fix: remove SSH hardening from LXC setup - blocks deployment

SSH hardening (no root, no password) prevents pct exec and deploy
access on dev/staging servers. Moved to security skill as
production-only optional step. Kept: fail2ban, auto-updates, sysctl.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Christian Mueller 2026-03-21 00:18:13 +01:00
parent 4fea7e781f
commit 24219530fa
2 changed files with 10 additions and 14 deletions

View File

@ -139,13 +139,7 @@ ssh root@$PVE_HOST "pct exec $VMID -- bash -c '
ufw allow 443 ufw allow 443
ufw --force enable ufw --force enable
# --- SECURITY HARDENING --- # --- SECURITY HARDENING (ohne SSH - stört beim Deploy) ---
# SSH härten: Kein Root-Login, kein Passwort-Login
sed -i "s/^#*PermitRootLogin.*/PermitRootLogin no/" /etc/ssh/sshd_config
sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config
sed -i "s/^#*PubkeyAuthentication.*/PubkeyAuthentication yes/" /etc/ssh/sshd_config
systemctl restart sshd
# Fail2Ban gegen Brute-Force # Fail2Ban gegen Brute-Force
apt install -y fail2ban apt install -y fail2ban

View File

@ -62,10 +62,10 @@ Schweregrade: KRITISCH / HOCH / MITTEL / NIEDRIG
## SERVER-SECURITY CHECKS (via SSH) ## SERVER-SECURITY CHECKS (via SSH)
### SSH-Hardening prüfen ### SSH-Hardening prüfen (optional - NICHT bei Entwicklungs-/Staging-Servern)
SSH-Hardening kann das Deployment stören. Nur auf Produktionsservern aktivieren.
```bash ```bash
ssh deploy@$SSH_HOST "cat /etc/ssh/sshd_config" | grep -E 'PermitRootLogin|PasswordAuthentication|PubkeyAuthentication' ssh deploy@$SSH_HOST "cat /etc/ssh/sshd_config" | grep -E 'PermitRootLogin|PasswordAuthentication|PubkeyAuthentication'
# Erwartet: PermitRootLogin no, PasswordAuthentication no, PubkeyAuthentication yes
``` ```
### Firewall prüfen ### Firewall prüfen
@ -111,11 +111,6 @@ ssh deploy@$SSH_HOST "systemctl list-units --type=service --state=running"
Wenn Probleme gefunden werden, SOFORT fixen: Wenn Probleme gefunden werden, SOFORT fixen:
```bash ```bash
# Root-Login deaktivieren
ssh deploy@$SSH_HOST "sudo sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config"
ssh deploy@$SSH_HOST "sudo sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config"
ssh deploy@$SSH_HOST "sudo systemctl restart sshd"
# Fail2Ban installieren # Fail2Ban installieren
ssh deploy@$SSH_HOST "sudo apt install -y fail2ban && sudo systemctl enable --now fail2ban" ssh deploy@$SSH_HOST "sudo apt install -y fail2ban && sudo systemctl enable --now fail2ban"
@ -126,6 +121,13 @@ ssh deploy@$SSH_HOST "sudo apt install -y unattended-upgrades && sudo dpkg-recon
ssh deploy@$SSH_HOST "chmod 600 /var/www/app/.env" ssh deploy@$SSH_HOST "chmod 600 /var/www/app/.env"
``` ```
### SSH-Hardening (NUR Produktion, NICHT auf Staging/Dev)
```bash
ssh deploy@$SSH_HOST "sudo sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config"
ssh deploy@$SSH_HOST "sudo sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config"
ssh deploy@$SSH_HOST "sudo systemctl restart sshd"
```
## TOOLS ## TOOLS
- `npm audit --json` für Dependency-Check - `npm audit --json` für Dependency-Check
- Grep nach Secret-Patterns im gesamten Projekt - Grep nach Secret-Patterns im gesamten Projekt