Auto-commit from giteapush.sh at 2025-05-01 10:32:16

2025-05-01 10:32:16 -04:00 · 2025-05-01 10:32:16 -04:00 · ca48eb2972
commit ca48eb2972
parent de697d8cc6
2 changed files with 91 additions and 0 deletions
--- a/cheatsheets/server_hardening_disaster_recovery.md
+++ b/cheatsheets/server_hardening_disaster_recovery.md
@ -0,0 +1,87 @@
+# 🛡️ Server Hardening & Disaster Recovery Cheat Sheet
+
+## 🔐 Server Hardening Checklist
+
+### 🔒 OS & User Security
+- ✅ Use **key-based SSH authentication** (`~/.ssh/authorized_keys`)
+- ✅ Disable root login:  
+  ```bash
+  sudo sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
+  sudo systemctl restart sshd
+  ```
+- ✅ Change default SSH port and rate-limit with Fail2Ban or UFW
+- ✅ Set strong password policies:
+  ```bash
+  sudo apt install libpam-pwquality
+  sudo nano /etc/security/pwquality.conf
+  ```
+- ✅ Lock down `/etc/sudoers`, remove unnecessary sudo privileges
+
+### 🔧 Kernel & System Hardening
+- ✅ Install and configure `ufw` or `iptables`:
+  ```bash
+  sudo ufw default deny incoming
+  sudo ufw allow ssh
+  sudo ufw enable
+  ```
+- ✅ Disable unused filesystems:
+  ```bash
+  echo "install cramfs /bin/true" >> /etc/modprobe.d/disable-filesystems.conf
+  ```
+- ✅ Set kernel parameters:
+  ```bash
+  sudo nano /etc/sysctl.d/99-sysctl.conf
+  # Example: net.ipv4.ip_forward = 0
+  sudo sysctl -p
+  ```
+
+### 🧾 Logging & Monitoring
+- ✅ Enable and configure `auditd`:
+  ```bash
+  sudo apt install auditd audispd-plugins
+  sudo systemctl enable auditd
+  ```
+- ✅ Centralize logs using `rsyslog`, `logrotate`, or Fluentbit
+- ✅ Use `fail2ban`, `CrowdSec`, or `Wazuh` for intrusion detection
+
+## 💾 Disaster Recovery Checklist
+
+### 📦 Backups
+- ✅ Automate **daily database dumps** (e.g., `pg_dump`, `mysqldump`)
+- ✅ Use **ZFS snapshots** for versioned backups
+- ✅ Sync offsite via `rclone`, `rsync`, or cloud storage
+- ✅ Encrypt backups using `gpg` or `age`
+
+### 🔁 Testing & Recovery
+- ✅ **Verify backup integrity** regularly:
+  ```bash
+  gpg --verify backup.sql.gpg
+  pg_restore --list backup.dump
+  ```
+- ✅ Practice **bare-metal restores** in a test environment
+- ✅ Use **PITR** (Point-In-Time Recovery) for PostgreSQL
+
+### 🛑 Emergency Scripts
+- ✅ Create service restart scripts:
+  ```bash
+  systemctl restart mastodon
+  docker restart azuracast
+  ```
+- ✅ Pre-stage `rescue.sh` to rebuild key systems
+- ✅ Include Mastodon/Gitea/etc. reconfig tools
+
+### 🗂️ Documentation
+- ✅ Maintain a **runbook** with:
+  - Service recovery steps
+  - IPs, ports, login methods
+  - Admin contacts and escalation
+
+### 🧪 Chaos Testing
+- ✅ Simulate failure of:
+  - A disk or volume (use `zpool offline`)
+  - A network link (`iptables -A OUTPUT ...`)
+  - A database node (use Patroni/pg_auto_failover tools)
+
+---
+
+> ✅ **Pro Tip**: Integrate all hardening and backup tasks into your Ansible playbooks for consistency and redeployability.
--- a/miscellaneous/dbcheck.log
+++ b/miscellaneous/dbcheck.log
@ -1216,3 +1216,7 @@ Failed to send Mastodon DM (attempt 3): {"error":"The access token is invalid"}
 Failed to send Mastodon DM (attempt 1): {"error":"The access token is invalid"}
 Failed to send Mastodon DM (attempt 2): {"error":"The access token is invalid"}
 Failed to send Mastodon DM (attempt 3): {"error":"The access token is invalid"}
+✅ Genesis Radio Healthcheck 2025-05-01 10:30:16: All systems normal.
+Failed to send Mastodon DM (attempt 1): {"error":"The access token is invalid"}
+Failed to send Mastodon DM (attempt 2): {"error":"The access token is invalid"}
+Failed to send Mastodon DM (attempt 3): {"error":"The access token is invalid"}