feat: security hardening for LXC + server security checks
- proxmox-lxc: auto-harden on setup (SSH no-root/no-password, fail2ban, unattended-upgrades, sysctl kernel hardening) - security: now covers BOTH code AND infrastructure - SSH config validation - Firewall/open ports check - Fail2Ban status - Auto-updates verification - File permissions audit - Auto-fix for all server issues found - workflow provision: security check after LXC setup AND after deploy Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
parent
6cf17810cd
commit
4fea7e781f
@ -138,6 +138,48 @@ ssh root@$PVE_HOST "pct exec $VMID -- bash -c '
|
|||||||
ufw allow 80
|
ufw allow 80
|
||||||
ufw allow 443
|
ufw allow 443
|
||||||
ufw --force enable
|
ufw --force enable
|
||||||
|
|
||||||
|
# --- SECURITY HARDENING ---
|
||||||
|
|
||||||
|
# SSH härten: Kein Root-Login, kein Passwort-Login
|
||||||
|
sed -i "s/^#*PermitRootLogin.*/PermitRootLogin no/" /etc/ssh/sshd_config
|
||||||
|
sed -i "s/^#*PasswordAuthentication.*/PasswordAuthentication no/" /etc/ssh/sshd_config
|
||||||
|
sed -i "s/^#*PubkeyAuthentication.*/PubkeyAuthentication yes/" /etc/ssh/sshd_config
|
||||||
|
systemctl restart sshd
|
||||||
|
|
||||||
|
# Fail2Ban gegen Brute-Force
|
||||||
|
apt install -y fail2ban
|
||||||
|
cat > /etc/fail2ban/jail.local << JAIL
|
||||||
|
[sshd]
|
||||||
|
enabled = true
|
||||||
|
port = ssh
|
||||||
|
filter = sshd
|
||||||
|
logpath = /var/log/auth.log
|
||||||
|
maxretry = 3
|
||||||
|
bantime = 3600
|
||||||
|
findtime = 600
|
||||||
|
JAIL
|
||||||
|
systemctl enable --now fail2ban
|
||||||
|
|
||||||
|
# Automatische Sicherheitsupdates
|
||||||
|
apt install -y unattended-upgrades
|
||||||
|
cat > /etc/apt/apt.conf.d/20auto-upgrades << AUTOUPD
|
||||||
|
APT::Periodic::Update-Package-Lists "1";
|
||||||
|
APT::Periodic::Unattended-Upgrade "1";
|
||||||
|
APT::Periodic::AutocleanInterval "7";
|
||||||
|
AUTOUPD
|
||||||
|
|
||||||
|
# Kernel-Hardening (sysctl)
|
||||||
|
cat > /etc/sysctl.d/99-security.conf << SYSCTL
|
||||||
|
net.ipv4.conf.all.rp_filter = 1
|
||||||
|
net.ipv4.conf.default.rp_filter = 1
|
||||||
|
net.ipv4.icmp_echo_ignore_broadcasts = 1
|
||||||
|
net.ipv4.conf.all.accept_redirects = 0
|
||||||
|
net.ipv4.conf.default.accept_redirects = 0
|
||||||
|
net.ipv4.conf.all.send_redirects = 0
|
||||||
|
net.ipv4.conf.default.send_redirects = 0
|
||||||
|
SYSCTL
|
||||||
|
sysctl -p /etc/sysctl.d/99-security.conf
|
||||||
'"
|
'"
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|||||||
@ -1,12 +1,14 @@
|
|||||||
---
|
---
|
||||||
name: security
|
name: security
|
||||||
description: Sicherheitsanalyse des Codes - OWASP Top 10, Dependency Scan, Secrets Detection
|
description: Sicherheitsanalyse von Code UND Infrastruktur - OWASP Top 10, Server-Hardening, Dependency Scan, Secrets Detection
|
||||||
user_invocable: true
|
user_invocable: true
|
||||||
---
|
---
|
||||||
|
|
||||||
Du bist ein Security-Analyzer für Webprojekte. Führe eine umfassende Sicherheitsanalyse durch.
|
Du bist ein Security-Analyzer für Webprojekte. Du prüfst SOWOHL den Code ALS AUCH die Server-/LXC-Infrastruktur.
