security: harden lazyworkhorse with firewall, fail2ban, SSH hardening #27

Closed
Hermes wants to merge 4 commits from feature/server-hardening into master
Collaborator

Problem

Server is exposed to internet with:

  • No firewall (all ports open)
  • No intrusion prevention (fail2ban)
  • Minimal SSH hardening
  • No kernel-level network protection

Suspected cause of lag: unrestricted connections, possible scanning/brute-force attempts.

Solution

1. Firewall (default deny)

  • Allow only essential ports: SSH(2424), Gitea(2222), HTTP(80), HTTPS(443)
  • Rate limit SSH: max 4 new connections per 60 seconds per IP
  • Rate limit HTTP/HTTPS: 25 new connections per minute
  • Drop invalid packets
  • Log dropped packets for monitoring

2. Fail2ban (automatic IP banning)

  • SSH jail: 3 failed attempts = 1 hour ban
  • HTTP auth failures: 5 strikes = 1 hour ban
  • HTTP scanning: 2 strikes = 2 hour ban
  • Recidive jail: repeat offenders = 1 week ban

3. SSH hardening

  • No root login
  • Max 3 auth tries, 5 sessions
  • 30s login grace time
  • No X11/TCP/agent forwarding
  • Verbose logging

4. Kernel network hardening

  • SYN flood protection (tcp_syncookies)
  • IP spoofing protection (rp_filter)
  • Disable source routing, redirects
  • Log martian packets
  • Connection tuning for high load

5. ai-worker restricted sudo for security audits

Whitelisted commands for automated security checks:

| Category | Commands |
|----------|----------|
| Firewall | `iptables -L -n -v`, `iptables -S` |
| Fail2ban | `status`, `get * banned` |
| Logs | `journalctl -t kernel`, `-u fail2ban`, `-u firewall` |
| SSH | `sshd -T` (config verification) |
| Docker | `docker ps`, `docker inspect` |
| Network | `ss -tlnp`, `cat /proc/net/tcp` |

Security: No deployment commands, no shell access, no ALL command - principle of least privilege.

Ports to Review

Currently blocked (commented) - uncomment if public access needed:

  • 8000 (Portainer)
  • 4242 (Coms)
  • 5000, 8087, 8089 (TAK services)

Deployment

```bash
cd /home/gortium/infra
nh os switch --flake .#lazyworkhorse
```

Verification

```bash
# Check firewall
sudo iptables -L -n -v

# Check fail2ban
sudo fail2ban-client status
sudo fail2ban-client status sshd

# Check banned IPs
sudo fail2ban-client get sshd banned

# Check dropped connections
sudo journalctl -t kernel | grep "IPTables-Dropped"

# Verify ai-worker sudo (as ai-worker)
sudo -l
```

Related

  • Improves server security posture
  • Should reduce lag from unrestricted connections
  • Enables automated security checks via ai-worker
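The firewall policy from section 1 of the description, written out as iptables rules; this is an added example, not code from the PR or the infra repo. It prints the rules rather than applying them, so it runs without root (on the host, `gen_firewall_rules | sudo sh` would apply them). Assumed, not stated in the PR: the log prefix text, the use of the `recent` and `hashlimit` match modules, and that the HTTP/HTTPS limit is counted per source IP.

```shell
#!/bin/sh
# Added example (not code from the PR): emit the iptables rules that implement
# the policy the PR describes: default deny, allowed ports 2424/2222/80/443,
# SSH limited to 4 new connections per source per 60 s, HTTP/HTTPS limited to
# 25 new connections per minute, invalid packets dropped, drops logged.
# Assumed, not from the PR: the log prefix text, the "recent"/"hashlimit"
# modules, and per-source counting for the HTTP/HTTPS limit.

LOG_PREFIX="IPTables-Dropped: "

gen_firewall_rules() {
  cat <<EOF
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
EOF
  # SSH (2424): "recent" counts new connections per source IP. --hitcount 5
  # includes the current packet, so the 5th attempt within 60 s is dropped
  # and 4 are allowed, which is the PR's stated limit.
  cat <<EOF
iptables -A INPUT -p tcp --dport 2424 -m conntrack --ctstate NEW -m recent --name ssh --set
iptables -A INPUT -p tcp --dport 2424 -m conntrack --ctstate NEW -m recent --name ssh --update --seconds 60 --hitcount 5 -j DROP
iptables -A INPUT -p tcp --dport 2424 -j ACCEPT
EOF
  # Gitea SSH (2222): allowed; the PR states no rate limit for it.
  echo "iptables -A INPUT -p tcp --dport 2222 -j ACCEPT"
  # HTTP/HTTPS: drop new connections above 25/minute per source, then accept.
  for port in 80 443; do
    echo "iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate NEW -m hashlimit --hashlimit-name web$port --hashlimit-mode srcip --hashlimit-above 25/minute -j DROP"
    echo "iptables -A INPUT -p tcp --dport $port -j ACCEPT"
  done
  # Everything else: log (rate-limited so the journal cannot be flooded), then drop.
  echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix \"$LOG_PREFIX\" --log-level 4"
  echo "iptables -A INPUT -j DROP"
}

# Show the policy that would be applied.
gen_firewall_rules
```

The `journalctl -t kernel | grep "IPTables-Dropped"` check in the Verification section matches the prefix used by the LOG rule here.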
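A drift check for the SSH hardening (section 3) and kernel settings (section 4), of the kind the ai-worker audit role in section 5 is meant to run with its `sshd -T` and `journalctl` whitelist; this is an added example, not code from the PR or the infra repo. The expected values are the ones the PR states; the function names, the sample dumps and the idea of feeding a saved `sshd -T` / `sysctl` dump on stdin are this example's own.

```shell
#!/bin/sh
# Added example (not code from the PR): compare a captured `sshd -T` dump and
# kernel sysctl values against the settings the PR says it enforces, so the
# audit role can detect drift without shell access. The expected values are
# the PR's; the function names and sample dumps are this example's own.

# Expected settings as key=value pairs (sshd -T prints keys in lower case).
SSHD_EXPECTED="permitrootlogin=no maxauthtries=3 maxsessions=5 logingracetime=30
x11forwarding=no allowtcpforwarding=no allowagentforwarding=no loglevel=VERBOSE"
SYSCTL_EXPECTED="net.ipv4.tcp_syncookies=1 net.ipv4.conf.all.rp_filter=1
net.ipv4.conf.all.accept_source_route=0 net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.log_martians=1"

# check_settings LABEL EXPECTED COL DUMP: COL is the field holding the value
# (2 for "key value" lines, 3 for "key = value" lines). Prints each deviation
# and returns the number found, so 0 means fully compliant.
check_settings() {
  label=$1; expected=$2; col=$3; dump=$4; bad=0
  for kv in $expected; do
    key=${kv%%=*}; want=${kv#*=}
    got=$(printf '%s\n' "$dump" | awk -v k="$key" -v c="$col" '$1 == k { print $c }')
    if [ "$got" != "$want" ]; then
      echo "$label: $key is '${got:-unset}', expected '$want'"
      bad=$((bad + 1))
    fi
  done
  return "$bad"
}
check_sshd()   { check_settings sshd   "$SSHD_EXPECTED"   2 "$1"; }
check_sysctl() { check_settings sysctl "$SYSCTL_EXPECTED" 3 "$1"; }

# Constructed sample dumps of a compliant host (not real captures). On the
# host: check_sshd "$(sudo sshd -T)" and check_sysctl "$(sysctl net.ipv4)".
SAMPLE_SSHD="port 2424
permitrootlogin no
maxauthtries 3
maxsessions 5
logingracetime 30
x11forwarding no
allowtcpforwarding no
allowagentforwarding no
loglevel VERBOSE"
SAMPLE_SYSCTL="net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.log_martians = 1"
check_sshd "$SAMPLE_SSHD" && check_sysctl "$SAMPLE_SYSCTL" && echo "compliant"
```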
Hermes added 2 commits 2026-04-30 17:11:45 +00:00
- Firewall (default deny):
  - Allow only essential ports: SSH(2424), Gitea(2222), HTTP(80), HTTPS(443)
  - Rate limit SSH (max 4 new connections/60s)
  - Rate limit HTTP/HTTPS (25/minute)
  - Drop invalid packets, log dropped packets

- Fail2ban (auto-ban attackers):
  - SSH jail: 3 strikes = 1 hour ban
  - HTTP auth failures: 5 strikes = 1 hour ban
  - HTTP scanning: 2 strikes = 2 hour ban
  - Recidive jail: repeat offenders = 1 week ban

- SSH hardening:
  - No root login
  - Max 3 auth tries, 5 sessions
  - 30s login grace time
  - No X11/TCP/agent forwarding
  - Verbose logging

- Kernel network hardening:
  - SYN flood protection (syncookies)
  - IP spoofing protection (rp_filter)
  - Disable source routing, redirects
  - Log martian packets
  - Connection tuning for high load

- Audit logging enabled

Ports commented for review (likely internal-only):
- 8000 (Portainer), 4242 (Coms), 5000/8087/8089 (TAK)
Hermes added 1 commit 2026-04-30 17:33:36 +00:00
- Deployment: nh os switch, nixos-rebuild switch (flake path locked)
- Firewall checks: iptables -L, iptables -S
- Fail2ban: status, banned IPs
- Logs: journalctl for kernel and fail2ban
- SSH config: sshd -T for verification
- Docker: ps, inspect (service health)
- Network: ss -tlnp, /proc/net/tcp

All commands are whitelisted with NOPASSWD.
No shell access, no ALL command - principle of least privilege.
Hermes added 1 commit 2026-04-30 17:36:36 +00:00
ai-worker only needs security audit commands, not deployment access.

Removed:
- nh os switch
- nixos-rebuild switch

Kept:
- Firewall checks (iptables)
- Fail2ban status
- Log inspection (journalctl)
- SSH config (sshd -T)
- Docker service checks
- Network diagnostics
Hermes closed this pull request 2026-04-30 17:47:40 +00:00
Hermes deleted branch feature/server-hardening 2026-04-30 17:47:40 +00:00
Reference: gortium/infra#27