7994aad8d80451215dfa604a30063eb512adf23f
- Firewall (default deny):
  - Allow only essential ports: SSH (2424), Gitea (2222), HTTP (80), HTTPS (443)
  - Rate limit SSH (max 4 new connections/60s)
  - Rate limit HTTP/HTTPS (25/minute)
  - Drop invalid packets, log dropped packets
- Fail2ban (auto-ban attackers):
  - SSH jail: 3 strikes = 1 hour ban
  - HTTP auth failures: 5 strikes = 1 hour ban
  - HTTP scanning: 2 strikes = 2 hour ban
  - Recidive jail: repeat offenders = 1 week ban
- SSH hardening:
  - No root login
  - Max 3 auth tries, 5 sessions
  - 30s login grace time
  - No X11/TCP/agent forwarding
  - Verbose logging
- Kernel network hardening:
  - SYN flood protection (syncookies)
  - IP spoofing protection (rp_filter)
  - Disable source routing, redirects
  - Log martian packets
  - Connection tuning for high load
- Audit logging enabled

Ports commented for review (likely internal-only):
- 8000 (Portainer), 4242 (Coms), 5000/8087/8089 (TAK)
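The policy listed in this commit message, written out as a NixOS module so each bullet maps to a concrete option. This is an added example, not the repository's own configuration; it assumes the default iptables-based NixOS firewall (the `nixos-fw` chain and the `ip46tables` helper available in `extraCommands`), nginx in front of Gitea for the two HTTP jails, and it leaves out the unspecified "connection tuning" sysctls.

```nix
{
  # Firewall: default deny; only the four ports open; refused packets logged.
  networking.firewall = {
    enable = true;
    allowedTCPPorts = [ 2424 2222 80 443 ];
    logRefusedPackets = true;
    # Raw iptables, inserted (-I) ahead of NixOS's ACCEPT rules, so the LAST line here runs first.
    extraCommands = ''
      ip46tables -I nixos-fw -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name http-new --hashlimit-mode srcip \
        --hashlimit-above 25/minute --hashlimit-burst 25 -j DROP
      ip46tables -I nixos-fw -p tcp --dport 2424 -m conntrack --ctstate NEW \
        -m hashlimit --hashlimit-name ssh-new --hashlimit-mode srcip \
        --hashlimit-above 4/minute --hashlimit-burst 4 -j DROP
      ip46tables -I nixos-fw -m conntrack --ctstate INVALID -j DROP
    '';
  };
  # sshd on 2424 (2222 belongs to Gitea's built-in SSH server, not sshd).
  services.openssh = {
    enable = true;
    ports = [ 2424 ];
    settings = {
      PermitRootLogin = "no";
      MaxAuthTries = 3; MaxSessions = 5; LoginGraceTime = 30;
      X11Forwarding = false; AllowTcpForwarding = false; AllowAgentForwarding = false;
      LogLevel = "VERBOSE";
    };
  };
  # Fail2ban. nginx filter names are an assumption; recidive re-bans previously banned sources.
  services.fail2ban = {
    enable = true;
    jails = {
      sshd.settings = { enabled = true; port = 2424; maxretry = 3; bantime = "1h"; };
      nginx-http-auth.settings = { enabled = true; maxretry = 5; bantime = "1h"; };
      nginx-botsearch.settings = { enabled = true; maxretry = 2; bantime = "2h"; };
      recidive.settings = { enabled = true; bantime = "1w"; };
    };
  };
  # Kernel network hardening: syncookies, rp_filter, no source routing/redirects, log martians.
  boot.kernel.sysctl = {
    "net.ipv4.tcp_syncookies" = 1;
    "net.ipv4.conf.all.rp_filter" = 1; "net.ipv4.conf.default.rp_filter" = 1;
    "net.ipv4.conf.all.accept_source_route" = 0; "net.ipv6.conf.all.accept_source_route" = 0;
    "net.ipv4.conf.all.accept_redirects" = 0; "net.ipv4.conf.all.send_redirects" = 0;
    "net.ipv6.conf.all.accept_redirects" = 0;
    "net.ipv4.conf.all.log_martians" = 1; "net.ipv4.conf.default.log_martians" = 1;
  };
  # Audit logging.
  security.auditd.enable = true;
  security.audit.enable = true;
}
```

The hashlimit rules approximate the stated per-source limits (4 new SSH connections and 25 new HTTP/HTTPS connections per minute); after a rebuild, `iptables -L nixos-fw -v` should show the three inserted DROP rules above the generated ACCEPT rules.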
Description: My whole infra configuration

Languages: Nix 91.8%, Dockerfile 8.2%