diff --git a/.claude/skills/proxmox-lxc.md b/.claude/skills/proxmox-lxc.md index a8d46a3..12796e4 100644 --- a/.claude/skills/proxmox-lxc.md +++ b/.claude/skills/proxmox-lxc.md @@ -139,13 +139,7 @@ ssh root@$PVE_HOST "pct exec $VMID -- bash -c ' ufw allow 443 ufw --force enable - # --- SECURITY HARDENING --- - - # SSH härten: Kein Root-Login, kein Passwort-Login - sed -i "s/^#*PermitRootLogin.*/PermitRootLogin no/" /etc/ssh/sshd_config - sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config - sed -i "s/^#*PubkeyAuthentication.*/PubkeyAuthentication yes/" /etc/ssh/sshd_config - systemctl restart sshd + # --- SECURITY HARDENING (ohne SSH - stört beim Deploy) --- # Fail2Ban gegen Brute-Force apt install -y fail2ban diff --git a/.claude/skills/security.md b/.claude/skills/security.md index c1e0f23..d9ed640 100644 --- a/.claude/skills/security.md +++ b/.claude/skills/security.md @@ -62,10 +62,10 @@ Schweregrade: KRITISCH / HOCH / MITTEL / NIEDRIG ## SERVER-SECURITY CHECKS (via SSH) -### SSH-Hardening prüfen +### SSH-Hardening prüfen (optional - NICHT bei Entwicklungs-/Staging-Servern) +SSH-Hardening kann das Deployment stören. Nur auf Produktionsservern aktivieren. ```bash ssh deploy@$SSH_HOST "cat /etc/ssh/sshd_config" | grep -E 'PermitRootLogin|PasswordAuthentication|PubkeyAuthentication' -# Erwartet: PermitRootLogin no, PasswordAuthentication no, PubkeyAuthentication yes ``` ### Firewall prüfen @@ -111,11 +111,6 @@ ssh deploy@$SSH_HOST "systemctl list-units --type=service --state=running" Wenn Probleme gefunden werden, SOFORT fixen: ```bash -# Root-Login deaktivieren -ssh deploy@$SSH_HOST "sudo sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config" -ssh deploy@$SSH_HOST "sudo sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config" -ssh deploy@$SSH_HOST "sudo systemctl restart sshd" - # Fail2Ban installieren ssh deploy@$SSH_HOST "sudo apt install -y fail2ban && sudo systemctl enable --now fail2ban" @@ -126,6 +121,13 @@ ssh deploy@$SSH_HOST "sudo apt install -y unattended-upgrades && sudo dpkg-recon ssh deploy@$SSH_HOST "chmod 600 /var/www/app/.env" ``` +### SSH-Hardening (NUR Produktion, NICHT auf Staging/Dev) +```bash +ssh deploy@$SSH_HOST "sudo sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config" +ssh deploy@$SSH_HOST "sudo sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config" +ssh deploy@$SSH_HOST "sudo systemctl restart sshd" +``` + ## TOOLS - `npm audit --json` für Dependency-Check - Grep nach Secret-Patterns im gesamten Projekt