|
|
157d84e508
|
security: harden lazyworkhorse with firewall, fail2ban, SSH hardening
- Firewall (default deny):
- Allow only essential ports: SSH(2424), Gitea(2222), HTTP(80), HTTPS(443)
- Rate limit SSH (max 4 new connections/60s)
- Rate limit HTTP/HTTPS (25/minute)
- Drop invalid packets, log dropped packets
- Fail2ban (auto-ban attackers):
- SSH jail: 3 strikes = 1 hour ban
- HTTP auth failures: 5 strikes = 1 hour ban
- HTTP scanning: 2 strikes = 2 hour ban
- Recidive jail: repeat offenders = 1 week ban
- SSH hardening:
- No root login
- Max 3 auth tries, 5 sessions
- 30s login grace time
- No X11/TCP/agent forwarding
- Verbose logging
- Kernel network hardening:
- SYN flood protection (syncookies)
- IP spoofing protection (rp_filter)
- Disable source routing, redirects
- Log martian packets
- Connection tuning for high load
- Audit logging enabled
Ports commented for review (likely internal-only):
- 8000 (Portainer), 4242 (Coms), 5000/8087/8089 (TAK)
|
2026-04-30 17:10:16 +00:00 |
|
