# ๐Ÿ›ก๏ธ Server Hardening & Disaster Recovery Cheat Sheet ## ๐Ÿ” Server Hardening Checklist ### ๐Ÿ”’ OS & User Security - โœ… Use **key-based SSH authentication** (`~/.ssh/authorized_keys`) - โœ… Disable root login: ```bash sudo sed -i 's/^PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config sudo systemctl restart sshd ``` - โœ… Change default SSH port and rate-limit with Fail2Ban or UFW - โœ… Set strong password policies: ```bash sudo apt install libpam-pwquality sudo nano /etc/security/pwquality.conf ``` - โœ… Lock down `/etc/sudoers`, remove unnecessary sudo privileges ### ๐Ÿ”ง Kernel & System Hardening - โœ… Install and configure `ufw` or `iptables`: ```bash sudo ufw default deny incoming sudo ufw allow ssh sudo ufw enable ``` - โœ… Disable unused filesystems: ```bash echo "install cramfs /bin/true" >> /etc/modprobe.d/disable-filesystems.conf ``` - โœ… Set kernel parameters: ```bash sudo nano /etc/sysctl.d/99-sysctl.conf # Example: net.ipv4.ip_forward = 0 sudo sysctl -p ``` ### ๐Ÿงพ Logging & Monitoring - โœ… Enable and configure `auditd`: ```bash sudo apt install auditd audispd-plugins sudo systemctl enable auditd ``` - โœ… Centralize logs using `rsyslog`, `logrotate`, or Fluentbit - โœ… Use `fail2ban`, `CrowdSec`, or `Wazuh` for intrusion detection ## ๐Ÿ’พ Disaster Recovery Checklist ### ๐Ÿ“ฆ Backups - โœ… Automate **daily database dumps** (e.g., `pg_dump`, `mysqldump`) - โœ… Use **ZFS snapshots** for versioned backups - โœ… Sync offsite via `rclone`, `rsync`, or cloud storage - โœ… Encrypt backups using `gpg` or `age` ### ๐Ÿ” Testing & Recovery - โœ… **Verify backup integrity** regularly: ```bash gpg --verify backup.sql.gpg pg_restore --list backup.dump ``` - โœ… Practice **bare-metal restores** in a test environment - โœ… Use **PITR** (Point-In-Time Recovery) for PostgreSQL ### ๐Ÿ›‘ Emergency Scripts - โœ… Create service restart scripts: ```bash systemctl restart mastodon docker restart azuracast ``` - โœ… Pre-stage `rescue.sh` to rebuild key 
systems - โœ… Include Mastodon/Gitea/etc. reconfig tools ### ๐Ÿ—‚๏ธ Documentation - โœ… Maintain a **runbook** with: - Service recovery steps - IPs, ports, login methods - Admin contacts and escalation ### ๐Ÿงช Chaos Testing - โœ… Simulate failure of: - A disk or volume (use `zpool offline`) - A network link (`iptables -A OUTPUT ...`) - A database node (use Patroni/pg_auto_failover tools) --- > โœ… **Pro Tip**: Integrate all hardening and backup tasks into your Ansible playbooks for consistency and redeployability.
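The SSH items in the OS & User Security section are easy to get wrong because `sshd` takes the *first* uncommented occurrence of a directive and ignores commented defaults. The script below is an added example, not part of the original cheat sheet: it audits an `sshd_config` read-only (no restart), using the compiled-in defaults for unset directives so that a still-commented `#PermitRootLogin prohibit-password` is reported as a failure. The four directives checked and their required values are an assumption drawn from this checklist.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): read-only audit of an
# sshd_config against the SSH items in the hardening checklist.
# Assumes POSIX sh and awk; the config path is passed as the first argument.

# Effective value of a directive: sshd uses the FIRST uncommented occurrence,
# keywords are case-insensitive, and anything after a Match block is
# conditional, so we stop there. Prints nothing if the directive is unset.
sshd_get() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
    tolower($1) == "match" { exit }                  # stop at Match blocks
    tolower($1) == key     { print $2; exit }        # first match wins
  ' "$1"
}

# Compare one directive with its required value. A missing directive means
# sshd uses its compiled-in default, which is passed in as $4.
check_directive() {
  file=$1 key=$2 want=$3 default=$4
  got=$(sshd_get "$file" "$key")
  [ -z "$got" ] && got=$default
  if [ "$got" = "$want" ]; then
    echo "PASS $key=$got"; return 0
  else
    echo "FAIL $key=$got (want $want)"; return 1
  fi
}

# Run the checklist; the exit status is the number of failed checks
# (0 = every directive is hardened). Defaults are OpenSSH's documented ones.
audit_sshd() {
  f=$1 fails=0
  check_directive "$f" PermitRootLogin        no  prohibit-password || fails=$((fails+1))
  check_directive "$f" PasswordAuthentication no  yes               || fails=$((fails+1))
  check_directive "$f" PubkeyAuthentication   yes yes               || fails=$((fails+1))
  check_directive "$f" MaxAuthTries           3   6                 || fails=$((fails+1))
  return $fails
}

# Usage: audit_sshd /etc/ssh/sshd_config
```

Run it before and after the `sed` change above (or from a CI job that lints your Ansible-rendered config) so a directive that was only uncommented in one place, or overridden later in the file, is caught before the service restarts.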