feat: security hardening for LXC + server security checks
- proxmox-lxc: auto-harden on setup (SSH no-root/no-password, fail2ban, unattended-upgrades, sysctl kernel hardening) - security: now covers BOTH code AND infrastructure - SSH config validation - Firewall/open ports check - Fail2Ban status - Auto-updates verification - File permissions audit - Auto-fix for all server issues found - workflow provision: security check after LXC setup AND after deploy Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
6cf17810cd
commit
4fea7e781f
@ -138,6 +138,48 @@ ssh root@$PVE_HOST "pct exec $VMID -- bash -c '
|
||||
ufw allow 80
|
||||
ufw allow 443
|
||||
ufw --force enable
|
||||
|
||||
# --- SECURITY HARDENING ---
|
||||
|
||||
# SSH härten: Kein Root-Login, kein Passwort-Login
|
||||
sed -i "s/^#*PermitRootLogin.*/PermitRootLogin no/" /etc/ssh/sshd_config
|
||||
sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config
|
||||
sed -i "s/^#*PubkeyAuthentication.*/PubkeyAuthentication yes/" /etc/ssh/sshd_config
|
||||
systemctl restart sshd
|
||||
|
||||
# Fail2Ban gegen Brute-Force
|
||||
apt install -y fail2ban
|
||||
cat > /etc/fail2ban/jail.local << JAIL
|
||||
[sshd]
|
||||
enabled = true
|
||||
port = ssh
|
||||
filter = sshd
|
||||
logpath = /var/log/auth.log
|
||||
maxretry = 3
|
||||
bantime = 3600
|
||||
findtime = 600
|
||||
JAIL
|
||||
systemctl enable --now fail2ban
|
||||
|
||||
# Automatische Sicherheitsupdates
|
||||
apt install -y unattended-upgrades
|
||||
cat > /etc/apt/apt.conf.d/20auto-upgrades << AUTOUPD
|
||||
APT::Periodic::Update-Package-Lists "1";
|
||||
APT::Periodic::Unattended-Upgrade "1";
|
||||
APT::Periodic::AutocleanInterval "7";
|
||||
AUTOUPD
|
||||
|
||||
# Kernel-Hardening (sysctl)
|
||||
cat > /etc/sysctl.d/99-security.conf << SYSCTL
|
||||
net.ipv4.conf.all.rp_filter = 1
|
||||
net.ipv4.conf.default.rp_filter = 1
|
||||
net.ipv4.icmp_echo_ignore_broadcasts = 1
|
||||
net.ipv4.conf.all.accept_redirects = 0
|
||||
net.ipv4.conf.default.accept_redirects = 0
|
||||
net.ipv4.conf.all.send_redirects = 0
|
||||
net.ipv4.conf.default.send_redirects = 0
|
||||
SYSCTL
|
||||
sysctl -p /etc/sysctl.d/99-security.conf
|
||||
'"
|
||||
```
|
||||
|
||||
|
||||
@ -1,12 +1,14 @@
|
||||
---
|
||||
name: security
|
||||
description: Sicherheitsanalyse des Codes - OWASP Top 10, Dependency Scan, Secrets Detection
|
||||
description: Sicherheitsanalyse von Code UND Infrastruktur - OWASP Top 10, Server-Hardening, Dependency Scan, Secrets Detection
|
||||
user_invocable: true
|
||||
---
|
||||
|
||||
Du bist ein Security-Analyzer für Webprojekte. Führe eine umfassende Sicherheitsanalyse durch.
|
||||
Du bist ein Security-Analyzer für Webprojekte. Du prüfst SOWOHL den Code ALS AUCH die Server-/LXC-Infrastruktur.
|
||||
|
||||
## ANALYSE-PROZESS
|
||||
|
||||
### Code-Security
|
||||
1. Scanne alle Source-Dateien auf Sicherheitsprobleme
|
||||
2. Prüfe package.json/package-lock.json auf vulnerable Dependencies (`npm audit --json`)
|
||||
3. Suche nach hardcoded Secrets
|
||||
@ -14,6 +16,15 @@ Du bist ein Security-Analyzer für Webprojekte. Führe eine umfassende Sicherhei
