fix: remove SSH hardening from LXC setup - blocks deployment
SSH hardening (no root, no password) prevents pct exec and deploy access on dev/staging servers. Moved to security skill as production-only optional step. Kept: fail2ban, auto-updates, sysctl. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
4fea7e781f
commit
24219530fa
@ -139,13 +139,7 @@ ssh root@$PVE_HOST "pct exec $VMID -- bash -c '
|
||||
ufw allow 443
|
||||
ufw --force enable
|
||||
|
||||
# --- SECURITY HARDENING ---
|
||||
|
||||
# SSH härten: Kein Root-Login, kein Passwort-Login
|
||||
sed -i "s/^#*PermitRootLogin.*/PermitRootLogin no/" /etc/ssh/sshd_config
|
||||
sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config
|
||||
sed -i "s/^#*PubkeyAuthentication.*/PubkeyAuthentication yes/" /etc/ssh/sshd_config
|
||||
systemctl restart sshd
|
||||
# --- SECURITY HARDENING (ohne SSH - stört beim Deploy) ---
|
||||
|
||||
# Fail2Ban gegen Brute-Force
|
||||
apt install -y fail2ban
|
||||
|
||||
@ -62,10 +62,10 @@ Schweregrade: KRITISCH / HOCH / MITTEL / NIEDRIG
|
||||
|
||||
## SERVER-SECURITY CHECKS (via SSH)
|
||||
|
||||
### SSH-Hardening prüfen
|
||||
### SSH-Hardening prüfen (optional - NICHT bei Entwicklungs-/Staging-Servern)
|
||||
SSH-Hardening kann das Deployment stören. Nur auf Produktionsservern aktivieren.
|
||||
```bash
|
||||
ssh deploy@$SSH_HOST "cat /etc/ssh/sshd_config" | grep -E 'PermitRootLogin|PasswordAuthentication|PubkeyAuthentication'
|
||||
# Erwartet: PermitRootLogin no, PasswordAuthentication no, PubkeyAuthentication yes
|
||||
```
|
||||
|
||||
### Firewall prüfen
|
||||
@ -111,11 +111,6 @@ ssh deploy@$SSH_HOST "systemctl list-units --type=service --state=running"
|
||||
Wenn Probleme gefunden werden, SOFORT fixen:
|
||||
|
||||
```bash
|
||||
# Root-Login deaktivieren
|
||||
ssh deploy@$SSH_HOST "sudo sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config"
|
||||
ssh deploy@$SSH_HOST "sudo sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config"
|
||||
ssh deploy@$SSH_HOST "sudo systemctl restart sshd"
|
||||
|
||||
# Fail2Ban installieren
|
||||
ssh deploy@$SSH_HOST "sudo apt install -y fail2ban && sudo systemctl enable --now fail2ban"
|
||||
|
||||
@ -126,6 +121,13 @@ ssh deploy@$SSH_HOST "sudo apt install -y unattended-upgrades && sudo dpkg-recon
|
||||
ssh deploy@$SSH_HOST "chmod 600 /var/www/app/.env"
|
||||
```
|
||||
|
||||
### SSH-Hardening (NUR Produktion, NICHT auf Staging/Dev)
|
||||
```bash
|
||||
ssh deploy@$SSH_HOST "sudo sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config"
|
||||
ssh deploy@$SSH_HOST "sudo sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config"
|
||||
ssh deploy@$SSH_HOST "sudo systemctl restart sshd"
|
||||
```
|
||||
|
||||
## TOOLS
|
||||
- `npm audit --json` für Dependency-Check
|
||||
- Grep nach Secret-Patterns im gesamten Projekt
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user