From ea43703255085e210785e6ed6683bb45c350524b Mon Sep 17 00:00:00 2001 From: Some Guy Date: Fri, 6 Feb 2026 20:05:51 +0300 Subject: [PATCH] PLEASE --- README.md | 267 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 267 insertions(+) create mode 100644 README.md diff --git a/README.md b/README.md new file mode 100644 index 0000000..344bad5 --- /dev/null +++ b/README.md @@ -0,0 +1,267 @@ +# I can kill your server by overloading your disk +## You dont have a firewall +## You dont have a VPN for your internal services +## You dont have a DMZ +## You are mixing your production deployment and your test deployment + +# PLEASE Set up firewall so at least DRONE CI API isnt exposed + +# Server & Deployment Security Hardening Guide + +## Threat model (what we’re defending against) + +* Disk exhaustion / resource exhaustion +* Direct access to internal services +* Lateral movement after compromise +* Accidental exposure of test systems +* No network segmentation or trust boundaries + +--- + +## 1. Network Segmentation (Non-Negotiable) + +### Environments + +**NEVER mix these on the same host or network segment:** + +* Production +* Staging +* Test / Dev + +**Minimum setup** + +* Separate VMs or nodes +* Separate subnets/VPCs +* Separate credentials +* Separate databases + +### Zones + +* **Public zone**: Load balancer / reverse proxy only +* **DMZ**: Web servers +* **Internal zone**: Databases, queues, caches +* **Management zone**: SSH, monitoring, CI/CD + +--- + +## 2. VPN for Internal Services + +Internal services **must not be publicly routable**. + +Options: + +* WireGuard (recommended) +* OpenVPN +* Cloud-native private networking (AWS VPC, GCP VPC, etc.) + +**Rules** + +* Databases listen on private IPs only +* Redis, Kafka, internal APIs → VPN or private subnet +* No public IPs for internal services + +--- + +## 3. Firewall Policy (IPtables) + +### Firewall Philosophy + +* **Default deny** +* Explicit allow +* Log drops (rate-limited) +* Stateful filtering + +--- + +## 4. IPtables Baseline Configuration + +### Flush existing rules + +```bash +iptables -F +iptables -X +iptables -t nat -F +iptables -t mangle -F +``` + +--- + +### Default policies + +```bash +iptables -P INPUT DROP +iptables -P FORWARD DROP +iptables -P OUTPUT ACCEPT +``` + +--- + +### Allow loopback + +```bash +iptables -A INPUT -i lo -j ACCEPT +``` + +--- + +### Allow established connections + +```bash +iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT +``` + +--- + +### SSH (restricted) + +```bash +iptables -A INPUT -p tcp --dport 22 -s /24 -m conntrack --ctstate NEW -j ACCEPT +``` + +**Never expose SSH to the world.** + +--- + +### HTTP / HTTPS + +```bash +iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT +iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT +``` + +--- + +### Rate-limit connections (DDoS / abuse mitigation) + +```bash +iptables -A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 50 -j DROP +iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 50 -j DROP +``` + +--- + +### Protect against SYN floods + +```bash +iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP +``` + +--- + +### ICMP (limited) + +```bash +iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 5 -j ACCEPT +``` + +--- + +### Log and drop everything else + +```bash +iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTABLES DROP: " +iptables -A INPUT -j DROP +``` + +--- + +### Persist rules + +```bash +iptables-save > /etc/iptables/rules.v4 +``` + +--- + +## 5. Disk Exhaustion Protection + +### Enable disk quotas + +```bash +mount -o remount,usrquota,grpquota / +quotacheck -cum / +quotaon / +``` + +### Log rotation + +```bash +apt install logrotate +``` + +### Tmpfs for temp files + +```bash +tmpfs /tmp tmpfs defaults,noexec,nosuid 0 0 +``` + +--- + +## 6. Application-Level Protections + +### Reverse proxy (mandatory) + +* Nginx / HAProxy / Envoy +* Rate limiting +* Request body size limits + +Example (Nginx): + +```nginx +client_max_body_size 10M; +limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s; +``` + +--- + +## 7. Deployment Security Best Practices + +### CI/CD + +* No SSH deploys +* Use short-lived credentials +* One-way artifact promotion (build once → promote) + +### Secrets + +* Never in Git +* Use Vault / SSM / Secrets Manager +* Rotate regularly + +--- + +## 8. OS Hardening + +* Disable password SSH auth +* Use SSH keys only +* Fail2ban +* Automatic security updates +* Remove unused packages +* Run services as non-root + +--- + +## 9. Monitoring & Alerting + +You don’t have security if you don’t have visibility. + +Monitor: + +* Disk usage +* Connection counts +* Failed auth attempts +* Firewall drops +* CPU / memory saturation + +--- + +## 10. Final Reality Check + +If: + +* You don’t have a firewall +* You don’t have segmentation +* You don’t have a VPN +* You mix prod and test + +Then **you don’t have security — you have hope.**