security: harden server with firewall, fail2ban, and SSH protections #30

Closed
Hermes wants to merge 9 commits from feature/server-hardening into master
Collaborator

Summary

Adds comprehensive server hardening for internet-facing NixOS host.

Changes

Firewall (default deny)

  • Only essential ports exposed: SSH (2424), Gitea (2222), HTTP/HTTPS (80/443)
  • Rate limiting: SSH (4 conn/min), HTTP/HTTPS (25/min)
  • Invalid packet dropping + logging

Fail2ban

  • SSH jail: 3 strikes → 1 hour ban
  • HTTP auth jail: 5 failures → 1 hour ban
  • Bot search jail: 2 hits → 2 hour ban
  • Recidive jail: repeat offenders → 1 week ban
  • Custom Traefik filters for HTTP jails

SSH Hardening

  • Root login disabled
  • Max 3 auth tries, 5 sessions
  • 30s login grace time
  • Verbose logging
  • X11/TCP/Agent forwarding disabled

Kernel Hardening

  • SYN flood protection
  • IP spoofing protection
  • Source routing disabled
  • ICMP redirects disabled

Dependencies

  • Requires: compose PR #15 (https://code.lazyworkhorse.net/gortium/compose/pulls/15) (Traefik access logs)

Merge compose PR first, then this one.

Deployment

# 1. Deploy compose changes first
cd ~/infra/assets/compose/network
docker compose up -d traefik

# 2. Deploy NixOS config
nh os switch .#lazyworkhorse

# 3. Verify hardening
/opt/data/scripts/security-audit.sh

Verification

# Check firewall
sudo iptables -L -n -v

# Check fail2ban
sudo fail2ban-client status
sudo fail2ban-client status sshd
sudo fail2ban-client status http-auth
sudo fail2ban-client status http-botsearch

# Check SSH config
sudo sshd -T | grep -E "^(permitrootlogin|maxauthtries|loglevel)"

Related

  • Skill: nixos-server-hardening
  • Based on PR #27 reference implementation
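To make the HTTP jail behaviour in the Fail2ban section concrete, here is an added example (not the PR's own code) that replays constructed Traefik JSON access-log lines through the http-auth (5 failures, 1 hour ban) and http-botsearch (2 hits, 2 hour ban) thresholds listed above, using a sliding findtime window per client IP the way fail2ban does. The findtime value, the scanner-path pattern and the log lines are assumptions, since the PR's custom Traefik filters are not shown on this page.

```python
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Scanner paths are an assumption: the PR's real Traefik filter regexes are not shown.
BOTSEARCH_RE = re.compile(r"^/(\.env|\.git/|wp-login\.php|phpmyadmin)", re.I)

JAILS = {  # thresholds from the PR description; findtime 600 s is fail2ban's default, assumed here
    "http-auth": dict(maxretry=5, findtime=600, bantime=3600,
                      match=lambda e: e["DownstreamStatus"] in (401, 403)),
    "http-botsearch": dict(maxretry=2, findtime=600, bantime=7200,
                           match=lambda e: e["DownstreamStatus"] == 404 and bool(BOTSEARCH_RE.search(e["RequestPath"]))),
}


def parse_line(line):
    """Parse one Traefik JSON access-log line (StartUTC/ClientHost/RequestPath/DownstreamStatus are Traefik's field names)."""
    e = json.loads(line)
    e["ts"] = datetime.fromisoformat(e["StartUTC"].replace("Z", "+00:00"))
    return e


def run_jails(lines, jails=JAILS):
    """Replay log lines through each jail; return {jail: {ip: ban_expiry}}."""
    bans = {name: {} for name in jails}
    hits = {name: defaultdict(deque) for name in jails}
    for e in map(parse_line, lines):
        for name, j in jails.items():
            if not j["match"](e):
                continue
            window = hits[name][e["ClientHost"]]
            window.append(e["ts"])
            # Sliding findtime window: only failures within the last findtime seconds count.
            while (e["ts"] - window[0]).total_seconds() > j["findtime"]:
                window.popleft()
            if len(window) >= j["maxretry"]:
                bans[name][e["ClientHost"]] = e["ts"] + timedelta(seconds=j["bantime"])
                window.clear()  # fail2ban ignores further hits while the IP is banned
    return bans


def _line(ts, ip, path, status):  # builds one constructed log line (not real traffic)
    return json.dumps({"StartUTC": ts, "ClientHost": ip, "RequestPath": path, "DownstreamStatus": status})


SAMPLE_LOG = (  # constructed: 5 auth failures, 2 scanner probes, and one harmless IP with a single hit of each
    [_line(f"2026-05-01T03:{i:02d}:00Z", "203.0.113.7", "/login", 401) for i in range(5)]
    + [_line("2026-05-01T03:10:00Z", "198.51.100.9", "/wp-login.php", 404),
       _line("2026-05-01T03:10:05Z", "198.51.100.9", "/.env", 404),
       _line("2026-05-01T03:11:00Z", "192.0.2.4", "/login", 401),
       _line("2026-05-01T03:12:00Z", "192.0.2.4", "/phpmyadmin", 404)]
)
```

Running `run_jails(SAMPLE_LOG)` bans only the two IPs that cross a threshold inside the window; 192.0.2.4 stays unbanned in both jails.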
Hermes added 6 commits 2026-05-01 03:07:46 +00:00
- Firewall (default deny):
  - Allow only essential ports: SSH(2424), Gitea(2222), HTTP(80), HTTPS(443)
  - Rate limit SSH (max 4 new connections/60s)
  - Rate limit HTTP/HTTPS (25/minute)
  - Drop invalid packets, log dropped packets

- Fail2ban (auto-ban attackers):
  - SSH jail: 3 strikes = 1 hour ban
  - HTTP auth failures: 5 strikes = 1 hour ban
  - HTTP scanning: 2 strikes = 2 hour ban
  - Recidive jail: repeat offenders = 1 week ban

- SSH hardening:
  - No root login
  - Max 3 auth tries, 5 sessions
  - 30s login grace time
  - No X11/TCP/agent forwarding
  - Verbose logging

- Kernel network hardening:
  - SYN flood protection (syncookies)
  - IP spoofing protection (rp_filter)
  - Disable source routing, redirects
  - Log martian packets
  - Connection tuning for high load

- Audit logging enabled

Ports commented for review (likely internal-only):
- 8000 (Portainer), 4242 (Coms), 5000/8087/8089 (TAK)
- Deployment: nh os switch, nixos-rebuild switch (flake path locked)
- Firewall checks: iptables -L, iptables -S
- Fail2ban: status, banned IPs
- Logs: journalctl for kernel and fail2ban
- SSH config: sshd -T for verification
- Docker: ps, inspect (service health)
- Network: ss -tlnp, /proc/net/tcp

All commands are whitelisted with NOPASSWD.
No shell access, no ALL command - principle of least privilege.
ai-worker only needs security audit commands, not deployment access.

Removed:
- nh os switch
- nixos-rebuild switch

Kept:
- Firewall checks (iptables)
- Fail2ban status
- Log inspection (journalctl)
- SSH config (sshd -T)
- Docker service checks
- Network diagnostics
Hermes added 3 commits 2026-05-01 03:08:38 +00:00
- Updated roadmap phase status (Phase 4 complete)
- Added merge priority table with PR #28 (security) at top
- Documented that security must merge before new services exposed
- Added deployment command reference
Hermes closed this pull request 2026-05-01 03:34:18 +00:00
Reference: gortium/infra#30