hoborg/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
homelab/docs/security-configurations.md

248 lines
7.6 KiB
Markdown
Raw Permalink Blame History

# Security Configuration Files
## Overview
This document catalogs all security-related configuration files in the homelab repository and their deployment locations.
## SSH Security Configurations
### SSH Honeypot
- **Config File**: `config/systemd/ssh-honeypot.service`
- **Deploy To**: `/etc/systemd/system/ssh-honeypot.service`
- **Purpose**: Systemd service for SSH honeypot on port 22
- **Dependencies**: `config/honeypot/response.sh`
- **Config File**: `config/honeypot/response.sh`
- **Deploy To**: `/opt/honeypot/response.sh`
- **Purpose**: Response script for honeypot connections
- **Log File**: `/var/log/honeypot.log`
### SSH Service Hardening
- **System File**: `/etc/ssh/sshd_config`
- **Key Settings**:
- `Port 2222` (moved from default port 22)
- `PermitRootLogin no`
- `PasswordAuthentication no`
- `PubkeyAuthentication yes`
## Network Security
### Nginx Security Headers
- **Config File**: `config/nginx/homelab.conf`
- **Deploy To**: `/etc/nginx/sites-available/homelab`
- **Security Features**:
- SSL/TLS configuration
- Security headers (HSTS, CSP, etc.)
- Rate limiting
- Access controls
### NetworkManager Security
- **Config File**: `config/networkmanager/01-homelab.conf`
- **Deploy To**: `/etc/NetworkManager/conf.d/01-homelab.conf`
- **Purpose**: Static IP and interface security settings
## Service-Specific Security
### Gitea Security
- **Config File**: `config/docker/gitea/docker-compose.yml`
- **Deploy To**: `/opt/docker/gitea/docker-compose.yml`
- **Security Features**:
- Custom SSH port (2223) for Git operations
- Web UI bound to localhost only (127.0.0.1:3000) for reverse proxy
- Non-root user operation via USER_UID/USER_GID environment variables
- Resource limits (1G memory)
- Health checking for service monitoring
- s6-overlay compatible configuration (no read-only filesystem)
- **Security Notes**:
- SSH port 2223 bound to all interfaces for external Git access
- Web port 3000 bound to localhost only for nginx proxy security
- Avoid Docker `user:` directive (breaks s6-overlay init system)
- Use environment variables for privilege dropping instead
### Jellyfin Security
- **Config File**: `config/docker/jellyfin/docker-compose.yml`
- **Security Features**:
- User/group restrictions
- Volume mount security
- Network isolation
### qBittorrent Security
- **Config File**: `config/docker/qbittorrent/docker-compose.yml`
- **Security Features**:
- VPN integration capability
- Web UI access controls
- File permission restrictions
## System Security Services
### Copyparty File Server
- **Config File**: `config/systemd/copyparty.service`
- **Deploy To**: `/etc/systemd/system/copyparty.service`
- **Config File**: `config/copyparty/copyparty.conf`
- **Deploy To**: `~/.config/copyparty/copyparty.conf`
- **Security Features**:
- WebDAV authentication
- Access controls
- Upload restrictions
## Security Hardening Configurations
### Fail2ban Intrusion Prevention
- **Config File**: `config/fail2ban/jail.local`
- **Deploy To**: `/etc/fail2ban/jail.local`
- **Purpose**: Automated IP banning for SSH, web, and service attacks
- **Config Files**: `config/fail2ban/filter.d/`
- **Deploy To**: `/etc/fail2ban/filter.d/`
- **Filters**:
- `sshd-ddos.conf` - SSH connection flooding protection
- `nginx-badbots.conf` - Web scanner and bot detection
- `gitea-auth.conf` - Gitea authentication failure detection
### SSH Security Hardening
- **Config File**: `config/ssh/sshd_config_hardening`
- **Deploy To**: Append to `/etc/ssh/sshd_config`
- **Purpose**: Enhanced SSH security settings
- **Config File**: `config/ssh/banner`
- **Deploy To**: `/etc/ssh/banner`
- **Purpose**: Legal warning banner for SSH connections
### Kernel Security Parameters
- **Config File**: `config/sysctl/99-security.conf`
