# Security Configuration Files

## Overview

This document catalogs all security-related configuration files in the homelab repository and their deployment locations.

## SSH Security Configurations

### SSH Honeypot

- **Config File**: `config/systemd/ssh-honeypot.service`
- **Deploy To**: `/etc/systemd/system/ssh-honeypot.service`
- **Purpose**: Systemd service for SSH honeypot on port 22
- **Dependencies**: `config/honeypot/response.sh`

- **Config File**: `config/honeypot/response.sh`
- **Deploy To**: `/opt/honeypot/response.sh`
- **Purpose**: Response script for honeypot connections
- **Log File**: `/var/log/honeypot.log`

### SSH Service Hardening

- **System File**: `/etc/ssh/sshd_config`
- **Key Settings**:
  - `Port 2222` (moved from default port 22)
  - `PermitRootLogin no`
  - `PasswordAuthentication no`
  - `PubkeyAuthentication yes`

## Network Security

### Nginx Security Headers

- **Config File**: `config/nginx/homelab.conf`
- **Deploy To**: `/etc/nginx/sites-available/homelab`
- **Security Features**:
  - SSL/TLS configuration
  - Security headers (HSTS, CSP, etc.)
  - Rate limiting
  - Access controls

### NetworkManager Security

- **Config File**: `config/networkmanager/01-homelab.conf`
- **Deploy To**: `/etc/NetworkManager/conf.d/01-homelab.conf`
- **Purpose**: Static IP and interface security settings

## Service-Specific Security

### Gitea Security

- **Config File**: `config/docker/gitea/docker-compose.yml`
- **Security Features**:
  - Custom SSH port (2223)
  - Database isolation
  - Volume permissions
  - Network restrictions

### Jellyfin Security

- **Config File**: `config/docker/jellyfin/docker-compose.yml`
- **Security Features**:
  - User/group restrictions
  - Volume mount security
  - Network isolation

### qBittorrent Security

- **Config File**: `config/docker/qbittorrent/docker-compose.yml`
- **Security Features**:
  - VPN integration capability
  - Web UI access controls
  - File permission restrictions

## System Security Services

### Copyparty File Server

- **Config File**: `config/systemd/copyparty.service`
- **Deploy To**: `/etc/systemd/system/copyparty.service`

- **Config File**: `config/copyparty/copyparty.conf`
- **Deploy To**: `~/.config/copyparty/copyparty.conf`
- **Security Features**:
  - WebDAV authentication
  - Access controls
  - Upload restrictions

## Security Hardening Configurations

### Fail2ban Intrusion Prevention

- **Config File**: `config/fail2ban/jail.local`
- **Deploy To**: `/etc/fail2ban/jail.local`
- **Purpose**: Automated IP banning for SSH, web, and service attacks

- **Config Files**: `config/fail2ban/filter.d/`
- **Deploy To**: `/etc/fail2ban/filter.d/`
- **Filters**:
  - `sshd-ddos.conf` - SSH connection flooding protection
  - `nginx-badbots.conf` - Web scanner and bot detection
  - `gitea-auth.conf` - Gitea authentication failure detection

### SSH Security Hardening

- **Config File**: `config/ssh/sshd_config_hardening`
- **Deploy To**: Append to `/etc/ssh/sshd_config`
- **Purpose**: Enhanced SSH security settings

- **Config File**: `config/ssh/banner`
- **Deploy To**: `/etc/ssh/banner`
- **Purpose**: Legal warning banner for SSH connections

### Kernel Security Parameters

- **Config File**: `config/sysctl/99-security.conf`
- **Deploy To**: `/etc/sysctl.d/99-security.conf`
- **Purpose**: Network and memory protection parameters

### Docker Security Configuration

- **Config File**: `config/docker/daemon.json`
- **Deploy To**: `/etc/docker/daemon.json`
- **Purpose**: Docker daemon security hardening

### Service Rate Limiting

- **Config File**: `config/systemd/nginx.service.d/rate-limit.conf`
- **Deploy To**: `/etc/systemd/system/nginx.service.d/rate-limit.conf`
- **Purpose**: Nginx resource limits and connection throttling

## Monitoring and Logging

### Service Monitoring

- **Config File**: `config/systemd/glances-web.service`
- **Deploy To**: `/etc/systemd/system/glances-web.service`
- **Purpose**: System monitoring with web interface

### System Logging

- **Config File**: `config/systemd/01-server-logind.conf`
- **Deploy To**: `/etc/systemd/logind.conf.d/01-server-logind.conf`
- **Purpose**: Login and session security settings

## Security Documentation

### Setup Guides

- `docs/ssh-honeypot-setup.md` - SSH honeypot installation and configuration
- `docs/ssh-intrusion-monitoring.md` - Comprehensive SSH monitoring guide
- `docs/qbittorrent-setup.md` - Secure torrent client setup

### Security Procedures

- `docs/security-configurations.md` - This file (configuration catalog)
- Various service-specific security notes in configuration files

## Deployment Security

### File Permissions

All configuration files include deployment commands with appropriate permissions:

```bash
# Service files
sudo chmod 644 /etc/systemd/system/*.service

# Scripts
sudo chmod +x /opt/honeypot/response.sh

# Config files
sudo chmod 644 /etc/nginx/sites-available/*
sudo chmod 600 ~/.config/copyparty/copyparty.conf
```

### Service Security

```bash
# Enable services securely
sudo systemctl daemon-reload
sudo systemctl enable --now servicename.service

# Verify service status
sudo systemctl status servicename.service
```

## Security Validation

### Configuration Testing

```bash
# Test nginx configuration
sudo nginx -t

# Verify SSH configuration
sudo sshd -t

# Check systemd service syntax
sudo systemd-analyze verify /etc/systemd/system/servicename.service
```

### Security Scanning

```bash
# Check listening ports
ss -tlnp

# Verify service users and permissions
sudo systemctl show servicename.service

# Check file permissions
find config/ -type f -ls
```

## Security Updates

### Regular Maintenance

1. **Weekly**: Review honeypot logs, update fail2ban rules
2. **Monthly**: Update service configurations, security patches
3. **Quarterly**: Full security audit, penetration testing
4. **Annually**: Certificate renewal, security policy review

### Configuration Backup

All configurations are version-controlled in git:

```bash
# Backup current configs
git add config/ docs/
git commit -m "Update security configurations"

# Restore from backup
git checkout HEAD -- config/
```

## Security Contacts and Escalation

### Log Locations

- **Security Incidents**: `/var/log/security.log`
- **Authentication**: `/var/log/auth.log`
- **Honeypot**: `/var/log/honeypot.log`
- **Service Logs**: `journalctl -u servicename.service`

### Incident Response

1. Immediate containment (block IPs, disable services)
2. Evidence preservation (copy logs, take snapshots)
3. Impact assessment (check for compromise)
4. Recovery procedures (restore from known-good configs)
5. Post-incident review (update procedures and configurations)

## Compliance and Standards

### Security Frameworks

- **Network Security**: Defense in depth with multiple layers
- **Access Control**: Principle of least privilege
- **Monitoring**: Comprehensive logging and alerting
- **Incident Response**: Documented procedures and escalation

### Audit Trail

- All configuration changes tracked in git
- Service modifications logged via systemd
- Security events captured in dedicated log files
- Regular security reviews documented in commit messages
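The Security Validation and File Permissions steps above can be folded into one repeatable audit. The script below is an added example and is not part of the homelab repository: it checks an `sshd_config` for the four key settings listed under SSH Service Hardening, honouring sshd's first-match rule for repeated keywords, and compares a deployed file's mode against the value the deployment commands set. It assumes GNU `stat` and exercises itself against a constructed sample config in a temp file rather than `/etc/ssh/sshd_config`.

```shell
#!/bin/sh
# Added audit helper (not part of the homelab repo). Checks an sshd_config for
# the hardening keys catalogued above and verifies file modes. Assumes GNU stat.

# check_sshd_setting FILE KEY EXPECTED: sshd uses the FIRST value it reads for a
# keyword, so a later "PermitRootLogin no" does not undo an earlier "yes".
check_sshd_setting() {
    file=$1; key=$2; expected=$3
    actual=$(grep -Ei "^[[:space:]]*${key}[[:space:]]+" "$file" 2>/dev/null \
        | head -n 1 | awk '{print $2}')
    [ "$actual" = "$expected" ]
}

# check_mode FILE OCTAL: compare the deployed file's permission bits (e.g. 600
# for copyparty.conf, 644 for unit files).
check_mode() {
    actual=$(stat -c '%a' "$1" 2>/dev/null)
    [ "$actual" = "$2" ]
}

# audit_sshd FILE: report every key that deviates from the catalogued value;
# the return code is the number of failures (0 = fully compliant).
audit_sshd() {
    file=$1; failures=0
    for pair in Port=2222 PermitRootLogin=no PasswordAuthentication=no PubkeyAuthentication=yes; do
        key=${pair%%=*}; want=${pair#*=}
        if ! check_sshd_setting "$file" "$key" "$want"; then
            echo "FAIL: $key should be '$want' in $file" >&2
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# make_sample_config: writes a constructed sshd_config to a temp file and prints
# its path, so the audit can be exercised without touching /etc/ssh.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, mirrors the catalogued hardening settings
Port 2222
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF
    chmod 600 "$f"
    echo "$f"
}
```

Run `audit_sshd /etc/ssh/sshd_config` on the live host (as root) after appending `config/ssh/sshd_config_hardening`, and pair it with `sudo sshd -t` so that syntax and policy are both checked.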