docs: add security hardening details to server-contract and archive plans
Document fail2ban, SSH hardening, security headers, and Trivy scanning
in the Server Hardening section. Update Caddyfile examples to show the
security_headers snippet. Add scan-images.sh to infrastructure scripts
table. Mark ci-cd-improvements and monitoring-alerting plans as archived.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|`scan-images.sh`| Scan running container images for vulnerabilities (Trivy) | Cron: weekly Sunday at 04:00 |
107
108
108
109
## Server Hardening
109
110
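Review bot: the `scan-images.sh` row gives only the schedule, not where the weekly Trivy findings are written or who is notified, so a reader cannot tell whether anyone reviews the results of this scheduled check; add the output location (log path or alert channel) to the row or to the Server Hardening text that describes the cron job.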
@@ -119,6 +120,14 @@ The bootstrap script applies several security measures automatically. Self-hoste
119
120
120
121
**Container resource limits** — Every platform service and every app container has explicit CPU and memory limits in its Docker Compose file. This prevents any single container from exhausting server resources. The 7 core services use ~2.66G / 3.25 CPU. The 3 optional metrics services add 448M / 1.00 CPU when enabled.
121
122
123
+
**Brute-force protection** — fail2ban is installed with an SSH jail (systemd backend, since Debian 12 uses journald). Configuration: maxretry=5, bantime=3600s. IPs that exceed the retry limit are banned for one hour.
124
+
125
+
**SSH hardening** — A drop-in config at `/etc/ssh/sshd_config.d/99-towlion-hardening.conf` enforces: `PermitRootLogin no`, `PasswordAuthentication no`, `MaxAuthTries 3`, `X11Forwarding no`. Only key-based authentication as the `deploy` user is permitted.
126
+
127
+
**Security headers** — The platform Caddyfile includes a `(security_headers)` snippet that sets: `Strict-Transport-Security` (HSTS, max-age=31536000, includeSubDomains), `X-Content-Type-Options nosniff`, `X-Frame-Options DENY`, `Referrer-Policy strict-origin-when-cross-origin`, `Permissions-Policy` (camera, microphone, and geolocation denied), and strips the `Server` header. All app and ops Caddy routes import this snippet.
128
+
129
+
**Image vulnerability scanning** — Trivy is installed via the Aqua Security apt repository. Every deploy runs a non-blocking `trivy image` scan of the newly built app image (HIGH/CRITICAL severity). A weekly cron job (`scan-images.sh`, Sunday 04:00) scans all running container images.
130
+
122
131
**Mandatory Access Control (AppArmor)** — Debian 12 ships with AppArmor enabled by default. Docker automatically applies the `docker-default` AppArmor profile to all containers, which restricts capabilities like writing to `/proc` and `/sys`, mounting filesystems, and accessing raw sockets. No configuration is needed — this works out of the box.
123
132
124
133
SELinux is **not** used. While SELinux is the standard MAC system on RHEL/Fedora, it is not well-suited for Debian:
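Review bot: the fail2ban paragraph lists `maxretry=5, bantime=3600s` but omits `findtime`, and without the observation window the retry count does not fully describe when a ban triggers; please add the configured value (e.g. `maxretry=5, findtime=..., bantime=3600s`) so the text matches the jail config. The Trivy paragraph has the same gap: a deploy-time scan described as non-blocking should say where HIGH/CRITICAL findings land (deploy log, file, alert), otherwise the reader cannot tell whether the results are acted on. Minor: the security headers list includes `X-Frame-Options DENY` but no `Content-Security-Policy`; if CSP is deliberately left to each app, say so here.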
@@ -132,13 +141,24 @@ Since AppArmor is already active and Docker integrates with it automatically, th
132
141
133
142
## Caddyfile Generation
134
143
135
-
The platform Caddyfile at `/opt/platform/Caddyfile` contains a single import directive:
144
+
The platform Caddyfile at `/opt/platform/Caddyfile` contains a security headers snippet and an import directive:
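Review bot: the rewritten sentence says "a security headers snippet" while the Server Hardening section calls it `(security_headers)`; use the same name here, and state that the snippet is defined in `/opt/platform/Caddyfile` itself rather than in the imported file, since the hardening text says all app and ops routes import it and a reader needs to know which file to edit to change the headers.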