diff --git a/cheatsheets/server_hardening_disaster_recovery.md b/cheatsheets/server_hardening_disaster_recovery.md new file mode 100644 index 0000000..fd23c40 --- /dev/null +++ b/cheatsheets/server_hardening_disaster_recovery.md 
@@ -0,0 +1,87 @@ +# ๐Ÿ›ก๏ธ Server Hardening & Disaster Recovery Cheat Sheet + +## ๐Ÿ” Server Hardening Checklist + +### ๐Ÿ”’ OS & User Security +- โœ… Use **key-based SSH authentication** (`~/.ssh/authorized_keys`) +- โœ… Disable root login: + ```bash + sudo sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config + sudo systemctl restart sshd + ``` +- โœ… Change default SSH port and rate-limit with Fail2Ban or UFW +- โœ… Set strong password policies: + ```bash + sudo apt install libpam-pwquality + sudo nano /etc/security/pwquality.conf + ``` +- โœ… Lock down `/etc/sudoers`, remove unnecessary sudo privileges + +### ๐Ÿ”ง Kernel & System Hardening +- โœ… Install and configure `ufw` or `iptables`: + ```bash + sudo ufw default deny incoming + sudo ufw allow ssh + sudo ufw enable + ``` +- โœ… Disable unused filesystems: + ```bash + echo "install cramfs /bin/true" >> /etc/modprobe.d/disable-filesystems.conf + ``` +- โœ… Set kernel parameters: + ```bash + sudo nano /etc/sysctl.d/99-sysctl.conf + # Example: net.ipv4.ip_forward = 0 + sudo sysctl -p + ``` + +### ๐Ÿงพ Logging & Monitoring +- โœ… Enable and configure `auditd`: + ```bash + sudo apt install auditd audispd-plugins + sudo systemctl enable auditd + ``` +- โœ… Centralize logs using `rsyslog`, `logrotate`, or Fluentbit +- โœ… Use `fail2ban`, `CrowdSec`, or `Wazuh` for intrusion detection + +## ๐Ÿ’พ Disaster Recovery Checklist + +### ๐Ÿ“ฆ Backups +- โœ… Automate **daily database dumps** (e.g., `pg_dump`, `mysqldump`) +- โœ… Use **ZFS snapshots** for versioned backups +- โœ… Sync offsite via `rclone`, `rsync`, or cloud storage +- โœ… Encrypt backups using `gpg` or `age` + +### ๐Ÿ” Testing & Recovery +- โœ… **Verify backup integrity** regularly: + ```bash + gpg --verify backup.sql.gpg + pg_restore --list backup.dump + ``` +- โœ… Practice **bare-metal restores** in a test environment +- โœ… Use **PITR** (Point-In-Time Recovery) for PostgreSQL + +### ๐Ÿ›‘ Emergency Scripts +- โœ… Create service restart 
scripts: + ```bash + systemctl restart mastodon + docker restart azuracast + ``` +- โœ… Pre-stage `rescue.sh` to rebuild key systems +- โœ… Include Mastodon/Gitea/etc. reconfig tools + +### ๐Ÿ—‚๏ธ Documentation +- โœ… Maintain a **runbook** with: + - Service recovery steps + - IPs, ports, login methods + - Admin contacts and escalation + +### ๐Ÿงช Chaos Testing +- โœ… Simulate failure of: + - A disk or volume (use `zpool offline`) + - A network link (`iptables -A OUTPUT ...`) + - A database node (use Patroni/pg_auto_failover tools) + +--- + +> โœ… **Pro Tip**: Integrate all hardening and backup tasks into your Ansible playbooks for consistency and redeployability. diff --git a/miscellaneous/dbcheck.log b/miscellaneous/dbcheck.log index dbfcd6e..e56b016 100644 --- a/miscellaneous/dbcheck.log +++ b/miscellaneous/dbcheck.log @@ -1216,3 +1216,7 @@ Failed to send Mastodon DM (attempt 3): {"error":"The access token is invalid"} Failed to send Mastodon DM (attempt 1): {"error":"The access token is invalid"} Failed to send Mastodon DM (attempt 2): {"error":"The access token is invalid"} Failed to send Mastodon DM (attempt 3): {"error":"The access token is invalid"} +โœ… Genesis Radio Healthcheck 2025-05-01 10:30:16: All systems normal. +Failed to send Mastodon DM (attempt 1): {"error":"The access token is invalid"} +Failed to send Mastodon DM (attempt 2): {"error":"The access token is invalid"} +Failed to send Mastodon DM (attempt 3): {"error":"The access token is invalid"}
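Review bot: in the OS & User Security part of the cheat-sheet hunk, `sudo sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config` silently does nothing on a stock Debian/Ubuntu `sshd_config`, where the directive ships commented out as `#PermitRootLogin prohibit-password`: the anchored `^PermitRootLogin` never matches and root login stays at its default. Match the optional leading `#` (`s/^#\?PermitRootLogin.*/PermitRootLogin no/`) or append the directive, and run `sudo sshd -t` before the `systemctl restart sshd` so a typo cannot lock you out. Three smaller points in the same hunk: `echo "install cramfs /bin/true" >> /etc/modprobe.d/disable-filesystems.conf` has no `sudo` on the redirect, so it fails with permission denied for a non-root user (pipe through `sudo tee -a` instead); `sudo sysctl -p` with no argument reloads only `/etc/sysctl.conf`, so a parameter added to `/etc/sysctl.d/99-sysctl.conf` is not applied unless the distro symlinks the two files (use `sudo sysctl --system`); and under "Verify backup integrity", `gpg --verify backup.sql.gpg` checks a signature, not whether an encrypted dump decrypts cleanly, so a backup that was only encrypted with `gpg`, as the Backups section describes, will fail that check, while `pg_restore --list` reads only the archive's table of contents. `gpg --decrypt backup.sql.gpg > /dev/null` followed by a restore into a scratch database is the test that actually exercises the backup.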
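Review bot: the `miscellaneous/dbcheck.log` hunk commits four more lines of a runtime log into the repository, and every future check-in will keep growing this file; add it to `.gitignore` and rotate it with `logrotate`, which the new cheat sheet itself recommends. The content is also worth acting on rather than just committing: the three `Failed to send Mastodon DM` lines with `{"error":"The access token is invalid"}` are identical to the three already in the context above, so the healthcheck has been reporting "All systems normal" while its own alert channel is broken. Rotate the token or fix the script, otherwise a non-normal result would go unnoticed.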