# ๐Ÿ›ก๏ธ Server Hardening & Disaster Recovery Cheat Sheet

## ๐Ÿ” Server Hardening Checklist

### 🔒 OS & User Security
- ✅ Use **key-based SSH authentication** (`~/.ssh/authorized_keys`)
- ✅ Disable root login (the stock `sshd_config` ships the directive commented out, so the substitution must match the commented form too; test the config before restarting):
  ```bash
  sudo sed -i -E 's/^#?[[:space:]]*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
  # Drop-ins under /etc/ssh/sshd_config.d/ are included first and win; confirm with: sudo sshd -T | grep -i permitrootlogin
  sudo sshd -t && sudo systemctl restart sshd
  ```
- ✅ Change the default SSH port and rate-limit with Fail2Ban or UFW
- ✅ Set strong password policies:
  ```bash
  sudo apt install libpam-pwquality
  sudo nano /etc/security/pwquality.conf
  ```
- ✅ Lock down `/etc/sudoers`, remove unnecessary sudo privileges
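The checks above are only as good as the way you confirm them: `sshd` takes the first occurrence of a directive, ignores commented lines, and treats directives under `Match` as conditional, so `grep PermitRootLogin` can pass on a file where the only match is `#PermitRootLogin prohibit-password`. The script below is an added example (not part of the original cheat sheet) that audits an `sshd_config` with those rules. It does not follow `Include` lines, so on a system with `/etc/ssh/sshd_config.d/` drop-ins, `sshd -T` remains the authoritative answer; the set of directives it checks and the sample config it builds are my own choices.

```bash
#!/usr/bin/env bash
# Added example: audit an sshd_config the way sshd reads it (first match wins,
# comments ignored, Match blocks conditional). Not the original page's code.

# Print the effective global value of a directive; prints nothing when the
# directive is absent (sshd's compiled-in default then applies).
sshd_effective() {
    local file="$1" want
    want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"   # keywords are case-insensitive
    awk -v want="$want" '
        /^[[:space:]]*#/ { next }                  # comment line
        NF == 0          { next }                  # blank line
        { key = tolower($1) }
        key == "match"   { inmatch = 1; next }     # everything after Match is conditional
        key == want && !inmatch { print $2; exit } # first occurrence wins
    ' "$file"
}

# Succeed only if the effective value equals the expected one.
sshd_check() {
    local file="$1" directive="$2" expected="$3" actual
    actual="$(sshd_effective "$file" "$directive")"
    [ "$actual" = "$expected" ]
}

# Run the checklist; prints PASS/FAIL per directive and returns the failure count.
# An absent directive counts as FAIL: hardening should set it explicitly.
sshd_audit() {
    local file="$1" fails=0 pair
    for pair in "PermitRootLogin no" "PasswordAuthentication no" "PubkeyAuthentication yes"; do
        set -- $pair   # split "Directive expected"
        if sshd_check "$file" "$1" "$2"; then
            echo "PASS $1 $2"
        else
            echo "FAIL $1 (expected $2, effective '$(sshd_effective "$file" "$1")')"
            fails=$((fails + 1))
        fi
    done
    return "$fails"
}

# Constructed sample config (not from any real host): the commented line is the
# trap a plain grep falls into, and the Match block must not override the global value.
sample_config() {
    cat > "$1" <<'EOF'
#PermitRootLogin prohibit-password
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication yes
EOF
}

sample="$(mktemp)"
sample_config "$sample"
if sshd_audit "$sample"; then
    echo "all checks passed"
else
    echo "failures: $?"
fi
rm -f "$sample"
```

On the sample, `PermitRootLogin` and `PasswordAuthentication` pass and `PubkeyAuthentication` fails because it is not set explicitly; point `sshd_audit` at `/etc/ssh/sshd_config` (or at `sshd -T` output saved to a file) for a real host.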

### 🔧 Kernel & System Hardening
- ✅ Install and configure `ufw` or `iptables`:
  ```bash
  sudo ufw default deny incoming
  sudo ufw allow ssh
  sudo ufw enable
  ```
- ✅ Disable unused filesystems (a plain `>>` redirect runs as your user, so write the file through `tee`):
  ```bash
  echo "install cramfs /bin/true" | sudo tee -a /etc/modprobe.d/disable-filesystems.conf
  ```
- ✅ Set kernel parameters (`sysctl -p` alone reads only `/etc/sysctl.conf`; `--system` also loads `/etc/sysctl.d/`):
  ```bash
  sudo nano /etc/sysctl.d/99-sysctl.conf
  # Example: net.ipv4.ip_forward = 0
  sudo sysctl --system
  ```

### 🧾 Logging & Monitoring
- ✅ Enable and configure `auditd` (`--now` starts it immediately as well as at boot):
  ```bash
  sudo apt install auditd audispd-plugins
  sudo systemctl enable --now auditd
  ```
- ✅ Centralize logs using `rsyslog`, `logrotate`, or Fluent Bit
- ✅ Use `fail2ban`, `CrowdSec`, or `Wazuh` for intrusion detection

## 💾 Disaster Recovery Checklist

### 📦 Backups
- ✅ Automate **daily database dumps** (e.g., `pg_dump`, `mysqldump`)
- ✅ Use **ZFS snapshots** for versioned backups
- ✅ Sync offsite via `rclone`, `rsync`, or cloud storage
- ✅ Encrypt backups using `gpg` or `age`

### ๐Ÿ” Testing & Recovery
- โœ… **Verify backup integrity** regularly:
  ```bash
  gpg --verify backup.sql.gpg
  pg_restore --list backup.dump
  ```
- โœ… Practice **bare-metal restores** in a test environment
- โœ… Use **PITR** (Point-In-Time Recovery) for PostgreSQL
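The Backups and Testing & Recovery items above fit together as one script: dump, encrypt with `age`, record checksums, prune old copies, sync offsite, and verify the checksums again before any restore drill. The following is an added example, not code from the original cheat sheet. `pg_dump`, `age` and `rclone` are called only inside `run_backup`; the `AGE_RECIPIENT` and `RCLONE_REMOTE` variables, the `appdb` database name and the stand-in files at the bottom are assumptions made for the example, so the manifest and pruning logic can run without PostgreSQL or `age` installed.

```bash
#!/usr/bin/env bash
# Added example (not from the original cheat sheet): a backup run plus the
# verify step a restore drill runs first. Only run_backup touches real tools.

# Timestamped, per-database filename (UTC, so names sort chronologically).
backup_name() {
    local db="$1" stamp="${2:-$(date -u +%Y%m%dT%H%M%SZ)}"
    printf '%s_%s.dump.age\n' "$db" "$stamp"
}

# Record a SHA-256 for every encrypted dump in the directory.
write_manifest() {
    local dir="$1"
    ( cd "$dir" && sha256sum -- *.dump.age > SHA256SUMS )
}

# Re-check every file against the manifest; a mismatch or missing file returns
# non-zero, which is the signal to stop and investigate before restoring.
verify_manifest() {
    local dir="$1"
    ( cd "$dir" && sha256sum -c --quiet SHA256SUMS )
}

# Keep only the newest KEEP dumps of one database (names sort by timestamp).
prune_backups() {
    local dir="$1" db="$2" keep="$3"
    ( cd "$dir" && ls -1 "${db}"_*.dump.age 2>/dev/null | sort | head -n -"$keep" | xargs -r rm -f -- )
}

# Full run. Assumed environment (not from the page): AGE_RECIPIENT holds an age
# public key, RCLONE_REMOTE a configured rclone remote. Custom-format dumps are
# used so pg_restore --list can inspect them after decryption. pipefail makes a
# failing pg_dump fail the pipeline instead of leaving a truncated encrypted file.
run_backup() {
    local db="$1" dir="$2" keep="${3:-14}" out
    mkdir -p "$dir"
    out="$dir/$(backup_name "$db")"
    ( set -o pipefail; pg_dump --format=custom "$db" | age -r "$AGE_RECIPIENT" -o "$out" ) || return 1
    prune_backups "$dir" "$db" "$keep"
    write_manifest "$dir"
    verify_manifest "$dir" || return 1
    rclone sync "$dir" "$RCLONE_REMOTE/$db"
}

# Demonstration on constructed data: two tiny files stand in for encrypted dumps.
demo_dir="$(mktemp -d)"
printf 'constructed dump one\n' > "$demo_dir/$(backup_name appdb 20240101T000000Z)"
printf 'constructed dump two\n' > "$demo_dir/$(backup_name appdb 20240102T000000Z)"
write_manifest "$demo_dir"
verify_manifest "$demo_dir" && echo "manifest verified"
printf 'bit rot\n' >> "$demo_dir/$(backup_name appdb 20240101T000000Z)"
verify_manifest "$demo_dir" || echo "corruption detected: do not restore from this set"
rm -rf "$demo_dir"
```

Schedule `run_backup appdb /var/backups/pg 14` from cron or a systemd timer; the manifest travels with the dumps, so the same `verify_manifest` call works on the offsite copy after an `rclone` pull.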

### 🛑 Emergency Scripts
- ✅ Create service restart scripts:
  ```bash
  systemctl restart mastodon
  docker restart azuracast
  ```
- ✅ Pre-stage `rescue.sh` to rebuild key systems
- ✅ Include Mastodon/Gitea/etc. reconfig tools
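A restart script that returns as soon as `systemctl restart` does tells you the unit started, not that the service is serving. The example below is added here and is not part of the original cheat sheet: it restarts a unit and then polls a health probe until it passes or a timeout expires, so the script's exit status reflects actual recovery. The `http_ok` probe, the `/health` URL and the `mastodon` unit name in the usage comment are assumptions for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the original cheat sheet): restart, then prove health.

# Poll a check command until it succeeds or the timeout (seconds) elapses.
# Usage: wait_for_healthy <timeout_s> <interval_s> <cmd> [args...]
wait_for_healthy() {
    local timeout="$1" interval="$2"; shift 2
    local deadline=$(( $(date +%s) + timeout ))
    while ! "$@" >/dev/null 2>&1; do
        if [ "$(date +%s)" -ge "$deadline" ]; then
            return 1
        fi
        sleep "$interval"
    done
    return 0
}

# HTTP probe: curl exits 0 for a 500 response, so inspect the status code
# rather than relying on curl's exit status alone.
http_ok() {
    local url="$1" code
    code="$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$url")" || return 1
    case "$code" in
        2*|3*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Restart a systemd unit and block until its probe passes.
# Exit status: 0 healthy, 1 restarted but never became healthy, 2 restart failed.
# Usage: restart_and_verify <unit> <timeout_s> <probe_cmd> [args...]
restart_and_verify() {
    local unit="$1" timeout="$2"; shift 2
    sudo systemctl restart "$unit" || { echo "restart of $unit failed" >&2; return 2; }
    if wait_for_healthy "$timeout" 2 "$@"; then
        echo "$unit healthy"
    else
        echo "$unit restarted but unhealthy after ${timeout}s; see: journalctl -u $unit -n 50" >&2
        return 1
    fi
}

# Example invocation (assumed unit and health URL):
#   restart_and_verify mastodon 60 http_ok http://127.0.0.1:3000/health

# Offline demonstration of the polling logic with trivial probes.
wait_for_healthy 2 0.1 true && echo "probe passed"
wait_for_healthy 1 0.1 false || echo "probe never passed within 1s"
```

Keep the probe specific to the service (an HTTP health endpoint, a `pg_isready`, a `docker inspect` health status) so that a unit which starts but immediately fails its dependency check is reported as a failure rather than a success.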

### ๐Ÿ—‚๏ธ Documentation
- โœ… Maintain a **runbook** with:
  - Service recovery steps
  - IPs, ports, login methods
  - Admin contacts and escalation

### 🧪 Chaos Testing
- ✅ Simulate failure of:
  - A disk or volume (use `zpool offline`)
  - A network link (`iptables -A OUTPUT ...`)
  - A database node (use Patroni/pg_auto_failover tools)

---

> ✅ **Pro Tip**: Integrate all hardening and backup tasks into your Ansible playbooks for consistency and redeployability.