|
||||
5. Prüfe Input-Validierung
|
||||
6. Checke CORS/CSP Konfiguration
|
||||
|
||||
### Server-/LXC-Security (via SSH)
|
||||
7. SSH-Konfiguration prüfen (Root-Login, Passwort-Auth)
|
||||
8. Firewall-Status prüfen (ufw/iptables)
|
||||
9. Offene Ports scannen
|
||||
10. Automatische Updates prüfen
|
||||
11. Fail2Ban Status prüfen
|
||||
12. Dateiberechtigungen prüfen
|
||||
13. Laufende Services prüfen (nur nötige aktiv?)
|
||||
|
||||
## OWASP TOP 10 CHECKS
|
||||
|
||||
### Injection (SQL, XSS, Command)
|
||||
@ -49,10 +60,77 @@ Empfohlene Behebung
|
||||
|
||||
Schweregrade: KRITISCH / HOCH / MITTEL / NIEDRIG
|
||||
|
||||
## SERVER-SECURITY CHECKS (via SSH)
|
||||
|
||||
### SSH-Hardening prüfen
|
||||
```bash
|
||||
ssh deploy@$SSH_HOST "cat /etc/ssh/sshd_config" | grep -E 'PermitRootLogin|PasswordAuthentication|PubkeyAuthentication'
|
||||
# Erwartet: PermitRootLogin no, PasswordAuthentication no, PubkeyAuthentication yes
|
||||
```
|
||||
|
||||
### Firewall prüfen
|
||||
```bash
|
||||
ssh deploy@$SSH_HOST "sudo ufw status verbose"
|
||||
# Erwartet: Status active, nur 22/80/443 offen
|
||||
```
|
||||
|
||||
### Offene Ports prüfen
|
||||
```bash
|
||||
ssh deploy@$SSH_HOST "ss -tlnp"
|
||||
# Nur erwartete Ports sollten LISTEN sein
|
||||
```
|
||||
|
||||
### Fail2Ban prüfen
|
||||
```bash
|
||||
ssh deploy@$SSH_HOST "sudo fail2ban-client status"
|
||||
ssh deploy@$SSH_HOST "sudo fail2ban-client status sshd"
|
||||
# Erwartet: Jail aktiv, bans funktionieren
|
||||
```
|
||||
|
||||
### Automatische Updates prüfen
|
||||
```bash
|
||||
ssh deploy@$SSH_HOST "dpkg -l | grep unattended-upgrades"
|
||||
ssh deploy@$SSH_HOST "cat /etc/apt/apt.conf.d/20auto-upgrades"
|
||||
# Erwartet: unattended-upgrades installiert und aktiv
|
||||
```
|
||||
|
||||
### Berechtigungen prüfen
|
||||
```bash
|
||||
ssh deploy@$SSH_HOST "ls -la /var/www/app/.env 2>/dev/null" # Sollte 600 sein
|
||||
ssh deploy@$SSH_HOST "ls -la ~/.ssh/" # authorized_keys sollte 600 sein
|
||||
ssh deploy@$SSH_HOST "stat -c '%a %U:%G' /var/www/app" # Sollte deploy:deploy sein
|
||||
```
|
||||
|
||||
### Nicht benötigte Services
|
||||
```bash
|
||||
ssh deploy@$SSH_HOST "systemctl list-units --type=service --state=running"
|
||||
# Prüfe: Nur nötige Services laufen (sshd, nginx, pm2/docker, fail2ban, ufw)
|
||||
```
|
||||
|
||||
## SERVER-SECURITY FIXES
|
||||
Wenn Probleme gefunden werden, SOFORT fixen:
|
||||
|
||||
```bash
|
||||
# Root-Login deaktivieren
|
||||
ssh deploy@$SSH_HOST "sudo sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config"
|
||||
ssh deploy@$SSH_HOST "sudo sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config"
|
||||
ssh deploy@$SSH_HOST "sudo systemctl restart sshd"
|
||||
|
||||
# Fail2Ban installieren
|
||||
ssh deploy@$SSH_HOST "sudo apt install -y fail2ban && sudo systemctl enable --now fail2ban"
|
||||
|
||||
# Automatische Sicherheitsupdates
|
||||
ssh deploy@$SSH_HOST "sudo apt install -y unattended-upgrades && sudo dpkg-reconfigure -plow unattended-upgrades"
|
||||
|
||||
# .env Berechtigungen
|
||||
ssh deploy@$SSH_HOST "chmod 600 /var/www/app/.env"
|
||||
```
|
||||
|
||||
## TOOLS
|
||||
- `npm audit --json` für Dependency-Check
|
||||
- Grep nach Secret-Patterns im gesamten Projekt
|
||||
- `.env` Dateien prüfen ob in `.gitignore`
|
||||
- SSH-Befehle für Server-Security-Checks
|
||||
|
||||
## NACH ANALYSE - AUTOMATISCHER FEEDBACK-LOOP
|
||||
|
||||
|
||||
@ -67,14 +67,16 @@ Du bist der Workflow-Orchestrator. Du koordinierst alle verfügbaren Skills für
|
||||
|
||||
### Neue Umgebung auf Proxmox (`/workflow provision "Projektname"`)
|
||||
```
|
||||
1. [proxmox-lxc] → LXC-Container erstellen + IP ermitteln → SSH_HOST
|
||||
1. [proxmox-lxc] → LXC erstellen + IP ermitteln → SSH_HOST
|
||||
2. [proxmox-lxc] → Basis-Setup (Node.js/Docker, Git, Firewall, Nginx)
|
||||
3. [git-push] → Code auf Gitea pushen (Repo muss existieren)
|
||||
4. [ssh-deploy] → git clone $GITEA_URL/$USER/$REPO auf LXC
|
||||
5. [ssh-deploy] → npm ci, build, Service starten
|
||||
6. [log-analyzer] → Health-Check & Logs prüfen
|
||||
7. [doc-gen] → INSTALL.md + DEPLOY.md mit echten Werten generieren
|
||||
8. [git-push] → Dokumentation committen und pushen
|
||||
3. [proxmox-lxc] → Security-Hardening (SSH, Fail2Ban, Auto-Updates, Sysctl)
|
||||
4. [security] → Server-Security verifizieren (Ports, SSH-Config, Firewall)
|
||||
5. [git-push] → Code auf Gitea pushen
|
||||
6. [ssh-deploy] → git clone auf LXC, npm ci, build, Service starten
|
||||
7. [security] → Code-Security prüfen (OWASP, Secrets, Deps)
|
||||
8. [log-analyzer] → Health-Check & Logs prüfen
|
||||
9. [doc-gen] → INSTALL.md + DEPLOY.md mit echten Werten generieren
|
||||
10.[git-push] → Dokumentation + Security-Fixes committen und pushen
|
||||
```
|
||||
|
||||
## QUALITÄTS-GATES
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user