From 1722dfb17e2fa21e7a2d1833dcf064302590e964 Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 17 Feb 2026 23:59:44 +0000 Subject: [PATCH] docs: Add Command Center security hardening deployment guide Created comprehensive security hardening guide (500+ lines): Defense-in-Depth Strategy: - Layer 1: Fail2Ban auto-banning - Layer 2: SSH key-only authentication - Layer 3: UFW firewall optimization 5-Phase Deployment (1 hour total): - Phase 1: Test SSH key access (CRITICAL - prevents lockout) - Phase 2: Install and configure Fail2Ban (20 min) - Phase 3: SSH hardening (20 min) - Phase 4: UFW firewall review (15 min) - Phase 5: Additional security (automatic updates, AIDE) Security Features: - Fail2Ban monitors SSH, Nginx, bad bots - SSH: Key-only auth, MaxAuthTries=3, rate limiting - UFW: Management IP whitelist, unnecessary ports closed - Automatic security updates - File integrity checking (AIDE) Critical Safety Measures: - Mandatory SSH key testing before disabling passwords - Keep session open while testing - Backup access via console/IPMI - Step-by-step verification at each phase - Comprehensive troubleshooting (lockout recovery) Monitoring & Maintenance: - Daily: Check Fail2Ban bans and auth logs - Weekly: Review UFW logs and security updates - Monthly: AIDE file integrity check Ready to deploy when SSH access available. Risk level: MEDIUM (can lock out if keys not tested) Task: Command Center Security Hardening (Tier 1) FFG-STD-002 compliant --- .../deployment-guide.md | 656 ++++++++++++++++++ .../README.md | 68 ++ docs/tasks/frostwall-protocol/README.md | 6 +- docs/tasks/staff-recruitment-launch/README.md | 6 +- docs/tasks/whitelist-manager/README.md | 34 +- 5 files changed, 750 insertions(+), 20 deletions(-) create mode 100644 docs/tasks/command-center-security/deployment-guide.md create mode 100644 docs/tasks/flagship-modpack-eternal-skyforge/README.md diff --git a/docs/tasks/command-center-security/deployment-guide.md b/docs/tasks/command-center-security/deployment-guide.md new file mode 100644 index 0000000..4e5401e --- /dev/null +++ b/docs/tasks/command-center-security/deployment-guide.md @@ -0,0 +1,656 @@ +# Command Center Security Hardening - Deployment Guide + +**Status:** Ready to Deploy +**Priority:** Tier 1 - Security Foundation +**Time Estimate:** 1 hour +**Last Updated:** 2026-02-17 + +--- + +## Overview + +Defense-in-depth security hardening for Command Center VPS (Dallas hub). Implements multiple layers of security including Fail2Ban auto-banning, SSH key-only authentication, and firewall optimization. + +**Command Center Details:** +- **IP:** 63.143.34.217 +- **Location:** Dallas, TX +- **Role:** Management hub (Gitea, Uptime Kuma, Code-Server, Automation) +- **Current Security:** UFW enabled, basic SSH + +--- + +## Current Security State + +**✅ Already Implemented:** +- UFW firewall enabled (default deny incoming) +- Ports 22, 80, 443 open +- Basic SSH configuration + +**❌ Missing Protections:** +- No Fail2Ban (vulnerable to brute force) +- SSH allows password authentication +- No rate limiting on SSH attempts +- Potential unnecessary open ports + +--- + +## Security Hardening Strategy + +### Layer 1: Auto-Ban (Fail2Ban) +- Monitors log files for suspicious activity +- Auto-bans IPs after failed attempts +- Protects SSH, Nginx, and other services + +### Layer 2: SSH Hardening +- Key-only authentication (no passwords) +- Reduced MaxAuthTries +- Optional: Non-standard SSH port + +### Layer 3: Firewall Optimization +- Close unnecessary ports +- Whitelist management IP +- Rate limiting rules + +--- + +## Prerequisites + +**CRITICAL - Before starting:** + +- [ ] **SSH key already configured** on your local machine +- [ ] **SSH key added to Command Center** (`~/.ssh/authorized_keys`) +- [ ] **Test SSH key login works** BEFORE disabling password auth +- [ ] **Management IP known** (Michael's static IP) +- [ ] **Backup access method** available (provider console/IPMI) + +**⚠️ WARNING:** If you disable password auth without working SSH keys, you'll be locked out! + +--- + +## Phase 1: Test SSH Key Access (10 min) + +**MANDATORY: Verify SSH keys work before proceeding!