- **Deploy To**: `/etc/sysctl.d/99-security.conf`
- **Purpose**: Network and memory protection parameters
### Docker Security Configuration
- **Config File**: `config/docker/daemon.json`
- **Deploy To**: `/etc/docker/daemon.json`
- **Purpose**: Docker daemon security hardening
### Service Rate Limiting
- **Config File**: `config/systemd/nginx.service.d/rate-limit.conf`
- **Deploy To**: `/etc/systemd/system/nginx.service.d/rate-limit.conf`
- **Purpose**: Nginx resource limits and connection throttling
## Monitoring and Logging
### Service Monitoring
- **Config File**: `config/systemd/glances-web.service`
- **Deploy To**: `/etc/systemd/system/glances-web.service`
- **Purpose**: System monitoring with web interface
### System Logging
- **Config File**: `config/systemd/01-server-logind.conf`
- **Deploy To**: `/etc/systemd/logind.conf.d/01-server-logind.conf`
- **Purpose**: Login and session security settings
## Security Documentation
### Setup Guides
- `docs/ssh-honeypot-setup.md` - SSH honeypot installation and configuration
- `docs/ssh-intrusion-monitoring.md` - Comprehensive SSH monitoring guide
- `docs/qbittorrent-setup.md` - Secure torrent client setup
### Security Procedures
- `docs/security-configurations.md` - This file (configuration catalog)
- Various service-specific security notes in configuration files
## Deployment Security
### File Permissions
All configuration files include deployment commands with appropriate permissions:
```bash
# Service files
sudo chmod 644 /etc/systemd/system/*.service
# Scripts
sudo chmod +x /opt/honeypot/response.sh
# Config files
sudo chmod 644 /etc/nginx/sites-available/*
sudo chmod 600 ~/.config/copyparty/copyparty.conf
```
### Service Security
```bash
# Enable services securely
sudo systemctl daemon-reload
sudo systemctl enable --now servicename.service
# Verify service status
sudo systemctl status servicename.service
```
## Security Validation
### Configuration Testing
```bash
# Test nginx configuration
sudo nginx -t
# Verify SSH configuration
sudo sshd -t
# Check systemd service syntax
sudo systemd-analyze verify /etc/systemd/system/servicename.service
```
### Security Scanning
```bash
# Check listening ports
ss -tlnp
# Verify service users and permissions
sudo systemctl show servicename.service
# Check file permissions
find config/ -type f -ls
```
## Security Updates
### Regular Maintenance
1. **Weekly**: Review honeypot logs, update fail2ban rules
2. **Monthly**: Update service configurations, security patches
3. **Quarterly**: Full security audit, penetration testing
4. **Annually**: Certificate renewal, security policy review
### Configuration Backup
All configurations are version-controlled in git:
```bash
# Backup current configs
git add config/ docs/
git commit -m "Update security configurations"
# Restore from backup
git checkout HEAD -- config/
```
## Security Contacts and Escalation
### Log Locations
- **Security Incidents**: `/var/log/security.log`
- **Authentication**: `/var/log/auth.log`
- **Honeypot**: `/var/log/honeypot.log`
- **Service Logs**: `journalctl -u servicename.service`
### Incident Response
1. Immediate containment (block IPs, disable services)
2. Evidence preservation (copy logs, take snapshots)
3. Impact assessment (check for compromise)
4. Recovery procedures (restore from known-good configs)
5. Post-incident review (update procedures and configurations)
## Compliance and Standards
### Security Frameworks
- **Network Security**: Defense in depth with multiple layers
- **Access Control**: Principle of least privilege
- **Monitoring**: Comprehensive logging and alerting
- **Incident Response**: Documented procedures and escalation
### Audit Trail
- All configuration changes tracked in git
- Service modifications logged via systemd
- Security events captured in dedicated log files
- Regular security reviews documented in commit messages
Reference in New Issue View Git Blame Copy Permalink