.yml`
+- **Security Features**:
+  - Custom SSH port (2223)
+  - Database isolation
+  - Volume permissions
+  - Network restrictions
+
+### Jellyfin Security  
+- **Config File**: `config/docker/jellyfin/docker-compose.yml`
+- **Security Features**:
+  - User/group restrictions
+  - Volume mount security
+  - Network isolation
+
+### qBittorrent Security
+- **Config File**: `config/docker/qbittorrent/docker-compose.yml`
+- **Security Features**:
+  - VPN integration capability
+  - Web UI access controls
+  - File permission restrictions
+
+## System Security Services
+
+### Copyparty File Server
+- **Config File**: `config/systemd/copyparty.service`
+- **Deploy To**: `/etc/systemd/system/copyparty.service`
+- **Config File**: `config/copyparty/copyparty.conf`
+- **Deploy To**: `~/.config/copyparty/copyparty.conf`
+- **Security Features**:
+  - WebDAV authentication
+  - Access controls
+  - Upload restrictions
+
+## Security Hardening Configurations
+
+### Fail2ban Intrusion Prevention
+- **Config File**: `config/fail2ban/jail.local`
+- **Deploy To**: `/etc/fail2ban/jail.local`
+- **Purpose**: Automated IP banning for SSH, web, and service attacks
+
+- **Config Files**: `config/fail2ban/filter.d/`
+- **Deploy To**: `/etc/fail2ban/filter.d/`
+- **Filters**:
+  - `sshd-ddos.conf` - SSH connection flooding protection
+  - `nginx-badbots.conf` - Web scanner and bot detection
+  - `gitea-auth.conf` - Gitea authentication failure detection
+
+### SSH Security Hardening
+- **Config File**: `config/ssh/sshd_config_hardening`
+- **Deploy To**: Append to `/etc/ssh/sshd_config`
+- **Purpose**: Enhanced SSH security settings
+
+- **Config File**: `config/ssh/banner`
+- **Deploy To**: `/etc/ssh/banner`
+- **Purpose**: Legal warning banner for SSH connections
+
+### Kernel Security Parameters
+- **Config File**: `config/sysctl/99-security.conf`
+- **Deploy To**: `/etc/sysctl.d/99-security.conf`
+- **Purpose**: Network and memory protection parameters
+
+### Docker Security Configuration
+- **Config File**: `config/docker/daemon.json`
+- **Deploy To**: `/etc/docker/daemon.json`
+- **Purpose**: Docker daemon security hardening
+
+### Service Rate Limiting
+- **Config File**: `config/systemd/nginx.service.d/rate-limit.conf`
+- **Deploy To**: `/etc/systemd/system/nginx.service.d/rate-limit.conf`
+- **Purpose**: Nginx resource limits and connection throttling
+
+## Monitoring and Logging
+
+### Service Monitoring
+- **Config File**: `config/systemd/glances-web.service`
+- **Deploy To**: `/etc/systemd/system/glances-web.service`
+- **Purpose**: System monitoring with web interface
+
+### System Logging
+- **Config File**: `config/systemd/01-server-logind.conf`
+- **Deploy To**: `/etc/systemd/logind.conf.d/01-server-logind.conf`
+- **Purpose**: Login and session security settings
+
+## Security Documentation
+
+### Setup Guides
+- `docs/ssh-honeypot-setup.md` - SSH honeypot installation and configuration
+- `docs/ssh-intrusion-monitoring.md` - Comprehensive SSH monitoring guide
+- `docs/qbittorrent-setup.md` - Secure torrent client setup
+
+### Security Procedures
+- `docs/security-configurations.md` - This file (configuration catalog)
+- Various service-specific security notes in configuration files
+
+## Deployment Security
+
+### File Permissions
+All configuration files include deployment commands with appropriate permissions:
+
+```bash
+# Service files
+sudo chmod 644 /etc/systemd/system/*.service
+
+# Scripts  
+sudo chmod +x /opt/honeypot/response.sh
+
+# Config files
+sudo chmod 644 /etc/nginx/sites-available/*
+sudo chmod 600 ~/.config/copyparty/copyparty.conf
+```
+
+### Service Security
+```bash
+# Enable services securely
+sudo systemctl daemon-reload
+sudo systemctl enable --now servicename.service
+
+# Verify service status
+sudo systemctl status servicename.service
+```
+
+## Security Validation
+
+### Configuration Testing
+```bash
+# Test nginx configuration
+sudo nginx -t
+
+# Verify SSH configuration
+sudo sshd -t
+
+# Check systemd service syntax
+sudo systemd-analyze verify /etc/systemd/system/servicename.service
+```
+
+### Security Scanning
+```bash
+# Check listening ports
+ss -tlnp
+
+# Verify service users and permissions  
+sudo systemctl show servicename.service
+
+# Check file permissions
+find config/ -type f -ls
+```
+
+## Security Updates
+
+### Regular Maintenance
+1. **Weekly**: Review honeypot logs, update fail2ban rules
+2. **Monthly**: Update service configurations, security patches
+3. **Quarterly**: Full security audit, penetration testing
+4. **Annually**: Certificate renewal, security policy review
+
+### Configuration Backup
+All configurations are version-controlled in git:
+```bash
+# Backup current configs
+git add config/ docs/
+git commit -m "Update security configurations"
+
+# Restore from backup
+git checkout HEAD -- config/
+```
+
+## Security Contacts and Escalation
+
+### Log Locations
+- **Security Incidents**: `/var/log/security.log`
+- **Authentication**: `/var/log/auth.log`
+- **Honeypot**: `/var/log/honeypot.log`
+- **Service Logs**: `journalctl -u servicename.service`
+
+### Incident Response
+1. Immediate containment (block IPs, disable services)
+2. Evidence preservation (copy logs, take snapshots)
+3. Impact assessment (check for compromise)
+4. Recovery procedures (restore from known-good configs)
+5. Post-incident review (update procedures and configurations)
+
+## Compliance and Standards
+
+### Security Frameworks
+- **Network Security**: Defense in depth with multiple layers
+- **Access Control**: Principle of least privilege
+- **Monitoring**: Comprehensive logging and alerting
+- **Incident Response**: Documented procedures and escalation
+
+### Audit Trail  
+- All configuration changes tracked in git
+- Service modifications logged via systemd
+- Security events captured in dedicated log files
+- Regular security reviews documented in commit messages