homelab/docs/security-configurations.md
Arpad Krejczinger ad9a3ab23e Add comprehensive security documentation
- docs/ssh-honeypot-setup.md: Complete SSH honeypot installation and monitoring guide
- docs/ssh-intrusion-monitoring.md: SSH attack detection and analysis procedures
- docs/security-configurations.md: Updated catalog of all security configuration files
- Includes installation procedures, monitoring commands, and troubleshooting guides
2025-09-12 20:38:49 +02:00


Security Configuration Files

Overview

This document catalogs all security-related configuration files in the homelab repository and their deployment locations.

SSH Security Configurations

SSH Honeypot

  • Config File: config/systemd/ssh-honeypot.service
  • Deploy To: /etc/systemd/system/ssh-honeypot.service
  • Purpose: Systemd service for the SSH honeypot on port 22 (the real sshd listens on 2222, see SSH Service Hardening below, so every connection to 22 is unsolicited by definition)
  • Dependencies: config/honeypot/response.sh

  • Config File: config/honeypot/response.sh
  • Deploy To: /opt/honeypot/response.sh
  • Purpose: Response script for honeypot connections; the service executes it, so it must be root-owned and not writable by any other user
  • Log File: /var/log/honeypot.log

SSH Service Hardening

  • System File: /etc/ssh/sshd_config
  • Key Settings:
    • Port 2222 (moved from default port 22)
    • PermitRootLogin no
    • PasswordAuthentication no
    • PubkeyAuthentication yes

Network Security

Nginx Security Headers

  • Config File: config/nginx/homelab.conf
  • Deploy To: /etc/nginx/sites-available/homelab
  • Security Features:
    • SSL/TLS configuration
    • Security headers (HSTS, CSP, etc.)
    • Rate limiting
    • Access controls

NetworkManager Security

  • Config File: config/networkmanager/01-homelab.conf
  • Deploy To: /etc/NetworkManager/conf.d/01-homelab.conf
  • Purpose: Static IP and interface security settings

Service-Specific Security

Gitea Security

  • Config File: config/docker/gitea/docker-compose.yml
  • Security Features:
    • Custom SSH port (2223)
    • Database isolation
    • Volume permissions
    • Network restrictions

Jellyfin Security

  • Config File: config/docker/jellyfin/docker-compose.yml
  • Security Features:
    • User/group restrictions
    • Volume mount security
    • Network isolation

qBittorrent Security

  • Config File: config/docker/qbittorrent/docker-compose.yml
  • Security Features:
    • VPN integration capability
    • Web UI access controls
    • File permission restrictions

System Security Services

Copyparty File Server

  • Config File: config/systemd/copyparty.service
  • Deploy To: /etc/systemd/system/copyparty.service
  • Config File: config/copyparty/copyparty.conf
  • Deploy To: ~/.config/copyparty/copyparty.conf (~ is the home directory of the account named by User= in copyparty.service; a system unit without User= runs as root and would look in /root/.config instead)
  • Security Features:
    • WebDAV authentication
    • Access controls
    • Upload restrictions

Security Hardening Configurations

Fail2ban Intrusion Prevention

  • Config File: config/fail2ban/jail.local
  • Deploy To: /etc/fail2ban/jail.local
  • Purpose: Automated IP banning for SSH, web, and service attacks
  • Caveat: the stock sshd jail defaults to port = ssh (22) and the default banaction blocks only the jail's port. With sshd on 2222, the jail's port must be set to 2222, otherwise a ban closes port 22 (the honeypot) and the real service stays reachable

  • Config Files: config/fail2ban/filter.d/
  • Deploy To: /etc/fail2ban/filter.d/
  • Filters:
    • sshd-ddos.conf - SSH connection flooding protection
    • nginx-badbots.conf - Web scanner and bot detection
    • gitea-auth.conf - Gitea authentication failure detection
  • Check: sudo fail2ban-client status sshd shows a jail's state and currently banned IPs; fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd-ddos.conf tests a filter against real log lines before the jail is enabled

SSH Security Hardening

  • Config File: config/ssh/sshd_config_hardening
  • Deploy To: Append to /etc/ssh/sshd_config (or place it in /etc/ssh/sshd_config.d/ on distributions whose stock sshd_config starts with an Include for that directory)
  • Purpose: Enhanced SSH security settings
  • Caveat: sshd keeps the first value it reads for each keyword, so an appended setting is silently ignored whenever the same keyword already appears earlier in sshd_config or in an Include processed before it. sshd -t does not report this; compare the effective values with sudo sshd -T after reloading

  • Config File: config/ssh/banner
  • Deploy To: /etc/ssh/banner
  • Purpose: Legal warning banner for SSH connections (shown only when sshd_config sets Banner /etc/ssh/banner)

Kernel Security Parameters

  • Config File: config/sysctl/99-security.conf
  • Deploy To: /etc/sysctl.d/99-security.conf
  • Purpose: Network and memory protection parameters; loaded at boot and on demand with sudo sysctl --system, after which sysctl <key> shows the live value of a parameter

Docker Security Configuration

  • Config File: config/docker/daemon.json
  • Deploy To: /etc/docker/daemon.json
  • Purpose: Docker daemon security hardening

Service Rate Limiting

  • Config File: config/systemd/nginx.service.d/rate-limit.conf
  • Deploy To: /etc/systemd/system/nginx.service.d/rate-limit.conf
  • Purpose: systemd resource limits for the nginx unit (LimitNOFILE, MemoryMax and similar directives). Per-client request and connection throttling is an nginx feature (limit_req / limit_conn) and belongs in config/nginx/homelab.conf, not in the unit drop-in

Monitoring and Logging

Service Monitoring

  • Config File: config/systemd/glances-web.service
  • Deploy To: /etc/systemd/system/glances-web.service
  • Purpose: System monitoring with web interface

System Logging

  • Config File: config/systemd/01-server-logind.conf
  • Deploy To: /etc/systemd/logind.conf.d/01-server-logind.conf
  • Purpose: Login and session security settings

Security Documentation

Setup Guides

  • docs/ssh-honeypot-setup.md - SSH honeypot installation and configuration
  • docs/ssh-intrusion-monitoring.md - Comprehensive SSH monitoring guide
  • docs/qbittorrent-setup.md - Secure torrent client setup

Security Procedures

  • docs/security-configurations.md - This file (configuration catalog)
  • Various service-specific security notes in configuration files

Deployment Security

File Permissions

All configuration files include deployment commands with appropriate permissions. Ownership and mode are set on the deployed copy, not only on the repository copy:

# Service files
sudo chmod 644 /etc/systemd/system/*.service

# Scripts (executed by a root unit, so root-owned and writable by nobody else)
sudo chown root:root /opt/honeypot/response.sh
sudo chmod 755 /opt/honeypot/response.sh

# Config files
sudo chmod 644 /etc/nginx/sites-available/*
sudo chmod 600 ~/.config/copyparty/copyparty.conf

Service Security

# Enable services securely
sudo systemctl daemon-reload
sudo systemctl enable --now servicename.service

# Verify service status
sudo systemctl status servicename.service
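The copy-with-permissions and enable steps above, as one idempotent script. This is an added example for this document, not a script from the homelab repository. It assumes GNU coreutils install(1) (for -D), root privileges for the real paths, and an assumed DEPLOY_ROOT variable (default "/") that lets a run be staged into a scratch directory first; the source/destination/mode triples are the ones this catalog lists.

```sh
#!/bin/sh
# deploy_config: copy one repository file to its deployment path with the mode
# and owner fixed at creation time, then verify content and mode.
# Added example for the security-configurations catalog; not repository code.
# DEPLOY_ROOT is an assumed variable: set it to e.g. /tmp/stage for a dry run.

DEPLOY_ROOT="${DEPLOY_ROOT:-/}"

# deploy_config SRC DST MODE [OWNER[:GROUP]]
# Unlike `cp` followed by `chmod`, install(1) never leaves the file at the
# umask default in between, and -D creates missing parent directories.
# Returns 0 on success or when DST is already identical, 1 on a failed or
# unverifiable install, 2 when SRC does not exist.
deploy_config() {
    src=$1; dst="${DEPLOY_ROOT%/}/${2#/}"; mode=$3; owner=${4:-}
    [ -f "$src" ] || { echo "missing source: $src" >&2; return 2; }
    if [ -f "$dst" ] && cmp -s "$src" "$dst" && [ -n "$(find "$dst" -maxdepth 0 -perm "$mode")" ]; then
        echo "unchanged: $dst"
        return 0
    fi
    if [ -n "$owner" ]; then
        install -D -m "$mode" -o "${owner%%:*}" -g "${owner#*:}" "$src" "$dst" || return 1
    else
        install -D -m "$mode" "$src" "$dst" || return 1
    fi
    # Verify rather than trust the exit code: identical content, exact mode.
    cmp -s "$src" "$dst" || { echo "content mismatch: $dst" >&2; return 1; }
    [ -n "$(find "$dst" -maxdepth 0 -perm "$mode")" ] || { echo "mode mismatch: $dst" >&2; return 1; }
    echo "deployed: $dst ($mode)"
}

# deploy_catalog: the file/destination/mode triples this document lists.
# Units and configs are world-readable; response.sh is executed by a root
# unit, so it is root-owned and writable by nobody else.
deploy_catalog() {
    deploy_config config/systemd/ssh-honeypot.service /etc/systemd/system/ssh-honeypot.service 0644 root:root &&
    deploy_config config/honeypot/response.sh          /opt/honeypot/response.sh              0755 root:root &&
    deploy_config config/fail2ban/jail.local           /etc/fail2ban/jail.local               0644 root:root &&
    deploy_config config/sysctl/99-security.conf       /etc/sysctl.d/99-security.conf         0644 root:root &&
    deploy_config config/docker/daemon.json            /etc/docker/daemon.json                0644 root:root &&
    deploy_config config/nginx/homelab.conf            /etc/nginx/sites-available/homelab     0644 root:root
}

# Run with `sudo sh deploy.sh --deploy` from the repository root; without the
# flag the file only defines the functions so it can be sourced or tested.
if [ "${1:-}" = "--deploy" ]; then
    deploy_catalog && systemctl daemon-reload
fi
```

Because deploy_config is a no-op when the deployed file already matches, the script can run after every commit without touching unchanged units; a non-zero exit from deploy_catalog stops the chain before daemon-reload, so a failed copy never leaves systemd with a half-deployed unit set.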

Security Validation

Configuration Testing

# Test nginx configuration
sudo nginx -t

# Check SSH configuration syntax; -T additionally dumps the effective merged values
sudo sshd -t
sudo sshd -T | grep -E '^(port|permitrootlogin|passwordauthentication|pubkeyauthentication) '

# Check systemd service syntax
sudo systemd-analyze verify /etc/systemd/system/servicename.service

Security Scanning

# Check listening ports (expected: 22 honeypot, 2222 sshd, 2223 Gitea SSH, nginx)
sudo ss -tlnp

# Verify the user, group and sandboxing a service actually runs with
sudo systemctl show -p User -p Group -p NoNewPrivileges -p ProtectSystem servicename.service

# Check permissions of the repository copies and of the deployed files
find config/ -type f -ls
sudo find /etc/systemd/system /etc/fail2ban /etc/nginx/sites-available /opt/honeypot -type f -ls
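A validation script covering two checks from this document: the effective sshd configuration (the hardening snippet is appended to sshd_config, and because sshd keeps the first value it reads for a keyword, appended values can be ignored without sshd -t ever complaining) and the listening-port audit from the commands above. It is an added example, not a script from the homelab repository. It assumes the output formats of sshd -T and ss -tlnp, and an allow-list of ports 22, 2222, 2223, 80 and 443; 80/443 are an assumption, since the document only says nginx terminates TLS. The embedded ss sample is constructed for the self-test.

```sh
#!/bin/sh
# Post-deployment checks for the catalog: (1) effective sshd settings, (2) TCP
# listeners. Added example for this document; not repository code.
# Usage:
#   sudo sshd -T  | sh validate.sh sshd
#   sudo ss -tlnp | sh validate.sh ports
#   sh validate.sh selftest        # runs the constructed sample below

# Values this catalog records; keywords are lowercase because `sshd -T`
# prints them that way.
SSHD_EXPECTED="port 2222
permitrootlogin no
passwordauthentication no
pubkeyauthentication yes"

# Assumed allow-list: 22 honeypot, 2222 sshd, 2223 Gitea SSH, 80/443 nginx
# (80/443 are an assumption; the document does not list nginx ports).
ALLOWED_PORTS="22 80 443 2222 2223"

# Constructed `ss -tlnp` sample: one listener (61208) outside the allow-list.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("honeypot",pid=1,fd=3))
LISTEN 0 128 [::]:2222 [::]:*
LISTEN 0 511 0.0.0.0:443 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:61208 0.0.0.0:*'

# check_sshd_effective: stdin is an `sshd -T` dump. Prints one line per
# keyword that is missing or differs from SSHD_EXPECTED; returns 1 if any.
check_sshd_effective() {
    effective=$(cat)
    mismatches=$(printf '%s\n' "$SSHD_EXPECTED" | while read -r key want; do
        [ -n "$key" ] || continue
        # first match wins, mirroring sshd's own first-value-wins rule
        have=$(printf '%s\n' "$effective" | awk -v k="$key" '$1 == k { print $2; exit }')
        if [ -z "$have" ]; then
            printf 'MISSING  %s (expected %s)\n' "$key" "$want"
        elif [ "$have" != "$want" ]; then
            printf 'MISMATCH %s is %s, expected %s\n' "$key" "$have" "$want"
        fi
    done)
    if [ -n "$mismatches" ]; then
        printf '%s\n' "$mismatches"
        return 1
    fi
    echo "sshd effective configuration matches the catalog"
}

# check_listeners: stdin is `ss -tlnp` output. Extracts the port from the
# Local Address:Port column (works for 0.0.0.0:22 and [::]:2222 alike) and
# reports every listener outside ALLOWED_PORTS; returns 1 if any.
check_listeners() {
    unexpected=$(awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un |
        while read -r port; do
            case " $ALLOWED_PORTS " in
                *" $port "*) ;;
                *) echo "$port" ;;
            esac
        done)
    if [ -n "$unexpected" ]; then
        for p in $unexpected; do echo "UNEXPECTED listener on tcp/$p"; done
        return 1
    fi
    echo "only catalogued ports are listening"
}

case "${1:-}" in
    sshd)     check_sshd_effective ;;
    ports)    check_listeners ;;
    selftest) printf '%s\n' "$SAMPLE_SS" | check_listeners ;;
esac
```

Both checks read the live output on stdin rather than the files on disk, because the deployed files are exactly what can be misleading here: sshd_config can contain the hardened keyword twice with only the first copy in effect, and a unit file says nothing about which ports are actually open. A non-zero exit makes either check usable as a gate in the weekly review or in a cron job that pages on failure.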

Security Updates

Regular Maintenance

  1. Weekly: Review honeypot logs, update fail2ban rules
  2. Monthly: Update service configurations, security patches
  3. Quarterly: Full security audit, penetration testing
  4. Annually: Certificate renewal, security policy review

Configuration Backup

All configurations are version-controlled in git. Git holds the repository copies only: after a restore, the files still have to be redeployed to their system paths and the affected services reloaded:

# Backup current configs
git add config/ docs/
git commit -m "Update security configurations"

# Restore the repository copy from the last commit, then redeploy
git checkout HEAD -- config/

Security Contacts and Escalation

Log Locations

  • Security Incidents: /var/log/security.log
  • Authentication: /var/log/auth.log
  • Honeypot: /var/log/honeypot.log
  • Service Logs: journalctl -u servicename.service

Incident Response

  1. Immediate containment (block IPs, disable services)
  2. Evidence preservation (copy logs, take snapshots)
  3. Impact assessment (check for compromise)
  4. Recovery procedures (restore from known-good configs)
  5. Post-incident review (update procedures and configurations)

Compliance and Standards

Security Frameworks

  • Network Security: Defense in depth with multiple layers
  • Access Control: Principle of least privilege
  • Monitoring: Comprehensive logging and alerting
  • Incident Response: Documented procedures and escalation

Audit Trail

  • All configuration changes tracked in git
  • Service modifications logged via systemd
  • Security events captured in dedicated log files
  • Regular security reviews documented in commit messages