** + +### Step 1: Verify SSH Key Exists Locally + +```bash +# On your local machine +ls -la ~/.ssh/id_rsa ~/.ssh/id_ed25519 + +# You should see at least one key file +``` + +**If no keys exist:** +```bash +# Generate new ED25519 key (recommended) +ssh-keygen -t ed25519 -C "michael@firefrostgaming.com" + +# Or RSA key (legacy compatibility) +ssh-keygen -t rsa -b 4096 -C "michael@firefrostgaming.com" + +# Press Enter for default location +# Set a strong passphrase (recommended) +``` + +--- + +### Step 2: Copy Key to Command Center + +```bash +# Copy SSH key to server +ssh-copy-id root@63.143.34.217 + +# Or manually: +cat ~/.ssh/id_ed25519.pub | ssh root@63.143.34.217 "mkdir -p ~/.ssh && cat >> ~/.ssh/authorized_keys" +``` + +--- + +### Step 3: Test Key-Based Login + +```bash +# Try to SSH with key (should NOT ask for password) +ssh root@63.143.34.217 + +# If it asks for password, your key isn't configured correctly +# DO NOT PROCEED until this works! +``` + +**If prompted for password:** Your SSH key is not properly configured. Debug before continuing. + +--- + +## Phase 2: Install and Configure Fail2Ban (20 min) + +### Step 1: Install Fail2Ban + +```bash +# SSH to Command Center +ssh root@63.143.34.217 + +# Update package list +apt update + +# Install Fail2Ban +apt install fail2ban -y + +# Verify installation +systemctl status fail2ban +# Should show: active (running) +``` + +--- + +### Step 2: Configure Fail2Ban + +```bash +# Create local config (don't edit jail.conf directly) +cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local + +# Edit local config +nano /etc/fail2ban/jail.local +``` + +**Key settings to configure:** + +```ini +[DEFAULT] +# Ban time (10 minutes = 600 seconds) +bantime = 600 + +# Find time window (10 minutes) +findtime = 600 + +# Max retries before ban +maxretry = 5 + +# Your management IP (never ban this!) +ignoreip = 127.0.0.1/8 ::1 YOUR_MANAGEMENT_IP_HERE + +[sshd] +enabled = true +port = 22 +logpath = /var/log/auth.log +maxretry = 3 +bantime = 3600 +``` + +**Save and exit** (Ctrl+X, Y, Enter) + +--- + +### Step 3: Enable Additional Jails + +```bash +# Edit jail.local to enable protection for other services +nano /etc/fail2ban/jail.local +``` + +**Add at the end:** + +```ini +# Nginx HTTP Auth +[nginx-http-auth] +enabled = true +port = http,https +logpath = /var/log/nginx/error.log + +# Nginx Bad Bots +[nginx-badbots] +enabled = true +port = http,https +logpath = /var/log/nginx/access.log +maxretry = 2 +``` + +--- + +### Step 4: Restart and Verify Fail2Ban + +```bash +# Restart Fail2Ban +systemctl restart fail2ban + +# Check status +systemctl status fail2ban + +# View active jails +fail2ban-client status + +# Check SSH jail specifically +fail2ban-client status sshd +``` + +**You should see:** +- `sshd` jail active +- Currently banned IPs: 0 (unless there were recent attacks) +- Total banned: (number) + +--- + +## Phase 3: SSH Hardening (20 min) + +### Step 1: Backup SSH Config + +```bash +# Create backup +cp /etc/ssh/sshd_config /etc/ssh/sshd_config.backup.$(date +%Y%m%d) + +# Verify backup +ls -la /etc/ssh/sshd_config.backup.* +``` + +--- + +### Step 2: Harden SSH Configuration + +```bash +# Edit SSH config +nano /etc/ssh/sshd_config +``` + +**Find and modify these lines:** + +```bash +# Disable root password login +PasswordAuthentication no + +# Disable challenge-response (another password method) +ChallengeResponseAuthentication no + +# Allow key-based auth +PubkeyAuthentication yes + +# Disable empty passwords +PermitEmptyPasswords no + +# Limit authentication attempts +MaxAuthTries 3 + +# Limit sessions per connection +MaxSessions 2 + +# Only allow root (or create separate admin user) +AllowUsers root + +# Optional: Change SSH port (if desired) +# Port 2222 + +# Disable X11 forwarding (not needed) +X11Forwarding no + +# Disable TCP forwarding if not needed +# AllowTcpForwarding no + +# Enable strict mode (recommended) +StrictModes yes + +# Set login grace time (2 minutes) +LoginGraceTime 120 +``` + +**Save and exit** (Ctrl+X, Y, Enter) + +--- + +### Step 3: Test SSH Config + +```bash +# Test config for syntax errors +sshd -t + +# Should return nothing (no output = success) +# If errors appear, fix them before restarting! +``` + +**If errors appear:** +- Review the error message +- Edit `/etc/ssh/sshd_config` again +- Run `sshd -t` again until no errors + +--- + +### Step 4: Restart SSH (CAREFULLY!) + +**⚠️ CRITICAL STEP - Do this carefully!