# Weekly Security Posture Scan

## Targets

1. forge (localhost / 192.168.1.16) — James' home
2. james-old (192.168.1.17) — retired, still running
3. staging/dev (192.168.1.253) — home server
4. prod (192.168.100.2) — inou prod (when available)
5. caddy (192.168.0.2 / 100.84.42.55) — reverse proxy
6. zurich.inou.com (82.22.36.202) — VPS
7. amsterdam.inou.com (82.24.174.112) — VPS
8. UDM-Pro (192.168.0.1) — core router

## Per-Host Checks (VPS/Linux)

### Intrusion Detection

- [ ] `last -20` — any logins from unknown IPs?
- [ ] `lastb | head -30` — brute force attempts (volume/pattern)
- [ ] `awk -F: '$3>=1000' /etc/passwd` — unauthorized users?
- [ ] `cat ~/.ssh/authorized_keys` — compare against known keys baseline
- [ ] `find /home -name authorized_keys -exec cat {} \;` — same for all users
- [ ] `crontab -l; ls /etc/cron.d/` — rogue cron jobs?
- [ ] `ps aux | grep -v '\[' | sort -k3 -rn | head -20` — suspicious processes?
- [ ] `ss -tnp | grep -v '127.0.0\|::1'` — unexpected outbound connections?
- [ ] `find / -mtime -7 -type f -name '*.sh' 2>/dev/null` — recently modified scripts
- [ ] `docker ps -a` — unauthorized containers?
- [ ] Check for rootkits: `rkhunter --check --skip-keypress` or `chkrootkit`

### Hardening Verification

- [ ] `sshd -T | grep -E 'passwordauth|permitroot'` — still hardened?
- [ ] `ufw status` — rules unchanged?
- [ ] `fail2ban-client status sshd` — running, banning?
- [ ] `ss -tlnp` — only expected ports listening?
- [ ] `apt list --upgradable` — outstanding security patches?
- [ ] File permissions on /etc/shadow, /etc/sudoers

### Caddy Specific

- [ ] TLS cert validity/expiry
- [ ] Reverse proxy rules — no unintended exposure
- [ ] Access logs — unusual patterns?

### UDM-Pro Specific

- [ ] Firmware version — current?
- [ ] Port forwards — only intended ones
- [ ] IDS/IPS enabled and signatures current
- [ ] Connected clients — any unknown devices?
- [ ] Exposed management ports?

## Baseline

First run establishes baseline files at `memory/security-baselines/`:

- `zurich-keys.txt` — authorized SSH keys
- `zurich-ports.txt` — expected listening ports
- `zurich-users.txt` — expected users
- Same for amsterdam, caddy, prod
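
An added example, not code from the original checklist: a shell script that runs the user, authorized-key and listening-port checks from the Intrusion Detection and Hardening lists above and compares their output with the baseline files this section describes, creating the baselines on the first run. It assumes the `memory/security-baselines/<host>-<view>.txt` naming (overridable through `BASELINE_DIR`), a shell with `local` (bash, dash, busybox), and the script name `scan-baseline.sh`; the exclusion of the `nobody` UID, the reduction of keys to "type base64", and exit code 2 for drift are choices made here, not taken from the page.

```shell
#!/bin/sh
# Added example, not part of the original checklist: capture the users/keys/ports
# views as baseline files on the first run and report drift on later runs.
# Assumes the memory/security-baselines/<host>-<view>.txt layout the checklist names;
# BASELINE_DIR and the host name can be overridden by the caller.
set -u

BASELINE_DIR="${BASELINE_DIR:-memory/security-baselines}"

# --- collectors: each reads a file or stdin, so it works on live command output
# --- and on a saved copy alike, and emits one sorted, de-duplicated line per item.

# Human accounts: UID >= 1000, but without the 'nobody' pseudo-account (UID 65534 on
# Debian/Ubuntu), which a plain '$3>=1000' filter lists on every run.
users_from_passwd() {
  awk -F: '$3>=1000 && $3<65534 {print $1}' "${1:-/dev/stdin}" | sort -u
}

# Authorized keys reduced to "type base64": blank lines, comment lines and the
# trailing key comment are dropped so that a relabelled key is not reported as drift.
keys_from_authorized_keys() {
  awk '!/^[[:space:]]*(#|$)/ && NF>=2 {print $1, $2}' "${1:-/dev/stdin}" | sort -u
}

# Listening TCP ports from `ss -tlnp` output: column 4 is Local Address:Port and the
# port is whatever follows the last ':' (covers 0.0.0.0:22, [::]:22 and 127.0.0.1:6379).
ports_from_ss() {
  awk 'NR>1 {n=split($4,a,":"); print a[n]}' "${1:-/dev/stdin}" | sort -u
}

# check_against_baseline HOST VIEW CURRENT_FILE
# First run: store CURRENT_FILE as the baseline and return 0.
# Later runs: print lines added (+) and removed (-) relative to the baseline and
# return 0 when identical, 2 when drift is found.
check_against_baseline() {
  local host="$1" view="$2" current="$3" baseline added removed
  baseline="$BASELINE_DIR/$host-$view.txt"
  mkdir -p "$BASELINE_DIR"
  if [ ! -f "$baseline" ]; then
    cp "$current" "$baseline"
    echo "[$host/$view] baseline created: $baseline"
    return 0
  fi
  added=$(comm -13 "$baseline" "$current")    # lines only in current
  removed=$(comm -23 "$baseline" "$current")  # lines only in baseline
  if [ -z "$added" ] && [ -z "$removed" ]; then
    echo "[$host/$view] OK, matches baseline"
    return 0
  fi
  echo "[$host/$view] DRIFT"
  [ -n "$added" ] && printf '%s\n' "$added" | sed 's/^/  + /'
  [ -n "$removed" ] && printf '%s\n' "$removed" | sed 's/^/  - /'
  return 2
}

# Live scan of this host: the checklist's own commands feed the collectors.
scan_host() {
  local host="${1:-$(hostname -s)}" tmp rc=0 view
  tmp=$(mktemp -d)
  users_from_passwd /etc/passwd > "$tmp/users"
  find /home /root -maxdepth 3 -name authorized_keys -exec cat {} + 2>/dev/null \
    | keys_from_authorized_keys > "$tmp/keys"
  ss -tlnp 2>/dev/null | ports_from_ss > "$tmp/ports"
  for view in users keys ports; do
    check_against_baseline "$host" "$view" "$tmp/$view" || rc=$?
  done
  rm -rf "$tmp"
  return "$rc"
}

# Only scan when explicitly asked, so the functions can also be sourced or tested.
if [ "${SCAN_LIVE:-0}" = 1 ]; then
  scan_host "$@"
fi
```

Run it on a host as `SCAN_LIVE=1 sh scan-baseline.sh zurich`; without `SCAN_LIVE` the file only defines the functions. The collectors normalise before comparing on purpose: a key whose comment was edited, or a port that now listens on `[::]` as well as `0.0.0.0`, is not drift worth an alert, while a new user, a new key blob or a new port is.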

## Reporting

- Clean scan → log to `memory/security-scans/YYYY-MM-DD.md`
- Any findings → Fully alert (warning/critical) + detailed log
- Track trends (ban count, failed login volume)
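
An added example, not code from the original checklist, for the trend-tracking item above: it pulls the two figures the checklist names (the fail2ban ban count and the failed-login volume) out of the output of `fail2ban-client status sshd` and `lastb`, appends them to the dated scan log and compares them with the previous run. It assumes the `memory/security-scans/YYYY-MM-DD.md` layout (overridable through `SCAN_DIR`); the `metrics HOST bans=N failed_logins=N` line format, the top-five source listing and the 50% rise used as the warning threshold are choices made here, not taken from the page.

```shell
#!/bin/sh
# Added example, not part of the original checklist: extract the two trend figures the
# Reporting section names (fail2ban ban count, failed-login volume) from the tools'
# output, append them to the dated scan log and compare with the previous run.
# Assumes the memory/security-scans/YYYY-MM-DD.md layout the checklist names (SCAN_DIR
# overridable) and treats a 50% rise in failed logins as the warning threshold.
set -u

SCAN_DIR="${SCAN_DIR:-memory/security-scans}"

# "Total banned" counter from `fail2ban-client status sshd` output (file or stdin).
bans_from_fail2ban() {
  awk -F: '/Total banned/ {gsub(/[^0-9]/, "", $2); print $2; exit}' "${1:-/dev/stdin}"
}

# Number of failed-login records in `lastb` output; the blank line and the trailing
# "btmp begins ..." footer are not records.
failed_logins_from_lastb() {
  awk 'NF && $1 != "btmp" {n++} END {print n+0}' "${1:-/dev/stdin}"
}

# Top five source addresses in `lastb` output (column 3), most attempts first.
top_sources_from_lastb() {
  awk 'NF && $1 != "btmp" {c[$3]++} END {for (ip in c) print c[ip], ip}' "${1:-/dev/stdin}" \
    | sort -rn | head -5
}

# record_metrics HOST BANS FAILED [DATE]
# Append a metrics line to the day's log and print the change against the most recent
# earlier line for this host. Returns 1 when failed logins rose by more than 50%.
record_metrics() {
  local host="$1" bans="$2" failed="$3" day="${4:-$(date +%F)}" prev prev_bans prev_failed
  mkdir -p "$SCAN_DIR"
  # log files are named by date, so the glob expands in chronological order
  prev=$(grep -h "^metrics $host " "$SCAN_DIR"/*.md 2>/dev/null | tail -n 1)
  printf 'metrics %s bans=%s failed_logins=%s\n' "$host" "$bans" "$failed" >> "$SCAN_DIR/$day.md"
  if [ -z "$prev" ]; then
    echo "$host: first data point"
    return 0
  fi
  prev_bans=${prev#*bans=}; prev_bans=${prev_bans%% *}
  prev_failed=${prev##*failed_logins=}
  echo "$host: bans $prev_bans -> $bans, failed logins $prev_failed -> $failed"
  # failed > 1.5 * prev_failed, kept in integer arithmetic
  if [ $((failed * 2)) -gt $((prev_failed * 3)) ]; then
    echo "$host: WARNING failed-login volume up more than 50% since last run"
    return 1
  fi
  return 0
}

# Live run for this host, only when explicitly asked, so the functions can be sourced.
if [ "${SCAN_LIVE:-0}" = 1 ]; then
  lastb_out=$(lastb 2>/dev/null)
  record_metrics "$(hostname -s)" \
    "$(fail2ban-client status sshd 2>/dev/null | bans_from_fail2ban)" \
    "$(printf '%s\n' "$lastb_out" | failed_logins_from_lastb)"
  printf '%s\n' "$lastb_out" | top_sources_from_lastb
fi
```

Run it on each host after the checklist as `SCAN_LIVE=1 sh scan-trends.sh` (the file name is an assumption). A rising ban count with a flat failed-login count usually means fail2ban is simply doing its job; a jump in failed logins concentrated on one or two source addresses in the top-five list is the pattern worth escalating through the alert path above.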