# Command Center Security Hardening

**Status:** Ready  
**Priority:** Tier 1 - Security Foundation  
**Time:** 1 hour  
**Last Updated:** 2026-02-16

## Overview
Defense-in-depth security hardening for Command Center VPS (Dallas hub). Install Fail2Ban, harden SSH, review firewall rules.

## Current State
- ✅ UFW enabled (default deny incoming)
- ✅ Ports 22, 80, 443 open
- ❌ Fail2Ban not installed
- ❌ SSH allows password auth
- ❌ No rate limiting on SSH

## Tasks
1. **Install Fail2Ban** (auto-ban brute force)
2. **SSH Hardening:**
   - Disable password auth (key-only)
   - Optional: Change SSH port
   - Set MaxAuthTries=3
3. **Review UFW rules** (close unnecessary ports)
4. **Document** in deployment-plan.md
5. **Test SSH** with keys before closing password auth

## Success Criteria
- ✅ Fail2Ban active and monitoring
- ✅ SSH key-only authentication
- ✅ Command Center locked down
- ✅ Security config documented

**Fire + Frost + Foundation** 💙🔥❄️