fix: remove SSH hardening from LXC setup - blocks deployment
SSH hardening (no root, no password) prevents pct exec and deploy access on dev/staging servers. Moved to security skill as production-only optional step. Kept: fail2ban, auto-updates, sysctl. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
4fea7e781f
commit
24219530fa
@ -139,13 +139,7 @@ ssh root@$PVE_HOST "pct exec $VMID -- bash -c '
|
|||||||
ufw allow 443
|
ufw allow 443
|
||||||
ufw --force enable
|
ufw --force enable
|
||||||
|
|
||||||
# --- SECURITY HARDENING ---
|
# --- SECURITY HARDENING (ohne SSH - stört beim Deploy) ---
|
||||||
|
|
||||||
# SSH härten: Kein Root-Login, kein Passwort-Login
|
|
||||||
sed -i "s/^#*PermitRootLogin.*/PermitRootLogin no/" /etc/ssh/sshd_config
|
|
||||||
sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config
|
|
||||||
sed -i "s/^#*PubkeyAuthentication.*/PubkeyAuthentication yes/" /etc/ssh/sshd_config
|
|
||||||
systemctl restart sshd
|
|
||||||
|
|
||||||
# Fail2Ban gegen Brute-Force
|
# Fail2Ban gegen Brute-Force
|
||||||
apt install -y fail2ban
|
apt install -y fail2ban
|
||||||
|
|||||||
@ -62,10 +62,10 @@ Schweregrade: KRITISCH / HOCH / MITTEL / NIEDRIG
|
|||||||
|
|
||||||
## SERVER-SECURITY CHECKS (via SSH)
|
## SERVER-SECURITY CHECKS (via SSH)
|
||||||
|
|
||||||
### SSH-Hardening prüfen
|
### SSH-Hardening prüfen (optional - NICHT bei Entwicklungs-/Staging-Servern)
|
||||||
|
SSH-Hardening kann das Deployment stören. Nur auf Produktionsservern aktivieren.
|
||||||
```bash
|
```bash
|
||||||
ssh deploy@$SSH_HOST "cat /etc/ssh/sshd_config" | grep -E 'PermitRootLogin|PasswordAuthentication|PubkeyAuthentication'
|
ssh deploy@$SSH_HOST "cat /etc/ssh/sshd_config" | grep -E 'PermitRootLogin|PasswordAuthentication|PubkeyAuthentication'
|
||||||
# Erwartet: PermitRootLogin no, PasswordAuthentication no, PubkeyAuthentication yes
|
|
||||||
```
|
```
|
||||||
|
|
||||||
### Firewall prüfen
|
### Firewall prüfen
|
||||||
@ -111,11 +111,6 @@ ssh deploy@$SSH_HOST "systemctl list-units --type=service --state=running"
|
|||||||
Wenn Probleme gefunden werden, SOFORT fixen:
|
Wenn Probleme gefunden werden, SOFORT fixen:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
# Root-Login deaktivieren
|
|
||||||
ssh deploy@$SSH_HOST "sudo sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config"
|
|
||||||
ssh deploy@$SSH_HOST "sudo sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config"
|
|
||||||
ssh deploy@$SSH_HOST "sudo systemctl restart sshd"
|
|
||||||
|
|
||||||
# Fail2Ban installieren
|
# Fail2Ban installieren
|
||||||
ssh deploy@$SSH_HOST "sudo apt install -y fail2ban && sudo systemctl enable --now fail2ban"
|
ssh deploy@$SSH_HOST "sudo apt install -y fail2ban && sudo systemctl enable --now fail2ban"
|
||||||
|
|
||||||
@ -126,6 +121,13 @@ ssh deploy@$SSH_HOST "sudo apt install -y unattended-upgrades && sudo dpkg-recon
|
|||||||
ssh deploy@$SSH_HOST "chmod 600 /var/www/app/.env"
|
ssh deploy@$SSH_HOST "chmod 600 /var/www/app/.env"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### SSH-Hardening (NUR Produktion, NICHT auf Staging/Dev)
|
||||||
|
```bash
|
||||||
|
ssh deploy@$SSH_HOST "sudo sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config"
|
||||||
|
ssh deploy@$SSH_HOST "sudo sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config"
|
||||||
|
ssh deploy@$SSH_HOST "sudo systemctl restart sshd"
|
||||||
|
```
|
||||||
|
|
||||||
## TOOLS
|
## TOOLS
|
||||||
- `npm audit --json` für Dependency-Check
|
- `npm audit --json` für Dependency-Check
|
||||||
- Grep nach Secret-Patterns im gesamten Projekt
|
- Grep nach Secret-Patterns im gesamten Projekt
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user