|
||||||
|
|
||||||
## ANALYSE-PROZESS
|
## ANALYSE-PROZESS
|
||||||
|
|
||||||
|
### Code-Security
|
||||||
1. Scanne alle Source-Dateien auf Sicherheitsprobleme
|
1. Scanne alle Source-Dateien auf Sicherheitsprobleme
|
||||||
2. Prüfe package.json/package-lock.json auf vulnerable Dependencies (`npm audit --json`)
|
2. Prüfe package.json/package-lock.json auf vulnerable Dependencies (`npm audit --json`)
|
||||||
3. Suche nach hardcoded Secrets
|
3. Suche nach hardcoded Secrets
|
||||||
@ -14,6 +16,15 @@ Du bist ein Security-Analyzer für Webprojekte. Führe eine umfassende Sicherhei
|
|||||||
5. Prüfe Input-Validierung
|
5. Prüfe Input-Validierung
|
||||||
6. Checke CORS/CSP Konfiguration
|
6. Checke CORS/CSP Konfiguration
|
||||||
|
|
||||||
|
### Server-/LXC-Security (via SSH)
|
||||||
|
7. SSH-Konfiguration prüfen (Root-Login, Passwort-Auth)
|
||||||
|
8. Firewall-Status prüfen (ufw/iptables)
|
||||||
|
9. Offene Ports scannen
|
||||||
|
10. Automatische Updates prüfen
|
||||||
|
11. Fail2Ban Status prüfen
|
||||||
|
12. Dateiberechtigungen prüfen
|
||||||
|
13. Laufende Services prüfen (nur nötige aktiv?)
|
||||||
|
|
||||||
## OWASP TOP 10 CHECKS
|
## OWASP TOP 10 CHECKS
|
||||||
|
|
||||||
### Injection (SQL, XSS, Command)
|
### Injection (SQL, XSS, Command)
|
||||||
@ -49,10 +60,77 @@ Empfohlene Behebung
|
|||||||
|
|
||||||
Schweregrade: KRITISCH / HOCH / MITTEL / NIEDRIG
|
Schweregrade: KRITISCH / HOCH / MITTEL / NIEDRIG
|
||||||
|
|
||||||
|
## SERVER-SECURITY CHECKS (via SSH)
|
||||||
|
|
||||||
|
### SSH-Hardening prüfen
|
||||||
|
```bash
|
||||||
|
ssh deploy@$SSH_HOST "cat /etc/ssh/sshd_config" | grep -E 'PermitRootLogin|PasswordAuthentication|PubkeyAuthentication'
|
||||||
|
# Erwartet: PermitRootLogin no, PasswordAuthentication no, PubkeyAuthentication yes
|
||||||
|
```
|
||||||
|
|
||||||
|
### Firewall prüfen
|
||||||
|
```bash
|
||||||
|
ssh deploy@$SSH_HOST "sudo ufw status verbose"
|
||||||
|
# Erwartet: Status active, nur 22/80/443 offen
|
||||||
|
```
|
||||||
|
|
||||||
|
### Offene Ports prüfen
|
||||||
|
```bash
|
||||||
|
ssh deploy@$SSH_HOST "ss -tlnp"
|
||||||
|
# Nur erwartete Ports sollten LISTEN sein
|
||||||
|
```
|
||||||
|
|
||||||
|
### Fail2Ban prüfen
|
||||||
|
```bash
|
||||||
|
ssh deploy@$SSH_HOST "sudo fail2ban-client status"
|
||||||
|
ssh deploy@$SSH_HOST "sudo fail2ban-client status sshd"
|
||||||
|
# Erwartet: Jail aktiv, bans funktionieren
|
||||||
|
```
|
||||||
|
|
||||||
|
### Automatische Updates prüfen
|
||||||
|
```bash
|
||||||
|
ssh deploy@$SSH_HOST "dpkg -l | grep unattended-upgrades"
|
||||||
|
ssh deploy@$SSH_HOST "cat /etc/apt/apt.conf.d/20auto-upgrades"
|
||||||
|
# Erwartet: unattended-upgrades installiert und aktiv
|
||||||
|
```
|
||||||
|
|
||||||
|
### Berechtigungen prüfen
|
||||||
|
```bash
|
||||||
|
ssh deploy@$SSH_HOST "ls -la /var/www/app/.env 2>/dev/null" # Sollte 600 sein
|
||||||
|
ssh deploy@$SSH_HOST "ls -la ~/.ssh/" # authorized_keys sollte 600 sein
|
||||||
|
ssh deploy@$SSH_HOST "stat -c '%a %U:%G' /var/www/app" # Sollte deploy:deploy sein
|
||||||
|
```
|
||||||
|
|
||||||
|
### Nicht benötigte Services
|
||||||
|
```bash
|
||||||
|
ssh deploy@$SSH_HOST "systemctl list-units --type=service --state=running"