** + +```bash +# Keep current SSH session open! +# Open a SECOND SSH session in another terminal for testing + +# In the first session, restart SSH +systemctl restart sshd + +# In the second session, try to connect +ssh root@63.143.34.217 + +# If the second session connects with your key: SUCCESS! +# If not: You still have the first session to fix it +``` + +**If second session fails:** +```bash +# In first session (still connected): +nano /etc/ssh/sshd_config +# Fix the issue +sshd -t +systemctl restart sshd +# Try second session again +``` + +**Only logout of the first session AFTER the second session works!** + +--- + +## Phase 4: UFW Firewall Review (15 min) + +### Step 1: Review Current Rules + +```bash +# List current rules +ufw status verbose + +# List rules by number +ufw status numbered +``` + +**Expected output:** +``` +Status: active + +To Action From +-- ------ ---- +22/tcp ALLOW Anywhere +80/tcp ALLOW Anywhere +443/tcp ALLOW Anywhere +``` + +--- + +### Step 2: Optimize Rules + +**Add management IP whitelist:** + +```bash +# Allow SSH from your IP only (recommended) +ufw insert 1 allow from YOUR_MANAGEMENT_IP to any port 22 proto tcp + +# Remove the general SSH allow rule +ufw delete allow 22/tcp + +# Verify +ufw status numbered +``` + +**Result:** SSH now only accessible from your management IP + +**Add rate limiting (optional):** + +```bash +# Limit SSH connection attempts +ufw limit ssh/tcp + +# This limits to 6 connections per 30 seconds per IP +``` + +--- + +### Step 3: Close Unnecessary Ports + +**Check what's listening:** + +```bash +# See what services are listening +ss -tuln + +# Or with netstat +netstat -tuln +``` + +**If you see unexpected open ports:** +```bash +# Close them via UFW +ufw deny PORT_NUMBER +``` + +--- + +### Step 4: Enable UFW Logging + +```bash +# Enable logging (helps with debugging) +ufw logging on + +# Set to medium level +ufw logging medium + +# View logs +tail -f /var/log/ufw.log +``` + +--- + +## Phase 5: Additional Security Measures (10 min) + +### Automatic Security Updates + +```bash +# Install unattended-upgrades +apt install unattended-upgrades -y + +# Enable automatic security updates +dpkg-reconfigure -plow unattended-upgrades +# Select "Yes" + +# Verify config +cat /etc/apt/apt.conf.d/20auto-upgrades +``` + +**Should contain:** +``` +APT::Periodic::Update-Package-Lists "1"; +APT::Periodic::Unattended-Upgrade "1"; +``` + +--- + +### Install Additional Security Tools + +```bash +# Install helpful security tools +apt install -y \ + ufw-extras \ + apt-listchanges \ + debsums \ + aide + +# Initialize AIDE (file integrity checker) +aide --init +mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db +``` + +--- + +## Verification & Testing + +### Test 1: SSH Key Access + +```bash +# From your local machine +ssh root@63.143.34.217 + +# Should connect WITHOUT asking for password +# If it asks for your key passphrase, that's normal +``` + +--- + +### Test 2: Fail2Ban is Working + +```bash +# On Command Center, check Fail2Ban status +fail2ban-client status sshd + +# Try to trigger a ban (from another IP if possible): +# Make 4 failed SSH attempts +# That IP should get banned + +# Check banned IPs +fail2ban-client status sshd +``` + +--- + +### Test 3: Password Auth is Disabled + +```bash +# From local machine, try password auth (should fail) +ssh -o PreferredAuthentications=password root@63.143.34.217 + +# Should refuse: "Permission denied (publickey)" +``` + +--- + +### Test 4: UFW Rules Active + +```bash +# Check firewall status +ufw status verbose + +# Verify only necessary ports open +# Verify management IP whitelisted for SSH +``` + +--- + +## Monitoring & Maintenance + +### Daily + +- Check Fail2Ban for banned IPs: `fail2ban-client status sshd` +- Review auth logs: `tail -100 /var/log/auth.log | grep Failed` + +### Weekly + +- Review UFW logs: `grep UFW /var/log/syslog | tail -50` +- Check for security updates: `apt list --upgradable | grep security` + +### Monthly + +- Review all Fail2Ban bans: `zgrep 'Ban' /var/log/fail2ban.log*` +- Run AIDE file integrity check: `aide --check` +- Review SSH config for any changes needed + +--- + +## Troubleshooting + +### Locked Out of SSH + +**Prevention:** Always keep one session open while testing! + +**If locked out:** +1. Access via provider console (IPMI/VNC) +2. Edit `/etc/ssh/sshd_config` +3. Re-enable `PasswordAuthentication yes` +4. Restart SSH: `systemctl restart sshd` +5. Fix SSH key issue +6. Re-harden once working + +--- + +### Fail2Ban Not Banning + +**Check logs:** +```bash +tail -100 /var/log/fail2ban.log +``` + +**Common issues:** +- Log file path incorrect +- Regex pattern doesn't match log format +- MaxRetry set too high + +**Debug specific jail:** +```bash +fail2ban-regex /var/log/auth.log /etc/fail2ban/filter.d/sshd.conf +``` + +--- + +### UFW Blocking Legitimate Traffic + +**Check UFW logs:** +```bash +grep UFW /var/log/syslog | grep BLOCK +``` + +**Allow specific IP:** +```bash +ufw allow from IP_ADDRESS +``` + +**Temporarily disable UFW (emergency only!):** +```bash +ufw disable +# Fix issue +ufw enable +``` + +--- + +### Management IP Changed + +**Update Fail2Ban:** +```bash +nano /etc/fail2ban/jail.local +# Update ignoreip line +systemctl restart fail2ban +``` + +**Update UFW:** +```bash +# Remove old rule +ufw delete RULE_NUMBER + +# Add new rule +ufw insert 1 allow from NEW_IP to any port 22 proto tcp +``` + +--- + +## Security Checklist + +**After deployment, verify:** + +- [ ] SSH key authentication works +- [ ] Password authentication disabled +- [ ] Fail2Ban active and monitoring +- [ ] UFW firewall optimized +- [ ] Management IP whitelisted +- [ ] Automatic security updates enabled +- [ ] All tests passed +- [ ] Backup SSH access method available +- [ ] Security config documented +- [ ] Team notified of changes + +--- + +## Related Tasks + +- **Frostwall Protocol** - Network-level security +- **Vaultwarden Setup** - Credential management +- **Command Center Cleanup** - Server housekeeping + +--- + +**Fire + Frost + Foundation = Where Love Builds Legacy** 💙🔥❄️ + +--- + +**Document Status:** COMPLETE +**Ready to Deploy:** When SSH access available (1 hour) +**Risk Level:** MEDIUM (can lock yourself out if not careful) +**Backup Required:** Console/IPMI access in case of lockout +**Test Thoroughly:** Always test SSH keys before disabling password auth! diff --git a/docs/tasks/flagship-modpack-eternal-skyforge/README.md b/docs/tasks/flagship-modpack-eternal-skyforge/README.md new file mode 100644 index 0000000..bfc8662 --- /dev/null +++ b/docs/tasks/flagship-modpack-eternal-skyforge/README.md @@ -0,0 +1,68 @@ +# Firefrost: The Eternal Skyforge - Flagship Modpack + +**Status:** Planning Complete +**Priority:** Tier 3 - Content Creation +**Time:** 20-40 hours (iterative development) +**Last Updated:** 2026-02-17 + +--- + +## Overview + +Custom Create-focused modpack that embodies the Fire + Frost philosophy through gameplay. Players master weapon forging and factory automation in a skyblock environment. + +**Theme:** "Where Steel Meets Steam, Legends Are Forged" + +--- + +## Core Concept + +- **Setting:** Skyblock world with floating ancient forges +- **Gameplay:** Automate legendary weapon production using Create +- **Progression:** 5 weapon tiers from Apprentice to Mythic +- **Paths:** Fire (competition/combat) vs Frost (engineering/precision) + +--- + +## Key Features + +- Create automation as core mechanic +- Custom weapon crafting system (Tetra or Tinkers) +- Dual progression paths (Fire competitive, Frost collaborative) +- Leaderboards and challenges +- Multiplayer co-op and PvP +- 3-phase progression (20-40 