Created comprehensive security hardening guide (500+ lines):

Defense-in-Depth Strategy:
- Layer 1: Fail2Ban auto-banning
- Layer 2: SSH key-only authentication
- Layer 3: UFW firewall optimization

5-Phase Deployment (1 hour total):
- Phase 1: Test SSH key access (CRITICAL - prevents lockout)
- Phase 2: Install and configure Fail2Ban (20 min)
- Phase 3: SSH hardening (20 min)
- Phase 4: UFW firewall review (15 min)
- Phase 5: Additional security (automatic updates, AIDE)

Security Features:
- Fail2Ban monitors SSH, Nginx, bad bots
- SSH: Key-only auth, MaxAuthTries=3, rate limiting
- UFW: Management IP whitelist, unnecessary ports closed
- Automatic security updates
- File integrity checking (AIDE)

Critical Safety Measures:
- Mandatory SSH key testing before disabling passwords
- Keep session open while testing
- Backup access via console/IPMI
- Step-by-step verification at each phase
- Comprehensive troubleshooting (lockout recovery)

Monitoring & Maintenance:
- Daily: Check Fail2Ban bans and auth logs
- Weekly: Review UFW logs and security updates
- Monthly: AIDE file integrity check

Ready to deploy when SSH access available.
Risk level: MEDIUM (can lock out if keys not tested)

Task: Command Center Security Hardening (Tier 1)
FFG-STD-002 compliant
Command Center Security Hardening
Status: Ready
Priority: Tier 1 - Security Foundation
Time: 1 hour
Last Updated: 2026-02-16
Overview
Defense-in-depth security hardening for Command Center VPS (Dallas hub). Install Fail2Ban, harden SSH, review firewall rules.
Current State
- ✅ UFW enabled (default deny incoming)
- ✅ Ports 22, 80, 443 open
- ❌ Fail2Ban not installed
- ❌ SSH allows password auth
- ❌ No rate limiting on SSH
Tasks
- Install Fail2Ban (auto-ban brute force)
- SSH Hardening:
  - Disable password auth (key-only)
  - Optional: Change SSH port
  - Set MaxAuthTries=3
- Review UFW rules (close unnecessary ports)
- Document in deployment-plan.md
- Test SSH with keys before closing password auth
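The pre-flight checks behind the SSH hardening and Fail2Ban tasks above, as an added example that is not part of the task card or the deployment plan it refers to. It reads an sshd_config the way sshd does (the first uncommented occurrence of a keyword wins, so a directive appended at the end of the file can be silently ignored), audits the directives the card requires against the OpenSSH defaults, gives a key-login gate for the "test SSH with keys first" step, and renders the Fail2Ban jail.local that pairs with them. The sample configs, the 203.0.113.5 management address and the KbdInteractiveAuthentication check are assumptions added here, not values from the card.

```shell
#!/bin/sh
# Added example, not from the task card: pre-flight checks for the SSH
# hardening steps. Sample configs at the bottom are constructed for the demo.

# Print the value sshd would use for KEY from FILE: the first uncommented
# occurrence wins and later duplicates are ignored, which is why a setting
# appended at the end of sshd_config may have no effect. Does not follow
# Include or Match blocks; for the effective config run it over `sshd -T`.
sshd_effective() {
    awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' "$2"
}

# Audit FILE against the card's requirements. Items are KEY:WANT:DEFAULT;
# a missing directive is compared against the OpenSSH default rather than
# passed. KbdInteractiveAuthentication is an assumption beyond the card:
# with it left on, PAM can still offer a password prompt after
# PasswordAuthentication is off. Returns 0 only when every item passes.
audit_sshd_config() {
    cfg="$1"
    failures=0
    for item in PasswordAuthentication:no:yes \
                PubkeyAuthentication:yes:yes \
                KbdInteractiveAuthentication:no:yes \
                MaxAuthTries:3:6; do
        key=${item%%:*}; rest=${item#*:}
        want=${rest%%:*}; default=${rest#*:}
        got=$(sshd_effective "$key" "$cfg" | tr '[:upper:]' '[:lower:]')
        [ -n "$got" ] || got=$default
        if [ "$got" = "$want" ]; then
            printf 'ok    %-30s %s\n' "$key" "$got"
        else
            printf 'FAIL  %-30s got %s, want %s\n' "$key" "$got" "$want"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}

# Phase 1 gate: run from a SECOND terminal, keeping the first session open,
# before PasswordAuthentication is turned off. BatchMode=yes makes ssh fail
# instead of prompting, so a password fallback cannot hide a broken key.
# HOST is user@host for the Command Center (not set here).
verify_key_login() {
    ssh -o BatchMode=yes -o PasswordAuthentication=no -o ConnectTimeout=10 "$1" true
}

# Render /etc/fail2ban/jail.local for the jails the card names (SSH, Nginx,
# bad bots). The management IP goes in ignoreip so the admin's own typos
# never ban the admin; maxretry matches MaxAuthTries. Time suffixes such as
# 1h need Fail2Ban 0.10 or newer.
render_jail_local() {
    cat <<EOF
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 $1
bantime  = 1h
findtime = 10m
maxretry = 3

[sshd]
enabled = true

[nginx-http-auth]
enabled = true

[nginx-botsearch]
enabled = true
EOF
}

# --- constructed samples ---------------------------------------------------
# The card's "current state", plus a common mistake: "PasswordAuthentication
# no" was appended at the end, but the earlier "yes" is what sshd uses.
WEAK_CFG=$(mktemp)
cat >"$WEAK_CFG" <<'EOF'
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
EOF

HARD_CFG=$(mktemp)
cat >"$HARD_CFG" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
EOF

echo "== weak =="
audit_sshd_config "$WEAK_CFG" || echo "do NOT disable passwords yet"
echo "== hardened =="
audit_sshd_config "$HARD_CFG" && echo "safe to restart sshd"
render_jail_local 203.0.113.5
```

Run the audit against `sshd -T` output on the host after editing, not just against the file, so that anything pulled in through `Include` or a `Match` block is counted; only restart sshd once `verify_key_login` has succeeded from a separate session while the original one stays open.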
Success Criteria
- ✅ Fail2Ban active and monitoring
- ✅ SSH key-only authentication
- ✅ Command Center locked down
- ✅ Security config documented
Fire + Frost + Foundation 💙🔥❄️