Some Guy 2026-02-06 20:05:51 +03:00
commit ea43703255

267
README.md Normal file

@ -0,0 +1,267 @@
# I can kill your server by overloading your disk
## You dont have a firewall
## You dont have a VPN for your internal services
## You dont have a DMZ
## You are mixing your production deployment and your test deployment
# PLEASE Set up firewall so at least DRONE CI API isnt exposed
# Server & Deployment Security Hardening Guide
## Threat model (what were defending against)
* Disk exhaustion / resource exhaustion
* Direct access to internal services
* Lateral movement after compromise
* Accidental exposure of test systems
* No network segmentation or trust boundaries
---
## 1. Network Segmentation (Non-Negotiable)
### Environments
**NEVER mix these on the same host or network segment:**
* Production
* Staging
* Test / Dev
**Minimum setup**
* Separate VMs or nodes
* Separate subnets/VPCs
* Separate credentials
* Separate databases
### Zones
* **Public zone**: Load balancer / reverse proxy only
* **DMZ**: Web servers
* **Internal zone**: Databases, queues, caches
* **Management zone**: SSH, monitoring, CI/CD
---
## 2. VPN for Internal Services
Internal services **must not be publicly routable**.
Options:
* WireGuard (recommended)
* OpenVPN
* Cloud-native private networking (AWS VPC, GCP VPC, etc.)
**Rules**
* Databases listen on private IPs only
* Redis, Kafka, internal APIs → VPN or private subnet
* No public IPs for internal services
---
## 3. Firewall Policy (IPtables)
### Firewall Philosophy
* **Default deny**
* Explicit allow
* Log drops (rate-limited)
* Stateful filtering
---
## 4. IPtables Baseline Configuration
### Flush existing rules
```bash
iptables -F
iptables -X
iptables -t nat -F
iptables -t mangle -F
```
---
### Default policies
```bash
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
```
---
### Allow loopback
```bash
iptables -A INPUT -i lo -j ACCEPT
```
---
### Allow established connections
```bash
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```
---
### SSH (restricted)
```bash
iptables -A INPUT -p tcp --dport 22 -s <YOUR_VPN_SUBNET>/24 -m conntrack --ctstate NEW -j ACCEPT
```
**Never expose SSH to the world.**
---
### HTTP / HTTPS
```bash
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
```
---
### Rate-limit connections (DDoS / abuse mitigation)
```bash
iptables -A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 50 -j DROP
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 50 -j DROP
```
---
### Protect against SYN floods
```bash
iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
```
---
### ICMP (limited)
```bash
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 5 -j ACCEPT
```
---
### Log and drop everything else
```bash
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTABLES DROP: "
iptables -A INPUT -j DROP
```
---
### Persist rules
```bash
iptables-save > /etc/iptables/rules.v4
```
---
## 5. Disk Exhaustion Protection
### Enable disk quotas
```bash
mount -o remount,usrquota,grpquota /
quotacheck -cum /
quotaon /
```
### Log rotation
```bash
apt install logrotate
```
### Tmpfs for temp files
```bash
tmpfs /tmp tmpfs defaults,noexec,nosuid 0 0
```
---
## 6. Application-Level Protections
### Reverse proxy (mandatory)
* Nginx / HAProxy / Envoy
* Rate limiting
* Request body size limits
Example (Nginx):
```nginx
client_max_body_size 10M;
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
```
---
## 7. Deployment Security Best Practices
### CI/CD
* No SSH deploys
* Use short-lived credentials
* One-way artifact promotion (build once → promote)
### Secrets
* Never in Git
* Use Vault / SSM / Secrets Manager
* Rotate regularly
---
## 8. OS Hardening
* Disable password SSH auth
* Use SSH keys only
* Fail2ban
* Automatic security updates
* Remove unused packages
* Run services as non-root
---
## 9. Monitoring & Alerting
You dont have security if you dont have visibility.
Monitor:
* Disk usage
* Connection counts
* Failed auth attempts
* Firewall drops
* CPU / memory saturation
---
## 10. Final Reality Check
If:
* You dont have a firewall
* You dont have segmentation
* You dont have a VPN
* You mix prod and test
Then **you dont have security — you have hope.**
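Review bot: the non-SYN drop and the connlimit rules in section 4 are appended after the HTTP/HTTPS ACCEPT rules, so they never match: `iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT` accepts any NEW packet (SYN or not) before `iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP` and the two `--connlimit-above 50` rules are ever reached; move both of those blocks above the HTTP/HTTPS section (or add `--syn` to the 80/443 accepts). Rule order is also a problem at the top of the section: `iptables -P INPUT DROP` is set before the loopback and ESTABLISHED,RELATED accepts are added, which will cut the SSH session running the script; append the accept rules first and set the policy last, or load the whole set atomically with `iptables-restore`. The persist step only saves IPv4 rules; ip6tables keeps its default ACCEPT policy, so on a dual-stack host every service stays reachable over IPv6 until an equivalent ip6tables set is applied and saved alongside `rules.v4`. In section 5, the `mount -o remount,usrquota,grpquota /` change is lost on reboot without the matching options in `/etc/fstab`, and no limits are defined (no `setquota`/`edquota` step), so quotas are enabled but constrain nothing; the `tmpfs /tmp tmpfs defaults,noexec,nosuid 0 0` line is an `/etc/fstab` entry rather than a shell command, and without a `size=` option it lets `/tmp` grow into RAM, trading disk exhaustion for memory exhaustion. In section 6, `limit_req_zone` only declares the zone; without a `limit_req zone=api ...` directive in a `server` or `location` block, no request is rate-limited.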