hours total) + +--- + +## Documentation + +**Complete design document:** `design-document.md` + +Contains: +- Full gameplay design +- Mod list and technical specs +- 3-phase progression system +- Weapon tiers and crafting +- Factory templates +- Quest design +- Development roadmap (4-5 months) +- Marketing strategy + +--- + +## Success Criteria + +- ✅ Design document complete +- ⏳ Phase 1: Core setup (2 weeks) +- ⏳ Phase 2: Recipe development (3 weeks) +- ⏳ Phase 3: Questing (3 weeks) +- ⏳ Phase 4: Polish & balance (4 weeks) +- ⏳ Phase 5: Beta testing (4 weeks) +- ⏳ Phase 6: Launch + +**Target:** 10,000+ downloads in 6 months + +--- + +**Fire + Frost + Foundation = Where Love Builds Legacy** 💙🔥❄️ diff --git a/docs/tasks/frostwall-protocol/README.md b/docs/tasks/frostwall-protocol/README.md index c368da5..77df86e 100644 --- a/docs/tasks/frostwall-protocol/README.md +++ b/docs/tasks/frostwall-protocol/README.md @@ -1,10 +1,10 @@ # The Frostwall Protocol - GRE Tunnel Security Architecture -**Status:** Rebuild Pending +**Status:** PLANNING COMPLETE - Ready to Deploy **Owner:** Michael "Frostystyle" Krause **Priority:** CRITICAL - Tier 1 Security Foundation -**Last Updated:** 2026-02-16 -**Time Estimate:** 3-4 hours +**Last Updated:** 2026-02-17 +**Time Estimate:** 3-4 hours deployment (SSH required) --- diff --git a/docs/tasks/staff-recruitment-launch/README.md b/docs/tasks/staff-recruitment-launch/README.md index 7ee21d2..f38b574 100644 --- a/docs/tasks/staff-recruitment-launch/README.md +++ b/docs/tasks/staff-recruitment-launch/README.md @@ -1,10 +1,10 @@ # Staff Recruitment Launch -**Status:** READY - POSTING TODAY +**Status:** DOCUMENTATION COMPLETE - Ready to Post **Owner:** Michael "Frostystyle" Krause **Priority:** Tier 0 - Immediate Win -**Last Updated:** 2026-02-16 -**Time Estimate:** 2-3 hours (setup) + ongoing management +**Last Updated:** 2026-02-17 +**Time Estimate:** 30 min (finalize) + 2-3 hours (post & manage) --- diff --git a/docs/tasks/whitelist-manager/README.md b/docs/tasks/whitelist-manager/README.md index f5df9ab..59a619c 100644 --- a/docs/tasks/whitelist-manager/README.md +++ b/docs/tasks/whitelist-manager/README.md @@ -1,10 +1,10 @@ # Whitelist Manager Web Dashboard -**Status:** Planning +**Status:** DEPLOYMENT READY **Owner:** Michael "Frostystyle" Krause **Priority:** Tier 0 - Immediate Win -**Last Updated:** 2026-02-16 -**Time Estimate:** 2-2.5 hours +**Last Updated:** 2026-02-17 +**Time Estimate:** 30-45 minutes deployment --- @@ -43,7 +43,7 @@ Web dashboard at `whitelist.firefrostgaming.com` for managing player whitelists - **Backend:** Python Flask application - **Frontend:** HTML + TailwindCSS responsive design - **Authentication:** Basic auth (username/password) via HTTPS -- **Hosting:** Ghost VPS (Chicago) - same server as Wiki.js Staff +- **Hosting:** Billing VPS (38.68.14.188, Chicago) - "Money on Billing" principle --- @@ -110,18 +110,24 @@ Web dashboard at `whitelist.firefrostgaming.com` for managing player whitelists ## Current Status -**Planning Phase:** -- ✅ Deployment plan complete (40+ pages) -- ✅ Requirements gathered -- ✅ Tech stack selected -- ✅ Server list compiled (11 servers) -- ⏳ Awaiting medical clearance to begin build +**COMPLETE - Ready for Deployment:** +- ✅ Complete Flask web application built +- ✅ Fire & Frost themed TailwindCSS UI +- ✅ Pterodactyl API integration complete +- ✅ All configuration files created +- ✅ Deployment scripts and guides ready +- ✅ Security implemented (HTTPS, auth, API key management) +- ⏳ **Awaiting SSH access to Billing VPS for deployment** + +**Deployment Package Location:** +`/deployments/whitelist-manager/` in operations manual repository **Next Steps:** -1. Obtain Pterodactyl API key -2. Set up DNS record -3. Begin Phase 1: Infrastructure setup -4. Follow 6-phase deployment plan +1. Obtain SSH access to Billing VPS (38.68.14.188) +2. Configure DNS: `whitelist.firefrostgaming.com` → `38.68.14.188` +3. Run deployment (30-45 minutes using provided scripts) +4. Test all functions +5. Document credentials in Vaultwarden ---