BuyAFirewall/Overload
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

PLEASE

Browse Source
This commit is contained in:
Some Guy 2026-02-06 20:05:51 +03:00
commit ea43703255
1 changed files with 267 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

267
README.md Normal file
View File

@ -0,0 +1,267 @@
# I can kill your server by overloading your disk
## You dont have a firewall
## You dont have a VPN for your internal services
## You dont have a DMZ
## You are mixing your production deployment and your test deployment
# PLEASE Set up firewall so at least DRONE CI API isnt exposed
# Server & Deployment Security Hardening Guide
## Threat model (what were defending against)
* Disk exhaustion / resource exhaustion
* Direct access to internal services
* Lateral movement after compromise
* Accidental exposure of test systems
* No network segmentation or trust boundaries
---
## 1. Network Segmentation (Non-Negotiable)
### Environments
**NEVER mix these on the same host or network segment:**
* Production
* Staging
* Test / Dev
**Minimum setup**
* Separate VMs or nodes
* Separate subnets/VPCs
* Separate credentials
* Separate databases
### Zones
* **Public zone**: Load balancer / reverse proxy only
* **DMZ**: Web servers
* **Internal zone**: Databases, queues, caches
* **Management zone**: SSH, monitoring, CI/CD
---
## 2. VPN for Internal Services
Internal services **must not be publicly routable**.
Options:
* WireGuard (recommended)
* OpenVPN
* Cloud-native private networking (AWS VPC, GCP VPC, etc.)
**Rules**
* Databases listen on private IPs only
* Redis, Kafka, internal APIs → VPN or private subnet
* No public IPs for internal services
---
## 3. Firewall Policy (IPtables)
### Firewall Philosophy
* **Default deny**
* Explicit allow
* Log drops (rate-limited)
* Stateful filtering
---
## 4. IPtables Baseline Configuration
### Flush existing rules
```bash
iptables -F
iptables -X
iptables -t nat -F
iptables -t mangle -F
```
---
### Default policies
```bash
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
```
---
### Allow loopback
```bash
iptables -A INPUT -i lo -j ACCEPT
```
---
### Allow established connections
```bash
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
```
---
### SSH (restricted)
```bash
iptables -A INPUT -p tcp --dport 22 -s <YOUR_VPN_SUBNET>/24 -m conntrack --ctstate NEW -j ACCEPT
```
**Never expose SSH to the world.**
---
### HTTP / HTTPS
```bash
iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
```
---
### Rate-limit connections (DDoS / abuse mitigation)
```bash
iptables -A INPUT -p tcp --syn --dport 443 -m connlimit --connlimit-above 50 -j DROP
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 50 -j DROP
```
---
### Protect against SYN floods
```bash
iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
```
---
### ICMP (limited)
```bash
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 5 -j ACCEPT
```
---
### Log and drop everything else
```bash
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPTABLES DROP: "
iptables -A INPUT -j DROP
```
---
### Persist rules
```bash
iptables-save > /etc/iptables/rules.v4
```
---
## 5. Disk Exhaustion Protection
### Enable disk quotas
```bash
mount -o remount,usrquota,grpquota /
quotacheck -cum /
quotaon /
```
### Log rotation
```bash
apt install logrotate
```
### Tmpfs for temp files
```bash
tmpfs /tmp tmpfs defaults,noexec,nosuid 0 0
```
---
## 6. Application-Level Protections
### Reverse proxy (mandatory)
* Nginx / HAProxy / Envoy
* Rate limiting
* Request body size limits
Example (Nginx):
```nginx
client_max_body_size 10M;
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
```
---
## 7. Deployment Security Best Practices
### CI/CD
* No SSH deploys
* Use short-lived credentials
* One-way artifact promotion (build once → promote)
### Secrets
* Never in Git
* Use Vault / SSM / Secrets Manager
* Rotate regularly
---
## 8. OS Hardening
* Disable password SSH auth
* Use SSH keys only
* Fail2ban
* Automatic security updates
* Remove unused packages
* Run services as non-root
---
## 9. Monitoring & Alerting
You dont have security if you dont have visibility.
Monitor:
* Disk usage
* Connection counts
* Failed auth attempts
* Firewall drops
* CPU / memory saturation
---
## 10. Final Reality Check
If:
* You dont have a firewall
* You dont have segmentation
* You dont have a VPN
* You mix prod and test
Then **you dont have security — you have hope.**