|
||||||
|
# Prüfe: Nur nötige Services laufen (sshd, nginx, pm2/docker, fail2ban, ufw)
|
||||||
|
```
|
||||||
|
|
||||||
|
## SERVER-SECURITY FIXES
|
||||||
|
Wenn Probleme gefunden werden, SOFORT fixen:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
# Root-Login deaktivieren
|
||||||
|
ssh deploy@$SSH_HOST "sudo sed -i 's/^#*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config"
|
||||||
|
ssh deploy@$SSH_HOST "sudo sed -i 's/^#*PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config"
|
||||||
|
ssh deploy@$SSH_HOST "sudo systemctl restart sshd"
|
||||||
|
|
||||||
|
# Fail2Ban installieren
|
||||||
|
ssh deploy@$SSH_HOST "sudo apt install -y fail2ban && sudo systemctl enable --now fail2ban"
|
||||||
|
|
||||||
|
# Automatische Sicherheitsupdates
|
||||||
|
ssh deploy@$SSH_HOST "sudo apt install -y unattended-upgrades && sudo dpkg-reconfigure -plow unattended-upgrades"
|
||||||
|
|
||||||
|
# .env Berechtigungen
|
||||||
|
ssh deploy@$SSH_HOST "chmod 600 /var/www/app/.env"
|
||||||
|
```
|
||||||
|
|
||||||
## TOOLS
|
## TOOLS
|
||||||
- `npm audit --json` für Dependency-Check
|
- `npm audit --json` für Dependency-Check
|
||||||
- Grep nach Secret-Patterns im gesamten Projekt
|
- Grep nach Secret-Patterns im gesamten Projekt
|
||||||
- `.env` Dateien prüfen ob in `.gitignore`
|
- `.env` Dateien prüfen ob in `.gitignore`
|
||||||
|
- SSH-Befehle für Server-Security-Checks
|
||||||
|
|
||||||
## NACH ANALYSE - AUTOMATISCHER FEEDBACK-LOOP
|
## NACH ANALYSE - AUTOMATISCHER FEEDBACK-LOOP
|
||||||
|
|
||||||
|
|||||||
@ -67,14 +67,16 @@ Du bist der Workflow-Orchestrator. Du koordinierst alle verfügbaren Skills für
|
|||||||
|
|
||||||
### Neue Umgebung auf Proxmox (`/workflow provision "Projektname"`)
|
### Neue Umgebung auf Proxmox (`/workflow provision "Projektname"`)
|
||||||
```
|
```
|
||||||
1. [proxmox-lxc] → LXC-Container erstellen + IP ermitteln → SSH_HOST
|
1. [proxmox-lxc] → LXC erstellen + IP ermitteln → SSH_HOST
|
||||||
2. [proxmox-lxc] → Basis-Setup (Node.js/Docker, Git, Firewall, Nginx)
|
2. [proxmox-lxc] → Basis-Setup (Node.js/Docker, Git, Firewall, Nginx)
|
||||||
3. [git-push] → Code auf Gitea pushen (Repo muss existieren)
|
3. [proxmox-lxc] → Security-Hardening (SSH, Fail2Ban, Auto-Updates, Sysctl)
|
||||||
4. [ssh-deploy] → git clone $GITEA_URL/$USER/$REPO auf LXC
|
4. [security] → Server-Security verifizieren (Ports, SSH-Config, Firewall)
|
||||||
5. [ssh-deploy] → npm ci, build, Service starten
|
5. [git-push] → Code auf Gitea pushen
|
||||||
6. [log-analyzer] → Health-Check & Logs prüfen
|
6. [ssh-deploy] → git clone auf LXC, npm ci, build, Service starten
|
||||||
7. [doc-gen] → INSTALL.md + DEPLOY.md mit echten Werten generieren
|
7. [security] → Code-Security prüfen (OWASP, Secrets, Deps)
|
||||||
8. [git-push] → Dokumentation committen und pushen
|
8. [log-analyzer] → Health-Check & Logs prüfen
|
||||||
|
9. [doc-gen] → INSTALL.md + DEPLOY.md mit echten Werten generieren
|
||||||
|
10.[git-push] → Dokumentation + Security-Fixes committen und pushen
|
||||||
```
|
```
|
||||||
|
|
||||||
## QUALITÄTS-GATES
|
## QUALITÄTS-GATES
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user